Privacy Policy
Your privacy and data security are our top priorities. This policy explains how we collect, use, protect, and handle your information.
Last Updated: April 26, 2026
Introduction
CorpGPT ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered document-intelligence platform hosted on Amazon Web Services (AWS). It applies to all users of the CorpGPT cloud-based platform. By using our service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Account Information
When you register for CorpGPT, we collect your name, email address, and (optionally) company name, phone number, and job title. This information is used to authenticate you, contact you about your account, and provide customer support.
1.2 Documents & Content
You may upload PDFs, documents, audio files, images, and other content ("Input") to your private workspace, where it is stored securely in AWS. You retain ownership and control of all Input. We act as a processor for your uploaded documents — see Terms of Service §6.1 for the rights and warranties you provide when uploading.
1.3 Usage Data
We collect queries and prompts submitted to the AI, feature-usage patterns and interactions, search history within your workspace, document-processing metrics, and session duration / frequency of use.
1.4 Technical Data
We collect browser type and version, IP address and approximate location (country / city level), device information (type, operating system), session logs and timestamps, and cookies / similar tracking technologies (see Section 7).
1.5 Payment Information
Payment-card details are processed by Stripe, our PCI-DSS Level 1 certified payment processor, and are not stored on our servers. We retain only transaction records and billing information necessary for account management.
2. How We Use Your Information
2.1 Legal Basis for Processing
We process your personal information based on (a) Contract Performance — to provide CorpGPT as agreed in our Terms of Service; (b) Legitimate Interest — to improve the Service, ensure security, and communicate with you about your account; (c) Legal Compliance — to meet regulatory requirements and respond to lawful requests; and (d) Consent — where you have explicitly consented to specific processing activities (e.g., non-essential cookies, marketing emails).
2.2 Purposes of Use
We use the information we collect to: provide, operate, and maintain the platform; process your documents using AI and deliver intelligent insights; authenticate users and manage account access; improve and personalize your experience; develop new features; communicate with you about updates, security alerts, and support; comply with legal obligations; detect, prevent, and address fraud or unauthorized access; analyze usage patterns; and provide customer support.
2.3 AI Processing — What We Do NOT Do
We do NOT use your documents or AI-generated content to train our own AI models. We do NOT share your content with other users or tenants. We do NOT sell, rent, or trade your data. AI processing occurs within an isolated workspace environment, and document embeddings / vectors are stored solely for your use. Our AI subprocessors (AWS Bedrock, Anthropic, and other foundation-model providers) are contractually prohibited from training on or repurposing your content — see Terms of Service §6.6.
3. Data Storage & Security
3.1 Infrastructure
All customer data is hosted on Amazon Web Services (AWS) infrastructure, with the primary region being us-east-1 (Northern Virginia, USA).
3.2 Security Measures
We employ industry-standard security practices, including: AES-256 encryption at rest, TLS 1.3 encryption in transit, AWS IAM policies enforcing least privilege, multi-factor authentication (MFA), tenant isolation per customer, regular security audits, continuous vulnerability scanning, and 24/7 incident-response monitoring.
3.3 Data Backups
We maintain automated daily backups (encrypted with the same standards as primary data) with geographic redundancy for disaster recovery. Backups are subject to the same retention policy described in Section 6.
4. Data Sharing & Third Parties
4.1 We Do NOT Sell Your Data
We do NOT sell, trade, or rent your personal information or documents to third parties for marketing or any other purposes. We do not engage in “sharing” of personal information for cross-context behavioural advertising as defined under the California Consumer Privacy Act (CCPA / CPRA).
4.2 Service Providers (Subprocessors)
We share data with vetted service providers who help us operate the Service. These include AWS (hosting), AWS Bedrock + Anthropic (AI inference), Stripe (payments), Amazon Cognito (authentication), Zendesk (support), and analytics / advertising vendors strictly limited to the cookie categories you have consented to (see Section 7). All providers are contractually bound to keep your information confidential and to use it only for the purposes we specify.
4.3 Legal Requirements
We may disclose information when required by law, regulation, legal process, or governmental request, including compliance with court orders or subpoenas, protection of our legal rights, investigation of fraud or security issues, and protection of user or public safety.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred. We will notify you via email and/or prominent notice on our platform before your data becomes subject to a different privacy policy.
4.5 With Your Consent
We may share information for purposes not described in this policy with your explicit consent, which you may withdraw at any time.
5. Your Rights & Choices
5.1 Access & Portability
You have the right to access your personal information and uploaded documents, export your data in a structured, machine-readable format (JSON, CSV), and request a copy of all data we hold about you. Use the “Export Data” feature in your account settings or email support@corpgptai.com.
5.2 Correction & Updates
You may update or correct your account information at any time through your account settings.
5.3 Deletion
You may request deletion of your personal data at any time via Account Settings → Delete Account or by contacting support@corpgptai.com. Upon account deletion, your account data and uploaded content are subject to the 180-day retention window in Section 6. Some information may be retained longer where required by law (e.g. tax / billing records) or as part of the trial-eligibility ledger described in Terms of Service §8.9.
5.4 Restriction & Objection
You may restrict processing of your personal information in certain circumstances, object to processing based on legitimate interests, and opt out of marketing communications using the unsubscribe link in any marketing email.
5.5 Withdraw Consent
Where processing is based on consent (including non-essential cookies and marketing), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
5.6 California Residents — Your Privacy Choices
California residents have additional rights under the CCPA / CPRA, including the right to opt out of any “sharing” of personal information for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) signal automatically: if your browser sends GPC, we treat it as a valid opt-out request without further action on your part. You can also use the “Your Privacy Choices” link in our website footer to manage your preferences directly.
5.7 How to Submit a Privacy Request
Email support@corpgptai.com with the subject line “Privacy Rights Request” and include your name, the email address associated with your account, and a description of the right you wish to exercise. We aim to respond within 5 business days and to resolve requests within the timeframes required by applicable law (typically 45 days for CCPA, 30 days for GDPR).
6. Data Retention
6.1 Active Accounts
While your account is active, we retain your personal information, uploaded documents, AI-generated content, and transcriptions for as long as necessary to provide the Service.
6.2 Terminated Accounts — 180-Day Window
Following account termination (whether by you or by us), we retain your account data and content for one hundred and eighty (180) days, after which it is permanently deleted from our active systems and routine backups. The deletion is enforced automatically via DynamoDB TTL and a streaming cleanup job that purges your S3 documents, AI-generated content, transcriptions, and per-tenant data stores.
6.3 Exceptions
We retain certain information beyond the 180-day window where: (a) we are legally required to keep it (e.g. tax and billing records — typically 7 years; security audit logs — typically 2 years); (b) it is needed to resolve a dispute or enforce our agreements; or (c) it is part of the trial-eligibility ledger described in Terms of Service §8.9, which retains a one-way hash of previously-used email addresses indefinitely as an anti-abuse control.
6.4 Earlier Deletion
You may request earlier deletion of your data at any time by contacting support@corpgptai.com. We will honour such requests to the extent permitted by applicable law.
7. Cookies & Tracking Technologies
7.1 Categories We Use
Strictly Necessary — required for sign-in, security, and remembering your cookie choice (cannot be disabled). Analytics — anonymous usage statistics so we can improve the product. Marketing — measures the effectiveness of our advertising on third-party platforms. Analytics and Marketing categories are off by default until you opt in via the consent banner.
7.2 Your Controls
You can change your cookie choices at any time using the Your Privacy Choices link in our website footer, the detailed inventory on our Cookie Policy page, or through your browser settings. Disabling Strictly Necessary cookies may prevent you from using authenticated features.
7.3 Global Privacy Control (GPC)
If your browser sends the Global Privacy Control signal (e.g. Brave, Firefox with Sec-GPC enabled, DuckDuckGo browser), we automatically treat it as an opt-out from Analytics and Marketing categories on your first visit. You do not need to take any further action.
7.4 Third-Party Services
When you opt in, we may use third-party services such as Google Analytics 4, the TikTok Pixel, the LinkedIn Insight Tag, and Google Ads conversion tracking. Each is configured to anonymise IP addresses where supported and is gated through Google Consent Mode v2 so that no tracking occurs without your consent. See our Cookie Policy for the complete inventory of cookies and providers.
8. International Data Transfers
8.1 Data Location
Your data is primarily stored in AWS data centres in us-east-1 (Northern Virginia, USA). Data may be transferred to and processed in countries other than your country of residence as part of our normal operations.
8.2 Transfer Safeguards
When we transfer personal data outside the European Economic Area (EEA), the United Kingdom, or Switzerland, we use one or more of the following safeguards: Standard Contractual Clauses (SCCs) — EU-approved model contracts; Adequacy Decisions — transfers to countries deemed adequate by the European Commission; the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework where applicable; and your explicit consent where required.
8.3 Data Processing Agreement
Enterprise customers may request a Data Processing Agreement (DPA) that includes Standard Contractual Clauses by emailing support@corpgptai.com.
9. Security Incidents & Breach Notification
9.1 Our Commitment
We maintain documented incident-response procedures designed to detect, contain, respond to, and recover from security incidents.
9.2 Breach Notification
If a personal-data breach affects your information, we will notify you by email to your registered address and via in-app notification within 72 hours of becoming aware of the breach (or as required by applicable law). The notification will describe the nature of the breach, the data affected, the steps we have taken in response, and any recommended actions you should take. We will also notify relevant supervisory authorities as required by law.
10. Children's Privacy
10.1 Age Restrictions
CorpGPT is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16 without parental consent. Users aged 16 or 17 should use the Service under the supervision of a parent or guardian.
10.2 Reporting
If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact support@corpgptai.com. We will delete such information from our systems within 30 days of verifying the request.
11. Automated Decision-Making
11.1 AI-Powered Features
CorpGPT uses artificial intelligence to analyse and extract information from your documents, generate summaries and insights, provide search and retrieval, and suggest relevant content.
11.2 Human Oversight
Our AI features are designed to assist you, not to make decisions on your behalf. You retain full control over which documents to upload, how to interpret AI-generated insights, and any business decisions based on platform outputs.
11.3 No Profiling for Significant Decisions
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you without human intervention.
11.4 Your Rights
Under the GDPR and certain other privacy laws, you have the right not to be subject to decisions based solely on automated processing, to request human review of automated decisions, and to express your point of view and contest an automated decision. You can exercise these rights by emailing support@corpgptai.com.
12. Contact Us About Privacy
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to privacy inquiries within 5 business days and to resolve formal requests within the timeframes required by applicable law (typically 45 days under the CCPA and 30 days under the GDPR).
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by (a) posting the updated policy on this page with a new “Last Updated” date, (b) sending an email notification to your registered email address where appropriate, and (c) displaying an in-app notification on your next sign-in.
Your continued use of CorpGPT after changes become effective constitutes your acceptance of the updated policy. If you do not agree to the changes, you should discontinue use and may delete your account at any time. Prior versions of this policy are retained for your review on request.