Privacy Policy
Scope
This policy explains how Impacts AI (“we,” “us”) handles information on our website and during client engagements. It is written for clarity and is not legal advice.
What we collect and why
- We only collect the data needed to deliver agreed services (e.g., metrics, logs, evaluation results).
- We never sell data.
- We never use personally identifiable client data beyond the scope of the engagement.
- Any model fine-tuning, benchmarking, or shared evaluation requires explicit written consent.
- We may retain de-identified, aggregate insights to improve methods and contribute to field-level benchmarks.
Consent minimization
We collect the minimum necessary, prefer anonymized/aggregated data, and turn off non‑essential tracking by default where feasible. You can request deletion of website submissions at any time (see “Your choices”).
Security (encryption & access)
We use encryption in transit (TLS 1.2+) and at rest for cloud‑stored data (e.g., AES‑256 where supported). Access is limited on a least‑privilege basis with MFA for staff accounts. Devices are patched and encrypted; access is logged. We review vendors for security posture before use.
Retention
- Website inquiries: up to 18 months or until we fulfill the purpose.
- Proposals and engagement records: for the term of the agreement and as needed for accounting/compliance, then archived or deleted per contract.
- Derived, de‑identified metrics and benchmarks may be retained longer for research/portfolio insights.
- Backups follow provider cycles (typically 30–90 days). We will honor stricter retention requested in a DPA/BAA.
Third‑party processors & location
We rely on reputable cloud providers and analytics tools; a current list and data‑hosting region (default U.S.) are available on request or in your DPA. Region restrictions can be honored by agreement.
Incident response
We monitor for security incidents. If we discover unauthorized access, we will (1) investigate and contain, (2) notify affected clients and contacts without undue delay and as required by law/contract, and (3) share remedial steps and lessons learned.
DPAs/BAAs
We will sign a Data Processing Addendum (DPA) and, for covered health data, a Business Associate Agreement (BAA) on a per‑engagement basis. These documents take precedence over this page if conflicts arise.
Your choices & rights
You may request access, correction, or deletion of your information, or ask us to stop contacting you. Email hello@impactsai.io. We’ll respond promptly and within applicable legal timelines.
Updates
We may update this page as our services or laws change. The “Last updated” date will reflect the latest version.
Last updated: September 29, 2025
