Privacy Policy
Last updated: May 29, 2026
1. Introduction
This Privacy Policy explains how Ethics Copilot ("we", "us") collects, uses, shares, and protects personal data when you use our website, applications, assessments, reports, and related services (collectively, the "Service"). It applies to visitors, account holders, and people whose information is submitted by an account holder.
By using the Service you acknowledge the practices described here. Our Terms of Service govern your overall use of the Service.
2. Data We Collect
We collect the following categories of data:
- Account data — name, email address, password hash, organization, and role.
- Assessment content — project descriptions, questionnaire answers, uploaded files, and any other inputs you submit.
- Billing data — plan, billing email, and limited payment-card metadata. Full card details are handled directly by our payment processor (Stripe) and are never stored on our servers.
- Usage data — pages viewed, features used, timestamps, approximate location derived from IP, browser/device type, and error logs.
- Communications — messages you send us through the contact form, support requests, or email.
3. How We Use Data
- To provide, operate, secure, and improve the Service;
- To generate assessments, reports, and AI-driven recommendations from your inputs;
- To process payments, manage subscriptions, and send service-related notices;
- To respond to support requests and other communications;
- To detect, investigate, and prevent fraud, abuse, and security incidents;
- To comply with legal obligations and enforce our Terms of Service.
We do not sell your personal data, and we do not use it for advertising.
4. Legal Bases (GDPR)
If you are in the European Economic Area or the United Kingdom, we rely on these legal bases:
- Contract — to provide the Service you signed up for;
- Legitimate interests — to secure the Service, prevent abuse, and improve features, balanced against your rights;
- Consent — for optional cookies and marketing communications, where applicable;
- Legal obligation — to meet accounting, tax, and other compliance requirements.
5. AI Processing of Your Inputs
Assessment content you submit is processed by large language models hosted by our model providers to generate Outputs. We send only the inputs needed to produce a response. We do not permit our model providers to use your content to train their general-purpose foundation models.
Do not submit sensitive personal data (for example government identifiers, health records, or payment card numbers) into assessment fields. Outputs may be imperfect and should be reviewed by a qualified human before being relied upon — see the AI disclaimers in our Terms of Service.
8. Data Retention
We keep personal data only as long as we need it for the purposes described above. Account and assessment data is retained while your account is active and for a reasonable period after closure to handle legal, tax, and dispute requirements. Backups are deleted on a rolling schedule. You can request earlier deletion as described under "Your Rights".
9. Security
We use industry-standard administrative, technical, and physical safeguards — including encryption in transit, encryption at rest for sensitive fields, access controls, and least-privilege practices — to protect personal data. No system is perfectly secure; if you suspect unauthorized access to your account, contact us immediately.
10. International Transfers
Your data may be processed in countries other than your own. Where we transfer personal data out of the EEA, UK, or other regulated regions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms.
11. Your Rights
Subject to applicable law, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- delete your data ("right to be forgotten");
- restrict or object to certain processing;
- port your data to another provider;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local data-protection authority.
To exercise these rights, contact us via our contact page. We will respond within the timeframes required by applicable law.
12. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to This Policy
We may update this Policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, give reasonable advance notice (for example by email or an in-product notice). Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
14. Contact
Questions about this Privacy Policy or our data practices? Reach us via our contact page.