Stratimind
Privacy Policy
Last updated: March 2026 · Version 2.0
Three commitments — stated plainly

Before the legal detail, three things we commit to without qualification:

No model training. Your session content — including all strategic inputs, responses, and business information — is never used to train, fine-tune, evaluate, or improve any AI model, by Stratimind or by any infrastructure provider we engage. This is a contractual obligation at every layer of the stack, not a discretionary policy.

No human review. No Stratimind personnel access or review your session content as part of normal operations. The assessment is generated by the system. Your inputs are processed ephemerally at inference time only.

No third-party disclosure. Nothing you share leaves this engagement except as required by applicable law. Client Privilege Framework commitments survive the conclusion of your session and any termination of the platform.

What this document covers

This Privacy Policy explains how Stratimind collects, processes, stores, and protects information you provide when engaging with our platform and diagnostic services. It applies to all users globally, including users in the European Economic Area (EEA), the United Kingdom, and the State of California. By accessing this site or initiating a session, you acknowledge that you have read and understood this policy.

This policy forms part of our binding legal framework alongside our Terms of Service. In the event of any conflict, the Terms of Service shall prevail with respect to commercial matters; this policy shall prevail with respect to personal data processing.

Information we collect

During a diagnostic session we collect the following categories of data:

Category | Examples | Purpose
Identity data | Name or preferred form of address | Session personalisation
Contact data | Email address | Report delivery only
Session content | Conversational responses during the diagnostic | Generation of your Assessment
Technical metadata | Session ID, timestamps, language preference | Service operation and security
Payment data | Transaction reference only | Billing confirmation (no card data stored)

We do not collect government-issued identification, biometric data, health data, or any special category data as defined under GDPR Article 9. Payment card information is processed exclusively by our third-party payment processor and is never transmitted to or stored by Stratimind.

Legal basis for processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following legal bases pursuant to Article 6 of the UK/EU General Data Protection Regulation:

Processing Activity | Legal Basis
Conducting your diagnostic session and generating your Assessment | Article 6(1)(b) — Performance of a contract
Delivering your report by email | Article 6(1)(b) — Performance of a contract
Maintaining session records for security and fraud prevention | Article 6(1)(f) — Legitimate interests
Compliance with legal obligations | Article 6(1)(c) — Legal obligation

We do not rely on consent as a legal basis for core service delivery. We do not engage in automated decision-making or profiling as defined under GDPR Article 22 that produces legal or similarly significant effects.

Data sharing and sub-processors

Stratimind does not sell, rent, trade, or commercially exploit your personal or business data. We do not share your data with third parties for their own marketing, research, or commercial purposes under any circumstances.

To deliver this service, we engage a limited number of trusted infrastructure sub-processors. Each provider is selected based on its compliance with recognised data protection standards, and operates under a binding Data Processing Addendum (DPA) or equivalent contractual instrument that: (a) restricts data use solely to the specific technical function engaged; (b) explicitly prohibits use of your data for model training, research, or secondary commercial purposes; and (c) requires appropriate technical and organisational security measures.

Our sub-processors perform the following categories of function:

Function | Certification Standards | Processing Location
AI inference and analytical processing — Enterprise-tier infrastructure providing the primary analytical capability of the platform | SOC 2 Type II · ISO/IEC 27001 · ISO 27017 · ISO 27018 · GDPR compliant · HIPAA-eligible configurations available | Enterprise cloud regions (enterprise DPA with Standard Contractual Clauses applies)
Workflow orchestration and session routing — Secure automated processing and session management | GDPR Data Processing Agreement · automatic execution log pruning · no retention of session content beyond technical processing | EU/EEA regions per configuration
Encrypted session data storage and authentication — Secure storage of session metadata and access management | SOC 2 Type II · AES-256 encryption at rest · TLS 1.2+ in transit | EEA-compatible hosting with data residency controls
Report generation and delivery — Secure rendering and delivery of your diagnostic assessment | EU-hosted infrastructure · no content retention beyond delivery | EU region
Payment processing — Payment authorisation only; no payment card data reaches or is stored by Stratimind | PCI DSS compliant · per processor's own privacy policy | Per processor's own policy

Our complete sub-processor list, including provider names and applicable DPA references, is available upon request to users who require it for enterprise due diligence, institutional procurement, or GDPR Article 28 compliance purposes. To request this list, contact support@stratimind.org with the subject line Sub-processor List Request.

We reserve the right to update our sub-processor list. For material changes, we will provide 30 days' notice where reasonably practicable. Continued use of the platform after such notice constitutes acceptance of the updated list. Where required by applicable law, we will obtain your consent before engaging a new sub-processor that materially changes the nature of processing.

AI model training policy

Zero Training Commitment. Your session content — including all inputs, responses, strategic information, and business data — is contractually prohibited from being used to train, fine-tune, evaluate, or improve any AI model, whether proprietary or third-party. This obligation is enforced at the infrastructure level through binding DPAs with all AI processing providers. It is not a discretionary policy — it is a contractual restriction that applies regardless of which AI models power the analytical layer.

Your proprietary business information — including market assessments, competitive intelligence, financial data, strategic plans, product details, and investment theses — is processed solely to generate your Assessment and is not retained for secondary purposes. Session inputs are processed at inference time only; there is no cross-contamination of analytical logic between different client sessions.

International data transfers

As Stratimind utilises cloud infrastructure that may be located outside the European Economic Area, we ensure that all international transfers of personal data are subject to appropriate safeguards as required by Chapter V of the GDPR. Specifically:

All international transfers of personal data to sub-processors are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent transfer mechanisms recognised under applicable data protection law. Where a sub-processor is located in a country without an adequacy decision, we rely on SCCs or equivalent approved transfer mechanisms. Transfer documentation is available upon request for enterprise due diligence purposes.

Confidentiality commitment

Stratimind treats all session content as strictly confidential under our Client Privilege Framework. We will not disclose, reproduce, or reference your session content — including the nature of your business, your strategic questions, or your assessment output — to any third party under any circumstances, except: (i) where required by applicable law or a valid legal order issued by a court of competent jurisdiction; or (ii) with your explicit prior written consent. This commitment survives the conclusion of your engagement and any termination of the platform.

We acknowledge that information you provide may constitute trade secrets, inside information, or commercially sensitive material, and we apply corresponding levels of operational security.

Data retention

We apply the principle of data minimisation in all retention decisions. Session conversational content and strategic inputs are retained only for the period required to produce and deliver your Assessment, after which they are purged from active systems in accordance with our data minimisation policy. Session metadata (session ID, timestamps, report delivery confirmation) is retained for a period not exceeding 12 months for security, fraud prevention, and service integrity purposes, after which it is deleted or anonymised. Email addresses used for report delivery are not added to any marketing list without your explicit prior consent and are deleted upon request.

Infrastructure security

Stratimind's infrastructure is built on enterprise-grade cloud services. Key security measures include: encryption of all data in transit using TLS 1.2 or higher; encryption of all data at rest using AES-256; access controls limiting internal access to session data on a strict need-to-know basis; and sub-processor selection criteria requiring demonstrable compliance with recognised security standards.

Our primary AI processing infrastructure maintains independent third-party certifications including ISO/IEC 27001, SOC 2 Type II, and SOC 3, and operates in compliance with GDPR, HIPAA-eligible configurations, and applicable data protection frameworks. Certification documentation is available upon request for enterprise due diligence purposes — contact support@stratimind.org with the subject line Security Certifications Request.

California privacy rights (CCPA / CPRA)

If you are a resident of the State of California, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include the right to know what personal information we collect and how it is used; the right to delete personal information we hold about you; the right to correct inaccurate personal information; and the right to opt out of the sale or sharing of personal information.

Stratimind does not sell or share your personal information as those terms are defined under the CCPA/CPRA. We do not use your data for cross-context behavioural advertising. To exercise any of your California privacy rights, contact us at support@stratimind.org with the subject line "CCPA Rights Request." We will respond within 45 days as required by applicable law.

AI system disclosure

In accordance with transparency obligations under the EU AI Act (Regulation (EU) 2024/1689) and equivalent applicable law: Stratimind's sessions involve interaction with an AI-powered analytical system, not a human advisor. This service does not fall within the high-risk AI system categories defined in Annex III of the EU AI Act. No automated decisions are made that produce legal or similarly significant effects on individuals. All outputs constitute analytical opinion only. We monitor developments in AI regulation and will update our practices as applicable requirements come into force.

Your rights (all users)

Regardless of your location, you may request: access to the personal data we hold about you; correction of inaccurate personal data; deletion of your personal data (subject to any legal retention obligations); restriction of processing in certain circumstances; and portability of your data in a structured, machine-readable format where technically feasible.

To exercise any of these rights, contact support@stratimind.org. Requests will be acknowledged within 5 business days. We will aim to fulfil requests within 30 days; complex requests may require up to 90 days, in which case we will notify you of the extended timeline. We will not discriminate against you for exercising any privacy right.

If you are located in the EEA or UK and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your relevant supervisory authority.

Cookies and tracking

Stratimind uses only technically necessary cookies and session tokens required for platform operation. We do not use third-party advertising cookies, cross-site tracking technologies, or analytics that involve transmission of personal data to advertising networks. No cookie consent banner is currently required as we do not deploy non-essential cookies; this policy will be updated if that changes.

Changes to this policy

We may update this Privacy Policy to reflect changes in our practices, applicable law, or infrastructure. Material changes will be indicated by a revised "Last updated" date at the top of this document. We encourage you to review this policy periodically. Continued use of the platform following any update constitutes acceptance of the revised policy.

Contact and data controller

For all privacy-related enquiries, requests, or complaints, contact: support@stratimind.org. For enterprise clients requiring a formal Data Processing Addendum (DPA) pursuant to GDPR Article 28, our standard DPA is available upon request.

Last updated: March 2026 · Version 2.0 · Applies to all engagements via the Stratimind platform · Support: support@stratimind.org