Introduction
This Privacy Policy describes how Bodaty LLC, an Illinois limited liability company (“Bodaty,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use the AICtrlNet platform and HitLai user interface (collectively, the “Service” or “Platform”).
AICtrlNet is an AI workflow orchestration and governance platform that enables organizations to build, deploy, and manage AI-powered automation workflows. HitLai is the user interface for accessing AICtrlNet across all editions (Community, Business, and Enterprise).
We are committed to protecting your privacy and being transparent about our data practices. This policy is designed to comply with applicable privacy laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations.
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
Table of Contents
- Information We Collect
- How We Use Your Information
- Information Sharing and Disclosure
- Data Retention
- Your Privacy Rights
- Rights for European Users (GDPR)
- Rights for California Residents (CCPA/CPRA)
- Cookies and Tracking Technologies
- International Data Transfers
- Children’s Privacy
- Security Measures
- AI-Specific Privacy Considerations
- Third-Party Integrations
- Contact Information
- Changes to This Policy
1. Information We Collect
We collect information to provide, improve, and secure our Service. The types of information we collect include:
1.1 Account Information
When you create an account, we collect:
| Data Type | Examples | Purpose |
|---|---|---|
| Identity Information | Name, username, email address | Account creation and authentication |
| Authentication Data | Password (hashed), API keys, OAuth tokens | Secure access to the Service |
| Organization Data | Company name, team name, role | Multi-tenant organization management |
| Billing Information | Payment method, billing address (for paid tiers) | Subscription and billing processing |
| Profile Information | Profile picture, job title, timezone preferences | Personalization and user experience |
1.2 Usage Data
We automatically collect information about how you interact with the Service:
| Data Type | Examples | Purpose |
|---|---|---|
| Access Logs | IP addresses, browser type, device information, access times | Security, troubleshooting, analytics |
| Feature Usage | Pages visited, features used, button clicks | Product improvement and analytics |
| Performance Data | Response times, error rates, API call frequency | Service reliability and optimization |
| Session Information | Session duration, login frequency | Usage patterns and experience improvement |
1.3 Workflow and Automation Data
When you create and execute workflows, we process:
| Data Type | Examples | Purpose |
|---|---|---|
| Workflow Definitions | Workflow templates, node configurations, automation rules | Service delivery and workflow execution |
| Execution Data | Workflow run logs, execution status, timestamps | Monitoring, debugging, and auditing |
| Input/Output Data | Data processed by your workflows | Workflow execution as configured by you |
| Approval Records | Human-in-the-loop approvals, decision logs | Governance and audit trail |
1.4 AI Interaction Data
When you use AI-powered features, we may process:
| Data Type | Examples | Purpose |
|---|---|---|
| AI Prompts | Natural language commands for workflow creation | AI feature functionality |
| AI Outputs | Generated workflow configurations, recommendations | Service delivery |
| Conversation History | Chat history with AI assistants | Context continuity and improvement |
| Feedback Data | Ratings, corrections, preference signals (with consent) | AI quality improvement |
1.5 Communication Data
We collect information when you communicate with us:
| Data Type | Examples | Purpose |
|---|---|---|
| Support Communications | Support tickets, emails, chat transcripts | Customer support |
| Feedback | Survey responses, feature requests | Product improvement |
| Marketing Preferences | Email subscription status, communication preferences | Marketing communications |
1.6 Information from Third Parties
We may receive information from:
- OAuth Providers: When you authenticate via third-party providers (Google, GitHub, Microsoft), we receive basic profile information as authorized.
- Integration Partners: When you connect third-party services, we receive data necessary for the integration to function.
- Business Partners: For Business and Enterprise customers, we may receive information from resellers or partners.
2. How We Use Your Information
We use your information for the following purposes:
2.1 Service Delivery and Operations
- Account Management: Creating and maintaining your account, authenticating access, and managing subscriptions.
- Workflow Execution: Processing and executing your workflows, including AI-powered features.
- Platform Functionality: Enabling core features including workflow creation, template management, and team collaboration.
- Technical Support: Responding to support requests and troubleshooting issues.
2.2 Service Improvement and Development
- Analytics and Insights: Understanding usage patterns to improve features and user experience.
- Product Development: Developing new features based on aggregated usage data and feedback.
- Quality Assurance: Testing, debugging, and ensuring platform reliability.
- Performance Optimization: Improving response times and system efficiency.
2.3 Security and Compliance
- Security Monitoring: Detecting and preventing fraud, abuse, and security threats.
- Access Control: Enforcing authentication, authorization, and governance policies.
- Audit Logging: Maintaining audit trails for compliance and accountability.
- Legal Compliance: Meeting regulatory and legal obligations.
2.4 Communication
- Transactional Communications: Sending service-related notifications, alerts, and updates.
- Marketing Communications: Sending promotional content (with your consent, where required).
- Product Updates: Informing you about new features, changes, and improvements.
2.5 AI Model Training (Opt-Out Available)
We do not train AI models on your data without your explicit consent.
- By default, your workflow data, AI interactions, and business data are NOT used for AI training.
- You may opt in to allow anonymized, aggregated data to contribute to AI model improvements.
- Even with opt-in, we apply strict anonymization and never use identifiable data.
- Enterprise customers have additional controls and can enforce organization-wide opt-out policies.
See Section 12: AI-Specific Privacy Considerations for more details.
3. Information Sharing and Disclosure
We do not sell your personal information. We share information only in the following circumstances:
3.1 With Your Consent
We share information when you explicitly authorize us to do so, such as when you:
- Connect third-party integrations
- Invite team members to your organization
- Publish workflows to public galleries (if applicable)
3.2 Service Providers
We engage trusted third-party service providers to perform functions on our behalf:
| Provider Type | Purpose | Data Shared |
|---|---|---|
| Cloud Infrastructure | Hosting, storage, computing | All service data (encrypted) |
| Payment Processors | Subscription billing | Billing and payment information |
| Email Services | Transactional and marketing emails | Email addresses, names |
| Analytics Providers | Usage analytics | Aggregated, anonymized usage data |
| Security Services | Threat detection, DDoS protection | Access logs, security events |
| Customer Support | Help desk, ticketing | Support communications |
All service providers are bound by data processing agreements that require them to:
- Process data only as instructed by us
- Implement appropriate security measures
- Delete or return data upon termination
- Not use data for their own purposes
3.3 Within Your Organization
For Business and Enterprise customers:
- Organization administrators can access aggregated usage data
- Team managers can view team member activity within their scope
- Audit logs may be accessible to compliance officers
3.4 Legal Requirements
We may disclose information when required by law or when we believe disclosure is necessary to:
- Comply with legal process, subpoenas, or government requests
- Enforce our Terms of Service or other agreements
- Protect our rights, property, or safety
- Protect the rights, property, or safety of our users or others
- Detect, prevent, or address fraud, security, or technical issues
Transparency Commitment: Where legally permitted, we will notify you of legal requests for your data. We publish transparency reports detailing government requests received.
3.5 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets:
- Your information may be transferred to the successor entity
- We will notify you before your information becomes subject to a different privacy policy
- You will have the opportunity to delete your account before such transfer
3.6 Aggregated and De-Identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you:
- Industry benchmarks and statistics
- Research publications
- Public reports on platform usage trends
4. Data Retention
We retain your information for as long as necessary to provide our Service and fulfill the purposes described in this policy. Retention periods vary by data type:
4.1 Retention Periods by Data Type
| Data Type | Retention Period | Basis |
|---|---|---|
| Account Information | Duration of account + 30 days after deletion request | Service provision |
| Authentication Logs | 90 days | Security and troubleshooting |
| Workflow Definitions | Duration of account + 30 days | Service provision |
| Workflow Execution Logs | 90 days (configurable for Enterprise) | Operations and debugging |
| AI Interaction History | 30 days (configurable) | Feature functionality |
| Audit Logs | 7 years (Enterprise) / 1 year (Business) / 90 days (Community) | Compliance and governance |
| Billing Records | 7 years after transaction | Legal and tax requirements |
| Support Communications | 3 years after resolution | Quality assurance |
| Analytics Data | 26 months (aggregated) | Product improvement |
| Marketing Consent Records | Duration of consent + 3 years | Legal compliance |
4.2 Deletion and Anonymization
When data reaches the end of its retention period:
- Personal data is securely deleted or anonymized
- Anonymized data may be retained for statistical purposes
- Backup copies are purged within 90 days of primary deletion
4.3 Legal Holds
Retention periods may be extended when required by:
- Legal proceedings or investigations
- Regulatory requirements
- Contractual obligations with Enterprise customers
5. Your Privacy Rights
Regardless of your location, we provide all users with the following rights:
5.1 Right to Access
You can request a copy of your personal data, including:
- Account and profile information
- Usage history
- Workflow data you have created
- Data we have collected about you
How to exercise: Email privacy@aictrlnet.com or use the “Download My Data” feature in account settings.
5.2 Right to Correction
You can update or correct inaccurate personal information:
- Profile information can be updated directly in your account settings
- For other corrections, contact privacy@aictrlnet.com
5.3 Right to Deletion
You can request deletion of your personal data:
- Delete your account through account settings
- Request deletion of specific data via privacy@aictrlnet.com
- Note: Some data may be retained for legal or security purposes
Processing time: Deletion requests are processed within 30 days.
5.4 Right to Data Portability
You can export your data in a structured, commonly used format:
- Workflow definitions (JSON/YAML)
- Account information (JSON)
- Execution history (CSV)
How to exercise: Use the “Export Data” feature or contact privacy@aictrlnet.com.
5.5 Right to Opt-Out
You can opt out of:
- Marketing communications (via unsubscribe link or account settings)
- Non-essential analytics (via cookie preferences)
- AI model training contributions (via privacy settings)
- Personalized recommendations (via account settings)
5.6 Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances:
- When accuracy is contested
- When processing is unlawful but you don’t want deletion
- When we no longer need the data but you need it for legal claims
5.7 Right to Object
You can object to processing based on:
- Legitimate interests
- Direct marketing
- Profiling
6. Rights for European Users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
6.1 Legal Basis for Processing
We process your data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Account creation and service delivery | Contract performance |
| Billing and payment processing | Contract performance |
| Security and fraud prevention | Legitimate interests |
| Product improvement and analytics | Legitimate interests |
| Marketing communications | Consent |
| AI model training (when opted-in) | Consent |
| Legal compliance | Legal obligation |
6.2 Additional GDPR Rights
In addition to the rights in Section 5, you have:
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your member state.
6.3 Data Protection Authority
If you have concerns about our data practices, you may contact:
- Your local data protection authority
- The lead supervisory authority (for cross-border processing)
6.4 Data Controller Information
Data Controller: Bodaty LLC, 200 E. 5th Ave., Suite 121DE, Naperville, IL 60563, United States. Email: privacy@aictrlnet.com
Data Protection Officer: Email: dpo@aictrlnet.com
EU Representative (Article 27 GDPR): Bodaty does not currently target the Services to data subjects in the European Economic Area within the meaning of GDPR Article 3(2). Prior to onboarding any EU-based Customer or otherwise targeting Services to EU data subjects, Bodaty will designate an EU Article 27 representative (such as VeraSafe or EDPO) and update this Section 6.4 with the representative’s name and contact details.
UK Representative: Bodaty does not currently target the Services to data subjects in the United Kingdom within the meaning of UK GDPR Article 3(2). Prior to onboarding any UK-based Customer, Bodaty will designate a UK representative and update this Section 6.4 accordingly.
6.5 Legitimate Interests Assessment
When we rely on legitimate interests, we balance our interests against your rights and freedoms. Our legitimate interests include:
- Improving and developing our Service
- Ensuring security and preventing fraud
- Understanding how our Service is used
- Marketing our Service to prospective customers
You may object to processing based on legitimate interests at any time.
7. Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
7.1 Categories of Personal Information
We have collected the following categories of personal information in the past 12 months:
| Category | Examples | Collected | Sold | Shared for Cross-Context Advertising |
|---|---|---|---|---|
| Identifiers | Name, email, IP address | Yes | No | No |
| Customer Records | Payment information, account data | Yes | No | No |
| Commercial Information | Subscription history, usage records | Yes | No | No |
| Internet Activity | Browsing history, interactions | Yes | No | No |
| Geolocation Data | Approximate location from IP | Yes | No | No |
| Professional Information | Job title, company name | Yes | No | No |
| Inferences | Preferences, behavior patterns | Yes | No | No |
| Sensitive Personal Information | Account credentials | Yes | No | No |
We do not sell personal information and have not sold personal information in the past 12 months.
7.2 Your California Privacy Rights
- Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: Although we do not sell or share personal information for cross-context behavioral advertising, you may submit an opt-out request.
- Right to Limit Use of Sensitive Information: You may limit our use of sensitive personal information to purposes necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
7.3 Exercising Your Rights
To exercise your rights:
- Email: privacy@aictrlnet.com
- Use the “Privacy Settings” in your account
- Submit a request through our website
We will verify your identity before processing requests. You may designate an authorized agent to make requests on your behalf.
7.4 Response Timing
We will respond to verifiable consumer requests within 45 days, with a possible 45-day extension for complex requests.
7.5 Automated Decision-Making Technology (ADMT)
If the Service is used to make Automated Decisions that produce a legal or similarly significant effect on you (including decisions affecting employment, housing, financial services, healthcare, education, essential services, or insurance), under the CPRA-amended CCPA and the California Privacy Protection Agency’s Automated Decision-Making Technology regulations:
(a) Pre-Use Notice Right. You have the right to receive a pre-use notice from the business deploying the ADMT before it is used to make a significant decision about you. Bodaty provides Customer with the technical capability to issue such pre-use notices; the obligation to issue them rests with the Customer (Controller) deploying the ADMT.
(b) Right to Opt-Out. You have the right to opt out of the use of ADMT for significant decisions, subject to limited exceptions specified in the regulations. To exercise this right with respect to ADMT operated through the Service, contact the Customer (Controller) operating the workflow; Bodaty will support Customer in honoring such requests technically.
(c) Right of Access. You have the right to obtain meaningful information about the ADMT used, including the logic, the personal information used, and the consequences of the decision.
(d) Right to Human Review and Appeal. Where ADMT is used for a significant decision, you have the right to request human review and appeal of the decision under conditions specified in the regulations.
(e) Risk Assessments. Where Bodaty processes personal information using ADMT or for purposes that present significant risk to consumer privacy under the CPPA regulations effective January 1, 2026, Bodaty conducts and documents risk assessments. Customers acting as Controllers retain primary responsibility for their own risk assessments under 11 CCR § 7152.
These ADMT-specific rights are in addition to, and do not replace, the general California rights described in Section 7.2.
7.6 Do Not Sell or Share My Personal Information
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. However, if you wish to record your preference, you may:
- Email: privacy@aictrlnet.com with subject “Do Not Sell or Share”
- Enable “Limit the Use of My Sensitive Personal Information” in account settings
7.7 California “Shine the Light”
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their direct marketing purposes.
8. Cookies and Tracking Technologies
8.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration | Required |
|---|---|---|---|
| Essential Cookies | Authentication, security, core functionality | Session / Persistent | Yes |
| Functional Cookies | Preferences, language, timezone | 1 year | No |
| Analytics Cookies | Usage patterns, performance metrics | 26 months | No |
| Marketing Cookies | Campaign effectiveness (if enabled) | 90 days | No |
8.2 Essential Cookies
These cookies are necessary for the Service to function:
- Session management and authentication
- Security features (CSRF protection)
- Load balancing and performance
- Remembering cookie consent preferences
You cannot opt out of essential cookies while using the Service.
8.3 Analytics and Performance Cookies
We use analytics to understand how users interact with our Service:
- Page views and navigation patterns
- Feature usage and adoption
- Error tracking and performance monitoring
- A/B testing for product improvements
Analytics providers may include:
- Self-hosted analytics (privacy-focused)
- Aggregated usage metrics
8.4 Managing Cookies
You can manage cookies through:
- Cookie Consent Banner: Adjust preferences when first visiting
- Account Settings: Update cookie preferences in your privacy settings
- Browser Settings: Configure your browser to block or delete cookies
Note: Blocking certain cookies may affect Service functionality.
8.5 Do Not Track
We honor Do Not Track (DNT) signals. When your browser sends a DNT signal:
- We disable non-essential analytics cookies
- We limit data collection to service-essential purposes
- Third-party tracking is blocked
8.6 Other Tracking Technologies
In addition to cookies, we may use:
- Local Storage: For caching and performance
- Session Storage: For temporary state management
- Pixel Tags: For email delivery confirmation (in transactional emails)
9. International Data Transfers
9.1 Data Location
Our primary services are hosted in the United States. Your data may be processed in:
- United States (primary data centers)
- European Union (for EU-resident data, where applicable)
- Other regions as necessary for service delivery
9.2 Transfer Mechanisms
When transferring data outside your region, we use appropriate safeguards:
For EEA/UK/Swiss Users:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures including encryption and access controls
- Data Processing Agreements with all processors
For Other Jurisdictions:
- Contractual protections equivalent to SCCs
- Compliance with local data transfer requirements
9.3 EU-U.S. Data Privacy Framework
Bodaty relies on the 2021 EU Standard Contractual Clauses (Module Two — Controller-to-Processor) and the UK International Data Transfer Addendum as the primary contractual mechanisms for transfers of personal data from the EEA, UK, and Switzerland to the United States. Bodaty intends to self-certify under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework. Until certification is filed and active, all such transfers operate under the SCCs and equivalent UK/Swiss mechanisms.
Where Bodaty’s sub-processors (including AI model providers such as Anthropic, PBC and Google LLC) are themselves DPF-certified, Bodaty may rely on such certifications for downstream transfers, with SCCs serving as the contractual fallback in all cases.
9.4 Your Choices
Enterprise customers may have options to:
- Restrict data to specific geographic regions
- Use dedicated infrastructure in preferred regions
- Implement additional encryption for data in transit
10. Children’s Privacy
10.1 Age Requirement
Our Service is not intended for individuals under 13 years of age.
- We do not knowingly collect personal information from children under 13.
- If we learn that we have collected information from a child under 13, we will delete it promptly.
- If you believe we have collected information from a child under 13, please contact us immediately at privacy@aictrlnet.com.
10.2 Users Between 13 and 18
- Users between 13 and 18 may use the Service with parental or guardian consent.
- Parents or guardians are responsible for monitoring their minor’s use of the Service.
- We encourage parents to discuss online privacy with their children.
10.3 Educational Use
For educational institutions using AICtrlNet:
- Additional protections may apply under FERPA (U.S.), COPPA, or local laws
- Contact us for educational agreements with enhanced privacy protections
- We offer specific configurations for educational environments
10.4 Biometric Information — Non-Collection (Illinois BIPA and Similar Laws)
Bodaty does not collect, capture, purchase, receive, retain, or otherwise obtain biometric identifiers or biometric information as those terms are defined under the Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”), the Texas Capture or Use of Biometric Identifier Act, the Washington Biometric Privacy Act, or analogous laws in other jurisdictions. Specifically, the Service does not collect or process retinal or iris scans, fingerprints, voiceprints, scans of hand or face geometry, DNA, or any other biological characteristic used to identify an individual.
Customer-configured workflows. Customers may build workflows on the Service that reference third-party biometric verification providers (e.g., identity verification or KYC vendors). In such cases, biometric identifiers flow directly between the data subject and the third-party provider; Bodaty does not capture, store, retain, or otherwise obtain those identifiers. Customers are solely responsible for selecting and contracting with such providers and for any BIPA, CUBI, or analogous compliance obligations arising from those workflows.
If Customer separately chooses to send biometric data to the Service as Customer Content (for example, by configuring a workflow that processes a biometric image as input), Customer is the Controller of that biometric data and is solely responsible for obtaining the consents and complying with the notice, storage-limitation, and destruction obligations required by BIPA and analogous laws. Bodaty does not consent to receive biometric data and reserves the right to require Customer to remove such data and to disable the relevant workflow.
11. Security Measures
We implement comprehensive security measures to protect your data:
11.1 Technical Safeguards
| Measure | Description |
|---|---|
| Encryption in Transit | TLS 1.3 for all data transmission |
| Encryption at Rest | AES-256 encryption for stored data |
| Key Management | Secure key storage with rotation policies |
| Access Controls | Role-based access control (RBAC) |
| Authentication | Multi-factor authentication (MFA) support |
| API Security | Token-based authentication, rate limiting |
| Network Security | Firewalls, intrusion detection, DDoS protection |
11.2 Organizational Safeguards
| Measure | Description |
|---|---|
| Employee Training | Regular security and privacy training |
| Access Limitations | Least-privilege access to production data |
| Background Checks | For employees with data access |
| Confidentiality Agreements | All employees bound by confidentiality |
| Vendor Assessment | Security evaluation of all service providers |
11.3 Operational Safeguards
| Measure | Description |
|---|---|
| Incident Response | 24/7 security monitoring and response |
| Vulnerability Management | Regular security assessments and patching |
| Audit Logging | Comprehensive logs of data access and changes |
| Business Continuity | Disaster recovery and backup procedures |
| Penetration Testing | Regular third-party security testing |
11.4 Security Certifications and Compliance
We operate the following compliance programs:
- GDPR compliance program — active, including DPA availability for Business and Enterprise customers
- CCPA / CPRA compliance program — active, including ADMT risk assessments for in-scope automated decision-making
- HIPAA-ready architecture — available for eligible Enterprise customers under Business Associate Agreement (BAA)
- NIST AI Risk Management Framework alignment — operational roadmap; full attestation contingent on third-party assessment
- ISO 42001 (AI Management Systems) alignment — operational roadmap; full attestation contingent on third-party assessment
- SOC 2 Type II audit — engagement scoped; certification target is a future date and is not yet attested. Bodaty does not represent SOC 2 Type II compliance until a final report is issued.
11.5 Security Incident Notification
In the event of a security incident affecting your data:
- We will notify you within 72 hours of discovery
- Notification will include the nature of the incident and data affected
- We will provide remediation steps and ongoing updates
- Regulatory authorities will be notified as required by law
11.6 Reporting Security Issues
If you discover a security vulnerability:
- Email: security@aictrlnet.com
- We operate a responsible disclosure program
- Do not publicly disclose vulnerabilities before we address them
12. AI-Specific Privacy Considerations
Given that AICtrlNet is an AI-powered platform, we provide additional transparency about how AI interacts with your data, in alignment with GDPR Art. 22 (right not to be subject to solely automated decision-making with legal or similarly significant effect), the CPRA-amended CCPA’s Automated Decision-Making Technology regulations, the Colorado AI Act (effective June 30, 2026), and the EU AI Act (Regulation (EU) 2024/1689, full applicability August 2, 2026):
12.1 AI Model Inputs
When you use AI-powered features:
| Data Type | How It’s Used | Retention |
|---|---|---|
| Natural language commands and prompts | Processed to understand intent and generate workflows or Outputs | Session only, unless saved by Customer |
| Workflow context (current + immediately relevant history) | Provided to the selected Foundation Model for relevant Outputs | Session only |
| Historical patterns / fine-tuning data | Used only with Customer’s explicit opt-in | As configured by Customer; deletable on request |
12.2 AI Model Outputs
AI-generated content (“Outputs”) is:
- Owned by Customer. As between Bodaty and Customer, Customer owns all right, title, and interest in Outputs generated from Customer Inputs.
- Stored only if Customer chooses to save. Outputs surfaced through the Service are stored at Customer’s direction; ephemeral Outputs are not retained.
- Not used to train models without consent. Bodaty does not use Outputs (or Customer Inputs that generated them) to train AI models, sell or license Outputs to third parties, or use Outputs to deliver services to other customers.
- Not used to deliver services to other customers. Outputs are not cross-pollinated across customer accounts.
12.3 Training Data Commitment
We make the following commitments regarding AI training:
- No Training by Default. Bodaty does not use Customer Personal Data, Customer Confidential Information, prompts, or Outputs to train, fine-tune, or otherwise improve any general-purpose AI model owned by Bodaty or any AI Sub-processor. The prohibition applies by default and persists unless Customer affirmatively opts in.
- Anonymization First. If Customer opts in to a model-improvement program, data is de-identified and aggregated before any use.
- Enterprise Organization-Wide Opt-Out. Enterprise customers can enforce organization-wide opt-out policies that override individual user settings.
- AI Sub-Processor Flow-Down. Bodaty contractually requires every AI Sub-processor to honor a substantively equivalent no-default-training prohibition, with no-training flow-down to any further sub-processor in the AI inference chain.
- Data Minimization. Bodaty sends to each Foundation Model only the inputs reasonably necessary for the requested Output, in keeping with the data-minimization principles of GDPR Art. 5(1)(c) and equivalent provisions of other privacy laws.
12.4 AI Sub-Processor Disclosure
We may use the following Foundation Model Providers and AI Sub-Processors for various features. Bodaty maintains a current, complete list of Sub-Processors at aictrlnet.com/legal/sub-processors; the table below is illustrative and may not reflect the most recent additions.
| Provider | Edition tier | Purpose | Region | Training Opt-Out / Flow-Down |
|---|---|---|---|---|
| Anthropic, PBC | Community+ | Claude model inference | United States | Default no-training; contractually flowed down |
| OpenAI, LLC | Community+ | GPT model inference (where Customer enables) | United States | Default no-training (commercial / API tier); contractually flowed down |
| HuggingFace, Inc. | Community+ | Hosted open-source model inference (where Customer enables) | United States; EU | Default no-training; flowed down |
| DeepSeek | Community+ | DeepSeek model inference (where Customer enables) | China-based provider; review transfer-impact assessment before enabling | SCCs Module Three; supplementary measures required |
| Google LLC (Gemini) | Business+ | Gemini model inference (where Customer enables) | United States; EU (where supported) | Default no-training; contractually flowed down |
| AWS Bedrock | Business+ | Multi-model Foundation Model gateway (Anthropic, Meta, Mistral, Cohere) | United States (primary); EU (where supported) | Default no-training; contractually flowed down |
| Cohere, Inc. | Business+ | Cohere model inference (where Customer enables) | United States; Canada | Default no-training; flowed down |
| Microsoft (Azure OpenAI) | Business+ | OpenAI models via Azure regional deployment | Customer-selected Azure region | Default no-training; contractually flowed down |
| Ollama / vLLM (self-hosted) | Community+ | Local Foundation Model inference | Customer infrastructure | N/A (Customer-controlled — not an AI Sub-Processor) |
AI Sub-Processor Change Notice. We provide at least fifteen (15) days’ prior notice of any addition, replacement, or material expansion of an AI Sub-Processor, by updating the published Sub-Processors page and notifying account administrators by email. This is shorter than the thirty (30) days applied to non-AI Sub-Processors because the AI vendor stack changes more frequently.
12.5 Human-in-the-Loop and Right to Human Review
Our AI governance features include:
- Approval workflows requiring human authorization for high-stakes decisions
- Audit trails of AI decisions and human overrides
- Configurable confidence thresholds for automatic vs. human-assisted processing
- Pre-use notice generation for ADMT-affected significant decisions
- Mechanisms for data subjects to request human review of automated decisions
Where the Service is used by a Customer (Controller) to make solely automated decisions producing legal or similarly significant effects on individuals, the Customer is the Controller and is responsible for ensuring that the GDPR Art. 22 right not to be subject to such decisions, and analogous rights under the CPRA-amended CCPA, Colorado AI Act, and other applicable laws, are honored.
12.6 Cross-Border AI Inference
Customer acknowledges that AI Sub-Processors may host inference infrastructure in regions different from the data residency region selected by Customer. When a prompt or AI input from a user in the EEA, UK, or Switzerland is routed to an AI Sub-Processor’s inference endpoint outside the EEA, UK, or Switzerland (as applicable), such routing constitutes an international data transfer.
Bodaty relies on (i) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework where the relevant AI Sub-Processor is certified, and (ii) the EU Standard Contractual Clauses (Module Two: Controller-to-Processor; Module Three: Processor-to-Processor where applicable) as the contractual fallback in all cases.
Customer may select an in-region AI Sub-Processor where the Service supports such selection, subject to the availability of the requested model in the requested region.
12.7 EU AI Act Deployer Support
Where Customer is a “deployer” under the EU AI Act, Bodaty will, on written request and at Customer’s reasonable cost, provide the technical and procedural support required for Customer’s compliance with Article 26 (Obligations of Deployers of High-Risk AI Systems), as further detailed in our Terms of Service Section 6.9 and the Data Processing Agreement Section 12.
12.8 Colorado AI Act Compliance
For decisions affecting Colorado residents that fall within the scope of the Colorado Artificial Intelligence Act (effective June 30, 2026), Bodaty supports Customer’s deployer obligations including: pre-use notice generation, adverse-action notice generation, and risk-assessment documentation. Customer is the deployer and bears primary compliance responsibility; Bodaty provides technical support consistent with the rebuttable-presumption framework of the Act.
12.9 AI Transparency Reports
We publish periodic AI transparency reports covering:
- AI feature usage statistics (aggregated; never personally identifying)
- Model performance and accuracy metrics
- Changes to AI capabilities, AI Sub-Processors, and supported regions
- Aggregate volume of pre-use notices, opt-outs, and human-review requests honored
13. Third-Party Integrations
13.1 How Integrations Work
AICtrlNet allows you to connect third-party services. When you connect an integration:
- You authorize the third party to share data with us
- You authorize us to send data to the third party
- Each integration has specific permissions you control
- You can revoke integrations at any time
13.2 Types of Integrations
| Integration Type | Examples | Data Exchanged |
|---|---|---|
| Authentication Providers | Google, GitHub, Microsoft, Okta | Profile information, authentication status |
| Cloud Platforms | AWS, Azure, GCP | Resource metadata, execution triggers |
| Communication Tools | Slack, Microsoft Teams | Notifications, approvals |
| Data Sources | Databases, APIs, file storage | Data as configured in workflows |
| AI Services | LLM providers, ML platforms | Prompts and responses |
13.3 Integration Privacy Responsibilities
- Our Responsibility: Securely transmitting data, honoring your integration settings, providing audit logs
- Third-Party Responsibility: Their handling of data is governed by their privacy policies
- Your Responsibility: Reviewing third-party privacy policies, configuring appropriate permissions
13.4 Managing Integrations
You can:
- View all connected integrations in account settings
- See permissions granted to each integration
- Revoke integrations at any time
- Export integration connection history
13.5 OAuth Scopes
When connecting via OAuth, we request only necessary permissions:
- We document each scope and its purpose
- We refresh tokens securely
- We delete tokens when you revoke access
14. Contact Information
14.1 Privacy Inquiries
For questions, concerns, or requests related to this Privacy Policy:
Email: privacy@aictrlnet.com
Subject Line: Include “Privacy Inquiry” for faster routing
Mailing Address:
Bodaty LLC
Attn: Privacy Team
200 E. 5th Ave., Suite 121DE
Naperville, IL 60563
14.2 Data Protection Officer
For GDPR-related matters or to contact our Data Protection Officer:
Email: dpo@aictrlnet.com
14.3 Response Time
We aim to respond to all privacy inquiries within:
- 48 hours for acknowledgment
- 30 days for substantive response or request fulfillment
- 45 days for CCPA requests (with possible 45-day extension)
14.4 Verification
For data access, deletion, or other requests, we may need to verify your identity:
- We will request information sufficient to verify you are the account holder
- We will not request unnecessary sensitive information
- Authorized agents must provide proof of authorization
15. Changes to This Policy
15.1 Notification of Changes
When we make changes to this Privacy Policy:
Material Changes:
- We will notify you by email at least 30 days before the changes take effect
- We will post a prominent notice on our website and in the application
- We will update the “Last Updated” date at the top of this policy
Non-Material Changes:
- We will update this policy and the “Last Updated” date
- Changes will be effective immediately upon posting
15.2 Your Choices After Changes
After receiving notice of material changes:
- You may continue using the Service, indicating acceptance
- You may delete your account if you do not agree with the changes
- Enterprise customers may have contractual protections against certain changes
15.3 Version History
We maintain a version history of this Privacy Policy. Previous versions are available upon request by emailing privacy@aictrlnet.com.
Supplemental Notices
For Business Customers
If you use AICtrlNet under a Business subscription, additional terms may apply:
- Our Data Processing Agreement (DPA) governs data processing on your behalf
- The DPA takes precedence in case of conflict with this Privacy Policy
- Business Account administrators have additional controls and responsibilities
For Enterprise Customers
Enterprise customers receive:
- Dedicated Data Processing Agreements
- Custom data retention policies
- Geographic data residency options
- Enhanced audit logging and access controls
- HIPAA Business Associate Agreements (where applicable)
- Custom security assessments and documentation
For Open Source Users
If you self-host AICtrlNet Community Edition:
- This Privacy Policy governs only our hosted services
- Self-hosted instances process data according to your own policies
- We do not receive data from self-hosted installations unless you enable optional telemetry
- Self-hosted telemetry is opt-in, anonymized, and limited to aggregate usage statistics
Definitions
| Term | Definition |
|---|---|
| Personal Data/Information | Information that identifies, relates to, describes, or could be linked to a particular individual |
| Processing | Any operation performed on personal data, including collection, storage, use, and deletion |
| Data Controller | Entity that determines the purposes and means of processing personal data |
| Data Processor | Entity that processes personal data on behalf of a data controller |
| Service | The AICtrlNet platform and HitLai user interface |
| Platform | Same as Service |
| Workflow Data | Data you create, process, or generate using AICtrlNet workflows |
Summary of Rights by Jurisdiction
| Right | All Users | GDPR (EU/UK) | CCPA (California) |
|---|---|---|---|
| Access your data | Yes | Yes | Yes |
| Correct your data | Yes | Yes | Yes |
| Delete your data | Yes | Yes | Yes |
| Export your data | Yes | Yes | Yes |
| Opt-out of marketing | Yes | Yes | Yes |
| Opt-out of sale | N/A | N/A | Yes (we don’t sell) |
| Restrict processing | Limited | Yes | Limited |
| Object to processing | Limited | Yes | Limited |
| Withdraw consent | Yes | Yes | Yes |
| Lodge a complaint | Support | Supervisory Authority | AG/Support |
| Non-discrimination | Yes | Yes | Yes |
This Privacy Policy is effective as of May 1, 2026.