Privacy Policy
Last updated: July 2026 (placeholder — set at publication)
Information We Collect
We collect the minimum needed to respond to you: business contact details (name, work email, phone if provided, organization, role) and the content of your inquiry (industry, organization size, service interest, timeline, message). If the newsletter is enabled in the future, we would additionally collect the email address you submit for it.
For anti-abuse purposes, our forms store one-way salted hashes of IP address and browser user-agent. Raw IP addresses and user agents are not stored with your inquiry. We do not collect analytics data unless you opt in via the cookie banner, and no analytics provider is currently configured.
How Information Is Used
Inquiry data is used to respond to you, scope potential engagements, and manage the resulting business relationship. We do not sell personal information, share it for cross-context behavioral advertising, or add you to marketing lists you did not request.
Legal Bases
[PLACEHOLDER — counsel to confirm.] Where GDPR or similar law applies, we process inquiry data on the basis of legitimate interest (responding to a business inquiry you initiated) and, where applicable, consent (which you may withdraw) or steps taken prior to entering a contract.
Cookies and Analytics
Strictly necessary cookies keep the site functioning. Analytics and marketing cookies are off by default and load only after explicit opt-in through the consent banner. We honor Global Privacy Control signals. Details, including how to change your preferences at any time, are in the Cookie Policy.
Third-Party Processors
[PLACEHOLDER — name actual processors at launch.] We use a small number of service providers to operate this site, expected to include: website hosting, database hosting, email delivery, and — if enabled — scheduling and CRM services. Each processes data only on our instructions under a data processing agreement.
Data Retention
[PLACEHOLDER — counsel to set the schedule.] Inquiry records are retained while relevant to an active or prospective business relationship and reviewed periodically for deletion — our working default is review after 24 months of inactivity. You may request deletion sooner (see Contact below).
Security
We apply the controls we advise clients to apply: encryption in transit, access limited to personnel who need it, hashed rather than raw network identifiers, minimal logging of inquiry content, and audit trails on administrative access. No system is immune to compromise, and we will be straightforward with you if an incident affects your data.
International Visitors
This site is operated from the United States and information is processed there. If you visit from another jurisdiction, you understand your information will be transferred to and processed in the U.S. [PLACEHOLDER — add transfer mechanisms if EU/UK clients are onboarded.]
California Privacy Rights
[PLACEHOLDER — counsel to finalize CCPA/CPRA disclosures.] California residents may have rights to know, delete, correct, and limit use of personal information. We do not sell or share personal information as those terms are defined by the CPRA. See Do Not Sell or Share My Personal Information and contact info@cyai.io to exercise rights.
EU/UK Privacy Rights
[PLACEHOLDER — counsel to finalize GDPR/UK GDPR disclosures.] Where applicable, you may have rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with a supervisory authority. Requests: info@cyai.io.
Contact
Privacy questions and rights requests: info@cyai.io with the subject "Privacy Rights Request".
This policy is a working draft. Legal counsel must review and finalize it before production launch.