Security & Privacy

Enterprise-grade security and AI privacy built into every layer of VirtualBackroom.ai

AI Data Privacy

API-Based AI Processing

We use AI providers through their commercial API services. According to their published policies (as of November 2025), API data is generally not used for model training:

  • OpenAI API: By default, data submitted via the API is not used to train models (Enterprise Privacy)
  • Google Gemini API: Data processed through Vertex AI is not used for model training (Data Processing Terms)
  • Anthropic API: Commercial API usage does not contribute to model training (Privacy Policy)

Important: Provider policies may change. We recommend reviewing each provider's current terms for the most up-to-date information. Some providers may retain data temporarily for abuse monitoring or service improvement purposes.

How We Handle AI Interactions

API-Based Processing

Your data is sent to AI providers via secure APIs for processing. We use commercial/enterprise API tiers where available, which typically offer stronger privacy protections.

Limited Retention

AI providers may temporarily retain data for abuse monitoring (typically 30 days for OpenAI, varies by provider). Check each provider's data retention policy for specifics.

No Training Opt-Out Needed

We use API endpoints that default to not using your data for model training. This is a standard feature of commercial API access from major providers.

Multi-Provider Approach

Access multiple AI models (GPT-4, Gemini, Claude) with consistent privacy practices across providers, plus intelligent fallback for reliability.

Encryption & Security

Encryption in Transit

All data transmitted between your browser, our servers, and AI providers uses:

  • TLS 1.2+ encryption
  • HTTPS-only connections
  • Secure API endpoints

Secure Infrastructure

Our platform infrastructure includes:

  • Secure cloud hosting
  • Environment variable encryption for API keys
  • No plaintext credential storage

AI Provider Security: All our AI providers (OpenAI, Google, Anthropic) maintain SOC 2 Type II compliance and enterprise-grade security certifications for their API infrastructure.

Data Handling Practices

| Data Type | How It's Used | Retention |
|---|---|---|
| AI Conversations | Processed by AI providers for immediate response | Ephemeral - not stored by AI providers |
| Uploaded Documents | Analyzed for regulatory compliance checks | Session-based or user-controlled |
| Account Information | Authentication and personalization | Stored securely in our database |
| Assessment Results | Track your compliance progress | Stored for your reference |

Important: We never sell, share, or monetize your data. Your regulatory information is used solely to provide you with compliance assistance.

Authentication & Access Control

Secure Authentication

  • OAuth 2.0 with PKCE for secure login
  • Support for Google, GitHub, and Apple sign-in
  • Secure session management
  • Token validation with expiration checks

Access Control

  • Invite-only access during beta
  • Role-based permissions
  • Automatic session timeout
  • Secure logout with session cleanup

AI Provider Privacy Policies

We integrate with major AI providers through their commercial APIs. Review each provider's current policies for the most accurate information:

  • OpenAI: API data not used for training by default
  • Google Gemini: Vertex AI processing terms apply
  • Anthropic: Commercial API terms for Claude
  • Perplexity: API usage and data handling

Multi-Provider Architecture: Our intelligent fallback system (Gemini → OpenAI → Anthropic → Perplexity) provides reliability. We encourage you to review each provider's current data handling policies.

Your Controls & Transparency

Account Management

Manage your profile, preferences, and access settings at any time.

Conversation History

View and manage your AI conversation history for compliance tracking.

Data Export

Request export of your data for your records or auditing purposes.

Security Questions?

If you have questions about our security practices or need additional information for your compliance requirements, please contact us.
