Privacy Policy
Privacy Policy
Preview — These terms are provided for transparency during our pre-launch period. Final terms will be published at launch and may differ from what is shown here.
Effective Date: Upon launch Last Updated: April 4, 2026
Clover IT Solutions of the Upstate, LLC (“Company,” “we,” “us,” “our”) operates the Undercurrent platform (“Platform,” “Service”). This Privacy Policy describes how we collect, use, store, and protect your information.
1. What Data We Collect
Account Information
When you create an account, we collect:
- Name and email address
- Organization name (if applicable)
- Authentication credentials (via Google or Microsoft OAuth — we do not store your OAuth passwords)
- Billing information (processed and stored by Stripe; we do not store full payment card numbers)
Platform Data
As you use the Platform, we process:
- Observations and field notes — qualitative data you enter about client engagements
- Meeting debriefs — structured notes from client meetings
- Client profiles — information about your clients’ organizations that you enter
- Player profiles — information about stakeholders within your clients’ organizations
- Working theories and hypotheses — analytical interpretations generated by you and the Platform
- Audio recordings — meeting recordings you upload for transcription
- Canon data — accumulated organizational patterns built over time from your observations
This is your data. You enter it. You own it. We process it to provide the Service.
Usage Data
We collect minimal usage data necessary to operate and improve the Service:
- Login timestamps
- Feature usage patterns (aggregated, not content-level)
- Error logs and performance metrics
Cookies
We use session cookies only — functional cookies necessary for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
2. How We Use Your Data
We use your data solely to:
- Provide the Service — process observations through our analytical engine, generate analytical outputs, maintain your engagement canon
- AI processing — send your content to AI model providers for narrative extraction, assessment, and synthesis (see Section 4)
- Transcription — process uploaded audio through our transcription service
- Communication — send you service-related emails (account verification, billing, important updates)
- Improve the Platform — analyze aggregated, anonymized usage patterns to improve features and performance
We do not use your data to:
- Train AI models
- Build profiles for advertising
- Sell or rent to third parties
- Cross-reference data between practitioners or organizations
3. Data Storage and Security
Where Your Data Is Stored
- Database: Neon PostgreSQL, hosted in AWS us-east-2 (Ohio), encrypted at rest
- File storage: Cloudflare R2, encrypted at rest
- Application hosting: Cloudflare Workers (global edge network)
How We Protect Your Data
- All data is encrypted in transit via HTTPS/TLS
- All data is encrypted at rest in our database and storage systems
- Database access is enforced through row-level security (RLS) — your data is isolated at the database level from other practitioners
- Authentication tokens are verified against cryptographic keys (JWKS)
- API endpoints are protected by rate limiting and authentication middleware
- Each client engagement is hermetically sealed — no data crosses engagement boundaries
Data Retention
- Active accounts: Your data is retained for as long as your account is active
- After cancellation: You may export your data for 30 days following account closure. After 30 days, your data is permanently deleted from our production systems
- Backups: Database backups that may contain your data are retained for up to 90 days after deletion and are then permanently purged
- Audio recordings: Transcribed audio is deleted from processing storage within 24 hours of successful transcription. We do not retain original audio files long-term
4. Third-Party Services
We use the following third-party services to operate the Platform. Each processes limited data as described:
| Service | Purpose | Data Processed |
|---|---|---|
| Cloudflare | Application hosting, CDN, WebSocket connections, file storage | All Platform traffic (encrypted in transit) |
| Neon | PostgreSQL database | All Platform data (encrypted at rest, RLS-enforced) |
| Anthropic (Claude) | AI analytical processing (assessment, synthesis) | Observation text, client context (no PII required) |
| Google (Gemini) | AI narrative extraction, structured analysis | Observation text, client context (no PII required) |
| AssemblyAI | Audio transcription | Uploaded audio recordings; opted out of model improvement data sharing |
| Stripe | Payment processing | Billing information, payment methods |
| Resend | Transactional email | Email addresses, service notifications |
| Google/Microsoft | OAuth authentication | Email address, name (for login only) |
We select providers with enterprise-grade security practices and have opted out of model training programs where applicable. Anthropic processes data under their commercial API terms, which prohibit using API inputs and outputs for model training. Google processes data under their paid-tier Gemini API terms with billing enabled, which similarly prohibit using paid API data for model training. AssemblyAI processes audio under their paid API terms; we have opted out of their model improvement data sharing program. We do not use free-tier AI APIs.
5. We Do Not Sell Your Data
We do not sell, rent, lease, or trade your personal information or Platform data to any third party. Period.
6. Your Responsibility for Client Data
As a practitioner, you enter information about your clients, their organizations, and their people into the Platform. You are responsible for:
- Having appropriate authorization or professional basis to collect and process this information
- Complying with any confidentiality agreements between you and your clients
- Not entering data that you do not have a professional right to process
- Understanding that the Platform does not have a direct relationship with the individuals described in your observations — your professional obligations govern that relationship
7. Your Rights
For All Users
You have the right to:
- Access your data at any time through the Platform
- Export your data in a portable format
- Delete your account and all associated data
- Correct inaccurate account information
- Object to specific uses of your data by contacting us
GDPR Rights (European Economic Area Residents)
If you are located in the EEA, you additionally have the right to:
- Request a copy of all personal data we hold about you
- Request erasure of your personal data (“right to be forgotten”)
- Restrict or object to processing of your personal data
- Data portability — receive your data in a structured, machine-readable format
- Lodge a complaint with your local data protection authority
Our legal basis for processing is legitimate interest (providing the Service you have subscribed to) and contractual necessity (fulfilling our obligations under your subscription agreement).
CCPA Rights (California Residents)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
To exercise any of these rights, contact us at privacy@undercurrentapp.ai.
8. Children’s Privacy
The Platform is designed for professional use by adults. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will promptly delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect. The “Last Updated” date at the top of this document reflects the most recent revision.
10. Contact
For privacy-related questions or to exercise your data rights:
Clover IT Solutions of the Upstate, LLC Greenville, SC Email: privacy@undercurrentapp.ai Web: https://undercurrentapp.ai