Privacy Policy

1. Introduction

Welcome to E-ARI (Enterprise AI Readiness Intelligence) Platform. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI readiness assessment platform.

2. Information We Collect

2.1 Personal Information

• Name and contact information (email, phone number)
• Organization details and professional information
• Account credentials and authentication data
• Payment and billing information
• Enterprise user roles and permissions
• Department and team assignments
• SSO and identity provider information

2.2 Assessment Data

• Responses to AI readiness questionnaires
• Assessment results and scores
• Organizational AI maturity metrics
• Usage patterns and platform interactions

2.3 Technical Information

• Device and browser information
• IP addresses and location data
• Platform usage analytics
• Performance and error logs
• API usage and integration data
• Security audit logs and access records
• Data residency and compliance tracking

2.4 Enterprise Data

• Multi-tenant organization structures
• Role-based access control permissions
• Customer success and onboarding data
• Support tickets and communication history
• Compliance and audit trail information
• Data residency preferences and locations
• SOC 2 control testing and evidence

3. How We Use Your Information

• Provide and improve our AI readiness assessment services
• Generate personalized reports and recommendations
• Process payments and manage subscriptions
• Communicate with you about our services
• Ensure platform security and prevent fraud
• Comply with legal and regulatory requirements
• Conduct research and analytics to enhance our platform
• Manage enterprise user roles and permissions
• Provide customer success and onboarding support
• Maintain compliance with SOC 2, GDPR, and CCPA requirements
• Track data residency and regional compliance
• Monitor operational resilience and system health
• Facilitate SSO and enterprise integrations

4. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except in the following circumstances:

• Service Providers: Trusted third-party vendors who assist in platform operations
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In connection with mergers, acquisitions, or asset sales
• Consent: When you explicitly authorize disclosure

5. Data Security

We implement enterprise-grade security measures to protect your information:

• End-to-end encryption for data transmission
• Secure data storage with access controls
• Regular security audits and assessments
• Employee training on data protection
• Incident response and breach notification procedures
• SOC 2 Type II compliance framework
• Role-based access control (RBAC) systems
• Multi-factor authentication and SSO integration
• Comprehensive audit logging and monitoring
• Data residency controls and regional compliance
• Disaster recovery and business continuity planning

6. Your Rights and Choices

You have the following rights regarding your personal information:

• Access: Request access to your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your personal data (Right to be Forgotten)
• Portability: Export your data in a structured format
• Opt-out: Unsubscribe from marketing communications
• Restrict Processing: Limit how we use your information
• Data Residency: Request data storage in specific regions
• Consent Management: Manage your consent preferences
• Audit Trail: Access your data access and usage history

You can exercise these rights through our Privacy Dashboard or by contacting our privacy team at privacy@e-ari.com.

7. International Data Transfers and Data Residency

We offer flexible data residency options to meet your organization's compliance requirements:

7.1 Regional Data Storage

• United States (US): SOC 2 Type II compliant infrastructure
• European Union (EU): GDPR compliant with EU data residency
• Asia-Pacific (APAC): Regional compliance including PDPA

7.2 Transfer Safeguards

• Adequacy decisions by relevant authorities
• Standard contractual clauses
• Certified data protection frameworks
• Data residency controls and monitoring
• Regional compliance validation

8. Retention Policy

We retain your information only as long as necessary for the purposes outlined in this policy or as required by law. Data retention periods vary by type:

• Active Accounts: Duration of your subscription plus 2 years
• Inactive Accounts: 1 year after last activity
• Assessment Data: 7 years for enterprise accounts, 3 years for individual accounts
• Audit Logs: 7 years for compliance and security purposes
• Support Data: 3 years after ticket resolution
• Legal Requirements: As mandated by applicable laws (SOC 2, GDPR, etc.)

9. Enterprise Features and Compliance

9.1 SOC 2 Type II Compliance

We maintain SOC 2 Type II compliance with comprehensive security controls covering:

• Security, Availability, Processing Integrity, Confidentiality, and Privacy
• Regular control testing and evidence collection
• Third-party security audits and assessments
• Incident response and breach notification procedures

9.2 GDPR and CCPA Compliance

We comply with major privacy regulations including:

• GDPR (General Data Protection Regulation) for EU users
• CCPA (California Consumer Privacy Act) for California residents
• Automated privacy rights request processing
• Consent management and data inventory tracking

9.3 Enterprise Security Features

• Role-based access control (RBAC) with hierarchical permissions
• Multi-tenant architecture with data isolation
• SSO integration with SAML/OIDC support
• Comprehensive audit logging and monitoring
• API security with rate limiting and authentication

10. Children's Privacy

Our platform is designed for enterprise use and is not intended for children under 16. We do not knowingly collect personal information from children. If we become aware of such collection, we will take steps to delete the information promptly.

11. Updates to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes through:

• Email notifications to registered users
• Prominent notices on our platform
• Updated policy publication dates