Privacy Policy for Probull.AI

Last Updated: March 24, 2025

1. Core Principles of Data Protection

Probull.AI operates under the following foundational principles to ensure compliance with global privacy frameworks (GDPR Art. 5, CCPA §1798.100, EU AI Act Art. 10):

1.1 Lawfulness, Fairness, and Transparency

All data processing activities adhere to legal bases under GDPR (consent, contractual necessity, legitimate interests) and CCPA (notice at collection, right to opt-out). We provide transparent disclosures about AI decision-making processes, including automated profiling and training data sources.

1.2 Data Minimization & Purpose Limitation

We collect only data essential for delivering AI-driven SaaS services (e.g., user inputs for model training, account credentials), and maintain a strict separation of data processing purposes:

  • Primary Use: Service delivery (e.g., predictive analytics, natural language processing).
  • Secondary Use: Requires explicit opt-in consent (e.g., improving models, marketing).

1.3 Security by Design & Default

We apply end-to-end encryption (AES-256 for data at rest, TLS 1.3 for data in transit) and pseudonymize user data used in AI training pipelines.

2. Data Collection & Usage

2.1 Types of Data Collected

Category             Examples                                  Legal Basis
-------------------  ----------------------------------------  -----------------------------------------
User-Provided Data   Prompts, files, API inputs                Contractual necessity (GDPR Art. 6(1)(b))
Technical Data       IP addresses, device fingerprints         Legitimate interests (fraud prevention)
Behavioral Data      Feature usage patterns, session duration  Consent (CPRA §1798.135)
Third-Party Data     CRM integrations, payment processors      Data Processing Agreements (GDPR Art. 28)

2.2 AI-Specific Processing

Training Data:

  • Publicly available datasets (CCPA-compliant web scraping).
  • User-provided data only with explicit opt-in via granular consent checkboxes.
  • Full transparency documentation available upon request (Dataset Cards, Model Cards).

Inference Data:

  • Real-time processing logs retained for 30 days (GDPR Art. 30).
  • Automated deletion of temporary cache files after 72 hours.

3. Data Subject Rights & Controls

3.1 Global Rights Framework

Right          Implementation                                       Response Timeline
-------------  ---------------------------------------------------  -----------------
Access         Self-service dashboard with data export (JSON/CSV)   30 days
Rectification  In-app editing of profile data                       72 hours
Erasure        Cryptographic shredding of all data traces           45 days
Objection      One-click opt-out of profiling                       24 hours

3.2 Automated Decision-Making

Users may:

  • Request human review of AI outputs (EU AI Act Art. 14).
  • Opt out of ADMT for significant decisions (employment, credit, healthcare) per CCPA §1798.121.
  • Receive plain-language explanations of AI logic (GDPR Art. 13(2)(f)).

4. International Data Transfers

4.1 Mechanisms & Safeguards

  • EU-US Data Privacy Framework (DPF): Certified under July 2023 adequacy decision.
  • Standard Contractual Clauses (SCCs): Version 2021/914 implemented for non-DPF countries.
  • Binding Corporate Rules (BCRs): Applied for intra-group transfers across 12 jurisdictions.

4.2 Regional Specifics

  • EU: Data localization option in Frankfurt AWS region.
  • California: No sale of personal data without GPC signal compliance.
  • China: On-premise deployment option via Alibaba Cloud.

5. Security Measures

5.1 Technical Safeguards

  • Encryption: FIPS 140-2 validated modules for PHI/HIPAA data.
  • Access Controls: Role-based permissions (RBAC) with MFA enforcement.
  • Monitoring: Real-time anomaly detection via AI-powered SIEM.

5.2 Organizational Safeguards

  • Employee Training: Quarterly workshops on AI ethics (ISO 42001 §4.3).
  • Incident Response: 24/7 SIRT team with 15-minute SLA for breach containment.

5.3 Third-Party Audits

  • Annual: ISO 27001, SOC 2 Type II, HIPAA Attestation.
  • Quarterly: Vulnerability scans (OWASP Top 10 coverage).

6. AI-Specific Provisions

6.1 Training Data Transparency

  • Public registry of data sources (excluding trade secrets).
  • Bias mitigation reports published biannually (EU AI Act Art. 13).

6.2 Model Governance

Risk Tiering:

Tier          Examples                             Controls
------------  -----------------------------------  -------------------------------
High-Risk     Credit scoring, medical diagnoses    Human-in-the-loop + CE marking
Limited-Risk  Chatbots, recommendation engines     Transparency notices

Testing Protocols: Adversarial testing, differential privacy audits.

7. Breach Response

7.1 Notification Workflow

  • Detection: AI-powered DLP alerts within 5 minutes.
  • Containment: Automated isolation of compromised systems.
  • Reporting:
    • Regulatory authorities: 72 hours (GDPR), 45 days (CCPA).
    • Affected users: 96 hours with mitigation guidance.
  • Post-Mortem: Public disclosure of root causes (SEC Rule 10b5-1 compliance).

8. Compliance Certifications

  • ISO 42001: AI management system certification (Q4 2025).
  • NIST AI RMF: Alignment with 2024 framework for risk categorization.
  • EU AI Act Conformity: Planned for 2026 high-risk certification.

9. Children's Privacy

  • Age Verification: Active checks via Yoti/Digital ID.
  • Parental Controls:
    • Consent management portal for under-13 accounts.
    • Prohibition of behavioral advertising (COPPA §312.2).

10. Meta Platform Compliance

  • Data Usage Restrictions:
    • No processing of Meta-derived data for eligibility determinations.
    • Annual audits of Facebook/Instagram integrations.
  • Advertising Compliance:
    • Segregated ad targeting databases (CA CPA §1798.135).
    • Independent review of lookalike audience algorithms.

11. State-Specific Addendums

11.1 California (CPRA)

  • Do Not Sell/Share: Persistent cookie honoring GPC signals.
  • Dark Patterns Prohibition: No manipulative UI designs in consent flows.

11.2 Virginia (VCDPA)

  • Opt-Out Preference Signals: Universal API endpoint for automated requests.

11.3 Colorado (CPA)

  • Data Protection Assessments: Published redacted versions for high-risk processing.

12. Continuous Improvement

  • Bi-Annual Audits: Third-party reviews of AI governance (PwC/RSA Archer).
  • User Impact Assessments: Mandatory for new model deployments.
  • Regulatory Watch: Dedicated team tracking 45+ jurisdictional updates.

This policy will be updated quarterly and undergoes annual board review.

Contact

Probull.AI LLC.
Email: privacy@probull.ai
131 Continental Dr Suite 305 Newark, DE, 19713 US