Privacy Policy
Effective date: March 22, 2026
1. Who we are
AI Vitals (“we,” “our,” or “us”) operates the AI Vitals platform — a continuous AI literacy and fluency assessment tool for individuals and organizations. This policy explains what data we collect, how we use it, and the rights you have over it.
2. Data we collect
Account information
Your name, email address, job title, and organization affiliation when you create an account or are invited by your organization.
Assessment and learning data
Your responses to assessment questions, dimension scores (L1–F3), lesson completions, practice session content, reflections, and coaching conversation history. This is the core data that powers your skill profile.
Usage and signal data
Learning touchpoints such as lesson views, reflection submissions, and practice attempts — tagged to dimensions and used to keep your score current between formal assessments.
Billing information
Payment is processed by Stripe. We store your subscription tier and billing status but never your full card number. Stripe's privacy policy governs their handling of payment data.
Technical data
IP address, browser type, and standard server logs used for security, debugging, and abuse prevention. We do not sell or share this data for advertising.
3. How we use your data
- Generating and maintaining your AI skill profile across six dimensions.
- Powering AI-driven features: coaching, debrief sessions, practice feedback, growth narratives, and team gap analysis.
- Providing managers and L&D administrators with aggregated team insights (individual scores are visible to admins within your organization).
- Sending progress notifications, review reminders, and milestone alerts.
- Improving our assessment framework and AI features (using anonymized, aggregated data).
- Processing billing and communicating about your subscription.
4. AI and your data
The AI we use
AI Vitals uses Claude, made by Anthropic, to power coaching, feedback, debrief sessions, and analysis features. When you interact with an AI feature, your content is sent to Anthropic's API to generate a response and then returned to you. Anthropic acts as a data processor on our behalf.
Anthropic does not train on your data
Anthropic's policy for API customers (which includes AI Vitals) is that inputs and outputs are not used to train their models by default. Your coaching conversations, assessment responses, and practice content are processed transiently to generate your response and are not retained by Anthropic to improve their models. You can read Anthropic's usage policy at anthropic.com/legal/aup.
Data Processing Addendum (DPA)
Our relationship with Anthropic is governed by Anthropic's Data Processing Addendum, which is automatically incorporated into the Anthropic Commercial Terms of Service accepted by enterprise and commercial API customers. The DPA includes Standard Contractual Clauses (SCCs) for international data transfers, ensuring adequate protection for data transferred from the EU/EEA to the United States under GDPR Article 46.
What we actually send to Claude
We practice data minimization when constructing AI prompts. Specifically:
- Only your first name (not your full name) is included in coaching and debrief prompts.
- Dimension scores are sent as band labels (e.g., “Developing”, “Proficient”) rather than raw numeric scores wherever possible.
- Your email address, employer name, and billing information are never included in prompts.
- Content you type into coaching conversations is sent to generate your response and is not retained beyond your session by Anthropic.
Automated decision-making
Your assessment scores are generated by our scoring algorithm based on your self-reported responses — not solely by AI. If you are in the EU/EEA, you have the right under GDPR Article 22 to request human review of any assessment result you believe does not accurately reflect your abilities. See Section 7 (Your Rights) for how to exercise this right.
5. Data sharing
We do not sell your personal data. We share data only in these circumstances:
- Your organization: If you access AI Vitals through an employer or institution, administrators with roles of Manager, Department Head, L&D Admin, or Executive can view your scores and progress within that organization. Your AI coaching conversations are private to you and are not visible to your manager unless you explicitly choose to share them.
- Anthropic (AI processing): Content you send through AI features is processed by Anthropic's Claude API under their Data Processing Addendum. Anthropic does not use API data for model training.
- Supabase (database and auth): Your account data, assessment records, and application data are stored in Supabase's managed PostgreSQL infrastructure. Supabase processes data under a Data Processing Agreement compliant with GDPR Article 28.
- Stripe (payments): Payment processing is handled by Stripe under their own privacy policy and DPA. We do not store full card numbers.
- Vercel (hosting): The application runs on Vercel's infrastructure. Vercel processes request data (including IP addresses) as part of serving the application. Vercel's DPA is available at vercel.com/legal/dpa.
- Legal requirements: When required by law, court order, or to protect the safety of users or the public.
6. Data retention
We retain your data for as long as your account is active. Specific retention schedules by data type:
| Data type | Retention period |
|---|---|
| Account profile (name, email, role) | Until account deletion, then deleted within 30 days |
| Assessment scores and responses | Duration of account + 2 years (for longitudinal progress tracking) |
| AI coaching conversations | 1 year from session date, or until account deletion |
| Assessment disclosure acknowledgments | 3 years (compliance audit record) |
| Billing records | 7 years (financial/tax compliance) |
| Server and security logs | 90 days |
| Anonymized, aggregated data | Indefinitely (no personal data retained) |
If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (noted above). You may request earlier deletion by contacting us at the address in Section 12.
7. Your rights
Depending on your location, you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of your account and associated data.
- Object to or restrict certain processing activities.
- Data portability — receive your data in a machine-readable format.
- Human review of automated assessment results (GDPR Article 22): If you are in the EU/EEA and believe your assessment score does not accurately reflect your actual AI skills, you have the right to request a human review. Contact your organization's L&D administrator, or reach us directly at privacy@aivitals.ai with the subject line “Human Review Request.” We will respond within 30 days.
To exercise any of these rights, contact us at the address in Section 12. We will respond within 30 days.
8. Cookies and tracking
We use only functional cookies required for authentication and session management (via Supabase Auth). We do not use advertising cookies or third-party tracking pixels.
9. Security
All data is encrypted in transit (TLS) and at rest. Row-level security is enforced at the database layer so users can only access their own data. Organizational data is scoped to authenticated members of that organization. We conduct regular security reviews of our infrastructure and dependencies.
10. International data transfers
AI Vitals is operated from the United States. If you access the platform from the EU/EEA, your personal data is transferred to and processed in the US. We ensure appropriate safeguards are in place for these transfers:
- Supabase: Data transfer covered by Standard Contractual Clauses (SCCs) under GDPR Article 46.
- Anthropic: Data transfer covered by SCCs included in Anthropic's Data Processing Addendum.
- Vercel: Data transfer covered by Vercel's DPA and SCCs.
- Stripe: Data transfer covered by Stripe's DPA and SCCs.
You can request a copy of the relevant SCCs or transfer mechanisms by contacting us at the address in Section 12.
11. Changes to this policy
We may update this policy as our product evolves. If we make material changes, we will notify you by email or via an in-app notice at least 14 days before the change takes effect. Continued use of AI Vitals after that date constitutes acceptance of the updated policy.
12. Contact
Questions about this policy, your data, or to exercise your rights? Reach us at privacy@aivitals.ai. For human review requests, include “Human Review Request” in the subject line.