RAGDC

Privacy Policy

Last updated: May 2026. This policy complies with UK GDPR / EU GDPR.

Information we collect

Account information (name, work email, workspace). Usage data (per-conversation model, token counts, credit ledger). Documents you actively upload (PDF / DOCX / XLSX; SharePoint Live knowledge bases do NOT persist documents). Payment data: processed by Stripe; we don't store card numbers or CVCs — only Stripe customer / subscription / payment intent IDs for reconciliation. Microsoft 365 OAuth credentials (if you enable SharePoint Live): refresh tokens are AES-256 encrypted at rest and only used to make Microsoft Graph requests on your behalf.

How we use your information

To provide and improve RAGDC; to process Stripe payments and renewals; to forward the context you choose to query to the LLM provider you select (OpenAI / Anthropic etc., via router.one). We do not sell your documents, conversations, or M365 content to third parties, nor use them to train any third-party model. LLM providers operate under their published zero-retention and no-training API policies.

Data residency & security

All data is stored in EU / UK region servers. TLS 1.3 in transit; AES-256 at rest. M365 OAuth refresh tokens are double-encrypted. On account deletion, identifying data is purged within 30 days (backups roll out within 90 days). SharePoint Live content is never written to disk — it is fetched per question and discarded after answering.

Your rights (GDPR)

Access, correct, or delete your personal data — workspace owners can self-serve in settings or contact us. Data portability: export company KB metadata and transaction history as JSON. Withdraw consent: revoke M365 binding, unsubscribe from email notifications, or cancel subscriptions at any time. If you have a complaint about how we process data, you may lodge it with your local data protection authority.

Contact

Privacy / data inquiries: [email protected]. Data controller: AIVault Ltd. (registered in the UK).