Privacy Policy

Effective Date: July 15, 2025
Last Updated: July 15, 2025

Alt Option Shift, LLC, a Delaware limited liability company, doing business as PreMortem ("PreMortem," "we," "us," or "our") respects your privacy and is committed to protecting it through our compliance with this Privacy Policy ("Policy").

This Policy describes the types of information we may collect from you or that you may provide when you use the Gnosis AI Platform ("Platform"), and our practices for collecting, using, maintaining, protecting, and disclosing that information.

1. SCOPE AND APPLICATION

1.1 What This Policy Covers

This Policy applies to information we collect:

  • Through the Gnosis AI Platform
  • In email and other electronic communications between you and us
  • When you create an account or use Platform features
  • Through uploaded documents and content (when that feature is enabled)

1.2 What This Policy Does Not Cover

This Policy does not apply to information collected by:

  • Third-party services integrated with our Platform
  • Any other websites or applications operated by us or third parties
  • Offline interactions or communications

1.3 Agreement to This Policy

By accessing or using the Platform, you agree to this Policy. If you do not agree with our policies and practices, do not use the Platform.

2. INFORMATION WE COLLECT

2.1 Personal Information

We collect the following types of personal information:

  • Identity Information: First and last name, email address
  • Professional Information: Company name and affiliation
  • Account Information: Username and authentication credentials
  • Communication Data: Chat histories, messages, and Platform interactions
  • Content Data: Documents, files, and other content you upload (when that feature is enabled)

2.2 Automatically Collected Information

We automatically collect:

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Information: Access times, pages viewed, features used, click patterns
  • Technical Information: Error logs, performance data, system diagnostics

2.3 Third-Party Authentication

When using Microsoft OAuth for authentication, we may receive:

  • Basic profile information from your Microsoft account
  • Email address and name associated with your Microsoft account
  • Authentication tokens (which we do not store permanently)

3. HOW WE COLLECT INFORMATION

3.1 Direct Collection

We collect information directly when you:

  • Create an account
  • Upload documents or submit content (when that feature is enabled)
  • Interact with the AI platform through chat or other features
  • Contact us for support or feedback

3.2 Automatic Collection

We automatically collect information through:

  • Cookies and Similar Technologies: We use session cookies for authentication and functionality
  • Analytics Tools: Including error tracking and usage monitoring services
  • Server Logs: Automatic logging of Platform access and usage

3.3 Third-Party Integrations

We collect information through our integration with:

  • Authentication: Microsoft OAuth — authentication services
  • Email service: Resend — automated communications
  • Error tracking & analytics: AppSignal — system monitoring and performance
  • AI processing: OpenAI — for generating AI-powered responses and insights
  • Hosting: DigitalOcean — for hosting the web application and storing data

4. HOW WE USE YOUR INFORMATION

4.1 Platform Services

We use your information to:

  • Provide access to the Gnosis AI Platform
  • Process your requests and generate AI responses
  • Facilitate PreMortem methodology exercises
  • Provide strategic advice and coaching features
  • Enable document analysis and knowledge management

4.2 Service Improvement

We use your information to:

  • Enhance Platform functionality and user experience
  • Develop new features and capabilities
  • Conduct quality control and service optimization
  • Analyze usage patterns and Platform performance

4.3 Communication

We use your information to:

  • Send service-related notifications
  • Provide customer support
  • Respond to your inquiries and requests
  • Send important Platform updates

4.4 Legal and Security

We use your information to:

  • Comply with legal obligations and requests
  • Protect against fraud and unauthorized access
  • Maintain Platform security and integrity
  • Enforce our Terms of Service

5. LEGAL BASIS FOR PROCESSING

We process only two categories of personal information - your business e‑mail address and name - and we do so on the following bases:

  • Contract Performance: to create your account, authenticate you, and deliver the Platform services your company has ordered.
  • Legitimate Interests: to secure the Platform, monitor performance, and improve functionality in ways that do not override your privacy rights.
  • Legal Compliance: to satisfy applicable laws, court orders, and regulatory requirements.

We do not process any sensitive personal information.

6. INFORMATION SHARING AND DISCLOSURE

6.1 Company Information

Your company owns the content and data you provide. We maintain confidentiality but may use aggregated, anonymized insights to improve the Platform.

6.2 Service Providers

We may share information with third-party service providers who assist us in:

  • Platform hosting and infrastructure (DigitalOcean)
  • AI processing services (OpenAI)
  • Email communications (Resend)
  • Error tracking and analytics (AppSignal)
  • Code repository management (GitHub)

All third‑party service providers we rely on operate under their own SaaS terms, which include confidentiality and data‑protection commitments. They may process your information only to deliver their services to PreMortem and for no other purpose.

6.3 Legal Disclosures

We may disclose information when required by law or to:

  • Comply with court orders, subpoenas, or legal processes
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or others
  • Investigate fraud or security incidents

6.4 Business Transfers

If PreMortem is involved in a merger, acquisition, reorganisation, or sale of substantially all of its assets, any limited personal information we hold may be transferred to the successor entity only under the following safeguards:

  1. The transfer remains subject to this Privacy Policy (or a policy offering materially equivalent protection).
  2. Your company administrator will receive advance notice and may instruct us to delete the data instead of transferring it.

No other disclosure or sale of personal information is contemplated.

6.5 What We Don't Do

We do not:

  • Sell your personal information to third parties
  • Use your data to train AI models for external purposes
  • Share your specific content with other companies or users

7. DATA RETENTION

7.1 Retention Period

We retain your information for the duration of your company’s active engagement and for up to twelve (12) months thereafter, unless your company administrator instructs us to delete it sooner as permitted in the Statement of Work. Audit logs are retained for one (1) year from the date each log entry is created. Aggregated, anonymized analytics may be retained indefinitely.

7.2 Early Deletion

We will delete your information earlier upon:

  • Request from your company administrator
  • Termination of your company's engagement (if requested)
  • Legal requirement to delete

7.3 Backup Systems

Backup snapshots are retained for 7 days and are automatically purged after that period.

8. DATA SECURITY

8.1 Security Measures

We implement industry-standard security measures including:

  • Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest
  • Access Controls: Role-based access and authentication requirements
  • Application Security: Protection against XSS, CSRF, and SQL injection attacks
  • Infrastructure Security: Secure hosting environment with firewalls and monitoring
  • Annual third‑party penetration testing of the Platform

8.2 Ruby on Rails Security

Our Platform leverages Ruby on Rails' built-in security features including:

  • Secure session management
  • CSRF protection
  • SQL injection prevention
  • XSS filtering

8.3 Your Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your login credentials
  • Using strong, unique passwords
  • Reporting suspected security incidents promptly

8.4 Limitations

While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security of information transmitted over the internet.

8.5 Security Incident Notification

In the event of a confirmed security incident, PreMortem will notify affected company administrators within forty‑eight (48) hours of confirmation and will provide timely updates until resolution.

9. YOUR RIGHTS AND CHOICES

9.1 Access and Correction

You may:

  • Access your personal information held by us
  • Request correction of inaccurate information
  • Delete any and all chat messages

9.2 Data Portability

You may request a copy of your personal information in a structured, machine-readable format.

9.3 Deletion Rights

You or your company administrator may request deletion of:

  • Your individual account and associated data
  • All company-related data (company administrator only)
  • Specific content or documents

9.4 Communication Preferences

You may:

  • Opt out of non-essential communications
  • Update your email preferences
  • Request to stop receiving certain types of notifications

9.5 Exercising Your Rights

To exercise these rights, contact us at david@kidder.net or through your company administrator.

10. INTERNATIONAL DATA TRANSFERS

10.1 U.S.-Based Service

Our Platform operates primarily in the United States. Your information is processed and stored in the U.S.

10.2 Third-Party Services

All primary processing and storage for the Platform take place on infrastructure located in the United States. If any sub‑processor must handle data outside the U.S. for redundancy or support, that transfer will occur only under recognized safeguards (e.g., Standard Contractual Clauses) and will be disclosed to your company in advance.

11. CHILDREN'S PRIVACY

The Platform is intended for use by adults aged 18 and older in professional settings. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected information from someone under 18, we will delete it promptly.

12. CALIFORNIA PRIVACY RIGHTS

12.1 CCPA Rights

If you are a California resident, you have the right to:

  • Know what personal information we collect and how we use it
  • Request deletion of your personal information
  • Opt out of the sale of personal information (though we do not sell personal information)
  • Not be discriminated against for exercising these rights

12.2 Exercising CCPA Rights

To exercise these rights, contact us at david@kidder.net. We will verify your identity before processing requests.

13. COOKIES AND TRACKING TECHNOLOGIES

13.1 Types of Cookies

We use two first‑party cookie types:

  • Strictly Necessary Cookies – a session cookie required for secure login and CSRF protection.
  • Performance Cookies – a small AppSignal cookie that helps us measure error rates and page‑load times.

We do not use advertising, analytics, or preference‑saving cookies.

13.2 Cookie Management

You can disable or delete cookies through your browser settings.

Please note that blocking our strictly necessary session cookie will prevent you from logging in, and blocking our performance cookie will limit error tracking that helps us keep the Platform stable.

14. CHANGES TO THIS POLICY

14.1 Policy Updates

We may update this Policy periodically. Material changes will be communicated by:

  • Email notification to registered users
  • Notice on the Platform
  • Updated "Last Modified" date at the top of this Policy

14.2 Continued Use

Your continued use of the Platform after changes become effective constitutes acceptance of the updated Policy.

15. CONTACT INFORMATION

15.1 Privacy Questions

For questions about this Policy or our privacy practices, contact us at:

Email: david@kidder.net

Mail: Alt Option Shift, LLC (DBA PreMortem), David Kidder, Greenhaven Rd, Rye, NY 10580

15.2 Data Protection Officer

For specific data protection inquiries, you may contact our designated privacy contact at david@kidder.net.



BY USING THE GNOSIS AI PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY.