DATA RETENTION AND DELETION POLICY

Version: 0.2
Last Updated: 19/May/2025 23:10

This Data Retention and Deletion Policy outlines how Innovatica Technologies FZ-LLC manages the lifecycle of data on the Brilio AI platform. It details retention periods for different data categories, explains our soft delete mechanism, describes the data deletion request process, and covers technical methods for secure data destruction. The policy ensures compliance with international data protection regulations while providing users with clear guidelines for managing their data. Our approach balances business needs, regulatory requirements, and user privacy rights.

1. INTRODUCTION

1.1 Purpose and Scope. This Data Retention and Deletion Policy (“Policy”) governs how Innovatica Technologies FZ-LLC (“Innovatica,” “we,” “us,” or “our”) collects, retains, and deletes data processed through our Brilio AI platform (“Brilio” or the “Platform”). This Policy outlines our commitment to responsible data management and compliance with applicable data protection laws.

1.2 Relationship to Other Policies. his Policy forms part of our modular legal framework and should be read in conjunction with our: • Master Terms of Service • Privacy Policy • Data Processing Agreement • Security Policy • AI Training and Improvement Policy • Data Sovereignty Addendum • Cookie Policy.

In case of any conflict between this Policy and any other document in our legal framework, the Master Terms of Service shall prevail unless explicitly stated otherwise.

1.3 Definitions. The terms used in this Policy shall have the same meaning as defined in our Master Terms of Service, unless defined otherwise herein:

1. “Data” refers to any information processed by or stored on the Brilio platform.
2. “User” refers to individuals or entities with an account on the Brilio platform.
3. “Agent Creator” refers to Users who create and manage AI Agents on the platform.
4. “Hard Delete” refers to the permanent and irrevocable deletion of data from our systems.
5. “Soft Delete” refers to the logical deletion of data that renders it inaccessible to Users but retains it in our systems for a defined period.
6. “Retention Period” refers to the duration for which we retain various categories of data.
7. “Anonymization” refers to the irreversible process of transforming personal data in such a way that an individual can no longer be identified from the data.
8. “Data Controller” refers to the entity that determines the purposes and means of processing personal data.
9. “Data Processor” refers to the entity that processes personal data on behalf of the Data Controller.
10. “Data Subject” refers to an identified or identifiable natural person whose personal data is processed.
11. “Legal Hold” refers to a process that preserves all data potentially relevant to a legal proceeding.
12. “Cryptographic Erasure” refers to the process of rendering data inaccessible by securely deleting the encryption keys.
13. “Pseudonymization” refers to the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information.

2. DATA CATEGORIES AND RETENTION SCHEDULES

2.1 Account Data:

Data Type	Description	Retention Period	Justification
User Account Information	Email address, full name, and password (hashed)	90 days after account deletion (soft delete)	Account recovery, security investigation, and compliance with legal obligations
Authentication Logs	Records of login attempts and platform access	13 months	Security monitoring and fraud detection
Billing Information	Payment details, subscription history, invoices	7 years	Tax compliance and financial auditing requirements
Usage Statistics	Platform usage patterns, feature utilization	36 months in identifiable form; indefinitely in anonymized form	Product improvement, trend analysis

 

2.2 Agent-Related Data:

Data Type	Description	Retention Period	Justification
Agent Configuration	Settings, parameters, and metadata of AI Agents	For as long as the Agent is active plus 90 days after deletion	Restore capability, continuity
Agent Content	Knowledge bases, training data, and other content provided by Agent Creators	For as long as the Agent is active plus 90 days after deletion	Restore capability, continuity
Agent Interactions	User queries and Agent responses	13 months by default; configurable by Enterprise users within the range of 1-36 months	Training improvement, quality assurance, compliance with regional regulations
Agent Analytics	Performance metrics, usage statistics	36 months in identifiable form; indefinitely in anonymized form	Performance optimization, quality assurance

 

2.3 Content and Knowledge Base Data:

Data Type	Description	Retention Period	Justification
Original Uploaded Documents	Documents, websites, or databases uploaded to Agents	For as long as the Agent is active plus 90 days after deletion	Data integrity, restore capability
Processed Data	Chunks, vectorized data, embeddings	For as long as the Agent is active plus 90 days after deletion	Operational necessity
Cached Third-Party Data	Temporary copies of data from integrated services	30 days maximum	Operational efficiency
Data Backups	Complete system backups	30 days for daily backups; 90 days for weekly backups; 12 months for monthly backups	Disaster recovery, business continuity

 

2.4 Communication Data:

Data Type	Description	Retention Period	Justification
Support Communications	Customer service interactions, support tickets	24 months after resolution	Quality assurance, training, pattern identification
Notification Preferences	User communication settings	For the duration of the account plus 90 days after deletion	User experience consistency
Marketing Communications	Records of marketing consent and interactions	For the duration of the account plus 24 months	Compliance with marketing regulations
System Notifications	Records of service-related communications	13 months	Audit trail for critical communications

3. SOFT DELETE PERIOD AND PROCESS

3.1 Soft Delete Overview. When a User initiates account deletion or requests the deletion of an Agent or specific data, we implement a 90-day soft delete period. During this period:

1. The data is rendered inaccessible to the User and other platform users
2. The data remains in our systems but is logically separated from active data
3. The data is marked for eventual hard deletion
4. The data can be restored upon User request during this period

3.2 Rationale for Soft Delete Period. The 90-day soft delete period serves multiple important purposes:

1. Allows Users to recover from accidental deletion
2. Provides time for Users to export or transfer their data
3. Enables investigation of security incidents or policy violations
4. Reduces the risk of data loss due to malicious account compromises
5. Aligns with technical constraints of our backup and recovery systems

3.3 Soft Delete Notification and Communication. When a User initiates a deletion action that triggers the soft delete period:

1. A confirmation email is sent to the User’s registered email address
2. The email includes the date when the hard delete will occur
3. Instructions for data restoration during the soft delete period are provided
4. Contact information for support is included if assistance is needed

3.4 Exceptions to the Soft Delete Period. In certain circumstances, the soft delete period may be modified:

1. Legal holds may extend the retention period indefinitely until resolved
2. Regulatory requirements may mandate longer or shorter retention periods in specific jurisdictions
3. Enterprise customers may negotiate different retention periods in their Enterprise Subscription Agreement, which will be documented in writing as an addendum to this Policy
4. Immediate deletion may be implemented in cases of confirmed policy violations, subject to applicable legal requirements.

4. DATA DELETION REQUEST PROCESS

4.1 User-Initiated Deletion Requests. Users may request deletion of their data through the following methods:

1. Self-service deletion within the platform account settings
2. Emailing a deletion request to privacy@brilio.ai
3. Submitting a deletion request through our support portal

All deletion requests must be authenticated to verify the identity of the requestor.

4.2 Required Information for Deletion Requests. When requesting data deletion, Users must provide:

1. Account email address or username
2. Specific data categories requested for deletion
3. Confirmation of account ownership through authentication
4. Optional: reason for deletion (to help us improve our services)

4.3 Verification Process. To protect against unauthorized deletion requests, we employ a multi-factor verification process:

1. Email verification through a unique token sent to the registered email address
2. Password verification or other authentication method
3. For high-sensitivity requests: additional verification may be required

4.4 Timing and Confirmation:

1. We will acknowledge deletion requests within 48 hours of receipt
2. Soft deletion will be implemented within 7 days of verification
3. Hard deletion will occur automatically 90 days after soft deletion
4. Confirmation of both soft and hard deletion will be provided to the User

4.5 Exceptions and Limitations. Certain data deletion requests may be limited by:

1. Legal obligations requiring continued retention
2. Technical limitations making selective deletion impossible
3. Legitimate business interests as permitted by applicable law
4. Anonymized or aggregated data that no longer identifies the User

In such cases, we will inform the User of these limitations and provide alternatives where possible.

5. DATA BACKUP AND ARCHIVING PROCEDURES

5.1 Backup Schedule and Retention. We implement a comprehensive backup strategy to ensure data integrity and availability:

Backup Type	Frequency	Retention Period	Storage Location
Full System Backup	Weekly	90 days	Primary data center and geographically diverse secondary location
Incremental Backup	Daily	30 days	Primary data center
Database Backup	Every 6 hours	14 days	Primary data center
Configuration Backup	After significant changes	12 months	Primary and secondary locations
Critical System State	Continuous	7 days	High-availability storage

 

5.2 Backup Security Measures. All backups are protected by:

1. AES-256 encryption at rest
2. TLS 1.2 or higher encryption in transit
3. Role-based access control limited to authorized personnel
4. Regular integrity verification and validation
5. Audit logging of all access and restoration activities

5.3 Backup Testing and Verification. To ensure backup viability:

1. Full restoration tests are conducted quarterly
2. Sample data restoration tests are conducted monthly
3. Backup integrity checks are performed weekly
4. Automated monitoring alerts for backup failures

5.4 Impact of Deletion Requests on Backups. When a User requests data deletion:

1. Data is removed from active systems as described in Section 3
2. Data remains in backups until those backups reach the end of their retention period
3. If a backup containing deleted data must be restored, we will re-apply deletion markers to ensure the deleted data remains inaccessible

5.5 Archiving vs. Backups. Archiving differs from backups in the following ways:

1. Backups are for disaster recovery and business continuity
2. Archives are for long-term retention of data that has historical or compliance value
3. Archived data is subject to the same deletion policies unless legal holds apply
4. Only specific data categories are archived based on regulatory requirements

6. RETENTION FOR COMPLIANCE AND LEGAL PURPOSES

6.1 Regulatory Retention Requirements. We are required to retain certain data categories to comply with applicable laws and regulations, including but not limited to:

Regulation/Requirement	Data Type	Minimum Retention	Jurisdictional Scope
Tax regulations	Financial records, billing information	7 years	UAE, international where applicable
Anti-money laundering laws	Transaction records, identity verification	5 years	UAE, international where applicable
Electronic communications laws	Service usage logs	2 years	Varies by jurisdiction
Data protection laws	Consent records, data processing records	Duration of processing plus 3 years	GDPR, CCPA, and other applicable regimes

 

6.2 Legal Holds. In the event of:

1. Pending or anticipated litigation
2. Governmental investigation
3. Internal investigation of policy violations
4. Other legally mandated preservation requirements

We may implement a legal hold that suspends normal deletion processes. During a legal hold:

1. Affected data will not be deleted regardless of user requests
2. Users will be notified of the legal hold if permitted by law
3. The data will resume normal deletion cycles once the hold is lifted

6.3 Retention for Dispute Resolution. In accordance with the Liability and Dispute Resolution provisions in our Terms of Service:

1. Data relevant to potential disputes will be retained for 12 months after the end of the business relationship
2. This includes contract records, usage logs, and communications
3. This retention is based on our legitimate interest in defending legal claims

6.4 Documentation of Retention for Legal Purposes. When data is retained for legal or compliance purposes:

1. The specific legal basis for retention will be documented
2. The expected duration of the extended retention will be recorded
3. Regular reviews will be conducted to determine if continued retention is necessary
4. Data will be securely segregated and access-restricted

7. DATA ANONYMIZATION AND AGGREGATION PRACTICES

7.1 Anonymization Process. We may anonymize data for analytical, research, and improvement purposes. Our anonymization process:

1. Removes all direct identifiers (names, email addresses, account IDs)
2. Removes or generalizes indirect identifiers (IP addresses, device information)
3. Applies technical measures to prevent re-identification
4. Is verified through re-identification risk assessment

Once data is anonymized according to these standards, it is no longer subject to deletion requests as it no longer constitutes personal data under applicable law.

7.2 Aggregation Methods. We aggregate data to derive statistical insights while protecting individual privacy:

1. Minimum aggregation threshold of 50 users per data point
2. No outlier preservation that could lead to identification
3. Removal of unique identifiers prior to aggregation
4. Statistical noise addition where appropriate

Aggregated data is retained indefinitely for historical analysis and platform improvement.

7.3 Use Cases for Anonymized and Aggregated Data. Anonymized and aggregated data is used for:

1. Platform performance optimization
2. Usage trend analysis
3. Feature development prioritization
4. Market research and business intelligence
5. Academic research partnerships (with additional safeguards)
6. Industry benchmarking

7.4 Disclosure to Users. We disclose our anonymization and aggregation practices to Users:

1. In our Privacy Policy
2. In relevant sections of our Terms of Service
3. In data processing notifications where required by law
4. In response to specific inquiries

7.5 Safeguards Against Re-identification. To prevent re-identification of anonymized data:

1. Regular risk assessments are conducted
2. Technical safeguards are implemented and updated
3. Access to anonymized datasets is restricted
4. Combining anonymized datasets is subject to approval and review

7.6 AI Training Opt-Out. Brilio respects users’ right to control how their data is used for AI training and improvement purposes. The following provisions apply:

1. Users may opt out of having their data used for AI training and improvement at any time through their account settings
2. Opt-out requests will be implemented within 7 days of submission
3. Historical data from users who opt out will be excluded from future training datasets
4. Opt-out status will be preserved even if users upgrade, downgrade, or change their subscription
5. Enterprise customers may set organization-wide opt-out policies through their Enterprise Subscription Agreement

This opt-out applies specifically to the use of data for improving our AI models and does not affect normal service operations or legally required data retention.

8. VERIFICATION PROCEDURES FOR DELETION REQUESTS

8.1 Identity Verification. To ensure deletion requests are legitimate, we verify the requestor’s identity through:

1. Authentication via account credentials
2. Multi-factor authentication where enabled
3. Email verification using the registered email address
4. For sensitive accounts: additional verification steps may be required

8.2 Authority Verification. For organizational accounts, we verify that the requestor has the authority to request deletion by checking:

1. User role and permissions within the organization
2. Organizational policies on data management
3. Approval from designated data controllers where applicable
4. Documentation of authorization for significant deletion requests

8.3 Scope Verification. We verify the scope of deletion requests to ensure clarity:

1. Specific confirmation of data categories for deletion
2. Explicit acknowledgment of deletion consequences
3. Verification of cascading effects (e.g., deleting an Agent deletes all associated data)
4. Confirmation of exceptions (data that cannot be deleted due to legal requirements)

8.4 Processing Verification. After implementing a deletion request, we verify its execution through:

1. Automated system checks confirming data removal
2. Sampling verification for comprehensive deletion requests
3. Database integrity validation after deletion operations
4. Documentation of the deletion timestamp and method

8.5 Deletion Confirmation. Users receive confirmation of deletion including:

1. Categories of data deleted
2. Timestamp of soft deletion
3. Expected date of hard deletion
4. Exceptions or limitations applied to the request
5. Instructions for any additional steps needed

9. TECHNICAL METHODS FOR SECURE DATA DESTRUCTION

9.1 Data Destruction Standards. We implement industry-standard data destruction methods aligned with:

1. NIST Special Publication 800-88 Guidelines for Media Sanitization
2. ISO/IEC 27001 Information Security Management Standards
3. UAE Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology
4. Additional applicable international standards

9.2 Destruction Methods by Storage Type. Different destruction methods are employed based on the storage medium , in compliance with industry standards including NIST Special Publication 800-88 Rev.1 and ISO/IEC 27001:2013:

Storage Type	Destruction Method	Verification Method
Cloud Storage	Cryptographic erasure, overwriting with random data	Automated verification logs
Database Records	Record deletion with table optimization	Database integrity checks
Backup Media	Secure overwriting, media destruction at end-of-life	Physical verification for physical media, cryptographic verification for digital
Archived Data	Complete purging followed by storage reallocation	Storage allocation verification
Distributed Systems	Coordinated deletion across all nodes and replicas	Consistency checks across infrastructure

 

9.3 Hard Deletion Implementation. Our hard deletion process ensures complete data destruction through:

1. Removal of primary data records
2. Cleanup of all secondary references and indexes
3. Purging of caching systems
4. Removal from search indexes
5. Deletion from analytical datasets
6. Verification of complete removal

9.4 Cryptographic Erasure. For certain storage systems, we implement cryptographic erasure which:

1. Encrypts data using strong encryption (AES-256)
2. Securely destroys the encryption keys when deletion is required
3. Renders the encrypted data permanently inaccessible
4. Provides mathematical assurance of data inaccessibility

9.5 Third-Party Service Provider Compliance. We ensure that third-party service providers:

1. Adhere to our data destruction standards
2. Provide contractual guarantees of proper data destruction
3. Submit documentation of destruction procedures
4. Allow for audits of their destruction processes where appropriate

9.6 Destruction Documentation and Certification. For critical or sensitive data destruction:

1. Detailed logs of the destruction process are maintained
2. Certificates of destruction are generated
3. Independent verification is conducted where appropriate
4. Documentation is retained for compliance purposes

10. INTERNATIONAL DATA TRANSFER AND RETENTION

10.1 Cross-Border Data Transfers. When data is transferred across borders:

1. We ensure adequate safeguards are in place as required by applicable law
2. We implement Standard Contractual Clauses where necessary
3. We restrict transfers to countries without adequate protection
4. We maintain records of international transfers

10.2 Regional Retention Requirements. We adjust our retention practices to comply with regional requirements:

Region	Specific Requirements	Implementation
European Economic Area	GDPR compliance, right to erasure	Enhanced deletion capabilities, data minimization
California (USA)	CCPA/CPRA compliance	Specific deletion request handling for California residents
UAE	Federal Law No. 2 of 2019, DIFC Data Protection Law	Compliance with local data protection requirements
Other jurisdictions	Various local requirements	Case-by-case compliance assessment

 

10.3 Data Localization. For data subject to localization requirements:

1. Dedicated storage in the required jurisdiction is implemented in compliance with applicable data localization laws
2. Data segregation ensures compliance with local laws, including physical and logical separation where required
3. Documented procedures maintain localization compliance, with records retained for audit purposes
4. Independent third-party audits verify continued compliance at least annually.

10.4 Conflict Resolution. In case of conflicting international retention requirements:

1. The most restrictive requirement is generally applied
2. Legal counsel is consulted for specific cases
3. Technical solutions implement jurisdiction-specific policies where possible
4. Transparency with Users about applicable requirements is maintained

11. USER CONTROLS AND SELF-SERVICE OPTIONS

11.1 User Dashboard Controls. Users can manage their data through a comprehensive dashboard that provides:

1. Visibility into all data categories stored
2. Self-service deletion options for eligible data
3. Data export capabilities in machine-readable formats
4. Retention period customization where permitted

11.2 Agent-Specific Controls. Agent Creators have additional controls including:

1. Customized retention settings for Agent data
2. Bulk deletion capabilities for Agent content
3. Version control with rollback options
4. Knowledge base management tools

11.3 Enterprise Administrator Controls. Enterprise accounts include advanced controls such as:

1. Organization-wide retention policy management
2. Delegated administration for departmental data
3. Compliance reporting and audit logs
4. Custom retention schedules aligned with industry requirements

11.4 Deletion Request Tracking. Users can track the status of their deletion requests through:

1. A dedicated request management interface
2. Email notifications at key stages
3. Status updates showing progress
4. Confirmation of completion

11.5 Data Subject Rights Management. In support of data subject rights under applicable law:

1. Streamlined processes for access, correction, and deletion requests
2. Standardized response timelines aligned with regulatory requirements
3. Documentation of all requests and responses
4. Regular review and improvement of request handling processes

12. DATA RETENTION MONITORING AND COMPLIANCE

12.1 Automated Retention Enforcement. We implement automated systems to enforce retention policies:

1. Scheduled scans identify data exceeding retention periods
2. Automated alerts notify administrators of retention issues
3. Regular purge processes remove expired data
4. System logs document all retention-related activities

12.2 Compliance Auditing. Regular audits ensure adherence to this Policy:

1. Internal quarterly reviews of retention practices
2. Annual comprehensive retention audit
3. Third-party compliance verification where appropriate
4. Remediation tracking for identified issues

12.3 Staff Training and Awareness. To ensure proper implementation of this Policy:

1. All staff receive training on data retention principles
2. Technical teams receive specialized training on deletion methods
3. Regular refresher training maintains awareness
4. Updates to this Policy are communicated promptly

12.4 Documentation and Records. We maintain comprehensive records related to data retention:

1. Retention schedule implementation documentation
2. Deletion request records and responses
3. Exceptions and special cases with justification
4. Compliance verification evidence

12.5 Continuous Improvement. This Policy and its implementation are subject to continuous improvement:

1. Regular review based on emerging best practices
2. Updates to reflect regulatory changes
3. Refinement based on User feedback
4. Enhancement in response to technological developments

13. SPECIAL CONSIDERATIONS

13.1 Paid vs. Free Users. Different retention periods may apply based on account type:

1. Free users: Standard retention periods apply
2. Paid users: Enhanced retention options based on subscription tier
3. Enterprise users: Customizable retention aligned with specific requirements

13.2 Enterprise-Specific Requirements. Enterprise customers may have specific needs addressed through:

1. Custom data retention addenda to their Enterprise Subscription Agreement
2. Technical implementation of industry-specific retention requirements
3. Enhanced deletion verification processes
4. Dedicated compliance support

13.3 Research and Development Exceptions. Limited exceptions to standard retention periods may apply for research and development purposes:

1. Anonymized data may be retained longer for R&D
2. Clear purpose limitation is implemented
3. Regular necessity reviews are conducted
4. Enhanced security measures apply to R&D data

13.4 Technical Constraints. We acknowledge certain technical constraints in data deletion:

1. Complete removal from backups may be delayed until backup expiration
2. Some metadata may be retained for system integrity
3. Derived insights may persist in anonymized form
4. Technical logs may require retention for security purposes

13.5 Educational and Non-Commercial Use. Special considerations may apply for educational institutions and non-commercial organizations:

1. Educational data may be subject to specific regulatory requirements
2. Non-commercial research may qualify for extended anonymized data retention
3. Documentation of educational purpose is required
4. Regular review ensures continued qualification

14. POLICY UPDATES AND COMMUNICATION

14.1 Policy Review Schedule. This Policy is subject to regular review:

1. Annual comprehensive review
2. Ad hoc reviews triggered by significant regulatory or operational changes
3. Stakeholder input collection during review process
4. Documentation of review outcomes

14.2 Update Notification. When this Policy is updated:

1. Users will be notified via email for significant changes
2. Platform notifications will announce updates
3. A summary of changes will be provided
4. The effective date will be clearly indicated

14.3 Version History. A complete version history of this Policy is maintained and accessible to Users, including:

1. Date of each version
2. Summary of significant changes
3. Rationale for major updates
4. Archived versions for reference

14.4 Questions and Clarifications. For questions about this Policy:

• Users may contact privacy@brilio.ai
• Frequently asked questions are maintained in our knowledge base
• Enterprise customers may consult their account representative
• Regulatory inquiries should be directed to compliance@brilio.ai

15. GOVERNING LAW AND COMPLIANCE

15.1 Primary Regulatory Framework. This Policy is governed primarily by:

1. UAE Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology
2. Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020
3. UAE Federal Decree-Law No. 45 of 2021 Regarding Personal Data Protection
4. GDPR and other applicable international data protection regulations including but not limited to CCPA/CPRA (California), PIPL (China), LGPD (Brazil), and PDPA (Singapore)

15.2 Compliance Approach. Our compliance approach includes:

1. Regular assessment of regulatory requirements
2. Implementation of privacy by design principles
3. Documentation of compliance measures
4. Engagement with regulatory authorities as needed

15.3 Data Protection Authority Cooperation. We cooperate with data protection authorities by:

1. Responding promptly to inquiries
2. Providing required documentation
3. Implementing recommended improvements
4. Maintaining open communication channels

15.4 Conflicts and Precedence. In case of conflict between this Policy and:

1. Applicable law: The law prevails
2. User agreements: The most protective provisions for User data prevail
3. Other policies: The most recently updated policy prevails unless otherwise specified

16. CONTACT INFORMATION

For matters related to this Policy, please contact:

Data Protection Officer
Innovatica Technologies FZ-LLC
VUNE0632, Compass Building – Al Hulaila
Al Hulaila Industrial Zone-FZ
Ras Al Khaimah, United Arab Emirates

Email: privacy@brilio.ai
Phone: +971 509 083 742

For urgent deletion requests:
emergency-deletion@brilio.ai

17. Alignment with AI Ethics and Responsible Use

This Data Retention and Deletion Policy operates in conjunction with our AI Ethics and Responsible Use Policy. Key considerations include:

1. Data minimization principles guide our collection and retention practices
2. We conduct regular ethical reviews of our retention practices and their impact on AI training
3. Data that has been flagged as potentially biased or problematic is subject to special review before use in AI training
4. User feedback regarding ethical concerns with data retention may be submitted to info@innovatica.ai
5. Annual transparency reports regarding our data practices are published on our website

For complete details on our ethical AI practices, please refer to our AI Ethics and Responsible Use Policy.

18. APPENDICES

Appendix A: Data Inventory and Classification Schema

Classification	Description	Examples	Special Handling
Critical	Essential business data with strict regulatory requirements	Payment information, legal documents	Maximum security, limited access, enhanced monitoring
Sensitive	Data that could cause harm if disclosed	User credentials, internal configurations	Encryption, access controls, comprehensive logging
Internal	Operational data for platform functioning	System logs, performance metrics	Standard security, role-based access
Public	Data intended for public consumption	Public agent descriptions, marketing materials	Normal validation, integrity checks

 

Appendix B: Record of Deletion Methods by System Component

System Component	Primary Deletion Method	Secondary Verification	Responsible Team
User Database	SQL DELETE with cascade, table optimization	Record count verification	Database Administration
Object Storage	Object deletion followed by lifecycle policies	Storage audit	Cloud Infrastructure
Search Indexes	Index record removal, reindexing	Search verification	Search Engineering
Analytics Platform	Identifier removal, aggregation	Statistical analysis	Data Science
Backup Systems	Retention policy enforcement, media rotation	Restoration testing	Security Operations

 

Appendix C: Compliance Matrix

Regulation	Key Requirements	Implementation Measures	Verification Method
GDPR	Right to erasure, data minimization	Self-service deletion, retention limits	Audit logs, regular testing
CCPA/CPRA	Deletion requests, opt-out rights	California-specific request handling	Compliance documentation
UAE Data Law	Local data protection requirements	UAE-compliant storage and processing	Local legal review
Industry-Specific	Varies by industry	Custom retention rules for affected industries	Specialized compliance reviews

 

Appendix D: Regional Data Retention Requirements

Region	Key Regulation	Specific Requirements	Brilio Implementation
European Union	GDPR	Right to erasure, data minimization, storage limitation	48-hour acknowledgment of deletion requests, default 13-month retention
United States	CCPA/CPRA	Right to delete, opt-out rights	California-specific processing for deletion requests
United Arab Emirates	Federal Decree-Law No. 45 of 2021	Local storage requirements, data protection	UAE-compliant storage infrastructure, DPO appointment
China	PIPL	Data localization, processing restrictions	China-specific data storage for applicable users
Brazil	LGPD	Data subject rights, legal bases for processing	Compliance with deletion and access requirements
Japan	APPI	Consent requirements, cross-border transfers	Enhanced consent mechanisms for Japanese users
India	PDPB (Pending)	Data localization, processing limitations	Prepared compliance measures for implementation

This appendix will be updated as regulations evolve or new significant regulations are enacted.

AI TRAINING AND IMPROVEMENT POLICY

Last Updated: 19/May/2025 22:14

1. INTRODUCTION

1.1 Purpose and Scope. This AI Training and Improvement Policy (“Policy”) governs how Innovatica Technologies FZ-LLC (“Innovatica,” “we,” “our,” or “us”) collects, processes, and utilizes data for the purpose of training, developing, and improving our artificial intelligence systems, specifically our Brilio AI platform (“Brilio” or the “Platform”).

This Policy applies to all users of the Brilio platform, including Agent creators, Agent users, and other stakeholders who interact with our AI systems, regardless of jurisdiction or access method. By using Brilio, you acknowledge and consent to the practices described in this Policy, subject to the opt-out provisions detailed in Section 5 and applicable data protection laws in your jurisdiction.

1.2 Relationship to Other Policies. This Policy is part of a comprehensive legal framework that governs your use of the Brilio platform. It should be read in conjunction with the following documents, which are incorporated by reference:

1. Master Terms of Service
2. Privacy Policy
3. Data Retention and Deletion Policy
4. Data Processing Agreement
5. Security Policy
6. AI Ethics and Responsible Use Policy

In case of any conflict between this Policy and any of the above documents, the terms of this Policy shall prevail with respect to AI training and improvement matters.

2. AI MODEL TRAINING METHODOLOGIES

2.1 Training Approaches. Brilio employs various methodologies to train and improve its AI models, including but not limited to:

1. Supervised Learning: Our AI models may be trained using labeled datasets, where the model learns to predict outputs based on input examples with known correct answers. This approach is primarily used to train models for specific tasks such as classification, entity recognition, and content filtering.
2. Reinforcement Learning from Human Feedback (RLHF): We may employ RLHF techniques to align AI outputs with human preferences and values. This involves human evaluators providing feedback on model outputs, which is then used to further train and refine the model’s responses.
3. Transfer Learning: Our models may utilize transfer learning, where a model initially trained on one task is adapted to perform a different but related task. This approach allows us to leverage knowledge gained from larger datasets to improve performance on specialized tasks with limited data.
4. Continual Learning: Brilio employs continual learning techniques to enable AI models to learn from new data and adapt to emerging patterns while maintaining stability of previously acquired knowledge. This approach helps keep our AI systems current and relevant. We implement mechanisms to prevent catastrophic forgetting and maintain performance on previously learned tasks.

2.2 Model Versioning and Documentation. All AI models used within the Brilio platform are versioned and documented to ensure:

1. Traceability of model development and changes
2. Accountability for model performance
3. Transparency in model capabilities and limitations
4. Compliance with regulatory requirements

For each model version, we maintain documentation that includes information about the training data sources (with appropriate anonymization and aggregation to protect privacy), training methodologies, performance metrics, and known limitations.

2.3 Quality Assurance and Testing. All AI models undergo rigorous testing before deployment to ensure they meet our standards for:

1. Performance and accuracy
2. Fairness and bias mitigation
3. Safety and reliability
4. Compliance with ethical guidelines and legal requirements

Testing involves both automated evaluation metrics and human review to ensure that models operate as intended and produce high-quality outputs.

3. TYPES OF USER DATA UTILIZED FOR AI IMPROVEMENT

3.1 User Interaction Data. We may collect and process data from user interactions with the Brilio platform, including:

1. User queries and inputs
2. Agent responses and outputs
3. User feedback on Agent responses (e.g., ratings, likes, edits, regenerations)
4. Usage patterns and session information

This data helps us understand how users interact with our AI systems and identify areas for improvement.

3.2 Agent Creation and Configuration Data. For Agent creators, we may process:

1. Knowledge base content
2. Agent configuration settings
3. Performance metrics of published Agents
4. User feedback specific to each Agent

This data helps us improve the Agent creation experience and enhance the capabilities of our platform.

3.3 Application Performance Data. We collect technical data related to the performance of our AI systems, including:

1. Response times
2. Error rates and types
3. Resource utilization
4. System load and capacity metrics

This data helps us identify and address technical issues that affect user experience.

3.4 Excluded Data Categories. The following categories of data are specifically excluded from AI training and improvement processes:

1. Payment information (handled by third-party payment processors as described in the Privacy Policy)
2. Account credentials and authentication data
3. Data explicitly marked as confidential or private by users
4. Data that users have opted out from being used for training purposes (see Section 5)
5. Data specifically identified as sensitive under applicable data protection laws, unless explicit consent has been provided
6. Biometric data, including facial recognition data
7. Children’s personal data as defined under applicable laws (including COPPA in the United States)
8. Health, genetic, or other special category data as defined by GDPR and similar regulations
9. Any data that would violate our AI Ethics and Responsible Use Policy if used for training
10. Data subject to legal privilege or confidentiality obligations

4. DATA ANONYMIZATION PROCESSES FOR TRAINING

4.1 Anonymization Techniques. To protect user privacy while enabling AI improvement, we employ various anonymization techniques, including:

1. Data Minimization. We collect and retain only the data necessary for legitimate AI training and improvement purposes, following the principle of data minimization.
2. Pseudonymization. Where possible, we replace directly identifying information with pseudonyms or codes, separating personal identifiers from the content data used for training.
3. Aggregation. We may combine data from multiple users to create aggregate datasets that do not reveal information about specific individuals.
4. Redaction. We may systematically remove or mask specific types of information such as names, contact details, identification numbers, and other potentially sensitive data.

4.2 Anonymization Verification Process. Before any user data is incorporated into training datasets, it undergoes a multi-stage verification process to ensure proper anonymization:

1. Automated scanning to identify and redact potentially sensitive information
2. Sampling and manual review by trained personnel to verify the effectiveness of automated anonymization
3. Data quality assessment to ensure anonymized data remains useful for training purposes
4. Documentation of anonymization methods applied to each dataset
5. Periodic re-evaluation of anonymization effectiveness against emerging re-identification techniques
6. Risk assessment to determine whether anonymization is sufficient or if additional safeguards are required

4.3 Data Access Controls. Access to training data, including anonymized user data, is strictly controlled and limited to authorized personnel within Innovatica who:

1. Have a legitimate need to access such data for AI training and improvement purposes
2. Have received appropriate training on data protection and privacy requirements
3. Are bound by confidentiality obligations
4. Are subject to authentication, authorization, and auditing measures

5. OPT-OUT OPTIONS FOR AI TRAINING CONTRIBUTIONS

5.1 User Controls. Brilio provides users with options to control how their data may be used for AI training and improvement:

1. Platform-wide Opt-out. Users can opt out of having their data used for AI training and improvement purposes through their account settings. This setting can be modified at any time.
2. Session-based Opt-out. Users may designate specific sessions or conversations as “private,” which excludes that data from being used for training purposes.
3. Agent-specific Settings. Agent creators can configure whether data from interactions with their Agents may be used for training purposes, and may set different defaults for private versus public Agents.

5.2 Impact of Opt-out. When a user opts out of AI training contributions:

1. Existing data that has not yet been incorporated into training datasets will be excluded within 30 days of the opt-out request
2. Future data from the user will not be collected for training purposes
3. For data already incorporated into training datasets in anonymized form, we will implement commercially reasonable efforts to exclude such data from future training iterations, while acknowledging that complete retroactive removal from existing models may not be technically feasible
4. The functionality of the Platform will not be affected by the decision to opt out
5. Users will receive confirmation once their opt-out request has been processed

5.3 Enterprise Controls. For enterprise customers, additional controls are available as specified in the Enterprise Subscription Agreement and Data Processing Agreement, including:

1. Organization-wide opt-out settings configurable by administrators
2. Data residency and processing restrictions
3. Custom data handling and retention policies
4. Additional security measures for sensitive corporate information

6. SAFEGUARDS AGAINST TRAINING ON SENSITIVE DATA

6.1 Preventive Measures. We implement various safeguards to prevent sensitive data from being incorporated into AI training datasets:

1. Content Filtering. Automated systems scan and filter content before it is used for training to identify and exclude sensitive information.
2. Context Awareness. Our systems are designed to recognize contextual indicators of sensitive information, even when not explicitly marked as such.
3. User Education. We provide guidance to users on how to avoid sharing sensitive information with the Platform in ways that might be captured for training purposes.
4. Agent Creator Responsibilities: Agent creators are responsible for ensuring that the data they use to train their Agents is appropriate and that they have the necessary rights to use such data, as detailed in the Agent Creator Agreement.

6.2 Data Classification. We classify data according to sensitivity levels, with specific handling requirements for each level:

1. Public: General information that poses minimal privacy or security risk if disclosed
2. Internal: Non-sensitive information intended for use within Brilio but not publicly disclosed
3. Confidential: Business or personal information that requires protection from unauthorized access
4. Restricted: Highly sensitive information that requires enhanced security measures and is excluded from training datasets

6.3 Monitoring and Auditing. We maintain robust monitoring and auditing systems to ensure compliance with our data handling policies:

1. Regular audits of training data to verify appropriate classification and handling
2. Monitoring for potential data leakage or unauthorized access
3. Review of data anonymization effectiveness
4. Documentation of all data processing activities for compliance purposes

7. ETHICAL GUIDELINES FOR AI TRAINING

7.1 Ethical Principles. Our AI training activities are guided by the following ethical principles, which are regularly reviewed and updated to align with evolving global standards for responsible AI:

1. Fairness and Non-discrimination. We strive to ensure that our AI systems do not perpetuate or amplify biases based on race, gender, age, religion, sexual orientation, disability, or other protected characteristics.
2. Transparency. We provide clear information about how user data is utilized for AI training and improvement, enabling users to make informed decisions about their participation.
3. Accountability. We take responsibility for the performance and outputs of our AI systems and maintain governance structures to address issues that may arise.
4. Privacy by Design. We incorporate privacy protections into our AI development processes from the outset, rather than as an afterthought.
5. Human Oversight: We maintain human oversight of AI training and improvement to ensure alignment with our ethical principles and to detect and address potential issues.

7.2 Bias Mitigation. We employ various techniques to identify and mitigate potential biases in our AI systems:

1. Diverse and representative training datasets from varied sources and demographics
2. Regular bias audits and testing using multiple fairness metrics and evaluation frameworks
3. Feedback mechanisms to identify and address biased outputs, including user-reported instances
4. Ongoing research and development to improve fairness metrics and implement state-of-the-art debiasing techniques
5. Cross-functional review of training methodologies and results by teams with diverse backgrounds and expertise
6. Collaboration with external experts and affected communities to identify blind spots
7. Transparent reporting of bias metrics and mitigation efforts to relevant stakeholders

7.3 Ethical Review Process. AI training initiatives within Brilio are subject to ethical review, which includes:

1. Assessment of potential risks and benefits
2. Evaluation of data sources and processing methods
3. Consideration of potential impacts on users and society
4. Documentation of ethical considerations and mitigations
5. Periodic reassessment as systems evolve

8. PERFORMANCE MEASUREMENT AND IMPROVEMENT METRICS

8.1 Key Performance Indicators. We evaluate the performance of our AI systems using various metrics, including:

1. Accuracy and Relevance. Precision and recall for information retrieval:
   1. Response accuracy for factual queries
   2. Relevance of responses to user inputs

• Consistency of outputs across similar queries

1. User Satisfaction:
   • User feedback ratings and scores
   • Task completion rates
   • User retention and engagement metrics
   • Agent-specific ratings and reviews
2. Safety and Responsibility:
   1. Rate of policy-violating outputs
   2. Effectiveness of content filtering

• Fairness across different user demographics

1. Robustness against adversarial inputs

1. Efficiency:
2. Response time and latency
3. Computational resource utilization

• Scalability under varying load conditions

1. Energy efficiency and environmental impact

8.2 Continuous Evaluation. Performance metrics are monitored and evaluated on an ongoing basis through:

1. Automated testing and benchmarking
2. Human evaluation of model outputs
3. Comparison against baseline and competitor systems
4. Analysis of user feedback and reported issues
5. Regular review of system logs and error reports

8.3 Improvement Prioritization. Improvements to AI systems are prioritized based on:

1. Impact on user experience and satisfaction
2. Alignment with ethical principles and company values
3. Technical feasibility and resource requirements
4. Regulatory and compliance considerations
5. Strategic business objectives

Results of performance measurements are documented and used to inform the development of new model versions and features.

9. MODEL UPDATE FREQUENCY AND NOTIFICATION PROCESS

9.1 Update Schedule. AI models within the Brilio platform are updated according to the following general schedule:

1. Critical updates: Deployed immediately as needed to address security vulnerabilities, harmful outputs, or significant performance issues
2. Major updates: Typically deployed on a quarterly basis, introducing substantial improvements to model capabilities or performance
3. Minor updates: Deployed monthly, focusing on incremental improvements and refinements
4. Experimental features: Made available to select users for testing and feedback before general release

The actual frequency of updates may vary based on business needs, technical considerations, and user feedback.

9.2 Update Communication. Users are notified of AI model updates through various channels:

1. In-platform Notifications. Users receive notifications within the Brilio platform when significant model updates are deployed, including information about new capabilities or improvements.
2. Release Notes. Detailed release notes are published for each update, providing information about changes, improvements, and known issues.
3. Email Notifications. Users who have opted in to receive product updates may receive email notifications about significant model changes.
4. Developer Documentation. For Agent creators and developers, technical documentation is updated to reflect changes in model behavior, capabilities, or integration requirements.

9.3 Backward Compatibility and Version Management. When deploying model updates, we strive to maintain backward compatibility to minimize disruption to existing Agents and integrations. Where backward compatibility cannot be maintained:

1. Users are notified at least 30 days in advance of the potential impact, except for critical security updates
2. Detailed guidance and documentation are provided on how to adapt to the changes
3. Transition periods of at least 90 days are established when feasible to allow for adjustments
4. Previous model versions may remain available for up to 180 days to facilitate testing and migration
5. For enterprise customers, extended support for legacy versions may be available under separate agreement

10. COMPLIANCE WITH DATA PROTECTION REGULATIONS

10.1 Global Compliance Framework. Our AI training and improvement activities comply with applicable data protection regulations worldwide, including but not limited to:

1. General Data Protection Regulation (GDPR) in the European Union
2. California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and other state privacy laws in the United States
3. Personal Data Protection Law in the United Arab Emirates and the UAE Cabinet Resolution No. (21) of 2024 on the Regulations of the Federal Decree Law No. (7) of 2023 Concerning the Protection of Personal Data
4. Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
5. Personal Data Protection Act (PDPA) in Singapore
6. Brazil’s General Data Protection Law (LGPD)
7. Australia’s Privacy Act
8. Japan’s Act on the Protection of Personal Information (APPI)
9. China’s Personal Information Protection Law (PIPL) and Cyberspace Administration of China (CAC) regulations on generative AI
10. We maintain a dedicated compliance team that continuously monitors regulatory developments and updates our practices accordingly.

10.2 Legal Basis for Processing. We process user data for AI training and improvement purposes based on one or more of the following legal grounds, depending on the applicable jurisdiction:

1. User consent, which can be withdrawn at any time through the opt-out mechanisms described in Section 5
2. Legitimate interests in improving our services and developing new features, balanced against potential privacy impacts
3. Performance of our contract with users to provide and enhance the Brilio platform
4. Compliance with legal obligations where applicable

10.3 International Data Transfers. When transferring data across international borders for AI training and improvement purposes, we implement appropriate safeguards in accordance with applicable data protection laws, which may include:

1. Standard Contractual Clauses approved by relevant authorities
2. Binding Corporate Rules
3. Adequacy decisions where available
4. Additional technical and organizational measures as necessary

For more information about international data transfers, please refer to our Privacy Policy and Data Sovereignty Addendum.

10.4 Data Subject Rights. We respect and facilitate the exercise of data subject rights in relation to AI training data, as required by applicable law. These rights may include:

1. The right to access personal data
2. The right to rectification of inaccurate data
3. The right to erasure (“right to be forgotten”)
4. The right to restrict processing
5. The right to data portability
6. The right to object to processing

For information on how to exercise these rights, please refer to our Privacy Policy.

11. SECURITY MEASURES FOR TRAINING DATA

11.1 Technical Safeguards. We implement robust security measures to protect training data, including:

1. Encryption of data in transit and at rest using TLS 1.2 or higher and AES-256
2. Secure access controls and multi-factor authentication mechanisms
3. Regular security audits and vulnerability assessments conducted by both internal and independent third-party security firms
4. Intrusion detection and prevention systems with 24/7 monitoring
5. Data loss prevention technologies and automated data exfiltration alerts
6. Secure development practices following a Security Development Lifecycle (SDL) methodology
7. Regular penetration testing and red team exercises
8. Confidential computing techniques for sensitive training operations where technically feasible

11.2 Administrative Controls. Administrative security controls for training data include:

1. Role-based access control with least privilege principles
2. Regular security training for personnel
3. Background checks for employees with access to sensitive data
4. Documented security policies and procedures
5. Incident response plans and regular drills
6. Third-party security assessments and penetration testing

11.3 Physical Security. Physical security measures for systems storing or processing training data include:

1. Secure data centers with controlled access
2. Environmental controls and monitoring
3. Redundant power and connectivity
4. Disaster recovery capabilities
5. Asset management and disposal procedures

For more detailed information about our security practices, please refer to our Security Policy.

12. CHANGES TO THIS POLICY

We may update this AI Training and Improvement Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this Policy, we will provide notice at least 30 days before the changes take effect, except for changes required by law or addressing security vulnerabilities, which may be implemented immediately. Notification methods include:

1. Displaying a prominent notice on the Brilio platform
2. Sending an email to registered users
3. Including a notification in release notes or platform updates
4. Updating the “Last Updated” date at the top of this Policy
5. Maintaining an archive of previous versions accessible to users

For significant changes that materially alter your rights or our obligations regarding AI training data, we may request renewed consent. We encourage users to periodically review this Policy to stay informed about our AI training and improvement practices. We encourage users to periodically review this Policy to stay informed about our AI training and improvement practices.

13. AI SYSTEM CARDS AND MODEL DOCUMENTATION

13.1 Transparency Documentation. For each significant AI model deployed on the Brilio platform, we maintain comprehensive documentation that includes:

1. Model purpose and intended use cases
2. Training data types and sources (described in general terms to protect proprietary information)
3. Performance metrics and limitations
4. Known biases and mitigation strategies
5. Environmental impact considerations
6. Testing methodologies and results
7. Responsible AI considerations

13.2 Access to Documentation. System Cards for our primary AI models are available to users upon request, subject to confidentiality requirements. Enterprise customers may receive more detailed documentation as specified in their agreements.

13.3 Updates to Documentation. Model documentation is updated with each significant release or when material changes are made to model architecture, training data, or deployment context. Version history of documentation is maintained for reference and compliance purposes.

14. AI ALIGNMENT AND SAFETY PROTOCOLS

14.1 AI Safety Practices. We implement a multi-layered approach to ensuring the safety and beneficial alignment of our AI systems, including:

1. Red-teaming exercises to identify potential vulnerabilities or misuse scenarios
2. Adversarial testing to enhance robustness against manipulation
3. Constitutional AI principles that guide model behavior and responses
4. Regular audits to verify adherence to ethical guidelines
5. Monitoring systems to detect aberrant model behaviors

14.2 AI Alignment Methodologies. Our AI alignment strategies include:

1. Value learning techniques to capture and represent human preferences accurately
2. Constitutional AI approaches that establish behavioral boundaries
3. Reinforcement learning from human feedback to improve alignment over time
4. Interpretability research to better understand model decision-making
5. Regular review of emerging alignment research and best practices

 

14.3 Incident Response. In the event of an AI safety incident or alignment failure:

1. Affected systems will be isolated or disabled if necessary to prevent harm
2. A detailed incident analysis will be conducted to determine root causes
3. Remediation steps will be implemented and verified before re-deployment
4. Notifications will be provided to affected users as appropriate
5. Lessons learned will be incorporated into future alignment protocols

15. ENVIRONMENTAL IMPACT OF AI TRAINING

15.1 Environmental Considerations. We recognize that AI model training can have significant environmental impacts through energy consumption and carbon emissions. We are committed to measuring, reporting, and reducing these impacts through:

1. Energy-efficient computing infrastructure selection
2. Optimization of training algorithms to reduce computational requirements
3. Use of renewable energy sources where possible for computing operations
4. Carbon offsetting programs for unavoidable emissions

15.2 Efficiency Metrics. We track and publish the following metrics related to our AI training operations:

1. Energy consumption per training run
2. Carbon emissions estimates
3. Efficiency improvements over time
4. Environmental targets and progress

15.3 Research and Development. We invest in research and development of more environmentally sustainable AI training methods, including:

1. Parameter-efficient fine-tuning techniques
2. Knowledge distillation to create smaller, more efficient models
3. Optimized inference procedures that reduce operational environmental impact
4. Collaboration with industry partners on green AI initiatives

16. CONTACT INFORMATION

16.1 CONTACT INFORMATION. If you have questions, concerns, or requests regarding this AI Training and Improvement Policy or our AI practices, please contact us at:

Innovatica Technologies FZ-LLC VUNE0632, Compass Building – Al Hulaila Al Hulaila Industrial Zone-FZ Ras Al Khaimah, United Arab Emirates

Email: info@innovatica.ai
Phone: +971 509 083 742 Website: https://innovatica.ai/

16.2 EMERGENCY CONTACT INFORMATION: For urgent matters related to AI training and improvement processes, such as suspected data breaches, model misbehavior, or other critical issues, please contact our emergency response team at:

Email: security@innovatica.ai

Phone: +971 509 083 742 (24/7 emergency line)

For time-sensitive security concerns, please clearly indicate “SECURITY EMERGENCY” in your communication to ensure immediate attention.

By using the Brilio platform, you acknowledge that you have read and understood this AI Training and Improvement Policy and agree to its terms, subject to your right to opt out of certain data processing activities as described herein.

COOKIE POLICY

Last Updated: 19/May/2025 22:46

1. INTRODUCTION

1.1 Overview. Innovatica Technologies FZ-LLC (“Innovatica,” “we,” “us,” or “our”), registered in the United Arab Emirates with License No. 47020067, operates the Brilio platform (“Brilio,” “Platform,” or “Service”) available at brilio.ai. This Cookie Policy explains how we use cookies and similar technologies when you visit our Platform, and your choices regarding these technologies.

1.2 Relationship to Other Policies. This Cookie Policy forms an integral part of our legal framework and should be read in conjunction with our Terms of Service and Privacy Policy. The processing of personal data collected via cookies is governed by applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), UAE Federal Decree Law No. 45 of 2021 on Personal Data Protection, and other applicable regional privacy regulations.

References to data processing, data retention, and third-party services in this document are elaborated in greater detail in our Privacy Policy and Data Processing Agreement.

1.3 Applicable Regulations. This Cookie Policy is designed to comply with relevant electronic privacy regulations, including the EU ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC), commonly known as the “Cookie Law,” the Privacy and Electronic Communications Regulations (PECR) in the UK, and similar regulations worldwide. Where conflicts exist between different regulations, we apply the higher standard of protection for your privacy rights.

1.4 Scope of Application. This policy applies to all users of the Brilio platform, including Agent creators, users of Agents, and visitors to our website, regardless of geographic location.

2. COOKIE CONSENT MECHANISM

Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work more efficiently and provide information to the website owners. Cookies can be “persistent” (remaining on your device until you delete them) or “session-based” (deleted when you close your browser).

2.1 Initial Consent. When you first visit our Platform, you will be presented with a cookie banner that informs you about our use of cookies and requests your consent for non-essential cookies. The banner will provide options to:

1. Accept all cookies
2. Reject non-essential cookies
3. Customize your cookie preferences

2.2 Lawful Basis for Processing. We process cookie data on the following legal bases:

1. Essential cookies: Legitimate interest and contractual necessity to provide our services
2. Functional cookies: Consent (opt-in)
3. Analytics and Performance cookies: Consent (opt-in)
4. Targeting and Advertising cookies: Consent (opt-in)

2.3 Consent Withdrawal. You may withdraw your consent at any time through our cookie preference center. When you withdraw consent, the relevant cookies will be deleted, and we will stop collecting data through those cookies.`

3. TYPES OF COOKIES WE USE

3.1 Essential Cookies. These cookies are necessary for the Platform to function properly and cannot be disabled in our systems. They are usually set in response to actions you take that constitute a request for services, such as setting your privacy preferences, logging in, or filling out forms.

Examples include:

1. Authentication cookies to verify your identity when you log in
2. Security cookies to prevent unauthorized access
3. Load balancing cookies to distribute traffic across our servers
4. Session management cookies to remember your preferences during your visit

Lifespan: Most essential cookies are session-based and expire when you close your browser. Others may persist for up to 30 days to maintain necessary functionality.

3.2 Functional Cookies. These cookies enable enhanced functionality and personalization on our Platform. They may be set by us or by third-party providers whose services we have added to our pages.

Examples include:

1. Language preference cookies
2. Interface customization cookies
3. Agent interaction history cookies
4. Feature preference cookies

Lifespan: Functional cookies typically persist for 30-90 days, depending on their specific purpose.

3.3 Analytics and Performance Cookies. These cookies allow us to count visits and traffic sources, measure and improve the performance of our Platform. They help us understand which pages are the most and least popular and see how visitors navigate the Platform.

Examples include:

1. Google Analytics cookies
2. Performance monitoring cookies
3. Error tracking cookies
4. A/B testing cookies

Lifespan: Analytics cookies may persist for up to 2 years, though most expire within 90 days.

3.4 Targeting and Advertising Cookies. These cookies may be set through our Platform by our advertising partners. They may be used to build a profile of your interests and show you relevant advertisements on other sites.

Examples include:

1. Behavioral advertising cookies
2. Retargeting cookies
3. Social media sharing cookies
4. Campaign effectiveness measurement cookies

Lifespan: Targeting and advertising cookies typically persist for 30-180 days.

4. THIRD-PARTY COOKIES

4.1 Payment Processing. Our Platform uses Stripe for payment processing. Stripe may place cookies on your device to facilitate secure transactions, prevent fraud, and improve the payment experience. For more information on how Stripe uses cookies, please visit Stripe’s Cookie Policy.

4.2 Analytics Services. We use analytics services like Google Analytics to understand how users interact with our Platform. These services place cookies on your device to collect information about your usage patterns. For more information, please visit Google’s Privacy & Terms.

4.3 Cloud Infrastructure. Brilio is hosted in Microsoft Azure services, currently in North Europe – Ireland. Microsoft Azure may use cookies for service optimization, security, and performance monitoring. For more information, please visit Microsoft’s Privacy Statement.

4.4 AI Services. Brilio platform utilizes third-party services and products from companies such as OpenAI, Claude, LlamaIndex, etc. These services may place cookies on your device for authentication, session management, and personalization purposes. Please refer to each service provider’s cookie policy for specific details.

4.5 Other Third-Party Services. We integrate with various third-party services to enhance functionality, including analytics platforms, cloud services, and customer support tools. Each of these services may place cookies on your device in accordance with their own cookie policies.

5. SIMILAR TECHNOLOGIES

In addition to cookies, we may use other similar technologies to store and track information about your interaction with our Platform:

5.1 Web Beacons. Also known as “clear gifs” or “pixel tags,” web beacons are tiny graphics with a unique identifier that may be included on our Platform for tracking and analytics purposes.

5.2 Local Storage. We may use local storage technologies, such as HTML5 localStorage and indexedDB, to store information about your preferences and activities on our Platform.

5.3 Session Replay. We may use session replay technologies to understand how users interact with our Platform, helping us identify and fix usability issues.

5.4 Device Fingerprinting. In limited circumstances, we may use device fingerprinting to identify devices for security and fraud prevention purposes.

5.5 Cookie Information Disclosure. For transparency, we provide the following technical information about our use of cookies:

1. Cookie names and identifiers
2. Cookie domains and origins
3. Cookie types and purposes
4. Cookie lifespans

A detailed, regularly updated list of all cookies used on our Platform is available at brilio.ai/cookie-list.

5.6 Cross-Device Tracking. We may use cookies and similar technologies to recognize you when you use different devices to access our Platform. This enables us to provide a seamless experience across your devices. We achieve this through:

1. Device fingerprinting technologies that collect information about your device
2. Account-based recognition when you are logged in
3. Probabilistic matching techniques that analyze usage patterns

You can opt out of cross-device tracking by disabling third-party cookies in your browser settings or through our cookie preference center.

6. COOKIE MANAGEMENT

6.1 Browser Settings. Most web browsers allow you to control cookies through their settings. You can usually find these settings in the “Options” or “Preferences” menu of your browser. You can also consult the browser’s help menu for more information.

6.2 Platform Cookie Settings. We provide a cookie preference center on our Platform that allows you to selectively enable or disable non-essential cookies.

6.3 Third-Party Opt-Out Tools. For third-party cookies, you may opt out using tools provided by:

1. Google Analytics: Google Analytics Opt-out Browser Add-on
2. Digital Advertising Alliance: WebChoices Tool
3. European Interactive Digital Advertising Alliance: Your Online Choices

6.4 Do Not Track. Some browsers support a “Do Not Track” feature, which signals to websites that you do not want your online activities tracked. Since there is no industry standard for recognizing Do Not Track signals, our Platform currently does not respond to them.

7. IMPACT OF DISABLING COOKIES

7.1 Essential Cookies. Disabling essential cookies will significantly impair your ability to use our Platform, as these cookies are necessary for core functionality such as authentication, security, and session management.

7.2 Functional Cookies. Disabling functional cookies may result in reduced personalization and certain enhanced features becoming unavailable.

7.3 Analytics and Performance Cookies. Disabling analytics cookies will not affect your ability to use our Platform but may result in less optimized experiences over time as we will not have insights into user behavior to make improvements.

7.4 Targeting and Advertising Cookies. Disabling targeting cookies will not affect core Platform functionality but may result in less relevant advertisements being displayed to you on third-party websites.

8. DATA PROCESSING AND RETENTION

8.1 Data Collection. Information collected through cookies is processed in compliance with applicable data protection regulations, including GDPR. For detailed information on how we process personal data, please refer to our Privacy Policy.

8.2 Data Retention. Cookie data is retained for varying periods as specified in the lifespan descriptions above. For more detailed information on our data retention practices, please refer to our Data Retention and Deletion Policy.

8.3 Data Security. All sensitive data, including data collected through cookies, is encrypted both in transit and at rest using TLS 1.2 or higher for data in transit and AES-256 for data at rest. Our approach to data security follows Privacy by Design principles. We implement technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose is processed. This principle applies to cookie data collection, storage duration, accessibility, and the extent of processing.

8.4 Your Rights Regarding Cookie Data. Under applicable data protection laws, you have rights regarding your personal data, including data collected through cookies:

1. Right to Access: You can request information about what cookie data we have collected about you.
2. Right to Rectification: You can request correction of inaccurate data.
3. Right to Erasure: You can request deletion of your cookie data.
4. Right to Restriction of Processing: You can request that we limit how we use your cookie data.
5. Right to Data Portability: You can request a copy of your cookie data in a structured, machine-readable format.
6. Right to Object: You can object to our processing of your cookie data.
7. Rights Related to Automated Decision Making: You can request human intervention for decisions based solely on automated processing.

To exercise these rights, please contact us using the information in Section 12.

9. INTERNATIONAL DATA TRANSFERS

Cookie data may be transferred to and processed in countries outside your country of residence, including countries where our servers and third-party service providers are located, such as Ireland (EU), United States, and other countries where our technology partners operate. We maintain an updated list of all data processors and their locations in our Data Processing Agreement.

We ensure that such transfers comply with applicable data protection laws by implementing appropriate safeguards, such as Standard Contractual Clauses. For more information, please refer to our Data Sovereignty Addendum.

10. CHILDREN’S PRIVACY

The Brilio platform has no age restrictions (4+). However, we do not knowingly collect personal information from children under 13 years of age without verifiable parental consent. For more information on how we handle children’s data, please refer to our Child Safety Policy.

11. UPDATES TO THIS POLICY

11.1 Policy Changes. We may update this Cookie Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other purposes. When we make material changes to this policy, we will provide notice as appropriate, such as by displaying a prominent notice on our Platform or by sending you an email.

11.2 Notice Period. For any significant changes to our policies, including this Cookie Policy, we will provide users with a minimum 30 days’ notice. This notice will be communicated via email, in-app notifications, or other appropriate channels.

11.3 Compliance Audits. We regularly audit our cookie practices to ensure compliance with applicable laws and regulations. These audits include:

1. Technical reviews of implemented cookies
2. Assessment of consent mechanisms
3. Validation of cookie lifespans and purposes
4. Verification of proper data protection measures

We document these audits in our internal compliance records and make necessary adjustments to maintain legal compliance.

12. CONTACT US

If you have any questions, concerns, or requests regarding this Cookie Policy or our use of cookies, please contact us at:

Email: info@innovatica.ai
Phone: +971 509 083 742
Address: VUNE0632, Compass Building – Al Hulaila, Al Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates

13. LEGAL FRAMEWORK

This Cookie Policy is subject to the Governing Law and Dispute Resolution provisions set forth in our Master Terms of Service, which are incorporated by reference herein.

14. CONSENT

By continuing to use our Platform, you consent to the use of cookies and similar technologies as described in this Cookie Policy. You acknowledge that you have read and understood this policy and agree to be bound by its terms.