Privacy policy

    Effective Date: October 2, 2025

    Alethia ("Alethia," "we," "our," or "us") provides Sensory Intelligence™ services that help organizations perceive pattern emergence and act with foresight. This Privacy Policy explains how we collect, use, disclose, and protect Personal Data when we act as a controller (e.g., on our websites, for the Sensory Intelligence Quotient assessment, events, demonstrations, and communications). When we deliver our Sensory Intelligence™ platform to enterprise customers, we generally act as a processor (service provider), and that processing is governed by the customer agreement and the Data Processing Addendum (DPA), not this Policy.

    If you have questions, contact privacy@alethiaintel.com

    1. Scope & roles

    Controller activities (this Policy): Our websites and subdomains, contact forms, events, marketing communications, the Sensory Intelligence Quotient (SiQ™) assessment, demonstrations, and product analytics tied to these properties.

    Processor activities (governed by DPA): Enterprise deployments of the Sensory Intelligence™ platform and services where we process Customer Data solely under the customer's instructions.

    2. What we collect

    A. Personal data we collect as controller

    • Identity & contact: Name, work email, phone, company, role, region.
    • Professional profile: Department, seniority, functional area.
    • SiQ™ assessment responses: Answers, scores, benchmarks, free-text comments.
    • Website & usage data: Log data (IP addresses, timestamps), device/browser information, cookie IDs, session telemetry, page interactions, referring pages, and preference settings.
    • Communications: Inquiries, meeting notes (if you email us), webinar/event registrations, support tickets.
    • Media you provide: Files or messages you choose to upload when contacting us or requesting materials.

    B. Customer data we process as processor (enterprise deployments)

    Under customer control and configuration, our platform may process operational signals and contextual data (e.g., asset telemetry, infrastructure events, quality/defect data, supplier risk indicators, environmental inputs, market signals). Outputs may include derived insights (e.g., risk scores, prioritized alerts, recommended actions). The specific data sources, categories, and retention periods are determined by the customer.

    Platform architecture:

    • Core – Cross-dimensional pattern detection and knowledge graph
    • Edge – Distributed signal capture for IoT and field data
    • Pulse – Real-time monitoring and alerting
    • Flow – Data integration and orchestration
    • Studio – Design and simulation environment
    • Lens – Role-aware interface and contextual delivery

    The platform analyzes signals across the Five Dimensions of Perception (Temporal, Spatial, Behavioral, Systemic, Economic) to surface patterns and recommended actions.

    C. Sources

    You directly; your organization (customer). Connected systems, sensors, and data services configured by the customer. Service providers and commercial data partners. Public and licensed data sources for environmental/market context.

    3. How we use personal data (controller context)

    • Provide, maintain, secure, and improve our sites, content, SiQ™ assessment, and communications.
    • Generate assessment results (capability scores, benchmarks, recommendations).
    • Respond to inquiries; schedule briefings, demonstrations, or workshops; manage events.
    • Detect and prevent fraud or abuse; ensure integrity and security.
    • Comply with law and enforce our terms.

    We may aggregate or de-identify Personal Data and use it for analytics, research, and service improvement. We maintain de-identified data in de-identified form and will not attempt to re-identify it unless required by law.

    4. How we process data in enterprise deployments (processor context)

    When providing our platform to enterprise customers, we process Customer Data only under the customer's instructions and the DPA. The platform analyzes signals to surface patterns and recommended actions. Humans interpret, validate, and decide (unless a customer configures specific automated responses for defined control processes). Customers retain control over data sources, purposes, retention, and disclosures.

    5. Product Improvement, Fleet Learning, and your choices

    Enterprise Customer Data (processor): We do not use Customer Data from enterprise deployments to train generalized models or to build features for other customers unless the customer provides explicit written permission (e.g., DPA addendum) and we apply robust de-identification and aggregation.

    Fleet Learning (cross-deployment insights): With customer permission and using only de-identified/aggregated signal patterns and performance metadata, we may improve detection quality, pattern recognition, and recommendations across deployments—analogous to how vehicle fleets learn from aggregate road conditions. This process never exposes one customer's confidential data to another and never re-identifies individuals. Controls and opt-outs are honored per agreement.

    Websites, demonstrations, and assessments (controller): We may use de-identified/aggregated usage data to improve experience and accuracy, with consent where required (e.g., cookies/analytics preferences).

    Opt-out: Where applicable, you (or your organization) can opt out of analytics improvement that relies on your data by emailing privacy@alethiaintel.com or as provided in your customer agreement.

    6. Cookies & similar technologies

    We use cookies and SDKs to operate our site (strictly necessary), and—where required by law and with your consent—performance/analytics and functional cookies to improve experience and measure usage. Manage preferences via our cookie banner and browser controls. See our Cookie Notice for categories, providers, and retention periods.

    7. Legal cases (EEA/UK/Switzerland)

    • Contract performance (e.g., providing the assessment results you requested).
    • Legitimate interests (security, product analytics proportionate to impact, business-to-business communications).
    • Consent (non-essential cookies/marketing where required).
    • Legal obligations (compliance and regulatory requirements).

    8. Disclosures of personal data (controller context)

    • Service providers/subprocessors: Hosting, monitoring, security, analytics, support, communications—bound by contract to act on our instructions.
    • Affiliates: For uses consistent with this Policy.
    • Business transfers: In connection with a transaction (e.g., merger, acquisition), subject to appropriate safeguards.
    • Legal, safety, and integrity: To comply with law, enforce terms, protect rights, safety, and security.
    • Your organization: If you use a corporate email/account connected to a business account.
    • Third parties you choose: E.g., if you share links or connect third-party systems.

    We do not sell Personal Information or share it for cross-context behavioral advertising. We do not process sensitive Personal Information to infer characteristics.

    9. International transfers

    We may transfer personal data to countries with different data protection laws (including the United States) with appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) and the UK Addendum.

    EU/UK Representatives (if applicable): [EU Rep] · [UK Rep].

    Subprocessors: We maintain a current list at https://alethia.io/legal/subprocessors and provide notice of material changes where required.

    10. Security

    We employ administrative, technical, and organizational controls including encryption at rest and in transit, role-based access, least privilege principle, logging and auditing, vulnerability management, and incident response. We align to SOC 2 Type II controls and support sector-specific frameworks (e.g., NERC CIP, ISO 27001) as required by customer engagements. No system is perfectly secure; please use caution when sharing information.

    11. Retention

    • SiQ™ Assessment: 24 months (or earlier upon request).
    • Website logs/telemetry: 12–18 months.
    • Support tickets: 24 months after closure.
    • Enterprise deployments: Per customer agreement/DPA; deletion at termination or customer instruction.

    We may retain de-identified data for analytics, safety, and integrity purposes.

    12. Your rights & choices

    Depending on your location, you may have rights to access, delete, correct, port, object to processing, restrict processing, and withdraw consent where processing is based on consent. Submit requests to privacy@alethiaintel.com. We verify requests to protect your data. We honor Global Privacy Control (GPC) where required.

    CCPA/CPRA (California): We do not sell or share Personal Information for cross-context behavioral advertising and do not process sensitive Personal Information to infer characteristics. You have rights to know, delete, correct, and be free from discrimination for exercising rights.

    13. Automated decision-making & profiling

    We use analytics and machine learning to analyze signals, identify patterns, and prioritize risks and recommendations. In our controller context, we do not make solely automated decisions with legal or similarly significant effects on individuals. In enterprise deployments, any automated responses are customer-configured; Alethia provides controls, logs, and review mechanisms. Humans interpret, validate, and decide (unless a customer activates specific automated control processes).

    14. Children

    Our Services are intended for professional use and are not directed to children. We do not knowingly collect Personal Data from children under 13 (or under 16 in the EEA/UK). If you believe a child provided data to us, contact privacy@alethiaintel.com

    15. Regulated sector alignment

    Where customers operate in regulated sectors (insurance, energy/utilities, manufacturing, government/public sector), we support compliance with relevant frameworks such as NAIC model law, FERC/NERC CIP, ISO 9001/27001, NIST SP 800-53/800-171, and applicable state/federal data protection laws. Customer obligations remain defined by the customer agreement and DPA.

    16. Changes

    We may update this Policy from time to time. We will post the updated Policy with a new effective date and provide additional notice where required by law.

    17. Contact

    If you have questions about this Privacy Policy or how we handle your personal data, please contact us at: legal@alethiaintel.com