Privacy Policy

Effective Date: January 1, 2025
Last Updated: December 12, 2024

1. Introduction

Nuwest AI LLC ("Company", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services including Sextant and related research platforms (the "Services").

Key Commitments:

  • We do not sell your personal data to third parties
  • We encrypt all data in transit and at rest
  • We maintain multi-tenant data isolation (your data is never visible to other organizations)
  • We are SOC 2 Type II compliant and GDPR-ready
  • You retain ownership of all content you create

2. Information We Collect

2.1 Information You Provide

Account Information: When you create an account, we collect:

  • Name, email address, company name
  • Role/title, phone number (optional)
  • Password (stored as cryptographic hash only)
  • Billing information (processed by third-party payment processor)

Exercise Content: When you use the Service, we collect:

  • Exercise transcripts and participant responses
  • Custom scenarios you create
  • Compliance reports you generate
  • Team member invitations and roles
  • Settings and preferences

2.2 Automatically Collected Information

Usage Data: We automatically collect:

  • IP address, browser type, operating system
  • Pages visited, features used, time spent
  • Device identifiers (anonymized)
  • Referral source (how you found us)

Cookies and Tracking: We use cookies for:

  • Authentication (session management)
  • Preferences (language, interface settings)
  • Analytics (understanding how you use the Service)
  • Security (detecting suspicious activity)

You can disable cookies in your browser, but some features may not work correctly.

3. How We Use Your Information

We use the information we collect to:

3.1 Provide the Service

  • Create and manage your account
  • Facilitate tabletop exercises (AI Games Master, AI NPCs)
  • Generate compliance reports
  • Process billing and payments
  • Provide customer support

3.2 Improve the Service

  • Analyze usage patterns to improve features
  • Train and improve AI models (using aggregated, anonymized data)
  • Fix bugs and technical issues
  • Develop new features based on user feedback

3.3 Communicate With You

  • Send service announcements and updates
  • Respond to support requests
  • Send security alerts and important notices
  • Send marketing communications (with your consent, opt-out anytime)

3.4 Security and Compliance

  • Detect and prevent fraud, abuse, and security incidents
  • Enforce our Terms of Service
  • Comply with legal obligations (e.g., responding to lawful requests)
  • Maintain audit logs for security and compliance

4. How We Share Your Information

We do NOT sell your personal data. We share information only in these limited circumstances:

4.1 Service Providers

We share data with third-party vendors who help us provide the Service:

  • Cloud Hosting: Google Cloud Platform (data encrypted, multi-tenant isolation)
  • Payment Processing: Stripe (PCI-DSS compliant, we do not store credit card numbers)
  • Email Service: SendGrid (for transactional emails and notifications)
  • Analytics: Google Analytics (anonymized data only)
  • AI Services: OpenAI, Anthropic (for AI Games Master and NPCs - see section 5)

All service providers are contractually required to protect your data and use it only for providing their services to us.

4.2 Legal Requirements

We may disclose your information if required by law or in response to:

  • Valid legal process (subpoena, court order, search warrant)
  • Government or regulatory requests
  • Emergencies involving danger of death or serious physical injury
  • Enforcement of our Terms of Service or protection of our legal rights

4.3 Business Transfers

If nuwest.ai is acquired or merged with another company, your information may be transferred to the new owner. We will notify you before this happens and provide options to delete your account if you choose.

4.4 Aggregated Data

We may share aggregated, anonymized data (e.g., "50% of users run ransomware scenarios") for research, marketing, or industry reports. This data cannot be used to identify you or your organization.

5. AI and Machine Learning

How We Use AI: Sextant uses AI models (OpenAI GPT, Anthropic Claude) to power the AI Games Master and AI NPCs. When you run an exercise:

  • Your prompts and exercise context are sent to AI providers for processing
  • AI responses are generated in real-time and stored in your account
  • We do NOT use your exercise data to train third-party AI models (zero-retention data processing agreements)
  • Exercise transcripts remain private to your organization (multi-tenant isolation)

Model Improvement: We may use aggregated, anonymized usage data to improve our own internal systems, but never share your specific exercise content with AI providers for training purposes.

6. Data Security

We implement industry-standard security measures to protect your data:

6.1 Encryption

  • In Transit: TLS 1.3 for all connections (HTTPS)
  • At Rest: AES-256 encryption for database storage
  • Backups: Encrypted backups stored in separate geographic regions

6.2 Access Controls

  • Multi-tenant data isolation (PostgreSQL Row-Level Security)
  • Role-based access control (RBAC) for team members
  • Multi-factor authentication (MFA) supported
  • Employee access logs and audit trails

6.3 Compliance

  • SOC 2 Type II certified
  • GDPR-compliant data processing
  • Regular security audits and penetration testing
  • Incident response plan and breach notification procedures

Note: No security system is 100% impenetrable. While we take extensive measures to protect your data, we cannot guarantee absolute security.

7. Data Retention

Active Accounts: We retain your data for as long as your account is active or as needed to provide the Service.

Inactive Accounts: If your account is inactive for 12 consecutive months, we will send notice before deleting your data.

Account Deletion: When you delete your account:

  • You have 30 days to export your data
  • After 30 days, all data is permanently deleted from our systems
  • Backups are purged within 90 days
  • Some data may be retained for legal compliance (e.g., billing records for tax purposes)

8. Your Privacy Rights

Depending on your location, you may have the following rights:

8.1 Access and Portability

  • Access: Request a copy of your personal data
  • Portability: Export your exercise data in JSON format

8.2 Correction and Deletion

  • Correction: Update inaccurate information in your account settings
  • Deletion: Request deletion of your account and data (30-day retention for export)

8.3 Control and Opt-Out

  • Marketing Emails: Opt-out via unsubscribe link (you'll still receive service emails)
  • Cookies: Manage cookie preferences in your browser
  • Analytics: Request to opt-out of analytics tracking

8.4 GDPR Rights (EU/EEA Users)

  • Right to access, rectification, erasure, restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with your local data protection authority

8.5 CCPA Rights (California Users)

  • Right to know what personal information we collect and how we use it
  • Right to delete your personal information
  • Right to opt-out of sale (note: we do not sell personal information)
  • Right to non-discrimination for exercising your rights

To exercise your rights, contact: privacy@nuwest.ai

9. International Data Transfers

Our servers are located in the United States (Google Cloud Platform - us-central1 region). If you access the Service from outside the US, your data will be transferred to and processed in the US.

EU/EEA Users: We use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for data transfers to the US.

Data Localization: Enterprise customers can request data residency in EU regions (subject to additional fees).

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected data from a child, we will delete it immediately.

If you believe a child has provided us with personal information, please contact us at privacy@nuwest.ai.

11. Third-Party Links

The Service may contain links to third-party websites or services (e.g., compliance framework documentation, social media). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice within the Service

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: