LevyAI

LevyAI Trust, Privacy & Security Policy

Last updated: August 12, 2025

LevyAI is built for teams that handle sensitive information. This page explains what data we collect, how we use it, and the measures we take to protect it. It also outlines your rights and choices.

01

Scope & Roles

  • This policy applies to LevyAI’s website, apps, APIs, and managed deployments ("Services").
  • For end-user or business data you send to LevyAI, you are the Data Controller and LevyAI is the Data Processor under GDPR. For our own website analytics, billing records, and account data, LevyAI is the Data Controller.
02

Data We Process

Customer Content. Prompts, chats, files, metadata, and outputs you submit to or generate with LevyAI.

Account Data. Name, email, company, role, authentication identifiers, billing and subscription info.

Usage Data. Feature usage, device and browser info, timestamps, IP address, performance/telemetry logs.

Support Data. Communications with our team (tickets, emails, call recordings if applicable).

What we don’t collect or do

  • We do not sell personal data.
  • We do not use Customer Content to train our foundation models unless you explicitly opt in.
  • We do not share Customer Content with third-party advertisers.
03

How We Use Data

  • Provide the Services: execute prompts, generate responses, store and retrieve content, maintain session state.
  • Secure and improve reliability: detect abuse, debug issues, maintain audit trails, and improve system performance.
  • Customer support and billing: resolve tickets, manage subscriptions, send essential service communications.
  • Optional model quality improvements (opt-in only): anonymized samples may be used to improve product features. You can opt out at any time.
04

Data Ownership & Segregation

  • You own your Customer Content. LevyAI obtains a limited license to process it solely to provide and secure the Services.
  • Customer Content is logically isolated per tenant; enterprise plans support dedicated environments and private networking.
05

AI & Model Policy

  • No training on your private data by default. Foundation models used by LevyAI are not trained on your Customer Content unless you opt in.
  • Third-party models: when you enable third-party LLMs, we route requests under strict data processing terms; we configure vendors to not train on your data whenever such controls are available.
  • Safety: content filters, rate limiting, and abuse detection; continuous hardening against prompt-injection, data exfiltration, and jailbreak attempts.
06

Security Controls (Overview)

Encryption
  • In transit: TLS 1.2+
  • At rest: AES-256 (or cloud-provider equivalent)
  • Enterprise options: customer-managed keys (BYOK/KMS) and key rotation.
Identity & Access
  • SSO/SAML/OIDC, enforced MFA for admins
  • RBAC/least privilege, just-in-time access for support (with customer approval where applicable)
Network & Infra
  • Private VPCs, security groups, WAF, DDoS protections
  • Secrets in KMS/HSM-backed stores, regular backups with integrity checks
Application Security
  • Secure SDLC, code reviews, dependency scanning
  • SAST/DAST, supply-chain controls (SBOM), reproducible builds where feasible
Monitoring & Logging
  • Centralized logging, anomaly detection
  • Audit trails for administrative actions and data access events
Vulnerability & Third-Party Risk
  • Continuous scanning, risk scoring, and time-bound patch SLAs
  • Subprocessor security reviews, DPAs, and minimum-security baselines

Compliance & attestations: If you require formal evidence (e.g., SOC 2 Type II, ISO/IEC 27001), please contact our security team for our latest status, reports (under NDA), and control mapping. We align our controls to these frameworks and provide customer security questionnaires on request.

07

Data Retention & Deletion

  • Default retention (configurable):
  • Customer Content: retained for your workspace lifecycle or as you configure.
  • System logs: typically 30–90 days (shorter/longer by plan and region).
  • Deletion: You may delete content via the product or request deletion; backups roll off on a scheduled cycle. We also honor right-to-erasure requests.
  • Export: You may export your data in a machine-readable format upon request or via product features.
08

Data Residency & Transfers

  • Regional hosting options (e.g., US, EU) available on qualifying plans.
  • When data is transferred internationally, we use appropriate safeguards (e.g., Standard Contractual Clauses for EEA/UK).
09

Subprocessors

We use vetted providers to deliver the Services (cloud infrastructure, telemetry, email, authentication, payments). We contractually require privacy and security commitments and least-privilege access. For the current list, please contact our team or see levyai.com/subprocessors (if available). You will be notified of material changes as required by your DPA.

10

Government & Legal Requests

We only disclose data when required by law and after reviewing the validity and scope of the request. We will notify you before disclosure unless legally prohibited and will seek to narrow the request to the minimal required data.

11

Incident Response & Notifications

We maintain a formal incident response plan with 24/7 on-call. Following confirmation of a security incident impacting your data, we will notify your designated contacts without undue delay and share remediation details and corrective actions. For GDPR-reportable breaches, we follow the applicable notification timelines.

12

Your Responsibilities

  • Maintain the security of your endpoints, identity provider, and admin accounts (e.g., SSO/MFA).
  • Configure retention and data-sharing settings to match your policies.
  • Ensure you have a lawful basis to process personal data you send to LevyAI and provide required notices to your end users.
13

End Users; Children’s Data

LevyAI is not directed to children under 16, and we do not knowingly collect children's personal data. If you believe a child has provided personal data, please contact our privacy team for prompt deletion.

14

Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To exercise these rights, please contact our privacy team. California residents also have rights under the CCPA/CPRA; LevyAI does not "sell" personal information.

15

Cookies & Analytics

We use strictly necessary cookies for session management and security. With your consent (where required), we may use analytics to improve product performance. You can manage preferences via your browser or our in-product controls.

16

Enterprise Features (Available on request/plan)

  • Private networking: VPC peering/PrivateLink, egress allow-listing.
  • Data controls: Workspace-level retention policies, DLP patterns, PII redaction, domain restrictions.
  • Auditability: Immutable audit logs, SIEM exports, Admin Activity Reports.
  • Key management: BYOK (customer KMS) and dedicated tenant encryption contexts.
  • Model routing: Regional model endpoints and “no-train” enforcement for third-party LLMs.
17

HIPAA/PHI & Regulated Data

By default, LevyAI is not intended to process PHI or other highly regulated categories unless explicitly contracted. If you need to handle PHI, PCI, or similar regulated data, please contact our security team to discuss a restricted deployment, additional agreements (e.g., BAA), and controls.

18

Changes to This Policy

We may update this policy to reflect changes to our Services or legal requirements. We’ll post the new version with a revised “Last updated” date and, for material changes, provide advance notice through the Service or email.

19

Contact

For any security, privacy, or support inquiries, please contact us through our website or support portal.

Attachments

Attachments & Linked Terms (on request)

  • Data Processing Addendum (DPA)
  • Information Security Overview / Pen-Test Summary (NDA)
  • Business Continuity & Disaster Recovery Summary
  • Acceptable Use Policy (AUP)
  • Subprocessor List

Plain-English summary

You own your data. We process it only to run LevyAI and keep it secure. Your data is encrypted, access-controlled, and never used to train models unless you opt in. You can configure retention, export or delete data, and request regional hosting. If something goes wrong, we notify you quickly and fix it fast.

Want this as a styled Trust Center with badges and a collapsible subprocessor list? Let us know and we’ll deliver a production‑ready page.