GLOBAL PRIVACY POLICY - AI PRODUCTS

1. PURPOSE AND SCOPE

1.1 This Privacy Policy explains how Inncircles Technologies Inc. (“Inncircles,” “we,” “our,” or “us”) collects, uses, shares, and protects Personal Data when any individual or entity (“you” or “Customer”):

  • visits or interacts with any Inncircles website, portal, or mobile application,
  • creates or administers an account for the Inncircles Construction AI Suite, including InnDoc AI, InnClock AI, and any future modules,
  • accesses our application programming interfaces (APIs) or software development kits (SDKs), or
  • communicates with us for sales, support, or professional services.

2. DEFINITIONS

For the purposes of this Privacy Policy:

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, whether or not by automated means.
  • "Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
  • "Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means a Processor engaged by Inncircles to assist in fulfilling Inncircles' obligations with respect to the Processing of Personal Data.
  • "Services" means the Inncircles Construction AI Suite, related APIs, professional services, and any associated support.

3. CATEGORIES OF PERSONAL DATA COLLECTED

3.1 Data you provide directly

  • Identification and contact details – name, business e-mail address, telephone number, job title, company name, and preferred language.
  • Authentication credentials – username, password, and multi-factor tokens.
  • Communication content – messages, feedback, survey responses, support requests.

3.2 Data created in the course of use

  • Usage and log data – IP address, browser type, device identifier, operating system, session start and end time, feature activation statistics, and error diagnostics.
  • AI interaction data – prompts, queries, chat transcripts, correction annotations, and model outputs.

3.3 Data uploaded or generated by Customers

  • Documents, images, time logs, forms, geolocation tags, and any metadata embedded in such files.
  • Structured and unstructured content stored or processed through integrations with third-party platforms such as enterprise resource planning systems or electronic signature services.

3.4 Data from third-party sources

  • Publicly available corporate information for compliance screening.
  • Integration data retrieved under Customer instruction from cloud storage, collaboration suites, or identity providers.

4. LEGAL BASES FOR PROCESSING

Inncircles Processes Personal Data only when at least one lawful basis under applicable law is satisfied. Common bases include:

  • Performance of a contract – to deliver the Services you have subscribed to.
  • Legitimate interests – to maintain platform security, prevent fraud, and improve product performance in ways that do not override your fundamental rights and freedoms.
  • Consent – for optional activities such as training Inncircles' machine-learning models on anonymised data or sending product-related marketing. You may withdraw consent at any time.
  • Legal obligation – where Processing is required to comply with tax, accounting, or regulatory mandates.

5. PURPOSES OF PROCESSING

We Process Personal Data strictly for the following purposes:

  • To create, maintain, and secure user accounts and workspaces within the Construction AI Suite.
  • To deliver contractual functionality, including document comprehension, attendance tracking, reporting, and integrations.
  • To provide technical support, troubleshooting, and incident response.
  • To monitor, analyse, and improve service performance, scalability, and usability.
  • To notify users of material changes to the Services or this Privacy Policy.
  • To comply with applicable laws, enforce our agreements, and protect Inncircles' rights, Customers, personnel, and property.

We never sell Personal Data. We do not use Personal Data for behavioural advertising unless we have obtained your explicit opt-in consent.

6. DATA SHARING AND DISCLOSURE

6.1 Within the Inncircles corporate group – Personnel with a need-to-know may access Personal Data under strict confidentiality and role-based access controls.

6.2 Sub-processors – We engage reputable infrastructure, analytics, and customer-support providers under written agreements that impose data protection obligations consistent with this Policy. A current list of Sub-processors is available upon request.

6.3 Integration partners – Data flows to third-party platforms only when you enable an integration or authorise an API call.

6.4 Legal disclosures – We may disclose Personal Data when legally compelled or when reasonably necessary to protect the vital interests of any person.

6.5 Business transfers – In the event of a merger, acquisition, or sale of assets, Personal Data may be transferred subject to confidentiality protections and the continuation of privacy commitments.

7. INTERNATIONAL TRANSFERS

Inncircles is headquartered in the United States and maintains infrastructure in multiple regions. Whenever Personal Data is transferred across borders, we apply one or more of the following safeguards:

  • European Commission Standard Contractual Clauses.
  • UK International Data Transfer Addendum.
  • EU–US Data Privacy Framework and any successor programme.
  • Adequacy decisions issued by competent authorities.
  • Binding corporate policies or intra-group agreements.

8. DATA SECURITY

Inncircles implements administrative, technical, and organisational measures aligned with ISO 27001 and SOC 2 Type II standards. Core controls include:

  • Encryption of data in transit with TLS 1.2 or higher and at rest with AES-256.
  • Segregated production environments and network firewalls.
  • Role-based access with multifactor authentication and least-privilege enforcement.
  • Continuous vulnerability scanning, penetration testing, and security monitoring.
  • Documented incident response procedures with customer notification within seventy-two hours of a confirmed breach involving Personal Data.

9. DATA RETENTION AND DELETION

Personal Data is retained only for the duration necessary to meet the purposes described in this Policy or longer if required by law. Default periods are:

  • Active subscription – data stored until the Customer deletes it or requests account closure.
  • Support logs – up to twelve months for audit and troubleshooting.
  • Backup archives – thirty days in encrypted form before automated purge.

Upon verified request, Inncircles will delete or return Personal Data in a machine-readable format unless retention is mandated by applicable law.

10. YOUR PRIVACY RIGHTS

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or update Personal Data.
  • Request deletion or anonymisation.
  • Object to or restrict Processing.
  • Receive a portable copy of Personal Data.
  • Withdraw consent at any time.
  • Complain to a supervisory authority.

Requests on the above can be made by emailing info@inncircles.com. We will respond within the timeframe required by law, generally thirty days.

11. CHILDREN'S PRIVACY

The Services are directed to business users. We do not knowingly collect Personal Data from anyone under sixteen years of age. If we learn that such data has been collected, we will delete it without undue delay.

12. CHANGES TO THIS POLICY

We reserve the right to revise this Privacy Policy to reflect changes in law or our Services. Material updates will be announced via email or in-product notifications at least thirty days before the new version takes effect.

DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement (“Agreement”) is entered into by and between the entity identified in the Order Form or Master Subscription Agreement (“Controller”) and Inncircles Technologies Inc. (“Processor”). It supplements each contract governing the provision of Services.

1. SUBJECT MATTER, TERM, AND SCOPE

1.1 The Processor will process Personal Data solely to provide and support the Services set forth in the underlying agreement.

1.2 This Agreement takes effect on the effective date of the underlying agreement and continues until deletion or return of all Personal Data in accordance with section 11.

2. ANNEX I – DETAILS OF THE PROCESSING

Item | Description
A. Data exporter (Controller) | The Customer entity identified in the Order Form or Master Subscription Agreement.
B. Data importer (Processor) | Inncircles Technologies Inc., 16192 Coastal Hwy, Lewes, Delaware 19958, USA.
C. Purpose of processing | Provision of the Inncircles Construction AI Suite (InnDoc AI, InnClock AI, and future modules), including hosting, support, analytics, and optional model-training improvements if Customer opts in.
D. Nature of processing | Collection, storage, retrieval, display, transmission, analysis (ML/NLP), comparison, reporting, and deletion of Customer-provided data.
E. Categories of data subjects | Employees, subcontractors, consultants, suppliers, and any individuals whose personal data appears in documents or logs uploaded by the Customer.
F. Categories of personal data | Contact details, identification photos, document text, images, time logs, geotags, device/user IDs, authentication data, AI prompts/outputs, and any metadata embedded in those files.
G. Sensitive data processed | Not anticipated. If the Customer uploads special-category data, it is processed only under the Customer's instructions and protected by the same Terms of Use (TOMs).
H. Frequency of processing | Continuous for the term of the subscription; intermittent for ad-hoc uploads or API calls initiated by the Customer.
I. Retention period | For the subscription term, plus up to 30 days (for live systems) and 90 days (for encrypted backups), unless a different period is required by law or the Customer instructs earlier deletion.

3. CONTROLLER OBLIGATIONS

Controller represents and warrants that:

  • It has complied with all obligations to provide notices and obtain consents required by applicable law.
  • It will not instruct the Processor to Process Personal Data in a manner that violates any law.

4. PROCESSOR OBLIGATIONS

Processor shall:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure that persons authorised to Process Personal Data are bound by confidentiality.
  • Implement appropriate security measures described in Annex II.
  • Assist the Controller in fulfilling data subject requests, data protection impact assessments, and consultations with supervisory authorities.
  • Notify the Controller without undue delay, and no later than seventy-two hours after confirmation, of any Personal Data breach.
  • Make audit reports and certifications available, and allow reasonable inspections, subject to confidentiality requirements.

5. SUB-PROCESSORS

The Processor may engage Sub-processors provided that:

  • The Processor enters into a written contract with equivalent data protection obligations.
  • The Processor remains liable for the acts and omissions of its Sub-processors.

6. INTERNATIONAL TRANSFERS

Where transfers of Personal Data to a country without adequate protection are necessary, the Processor shall implement a valid transfer mechanism, including the Standard Contractual Clauses module two or any successor instrument.

7. ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES

Control domain | Key measures (public-facing summary)
Governance & risk | ISO 27001-aligned ISMS overseen by a CISO; annual risk and DPIA reviews.
Access control | RBAC enforced through SSO & MFA; least-privilege and time-bound admin access.
Encryption | TLS 1.2+ for data in transit; AES-256 for data at rest; keys managed in AWS KMS.
Infrastructure security | Isolated VPCs, WAF-protected endpoints, continuous vulnerability management & quarterly pen-tests.
Monitoring & incident response | 24×7 SIEM, log retention ≥12 months, breach notification ≤72 h.
Application & model security | Secure SDLC, automated code scans, prompt-injection defences, and tenant isolation.
Business continuity | Daily encrypted backups to secondary region; RPO ≤ 24 h, RTO ≤ 4 h.
Sub-processor oversight | Written DPAs, annual reassessments, and advance notice of changes.
Data deletion | Customer-triggered deletion in live systems ≤30 days; backups ≤90 days; media wiped per NIST 800-88.

8. DATA SUBJECT REQUESTS

The Processor shall promptly forward any data subject request received directly to the Controller, unless prohibited by law or regulation. The Processor shall provide reasonable assistance in facilitating the response.

9. DATA RETURN AND DELETION

Upon termination or expiry, Processor will, at Controller's choice, return all Personal Data or delete it from live systems within thirty days and from backups within ninety days, unless retention is required by law.

10. LIABILITY AND INDEMNITY

The liability limitations in the Master Subscription Agreement apply equally to this Agreement. Each party shall indemnify the other for losses arising out of its breach of this Agreement or applicable data protection laws, subject to the limitations specified herein.

11. GOVERNING LAW AND DISPUTE RESOLUTION

This Agreement is governed by the law as stated in the Master Subscription Agreement. Any dispute shall be resolved in accordance with that agreement's venue and dispute resolution provisions.

TERMS OF USE

1. ACCEPTANCE OF TERMS

By creating an account, executing an Order Form, or using any portion of the Services, you agree to be bound by these Terms, the Privacy Policy, and the DPA. If you do not agree, you must not use the Services.

2. LICENSE AND USE RESTRICTIONS

2.1 Subject to timely payment of all fees, Inncircles grants you a limited, revocable, nonexclusive, and nontransferable right to access and use the Services for your internal business purposes.

2.2 You shall not:

  • Copy, modify, or create derivative works of the Services.
  • Reverse engineer, decompile, or attempt to derive the source code of any component.
  • Circumvent security features or access the Services to build a competing product or service.
  • Upload or transmit any content that is unlawful, harmful, or infringes intellectual property rights.

3. ACCOUNTS AND SECURITY

You must maintain the confidentiality of your authentication credentials and promptly notify Inncircles of any unauthorised use or security incident. You are responsible for the actions of anyone who accesses the Services using your credentials.

4. FEES AND PAYMENT

4.1 Subscription fees, billing frequency, and payment methods are specified in the Order Form.

4.2 Late payments may incur interest at a defined percentage per month or the maximum rate permitted by law. Inncircles may suspend Services for nonpayment after prior written notice.

5. SERVICE LEVELS AND SUPPORT

Service availability and support response targets are set out in the Service Level Agreement (“SLA”), which forms part of your subscription. Remedies for SLA failures are your sole and exclusive remedy for any unavailability of the Services.

6. INTELLECTUAL PROPERTY

All intellectual property rights in and to the Services and underlying technology are and will remain the exclusive property of Inncircles and its licensors. Customer content remains the property of Customer.

7. CONFIDENTIALITY

Each party agrees to protect the other party's Confidential Information with the same degree of care it uses to protect its own information of like importance, but never with less than reasonable care. The confidentiality obligations remain in effect for five years after termination, except for trade secrets, which continue to be confidential as long as they are considered trade secrets.

8. LIMITATION OF LIABILITY

Neither party will be liable for any consequential, incidental, or special damages. The total aggregate liability of each party arising under these Terms will not exceed the amount paid or payable by Customer to Inncircles for the twelve months preceding the event giving rise to the claim.

9. WARRANTY DISCLAIMER

Except as expressly stated in a service level commitment, the Services are provided “as is” and “as available.” Inncircles disclaims all implied warranties, including merchantability, fitness for a particular purpose, and non-infringement.

10. TERM, TERMINATION, AND SUSPENSION

10.1 These Terms remain in effect for the duration of the subscription term, unless terminated earlier.

10.2 Either party may terminate for material breach not cured within thirty days after written notice.

10.3 Upon termination, all licenses terminate, and Customer shall cease using the Services. Sections concerning fees due, confidentiality, intellectual property, warranty disclaimer, limitation of liability, and governing law survive termination.

11. GOVERNING LAW AND VENUE

If the Customer entity is organised within the United States, these Terms are governed by the laws of the State of Delaware without regard to conflict-of-law rules, and any dispute shall be litigated exclusively in state or federal courts located in Wilmington, Delaware. If the Customer entity is organised outside the United States, the law and forum stated in the Master Subscription Agreement will apply.

12. CHANGES TO TERMS

Inncircles may modify these Terms by providing at least thirty days' notice. Continued use of the Services after the effective date constitutes acceptance of the revised Terms.

© 2025 Inncircles Technologies Inc. All rights reserved.