Privacy Policy
Privacy Policy
Preview — These terms are provided for transparency during our pre-launch period. Final terms will be published at launch and may differ from what is shown here.
Effective Date: Upon launch Last Updated: May 28, 2026
Clover IT Solutions of the Upstate, LLC (“Company,” “we,” “us,” “our”) operates the Undercurrent platform (“Platform,” “Service”). This Privacy Policy describes how we collect, use, store, and protect your information.
1. What Data We Collect
Account Information
When you create an account, we collect:
- Name and email address
- Organization name (if applicable)
- Authentication credentials (via Google or Microsoft OAuth — we do not store your OAuth passwords)
- Billing information (processed and stored by Stripe; we do not store full payment card numbers)
Platform Data
As you use the Platform, we process:
- Observations and field notes — qualitative data you enter about client engagements
- Meeting debriefs — structured notes from client meetings
- Client profiles — information about your clients’ organizations that you enter
- Player profiles — information about stakeholders within your clients’ organizations
- Working theories and hypotheses — analytical interpretations generated by you and the Platform
- Audio recordings — meeting recordings you upload for transcription. Transcription is performed with speaker diarization (speaker identification), which generates speaker embeddings — short numerical representations of each speaker’s voice. Speaker embeddings may qualify as biometric identifiers under the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington biometric identifier statute (H.B. 1493). See §4 (AssemblyAI) and §6 (Your Responsibility for Client Data) for how this is handled and what you are responsible for
- Canon data — accumulated organizational patterns built over time from your observations
- Analytical outputs — analytical signals, confidence assessments, organizational canon, thesis assessments, speech dynamics analysis, and other outputs generated by the Platform’s analytical engine from your data. These are produced by the Platform as part of the Service and are subject to the intellectual property terms in the EULA
This is your data. You enter it. You own it. We process it to provide the Service. Analytical outputs generated by the Platform from your data are provided to you as part of the Service; the underlying methods and frameworks that produce them remain the intellectual property of the Company.
Usage Data
We collect minimal usage data necessary to operate and improve the Service:
- Login timestamps
- Feature usage patterns (aggregated, not content-level)
- Error logs and performance metrics
Cookies
We use session cookies only — functional cookies necessary for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
2. How We Use Your Data
We use your data solely to:
- Provide the Service — process observations through our analytical engine, generate analytical outputs, maintain your engagement canon
- AI processing — send your content to AI model providers for narrative extraction, assessment, and synthesis (see Section 4)
- Transcription — process uploaded audio through our transcription service
- Communication — send you service-related emails (account verification, billing, important updates)
- Improve the Platform — analyze aggregated, anonymized usage patterns to improve features and performance. This includes anonymized, aggregated data about the Platform’s analytical performance — such as signal frequency distributions and confidence calibration patterns — which contains no identifiable practitioner content or client information
We do not use your data to:
- Train AI models
- Build profiles for advertising
- Sell or rent to third parties
- Cross-reference data between practitioners or organizations
3. Data Storage and Security
Where Your Data Is Stored
- Database: Neon PostgreSQL, hosted in AWS us-east-2 (Ohio), encrypted at rest
- File storage: Cloudflare R2, encrypted at rest
- Application hosting: Cloudflare Workers (global edge network)
How We Protect Your Data
- All data is encrypted in transit via HTTPS/TLS
- All data is encrypted at rest in our database and storage systems
- Database access is enforced through row-level security (RLS) — your data is isolated at the database level from other practitioners
- Authentication tokens are verified against cryptographic keys (JWKS)
- API endpoints are protected by rate limiting and authentication middleware
- Each client engagement is hermetically sealed — no data crosses engagement boundaries
Data Retention
- Active accounts: Your data is retained for as long as your account is active
- After cancellation: You may export your data for 30 days following account closure. After 30 days, your data is permanently deleted from our production systems
- Backups: Database backups that may contain your data are retained for up to 90 days after deletion and are then permanently purged
- Audio recordings: Audio sent to AssemblyAI for transcription is deleted from AssemblyAI’s processing storage within 24 hours of successful transcription, and speaker embeddings generated during diarization are not retained by AssemblyAI beyond that processing window. Original audio files you upload are stored in our Cloudflare R2 storage under your account and are retained for the life of the engagement; you may delete an individual recording at any time through the Platform, and all uploaded audio is deleted along with the rest of your data per the account-closure schedule above
4. Third-Party Services
We use the following third-party services to operate the Platform. Each processes limited data as described:
| Service | Purpose | Data Processed |
|---|---|---|
| Cloudflare | Application hosting, CDN, WebSocket connections, file storage | All Platform traffic (encrypted in transit) |
| Neon | PostgreSQL database | All Platform data (encrypted at rest, RLS-enforced) |
| Anthropic (Claude) | AI analytical processing (assessment, synthesis) | Observation text, client context (no PII required) |
| Google (Gemini) | AI narrative extraction, structured analysis | Observation text, client context (no PII required) |
| AssemblyAI | Audio transcription and speaker diarization | Uploaded audio recordings and the speaker embeddings produced during diarization; opted out of model improvement data sharing; governed by AssemblyAI’s Biometric Data Addendum (effective May 26, 2026) |
| Stripe | Payment processing | Billing information, payment methods |
| Resend | Transactional email | Email addresses, service notifications |
| Google/Microsoft | OAuth authentication | Email address, name (for login only) |
We select providers with enterprise-grade security practices and have opted out of model training programs where applicable. Anthropic processes data under their commercial API terms, which prohibit using API inputs and outputs for model training. Google processes data under their paid-tier Gemini API terms with billing enabled, which similarly prohibit using paid API data for model training. AssemblyAI processes audio under their paid API terms; we have opted out of their model improvement data sharing program. We do not use free-tier AI APIs.
AI Subprocessor Flowdown
Our no-training commitment is contractually flowed through from our AI subprocessors. The specific terms that bind them — and therefore us — are:
- Anthropic (Claude): Zero data retention and no use of inputs or outputs for model training under the Anthropic Commercial Terms of Service and the Anthropic API Data Processing Addendum.
- Google (Gemini, paid tier with billing enabled): No use of paid-tier API content for product improvement or model training, per the Gemini API Additional Terms of Service and Google Cloud’s standard Cloud Data Processing Addendum.
- AssemblyAI: Paid API terms with model improvement opt-out elected; no use of customer audio or speaker embeddings for model training. Speaker diarization is performed under AssemblyAI’s Biometric Data Addendum (effective May 26, 2026), which classifies speaker embeddings as biometric data and requires that the party submitting audio has obtained legally adequate notice and consent from all recorded individuals. The Platform enforces this by requiring you to attest to that notice and consent each time you upload audio (see §6).
Our current AI subprocessor list is the table above. We will give at least 90 days’ advance written notice of any addition or replacement of an AI subprocessor that will process customer content, and we will make our then-current data processing agreements with these subprocessors available on request to active subscribers.
5. We Do Not Sell Your Data
We do not sell, rent, lease, or trade your personal information or Platform data to any third party. Period.
6. Your Responsibility for Client Data
As a practitioner, you enter information about your clients, their organizations, and their people into the Platform. You are responsible for:
- Having appropriate authorization or professional basis to collect and process this information
- Complying with any confidentiality agreements between you and your clients
- Not entering data that you do not have a professional right to process
- Understanding that the Platform does not have a direct relationship with the individuals described in your observations — your professional obligations govern that relationship
- For audio recordings specifically: providing legally adequate notice to, and obtaining all required consents from, every individual whose voice appears on a recording you upload, before that recording is uploaded. This includes consent to be recorded under the recording laws of the jurisdictions in which the meeting occurred (all-party / two-party consent states such as California, Illinois, Florida, Maryland, and others) and consent to biometric processing under BIPA, CUBI, and Washington H.B. 1493 where applicable. Each upload requires you to attest that you have obtained this consent
7. Your Rights
For All Users
You have the right to:
- Access your data at any time through the Platform
- Export your data in a portable format
- Delete your account and all associated data
- Correct inaccurate account information
- Object to specific uses of your data by contacting us
GDPR Rights (European Economic Area Residents)
If you are located in the EEA, you additionally have the right to:
- Request a copy of all personal data we hold about you
- Request erasure of your personal data (“right to be forgotten”)
- Restrict or object to processing of your personal data
- Data portability — receive your data in a structured, machine-readable format
- Lodge a complaint with your local data protection authority
Our legal basis for processing is legitimate interest (providing the Service you have subscribed to) and contractual necessity (fulfilling our obligations under your subscription agreement).
CCPA Rights (California Residents)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
To exercise any of these rights, contact us at privacy@undercurrentapp.ai.
Data Processing Agreements
If your organization requires a Data Processing Agreement (DPA) for GDPR or other regulatory compliance, contact us at privacy@undercurrentapp.ai. We will provide a DPA upon request for active subscribers. The DPA enumerates the AI subprocessors listed in §4 (Anthropic, Google Gemini, AssemblyAI) and incorporates the no-training and zero-retention flowdowns described above. We commit to at least 90 days’ advance notice of any change to the AI subprocessor list.
8. Children’s Privacy
The Platform is designed for professional use by adults. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will promptly delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect. The “Last Updated” date at the top of this document reflects the most recent revision.
10. Contact
For privacy-related questions or to exercise your data rights:
Clover IT Solutions of the Upstate, LLC Greenville, SC Email: privacy@undercurrentapp.ai Web: https://undercurrentapp.ai