Privacy Policy

1. Data Controller Information

For the purposes of the GDPR and UK GDPR, the data controller responsible for your personal data is:

If you are located in the European Economic Area (EEA) or the United Kingdom, you may contact us at the email address above regarding any questions or concerns about how we process your personal data. While we are not required to appoint a Data Protection Officer under Article 37 of the GDPR based on our current processing activities, we are committed to responding to all data protection inquiries promptly.

2. Information We Collect

We collect information in the following categories:

2.1 Information You Provide Directly

When you use the Platform, you may voluntarily provide the following information:

• Business Information: Company name, company website URL, industry vertical, company size (employee count range), and primary business goals. This information is collected during the adaptive diagnostic interview to tailor the Platform's analysis to your organization.
• Contact Information: Your work email address, provided when you choose to save your assessment progress, receive a report, or create an account.
• Assessment Responses: Your answers to the diagnostic interview questions, including information about your business processes, operational workflows, technology usage, and related business metrics.
• Account Credentials: If you upgrade to a paid tier, a password for your account (stored in hashed form only).
• Payment Information: When making a purchase, payment details are collected and processed directly by our payment processor, Stripe, Inc. We receive a Stripe customer identifier and transaction confirmation but do not receive or store your full credit card number, CVV, or other sensitive payment credentials on our servers.
• Communications: Any messages, feedback, or correspondence you send to us via email or through the Platform.

2.2 Information Collected Automatically

When you access the Platform, certain information is collected automatically:

• Session Data: A browser-generated anonymous session identifier stored in your browser's local storage, used to maintain your assessment progress and enable session recovery if you leave and return to the Platform.
• Device and Browser Information: Device type, operating system, browser type and version, screen resolution, and language preferences.
• Usage Data: Pages visited, features used, time spent on pages, click patterns, and interaction sequences within the Platform.
• Log Data: IP address, access timestamps, referring URL, and server response codes.
• Cookies and Similar Technologies: See Section 8 (Cookies and Tracking Technologies) for detailed information.

2.3 Information Derived from Your Use

We generate the following derived data from your inputs:

• ROI Estimates and Projections: Calculated from your assessment responses combined with industry benchmark data from third-party research.
• Opportunity Assessments: AI-generated analyses of potential AI adoption use cases for your organization.
• Aggregated and Anonymized Data: Statistical and benchmarking data derived from aggregated user inputs that cannot reasonably be used to identify you or your organization.

3. Legal Basis for Processing (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases under Article 6(1) of the GDPR:

Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To conduct the diagnostic interview, generate your assessment report, calculate ROI projections, and deliver your report via email and web.
• Account Management: To create and manage your account, process upgrades, and maintain your subscription.
• Payment Processing: To process payments for premium services through our third-party payment processor.
• Session Management: To save your progress during the diagnostic interview, enable session recovery, and allow you to resume an interrupted assessment.
• Communications: To send transactional emails including report delivery, session recovery links, and purchase confirmations. With your consent, to send marketing communications about related services, product updates, and industry insights.
• Agency Matching: If you request it, to facilitate introductions with vetted AI implementation agencies.
• Product Improvement: To analyze usage patterns, improve diagnostic accuracy, refine our ROI methodology, and enhance the user experience.
• Research and Benchmarking: To generate anonymized, aggregated insights and industry benchmarks that inform our methodology and may be shared in anonymized form.
• Security and Integrity: To detect and prevent fraud, abuse, and unauthorized access to the Platform.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and government requests.

5. Data Sharing and Disclosure

We do not sell your personal data. We share your information only in the following limited circumstances:

5.1 Service Providers

We engage trusted third-party service providers to perform functions on our behalf. These providers are contractually obligated to process your data only for the purposes we specify and in accordance with this Privacy Policy. Our current service providers include:

• Stripe, Inc.: Payment processing. Stripe's privacy policy is available at https://stripe.com/privacy.
• Email Delivery Services: For sending transactional and, with consent, marketing emails.
• Cloud Hosting and Infrastructure: For hosting the Platform and storing data securely.
• Analytics Providers: For understanding usage patterns and improving the Platform (using anonymized or pseudonymized data where possible).

5.2 Agency Partners

If you explicitly request an agency introduction through the Platform, we will share limited information (your name, email, company name, industry, and a summary of your assessment results) with the relevant Agency Partner to facilitate the introduction. We will clearly inform you before any such sharing occurs and obtain your affirmative consent.

5.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of the Company, our users, or the public.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you via email or prominent notice on the Platform of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.

5.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

6. International Data Transfers

The Company is based in the United States. If you are accessing the Platform from outside the United States, including from the European Economic Area (EEA), the United Kingdom, or other regions with data protection laws that differ from U.S. law, please be aware that your personal data will be transferred to, stored, and processed in the United States.

For transfers of personal data from the EEA or UK to the United States, we rely on the following transfer mechanisms to ensure an adequate level of protection for your personal data:

• Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with our service providers and partners who process personal data outside the EEA/UK, ensuring they provide adequate safeguards.
• EU-U.S. Data Privacy Framework: Where applicable, we rely on our service providers' certifications under the EU-U.S. Data Privacy Framework.
• Supplementary Measures: Where necessary, we implement additional technical and organizational measures to ensure the security of your data during transfer.

You may request a copy of the applicable transfer mechanism by contacting us at hello@usecasefinder.ai.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention periods are as follows:

• Assessment Session Data: Active assessment sessions are retained for up to twelve (12) months from the date of the last interaction. Abandoned sessions (where no email was provided) are automatically deleted after ninety (90) days.
• Reports: Generated reports are retained for as long as your account is active or for twenty-four (24) months from generation, whichever is longer, to allow you to return and access your report.
• Account Data: Active account data is retained for the duration of your account. If you request account deletion, we will delete or anonymize your data within thirty (30) days, except where retention is required by law.
• Payment Records: Transaction records are retained for seven (7) years as required by tax and accounting regulations.
• Communications: Support correspondence is retained for twenty-four (24) months following resolution.
• Anonymized and Aggregated Data: This data, which cannot identify you, may be retained indefinitely for research and benchmarking purposes.

8. Cookies and Tracking Technologies

The Platform uses cookies and similar tracking technologies to enhance your experience and analyze usage patterns.

8.1 Types of Cookies We Use

8.2 Managing Cookies

When you first visit the Platform, we present a cookie consent banner that allows you to accept or decline non-essential cookies. You can modify your cookie preferences at any time through the cookie settings accessible in the Platform's footer. You may also manage cookies through your browser settings. Please note that disabling strictly necessary cookies may impair the Platform's functionality, including your ability to save and resume an assessment.

8.3 Local Storage

The Platform uses browser local storage to maintain an anonymous session identifier that allows your assessment progress to be preserved if you close your browser and return later. This is functionally necessary for the Platform to operate. You may clear local storage through your browser settings, but doing so will reset any in-progress assessment.

9. Your Privacy Rights

9.1 Rights Under GDPR and UK GDPR

If you are located in the EEA or the United Kingdom, you have the following rights under the GDPR/UK GDPR:

• Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): You have the right to request correction of any inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data, subject to certain legal exceptions (e.g., data required for legal compliance or the establishment, exercise, or defense of legal claims).
• Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
• Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interest or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing immediately.
• Right to Withdraw Consent (Art. 7(3)): Where we process data based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your data protection rights.

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the CCPA/CPRA:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share personal information.
• Right to Delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising purposes. Therefore, there is no need to opt out of such activities.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

9.3 Exercising Your Rights

To exercise any of the rights described above, please submit a request to hello@usecasefinder.ai. We will verify your identity before processing your request. We will respond to verified requests within the timeframes required by applicable law: within one (1) month for GDPR/UK GDPR requests (extendable by two months for complex requests) and within forty-five (45) days for CCPA/CPRA requests (extendable by an additional forty-five days with notice).

We do not charge a fee for exercising your privacy rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request.

10. Children's Privacy

The Platform is not directed to individuals under the age of eighteen (18), and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at hello@usecasefinder.ai. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly.

11. Data Security

We implement appropriate technical and organizational security measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption: Data in transit is protected using TLS/SSL encryption. Sensitive data at rest is encrypted using industry-standard encryption algorithms.
• Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, with role-based access controls and multi-factor authentication.
• Password Security: User passwords are stored using one-way cryptographic hashing (never in plain text).
• Payment Security: Payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We never store full card numbers on our servers.
• Infrastructure Security: Our hosting infrastructure employs firewalls, intrusion detection systems, and regular security patching.
• Monitoring and Incident Response: We maintain logging and monitoring systems to detect potential security incidents, and we have an incident response plan to address any data breach promptly.

While we take reasonable precautions to protect your data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we commit to notifying affected individuals and relevant supervisory authorities of any personal data breach in accordance with applicable law (within 72 hours for GDPR-reportable breaches).

12. "Do Not Track" Signals

Some web browsers transmit a "Do Not Track" (DNT) signal. At present, there is no universally accepted standard for how websites should respond to DNT signals. The Platform currently does not respond to DNT signals but does honor cookie consent preferences expressed through our cookie consent mechanism. We will update this policy if a uniform DNT standard is adopted.

13. Third-Party Links and Services

The Platform may contain links to third-party websites, services, or resources that are not operated by us. This Privacy Policy does not apply to third-party sites. We encourage you to review the privacy policies of any third-party service before providing your personal information. We are not responsible for the privacy practices or content of third-party sites.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

• Update the "Effective Date" at the top of this document.
• Provide notice via the email address associated with your account (if you have one).
• Display a prominent notice on the Platform.

For changes that materially affect how we process personal data you have already provided, we will seek your renewed consent where required by applicable law. Your continued use of the Platform after the updated Privacy Policy takes effect constitutes your acceptance of the changes.

We recommend reviewing this Privacy Policy periodically for any updates.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For GDPR-related inquiries, please include "Data Protection Inquiry" in your email subject line to ensure prompt routing to our data protection team.

If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.