AI data handling

Last updated

This page states precisely when your data is transmitted to a third-party AI model and when it is not. The rule in one line: document content reaches an AI provider only as the direct result of an action you took, never as a side effect.

Principles

  • Extraction is local. Reading text out of your uploaded files (PDF, DOCX, PPTX, XLSX, CSV) happens in your browser, client-side. Uploading a file transmits it to storage — not to any AI model.
  • Transmission is explicit. Content goes to an AI provider only when you trigger an AI action on it: generate a summary, a brief, a memo; run a review; submit verification evidence for classification.
  • Scope is per-user. AI requests are built from data your account can read under Row Level Security. There is no cross-tenant context, ever.

When data reaches an AI provider

ActionWhat is sent
AI panel conversationYour message plus page context from your own data
Document review / summaryThe text of the specific document you requested analysis on
Deal brief / investment memoThe company's profile or watchlist data you can already see
Intake parsingThe text you pasted or files you uploaded to the parser
Verification classificationThe evidence document you submitted to the slot

Requests are processed through the provider's API under API data-use terms — API inputs are not used to train the provider's models.

What never happens

  • No document is sent to an AI provider because you uploaded it.
  • No background job reads your documents into a model without an action from you.
  • No AI request ever includes another user's private data.
  • Nothing the AI produces is shown to a counterparty without your confirmation.

Technical safeguards

  • AI provider keys live server-side as encrypted secrets — never in the browser bundle.
  • All AI calls route through server functions that enforce authentication, rate limits, and timeouts.
  • Usage is metered per user per day, bounded by plan limits.