Skip to content
GilbertDynamics

Privacy Policy

Last updated: [Month, Year]

Starter template — this draft must be reviewed by legal counsel before launch. Bracketed values are placeholders that need to be completed with Gilbert Dynamics's legal entity, jurisdiction, regions, and retention periods.

This Privacy Policy explains how [Legal entity name] (“Gilbert Dynamics,” “we,” “us”) collects, uses, and protects personal data when you visit our website, create an account, or use our AI assistant services (the “ Services”). It also describes the rights you have over your personal data and how to exercise them.

Controller vs. processor — two roles

Gilbert Dynamics handles two distinct categories of data in two different roles:

  • Account data — we are the controller. Information about you and your organization that we collect to provide the Services (e.g. names, email addresses, billing details, usage logs). We decide how and why this data is processed, and this policy governs it.
  • Customer content — we are the processor. Documents and data you upload so your assistant can answer from them, plus the questions your end users ask and the answers produced. We process this content on your behalf and only on your instructions, under a Data Processing Agreement (DPA). You — our customer — are the controller of this content.

Data we collect

  • Contact and account data: name, email, company, role, and any message you submit through our forms or during onboarding.
  • Billing data: billing contact and payment metadata. Card details are handled directly by our payment processor; we do not store full card numbers.
  • Customer content: documents and data you upload, plus end-user queries and generated answers, processed on your behalf as described above.
  • Technical and usage data: IP address, device and browser information, pages viewed, and feature usage, used to operate, secure, and improve the Services.
  • Communications: records of your correspondence with us (support, sales, scheduling).

How we use data

We use account and technical data to provide, secure, bill for, and improve the Services, to respond to inquiries, and to send service-related and (where permitted) marketing communications. Our legal bases include performance of a contract, our legitimate interests in running and securing the Services, your consent (where required, e.g. marketing and non-essential cookies), and compliance with legal obligations. We do not sell your personal data.

How AI processes customer content

When an end user asks a question, our system retrieves the relevant passages from your uploaded content and sends those excerpts — along with the question — to our AI model provider (Anthropic) to generate a grounded, cited answer. Only the excerpts needed to answer are sent, not your entire corpus.

Your content is not used to train AI models. Customer content is isolated to your account, is not used to train or fine-tune models for Gilbert Dynamics or any other customer, and is not used by our AI provider to train its models. We process customer content solely to deliver answers to you under your instructions.

Subprocessors

We use the third-party providers below to deliver the Services. Each is bound by contractual data-protection obligations. “ Planned” entries are not yet in use and are listed for transparency.

SubprocessorPurposeLocationStatus
AnthropicAI model provider — processes excerpts of customer content to generate grounded answers. Not used to train models.United StatesActive
VercelApplication hosting, edge delivery, and serverless compute.United States / global edgeActive
ResendTransactional email delivery (account and system notifications).United StatesActive
PostHogProduct analytics and usage measurement.United States / [EU]Active
Cal.comDemo and meeting scheduling.United StatesActive
LoopsMarketing and lifecycle email.United StatesActive
Neon / PostgresPrimary application database (account data and metadata).[Region]Planned
Cloudflare R2Object storage for uploaded customer documents.[Region]Planned
StripePayment processing and billing.United StatesPlanned

Data retention

We retain account data for as long as your account is active and for [retention period] afterward, unless a longer period is required by law (e.g. tax and accounting records). Customer content is retained for the term of your subscription and deleted within [retention period] of account termination or upon your documented request, subject to backup-rotation cycles. Backups are purged on a rolling [retention period] schedule.

Your rights — GDPR, UK GDPR, and CCPA

Depending on where you live, you may have the right to access, correct, delete, or receive a portable copy of your personal data, to object to or restrict certain processing, and to withdraw consent. Under the EU/UK GDPR these include the rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your supervisory authority.

Under the California Consumer Privacy Act (CCPA/CPRA) and similar U.S. state laws (including those in [Virginia, Colorado, Connecticut, Utah, and other applicable states]), you may have the right to know, access, delete, and correct personal information, to opt out of the sale or sharing of personal information and of targeted advertising, and to be free from discrimination for exercising these rights. We do not sell personal information. To exercise any right, email hello@gilbertdynamics.net. We will verify your request and respond within the timeframe required by law. For customer content, requests should be directed to the customer who controls that content; we will assist them as their processor.

International data transfers

We and our subprocessors may process data in the United States and other countries. Where we transfer personal data out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with supplementary measures where needed.

Security

We use technical and organizational measures designed to protect personal data, including encryption in transit, access controls, tenant isolation of customer content, and least-privilege access for our team. No system is perfectly secure, but we work to protect your data and to notify you of incidents as required by law.

Cookies and analytics

We use strictly necessary cookies to operate the site and, with your consent where required, analytics cookies (via PostHog) to understand usage and improve the Services. You can control non-essential cookies through our cookie controls or your browser settings.

Children

The Services are not directed to children under [16] and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. We will post the updated version here with a new “Last updated” date and, for material changes, provide additional notice where required.

Contact

Questions about this policy or to exercise your rights, email hello@gilbertdynamics.net, or write to [Legal entity name, mailing address]. Our data protection contact is [DPO / privacy contact].