Privacy Policy

1. Overview

This Privacy Policy explains how Prism AI, Inc. ("Prism AI," "we," "us," or "our") collects, uses, discloses, and safeguards information in connection with the Bigspin website, dashboard, APIs, and related services that reference or link to this Policy (collectively, the "Services"). We recognize privacy is an ongoing responsibility and will update this Policy as our practices evolve.

2. Scope & Relationship to Enterprise Agreements

For most customers, access to and use of the Services is governed by a separate written agreement between Prism AI and your organization (e.g., a Master Subscription Agreement and/or Order Form, and where applicable a Data Processing Addendum, together the "Enterprise Agreement"). If there is any conflict between this Privacy Policy and an Enterprise Agreement, the Enterprise Agreement governs with respect to the Services provided to that organization. This Privacy Policy also applies to visitors of our public website and to account-level information we process to operate the Services.

3. Key Definitions

• Personal Data (or "personal information") means information that identifies, relates to, describes, or could reasonably be linked with an identified or identifiable individual (e.g., name, business email).
• Customer Data means data, content, prompts, examples, annotations, files, configuration settings, model inputs/outputs, usage logs, and other information that you or your organization submits to the Services for processing in connection with your use of the platform. As between you and Prism AI, you (or your organization) retain all right, title, and interest in and to Customer Data. We do not claim ownership of Customer Data.

Regulated data: Unless expressly agreed in writing, the Services are not designed for protected health information (HIPAA), payment card data (PCI DSS), or similarly regulated data categories. If your use cases involve such data, you must have an Enterprise Agreement that expressly permits it and sets applicable controls.

4. Information We Collect

4.1 Personal Data

• Business contact details (name, job title, employer, business email, business phone, work address).
• Account and authentication data (usernames, organization/workspace/project relationships, role/permissions).
• Support and communications (tickets, chat, feedback, email correspondence).
• Marketing preferences (subscriptions, event registrations, consent choices).
• Website/Service usage data (IP address, device and browser metadata, pages/features used, timestamps, referring/exit pages).
• Cookie and similar technology data (see Section 7).

4.2 Customer Data

• Prompts, examples, requirements, evaluation datasets, uploaded files, model inputs/outputs.
• Configuration settings, workflows, templates, and metadata used to design or evaluate AI behavior.
• End-user feedback, scoring, annotations, and structured reactions collected via the Services.
• Operational logs associated with your organization's use of the Services (e.g., job IDs, performance metrics).

We access, process, and use Customer Data only to provide and improve the Services in accordance with this Policy and the applicable Enterprise Agreement/DPA. We do not use Customer Data to train foundation models. Any exceptions require explicit written consent documented in your Enterprise Agreement.

5. Sources of Information

• Directly from you (account creation, uploads, prompts, support requests, feedback).
• Automatically via cookies, logs, and usage analytics when you access the website or Services.
• From your organization (administrator-provided account details, role assignments).
• Third parties such as identity providers, analytics vendors, CRM/marketing systems, or public sources (e.g., LinkedIn) where permitted by law.

6. How We Use Information (Purposes & Legal Bases)

We use Personal Data and Customer Data for the following purposes:

• Provide and operate the Services (set up accounts, authenticate users, process prompts/data, enable features, provide support).
• Security (fraud prevention, abuse detection, incident response, access controls, auditing, logging, and monitoring).
• Improve and develop the Services (quality, performance, usability, reliability) — applied to telemetry and de-identified/aggregated insights; Customer Data only as permitted by contract or instructions.
• Communications (service notices, transactional emails, product updates, security alerts).
• Marketing (with your consent where required; you may opt out at any time).
• Compliance (enforce terms, satisfy legal obligations, respond to lawful requests).

GDPR legal bases: contract performance (Art. 6(1)(b)) for account/Services operations; legitimate interests (Art. 6(1)(f)) for security, service improvement, and basic analytics; consent (Art. 6(1)(a)) for optional marketing or non-essential cookies; and legal obligations (Art. 6(1)(c)) where applicable.

7. Cookies & Similar Technologies

We use cookies and similar technologies to operate the website/Services, remember preferences, authenticate users, analyze usage, and improve performance. You can manage cookies via your browser settings. Blocking essential cookies may impair functionality. Where required, we will obtain consent for non-essential cookies. See our Cookies notice (if published) for details.

8. Sharing & Subprocessors

We do not sell Personal Data. We share Personal Data and Customer Data with third-party vendors acting as our subprocessors to support delivery of the Services (e.g., cloud hosting, data storage, authentication, analytics, email/service communications, and—if enabled by you—LLM providers). We conduct vendor diligence and maintain contractual obligations requiring appropriate confidentiality, security, and data protection.

Categories of subprocessors include: cloud infrastructure (e.g., AWS), managed databases (e.g., Supabase), authentication providers (e.g., Clerk), analytics/telemetry, email delivery and customer support tools, and optional LLM or model providers (e.g., OpenAI, Anthropic, Together AI) when explicitly enabled by you. A current list of subprocessors is available upon request to privacy@bigspin.ai.

We may disclose information if required by law, to protect rights and safety, to enforce our agreements, or in connection with a corporate transaction (e.g., merger, acquisition, financing). We may publish de-identified/aggregated insights that do not identify any individual or customer organization.

9. Security & SOC-2 Program

Prism AI maintains an information security program designed to protect the confidentiality, integrity, and availability of Personal Data and Customer Data and to align with SOC-2 requirements. Controls include risk management, access control, encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent), vulnerability and patch management, secure software development practices, logging/monitoring, regular backups, disaster recovery procedures, employee training, and incident response.

Upon execution of an NDA, we provide summary security documentation and our SOC-2 Type II report to Enterprise customers. Requests may be submitted to security@bigspin.ai.

Breach notification. In the event of a security incident that materially impacts Personal Data or Customer Data, we will notify affected customers within 72 hours of confirming the incident, in accordance with applicable law and the Enterprise Agreement/DPA.

10. International Transfers

Prism AI is headquartered in the United States. If you access the Services from outside the U.S., we may transfer and process information in the U.S. and other countries that may not provide the same level of data protection as your jurisdiction. Where required, we use appropriate safeguards such as the EU/UK Standard Contractual Clauses and additional measures as needed.

11. Retention & Deletion

We retain Personal Data for as long as necessary to fulfill the purposes described in this Policy, to comply with legal obligations, resolve disputes, and enforce agreements. Retention of Customer Data is governed by the Enterprise Agreement/DPA and your organization's configuration. Upon contract termination or at your organization's instruction, we will delete or return Customer Data in accordance with the Enterprise Agreement/DPA and our retention schedules, subject to any legally required retention.

12. Your Privacy Rights

Depending on your location, you may have rights under applicable laws (e.g., GDPR, UK GDPR, CCPA/CPRA) including the right to request access, correction, deletion, portability, restriction or objection to certain processing, and to withdraw consent where processing is based on consent. You also may have the right to opt out of certain uses or disclosures (e.g., targeted advertising) where applicable.

If your account is provisioned by your employer, please direct requests to your organization's administrator where appropriate. Otherwise, you (or your authorized agent) can submit a request by emailing privacy@bigspin.ai. We will verify and respond in accordance with applicable law. You also have the right to lodge a complaint with a supervisory authority.

13. Children's Privacy

The Services are not directed to individuals under the age of 18, and we do not knowingly collect Personal Data from children.

14. Changes to This Policy

We may update this Policy from time to time. The "Effective" date at the top indicates when the current version took effect. Material changes will be communicated as required by law or by reasonable notice through the Services.

15. Contact Us

Questions about this Policy, our privacy practices, or requests to obtain a copy of our DPA or security reports (under NDA) can be sent to: