01 Introduction
This Privacy Policy describes how Ahmed Adel Bakr Alderai ("Provider", "we", "us", or "our") collects, uses, stores, and protects information in connection with the UMMRO AI Safety Audit Service ("Service").
We are committed to protecting your privacy and handling your data transparently. This policy applies to all users of the Service, including the REST API, CLI tool, and any associated web properties.
02 Data Controller
The data controller for information processed through the Service is:
03 Data We Collect
3.1 Information You Provide Directly
| Data Category | Examples | Purpose |
|---|---|---|
| Contact Information | Name, email address, company name, job title | Account management, report delivery, communication |
| Billing Information | Payment method details, billing address, invoice records | Payment processing |
| Audit Inputs | Prompts, reframing parameters, model selection preferences | Audit execution |
| API Keys | Third-party AI provider API keys submitted for testing | Authenticating with AI providers during audit execution |
3.2 Information Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| API Request Metadata | Timestamps, endpoint accessed, HTTP method, response codes | Service monitoring, debugging, rate limiting |
| CLI Usage Metadata | Command flags used, execution mode, model group selected | Service improvement |
3.3 Information We Do NOT Collect
- No cookies are used on the UMMRO landing page (static site).
- No tracking pixels, analytics scripts, or third-party trackers are embedded.
- No device fingerprinting or behavioral profiling is performed.
- No social media integrations that transmit data to third parties.
04 How We Use Your Data
We process your data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Executing the AI safety audit you requested | Performance of contract (Art. 6(1)(b)) |
| Delivering the audit report to you | Performance of contract (Art. 6(1)(b)) |
| Processing payment for the Service | Performance of contract (Art. 6(1)(b)) |
| Responding to support inquiries | Legitimate interest (Art. 6(1)(f)) |
| Improving the Service using anonymized, aggregated data | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (tax records, fraud prevention) | Legal obligation (Art. 6(1)(c)) |
We do not use your data for marketing, advertising, profiling, or automated decision-making unless you have given explicit consent.
05 How We Process Audit Data
5.1 Local Processing
All audit orchestration, reframing logic, and report generation run on Provider-controlled infrastructure. Your prompts and parameters are processed locally within our systems.
5.2 Third-Party AI Providers
During audit execution, your prompts (after reframing and sanitization) are transmitted to the AI providers you selected for testing. This is the core function of the Service -- evaluating how those providers respond to reframed prompts.
AI providers that may receive reframed prompts include:
We transmit only the reframed prompt and necessary API parameters. We do not share your name, email, company, or any other personal information with these providers.
5.3 API Keys
If you provide your own API keys for testing, those keys are:
- Encrypted at rest using AES-256 encryption.
- Used exclusively to authenticate API calls to the designated provider during audit execution.
- Never logged, cached beyond the active audit session, or shared with any party.
- Permanently deleted within 24 hours of audit completion or within the 30-day data retention window, whichever is earlier.
5.4 No Other Third-Party Sharing
We do not sell, rent, or share your personal data or audit data with any third party beyond the AI providers being tested as part of the audit. We do not use third-party analytics services, advertising networks, or data brokers.
06 Data Retention
| Data Type | Retention Period |
|---|---|
| Audit inputs (prompts, parameters) | 30 days after report delivery, then permanently deleted |
| API keys provided for testing | Deleted within 24 hours of audit completion |
| Audit reports (Provider copy) | 30 days after delivery, then permanently deleted |
| Contact and billing information | Duration of business relationship + 7 years (legal/tax obligations) |
| API request metadata (anonymized) | 90 days |
A different retention period may be agreed upon in writing via a Service Agreement. Upon request, we can delete your data sooner (see Section 7).
07 Your Rights (GDPR and Applicable Law)
If you are located in the European Economic Area (EEA), the United Kingdom, or any jurisdiction with equivalent data protection laws, you have the following rights:
7.1 Right of Access Art. 15 GDPR
You may request a copy of all personal data we hold about you. We will respond within 30 days.
7.2 Right to Rectification Art. 16 GDPR
You may request correction of inaccurate or incomplete personal data.
7.3 Right to Erasure Art. 17 GDPR
You may request deletion of your personal data. Upon receiving a valid erasure request, we will:
- Delete all audit inputs, reports, and associated data from our systems.
- Confirm deletion in writing within 30 days.
- Note: We may retain certain data where required by law (e.g., billing records for tax compliance).
7.4 Right to Data Portability Art. 20 GDPR
You may request your data in a structured, commonly used, machine-readable format (JSON). This includes your audit inputs, configuration parameters, and report data.
7.5 Right to Restrict Processing Art. 18 GDPR
You may request that we restrict the processing of your data while a complaint or dispute is being resolved.
7.6 Right to Object Art. 21 GDPR
You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
7.7 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
7.8 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection supervisory authority.
How to Exercise Your Rights
Submit requests to: privacy@ummro.ai
We will verify your identity before processing any request. Responses will be provided within 30 days. Complex requests may require an extension of up to 60 additional days, in which case you will be notified.
08 Data Security
We implement the following technical and organizational measures to protect your data:
Encryption in transit
All data transmitted to and from the Service uses TLS 1.3.
Encryption at rest
Sensitive data (including API keys) is encrypted using AES-256.
Access control
Access to Client data is restricted to the Provider on a need-to-know basis.
Infrastructure security
Services run on hardened infrastructure with regular security updates.
Audit logging
All access to Client data is logged for accountability.
Secure deletion
Data is permanently deleted using cryptographic erasure at the end of the retention period.
09 International Data Transfers
If your data is transferred outside your jurisdiction (e.g., when reframed prompts are sent to AI providers whose servers may be in different countries), such transfers are necessary for the performance of the audit service you requested. We rely on:
- Standard Contractual Clauses (SCCs) where applicable.
- The necessity of the transfer for performing the contract with you (Art. 49(1)(b) GDPR).
10 Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will promptly delete it.
11 Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or posted on the Service website at least 30 days before taking effect. The "Last Updated" date at the top of this document will be revised accordingly.
12 Contact
For privacy-related inquiries, data subject requests, or complaints: