Legal

Privacy Policy

Last updated: 12 May 2026

1. Who We Are

Responsible AI Studio operates the AI-governance tools and content at responsibleaistudio.com. We are the data controller for personal data processed through our services.

Contact: support@responsibleaistudio.com

2. What Data We Collect

2a. Tool input data (non-personal)

When you use our tools you provide contextual inputs such as jurisdiction, industry, staff size, risk appetite, and optionally an organisation name. This information is used to generate your requested document during the request and is not linked to any individual identity. We do not require you to create an account to use our tools.

2b. Email address

We collect your email address on the following surfaces — each with its own purpose. Where the law requires consent, we collect it before sending marketing email; where the relationship is purely transactional we rely on contract or our legitimate interest in responding.

  • Newsletter signup — the footer form, the Responsible AI Studio Brief page, the brief index, and the score completion page allow you to subscribe to the weekly Responsible AI Studio Brief. Subscription is opt-in and stored in Resend Audiences. You can unsubscribe at any time using the link in every issue.
  • Readiness Score — if you complete the Readiness Score at /score, you voluntarily provide an email so we can deliver your personalised mini-report. Your contact is then tagged in Resend with your score band so we can send relevant follow-ups. You can unsubscribe at any time.
  • Stripe-derived contact — checkout-implies-newsletter. When you purchase a tool, Stripe collects your email at checkout and our backend receives that email via the checkout.session.completed webhook. We add the email to the Responsible AI Studio Brief audience so you receive product updates and tips relevant to the tool you purchased. You can unsubscribe at any time via the link in any email; doing so does not affect your access to the tool or the document you generated. If you do not want to receive the weekly brief, unsubscribe immediately after your purchase confirmation.
  • Feedback form — when you submit feedback at /feedback, your name, email, and message are delivered as a transactional email through Resend to our support inbox. We retain the email as part of normal inbox triage. We use this information only to read, triage, and reply.
  • Chatbot interactions — our in-product chatbot, the Responsible AI Studio Assistant, runs anonymously by default and stores no personally identifying information unless you voluntarily provide an email mid-conversation (for example to receive a personalised follow-up or a sample artifact). If you do, that email and the conversation that followed are linked together in our chatbot database and upserted to Resend Audiences with a source tag of chatbot.

2c. Payment data

All payments are processed by Stripe under their own PCI-DSS certified infrastructure. We never see, store, or process your card or banking details. Stripe provides us with limited transaction metadata (transaction ID, amount, timestamp, payment status, and the email you entered at checkout) for order fulfilment and refund processing.

2d. Server logs and technical metadata

Our hosting infrastructure (Vercel for the frontend, Railway for the backend) records standard server logs including IP addresses, request paths, response timestamps, and user-agent strings. These logs are retained for approximately 30 days for operational and security purposes and are not used for marketing or advertising.

For the chatbot specifically, we store a salted SHA-256 hash of your IP address — not the IP itself — so we can apply rate limits and detect abuse without retaining your raw IP.

2e. Cookies

We use a minimal set of cookies described in our Cookie Policy.

3. How We Use Your Data

  • To generate your requested document.
  • To process and verify your payment.
  • To deliver the weekly Responsible AI Studio Brief and the welcome sequence to subscribers.
  • To answer your feedback or chatbot questions.
  • To operate, maintain, and improve our services.
  • To investigate and prevent fraud or abuse.

We do not use your data for behavioural advertising, profiling, or sell it to third parties.

4. Lawful Basis for Processing (GDPR / UK GDPR)

  • Consent for marketing email (newsletter subscription, score follow-ups, chatbot lead-magnet follow-ups). You can withdraw at any time by unsubscribing.
  • Contract performance for processing a tool purchase, generating the document, and providing the receipt.
  • Legitimate interests for operating, securing, and improving the platform, and for the post-purchase newsletter addition (necessary to keep tool buyers informed about updates; always overridden by your unsubscribe).
  • Legal obligation for retaining transaction records.

5. Third-Party Processors

We share personal data only with the processors below, each under a data-processing agreement.

  • Stripe — payment processing. Card data is held by Stripe; we receive only limited metadata.
  • Anthropic — AI generation. Your tool inputs and chatbot messages are transmitted to Anthropic’s Claude API to generate responses. Per the Anthropic Commercial Terms of Service applicable to API customers, Anthropic does not use data submitted via its API to train its models.
  • Resend — transactional and bulk email delivery (feedback form, score mini-report, weekly brief, welcome sequence, chatbot follow-ups).
  • Vercel — frontend hosting and standard request logs.
  • Railway — backend hosting and standard request logs.
  • Supabase — chatbot conversation storage (anonymous session ID, salted IP hash, role-tagged messages, retrieved chunk references). Conversations are retained for 30 days unless you provide an email, in which case the conversation is retained while the contact remains subscribed.
  • Voyage AI — embedding model used to power chatbot retrieval. Your individual chat messages are transmitted as text to compute a numerical vector; Voyage’s published terms do not use API input to train their models.
  • Cloudflare — DNS and email routing forsupport@responsibleaistudio.com.

We do not share your data with advertisers, data brokers, or any third party for marketing purposes.

6. Data Retention

  • Tool input data — not persistently stored after your session.
  • Payment metadata — retained for as long as our refund window and applicable law require (typically up to 7 years for financial records).
  • Newsletter audience contacts — retained until you unsubscribe.
  • Feedback emails — retained in our support inbox during normal triage; pruned as part of inbox maintenance.
  • Chatbot anonymous sessions — retained for 30 days.
  • Chatbot identified sessions — retained while the linked email remains subscribed.
  • Server logs — approximately 30 days.

7. Chatbot Data Collection

The Responsible AI Studio Assistant chatbot is anonymous by default. When you open the widget we issue a session identifier (a UUID) and store it in a first-party cookie named raisChatSessionId with a 30-day lifetime and SameSite=Lax attribute. The cookie carries no personally identifying information; it is the key under which your conversation is stored in our Supabase database.

We log each user message and assistant reply against the session ID, plus a salted SHA-256 hash of your IP address (we never persist the raw IP) and a coarse user-agent summary (e.g.mobile-safari). We log the IDs of retrieved content chunks used to ground each reply so we can audit the chatbot’s adherence to its source material.

If you choose to provide an email mid-conversation (for example to receive a personalised summary or a sample artifact), the session is linked to that email, the email is added to the Responsible AI Studio Brief audience in Resend with a chatbot source tag, and you receive the welcome sequence. You can clear the cookie and start a fresh anonymous session at any time using the “Forget this conversation” button inside the widget. You can unsubscribe from the Brief at any time using the link in any issue.

8. Your Rights

Depending on your jurisdiction (GDPR, UK GDPR, Quebec Law 25, CPRA, and similar regimes), you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Have your personal data erased (e.g. removed from our Resend audience, our chatbot database, and any other store).
  • Restrict or object to processing.
  • Receive a portable copy of the personal data you provided.
  • Withdraw consent for marketing email at any time by clicking the unsubscribe link in any issue.
  • Lodge a complaint with your supervisory authority.

To exercise any of these rights, email support@responsibleaistudio.com. We aim to respond within 30 days.

9. International Transfers

Our services operate globally and your data may be processed in jurisdictions outside your own (in particular the United States, where our hosting and AI providers operate). Where personal data is transferred internationally, we rely on appropriate safeguards including standard contractual clauses or equivalent mechanisms provided by each processor.

10. Security

All data transmission uses TLS encryption. Payment information is handled exclusively by Stripe’s PCI-DSS-certified infrastructure. The chatbot database uses Supabase row-level security; our chatbot backend authenticates with a server-side service key never exposed to the browser.

11. Children’s Privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted to this page with an updated date. For material changes we will email subscribers using the address on file.

13. Contact

Privacy questions and data-rights requests: support@responsibleaistudio.com.