Expert AI Labs
Effective Date: April 24, 2026 · Version 2.0
See also: Trust Center · Compliance · Data Processing Addendum
Expert AI Labs, Inc. ("Expert AI Labs," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, share, and safeguard personal information across our marketing website, the Expert AI Labs platform, and any related services (collectively, the "Services").
Two roles are relevant when reading this policy. When you visit our marketing website, sign up for our newsletter, or contact us directly, we are the Controller of your information. When you use the Services as part of a customer organization (for example, a restoration franchise's account), the customer organization is the Controller of personal data within that account, and we act as a Processor. The terms of our processing relationship with customer organizations are set out in our Data Processing Addendum (DPA).
Information you provide directly: Name, email, phone, mailing address, business affiliation, billing details, and any other content you submit through forms, account registration, support requests, or by uploading data into the Services.
Technical and usage data: IP address, browser and device identifiers, pages visited, referrer, session timestamps, and diagnostic events.
Communication content: Email messages exchanged with us, support tickets, and (if you choose to record interactions in the Services) call recordings, transcripts, and message bodies that you or your customers generate.
What we deliberately do not collect: We do not collect payment card data on our own systems (handled by PCI-compliant processors); we do not collect protected health information (PHI) without a separate Business Associate Agreement; and we do not collect government-issued IDs, biometric identifiers, or sensitive categories of personal data unless explicitly contracted to do so under appropriate safeguards.
We do not train AI models on customer data. Prompts, generated outputs, transcripts, photos, structured records, and any other tenant data sent through the Services are not used to train, fine-tune, or improve foundation models, ours or any third party's. This restriction is enforced by contract with our AI subprocessors (Anthropic, OpenAI), and we use their zero-data-retention API tiers where supported.
Tenants may opt out of any AI-assisted feature on a per-feature basis through Account Settings.
Data residency: Tenant data is hosted in the United States on Vercel (compute, edge) and Supabase (Postgres database, file storage). Enterprise customers may request EU residency in advance of contract signing.
Retention defaults:
Soft delete: Deleted records are recoverable for 90 days, then permanently purged. Hard delete is available on request and completes within 30 days.
We implement administrative, technical, and physical safeguards. Highlights: TLS 1.3 in transit, AES-256 at rest, Postgres row-level security for tenant isolation, role-based access controls, immutable audit logging, automated daily backups, vendor security review, and a SOC 2 readiness program (Type I targeted within 6 months of this policy's effective date). The current control set is published at /security.
We engage trusted vendors to deliver the Services. Our current subprocessor list is published at /security#subprocessors. We notify customers at least 30 days in advance of adding a new subprocessor that processes customer data.
We do not sell personal information.
We share information only as necessary to provide the Services, with subprocessors bound by data protection agreements, and as required by law (subpoena, court order, regulatory request) where we believe such disclosure is legally compelled.
In the event of a corporate transaction (merger, acquisition, sale of assets), we will provide notice and ensure continuity of these privacy commitments.
Depending on your jurisdiction, you may have the right to access, rectify, erase, restrict, or port your personal data, and to object to certain processing. You may also have the right to lodge a complaint with a supervisory authority.
To exercise these rights, email info@expertailabs.com. We acknowledge requests within 5 business days and complete them within 30 days, consistent with applicable law. We may need to verify your identity before acting.
We commit to notifying affected customers within 24 hours of confirming a personal data breach impacting their data, with a written incident report following within 14 days of containment. Regulator notification (where required) is handled per applicable law.
The Services are not directed to children under 16, and we do not knowingly collect their personal information. If you believe we have, contact us and we will delete the data promptly.
If personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum, as detailed in our DPA.
We may update this Policy from time to time. Material changes will be announced via the Trust Center, by email to active customers, and by updating the effective date above. Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the changes.