Privacy Policy

Effective date: May 13, 2026  ·  Proceva Inc.  ·  privacy@proceva.ai

Proceva Inc. ("Proceva", "we", "us") operates Proceva Compass, an AI readiness assessment platform at proceva.ai. This policy explains what personal data we collect, why we process it, how long we keep it, who we share it with, and your rights as a user.

Data controller

Proceva Inc. is the data controller for personal data collected through proceva.ai. Where Proceva processes personal data on behalf of a business customer (for example, when a company's employees use Proceva Compass under a subscription), Proceva acts as a data processor for that business customer's data, and the business customer acts as the data controller. For questions or data requests, contact us at privacy@proceva.ai.

What we collect

We collect only information you explicitly provide:

• Assessment responses — the answers you enter during a Compass assessment. Used only to generate your report. If you do not save your report, these responses are not retained after your session ends.
• Name, email, and company name — collected only if you choose to save your report. Providing this is entirely optional.
• Marketing consent preference — recorded if you choose to opt in to follow-up emails when saving your report. We retain this record to document the basis for any follow-up communications we send you.
• Technical logs — limited security and administrative event logs (including IP address and browser type) recorded only for failed authentication attempts, unauthorized access probes, and administrative actions. These are not collected during normal assessment usage and are not used for marketing or profiling.

We do not use advertising cookies, tracking pixels, or third-party marketing analytics scripts. We do use Google Fonts for typography, which may result in your browser making a request to Google's servers. See the Subprocessors section below for details.

AI processing and no-training guarantee

Your assessment responses are processed via the Anthropic Claude API (operated by Anthropic, PBC), which maintains enterprise-grade data isolation and SOC 2 Type II compliance. Response data is stored and served from Microsoft Azure infrastructure. Your data is used for inference only — to generate your report — and is not retained by our AI subprocessors beyond the immediate generation window.

We do not use your assessment responses or contact data to train, tune, fine-tune, or improve any third-party AI or machine learning model, including the model used to generate your report. Your responses are used solely to generate your report. De-identified outcome data may be used to improve Proceva's own scoring engine and benchmarks as described in the How We Use section above.

Automated processing and your right to human review

We use automated systems and profiling to analyze your assessment responses in order to personalize your experience and generate your readiness results. In certain instances, this processing may result in recommendations that significantly affect your organization's planning decisions.

We do not make fully automated decisions that produce legal or similarly significant effects without meaningful human review, unless the decision is necessary for a contract, authorized by law, or you have given explicit consent. You have the right to challenge any automated recommendation, express your point of view, and request that a qualified member of our team manually review the output. You can exercise this right by contacting us at privacy@proceva.ai.

How we use your information

We use personal data to:

• Generate and deliver your AI readiness report via Proceva Compass
• Send you a permanent retrieval link if you save your report
• Send automated follow-up check-ins at 30, 60, and 90 days — only if you explicitly consent to receiving them at the time you save your report. You may withdraw this consent at any time by clicking the unsubscribe link in any check-in email or by emailing privacy@proceva.ai
• Provide customer support and respond to your requests
• Detect and prevent security incidents and abuse
• Improve Proceva Compass's scoring accuracy — assessment outcomes including recommendation type, scores, industry, and a truncated process description (up to 200 characters of what you enter) may be retained in our internal calibration dataset. Your name, email, company name, and full conversation content are never used for this purpose

We do not use your information for advertising, profiling for marketing, or any purpose beyond those listed above.

What we never do

• We do not sell your personal data to any third party
• We do not share your data with advertisers or data brokers
• We do not use your data to train, fine-tune, or improve any third-party AI or machine learning model, including the model used to generate your report. Proceva's internal scoring engine is calibrated using anonymized performance metrics and metadata — such as process categorization, industry, and model scores — but never the text of your conversations or any personally identifiable information
• We do not engage in automated decision-making that produces legal or similarly significant effects on individuals
• We do not commingle your data with other customers' data in a way that exposes it to other customers

Subprocessors and data storage

We use the following third-party subprocessors to operate Proceva Compass:

• Anthropic, PBC — AI inference (Claude API). SOC 2 Type II certified. Data used for inference only; not retained for training.
• Microsoft Azure — data storage and application hosting. SOC 2 and ISO 27001 certified.
• PDFShift — PDF report generation. Assessment report content is transmitted to generate downloadable PDFs. PDFShift processes this data solely to render the PDF and does not retain it. See PDFShift's Privacy Policy.
• Resend — transactional email delivery (report links, follow-up check-ins). Email address and report retrieval link are transmitted to deliver emails on Proceva's behalf. See Resend's Privacy Policy.
• Google Fonts — web font delivery. Google may log IP addresses when fonts are requested from their CDN. No personally identifiable data from Proceva is shared with Google for this purpose. See Google's Privacy Policy.

Data is primarily processed and stored in the United States. For users in the EEA or UK, international transfers rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms. A current list of subprocessors is available on request at privacy@proceva.ai.

Data retention

• Unsaved assessment sessions — data is not stored after your session ends
• Saved reports and contact data — retained for up to 24 months from last activity, then deleted or de-identified, unless you request earlier deletion or applicable law requires a different period
• Technical logs — security and administrative event logs retained for up to 12 months, then deleted. Normal assessment requests do not generate persistent technical logs
• Aggregate calibration data — de-identified outcome data may be retained indefinitely for scoring calibration. This data contains no personal information

Security

We implement administrative, technical, and physical safeguards appropriate to the risk, including use of Microsoft Azure with industry-standard certifications. No system is perfectly secure. In the event of a confirmed security incident affecting your personal data, we will notify affected users and relevant regulators as required by applicable law, without undue delay.

European Economic Area and United Kingdom (GDPR)

Legal basis for processing

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data under the following legal bases:

• Contract performance — processing your assessment responses is necessary to deliver the Proceva Compass report you requested
• Consent — sending automated follow-up check-in emails at 30, 60, and 90 days. You provide this consent explicitly via a checkbox when you save your report. You may withdraw consent at any time by clicking the unsubscribe link in any check-in email or by emailing privacy@proceva.ai. Withdrawal does not affect the lawfulness of any processing that occurred prior to withdrawal
• Legitimate interest — security and fraud prevention, technical logging, and scoring calibration using aggregate outcome data. We have assessed that these interests are not overridden by your rights and freedoms
• Legal obligation — where applicable law requires us to retain or disclose data

Where we rely on legitimate interest, you have the right to object at any time by contacting privacy@proceva.ai. Where we rely on consent, you may withdraw it at any time by clicking the unsubscribe link in any follow-up email or by contacting privacy@proceva.ai. Withdrawing consent will stop any future follow-up emails.

Your GDPR rights

If you are located in the EEA or UK, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate personal data
• Erasure — request deletion of your personal data ("right to be forgotten")
• Restriction — request that we limit processing of your personal data
• Portability — receive your personal data in a structured, machine-readable format
• Object — object to processing based on legitimate interest, including for direct marketing
• Lodge a complaint — with your local data protection supervisory authority

To exercise any of these rights, email privacy@proceva.ai. We will respond within 30 days as required by GDPR, with a possible one-month extension for complex requests.

International transfers

Your personal data is primarily processed and stored in the United States. Transfers from the EEA or UK to the United States are governed by Standard Contractual Clauses (SCCs, Module 2 — Controller to Processor) or other lawful transfer mechanisms. For questions about transfer safeguards, contact privacy@proceva.ai.

Data processing agreements

Business customers subject to GDPR whose use of Proceva Compass involves processing personal data of EEA or UK individuals may request a Data Processing Agreement (DPA) by emailing privacy@proceva.ai.

California residents (CCPA / CPRA)

How we handle California personal information

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), may provide you with additional rights regarding your personal information.

Proceva Compass is a business-to-business (B2B) service. We process personal information in the context of business relationships and do not target consumers. To the extent the CCPA applies to our processing of your personal information, the following applies:

• We do not sell your personal information to third parties
• We do not share your personal information for cross-context behavioral advertising
• We process personal information solely for the business purposes described in this policy and our Terms of Service
• We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA

Your California rights

Subject to certain exceptions and limitations, California residents may have the right to:

• Know — request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we share it
• Delete — request deletion of personal information we have collected from you
• Correct — request correction of inaccurate personal information
• Opt out — opt out of the sale or sharing of personal information (we do not sell or share personal information)
• Non-discrimination — we will not discriminate against you for exercising your CCPA rights

How to submit a request

To exercise your California rights, email privacy@proceva.ai. We will respond within 45 days as required by law, with a possible 45-day extension upon notice. We may need to verify your identity before processing your request.

Categories of personal information collected

In the past 12 months, we have collected the following categories of personal information (as defined under the CCPA): identifiers (name, email address); professional or employment-related information (company name); internet or other electronic network activity information (IP address, browser type, and timestamps, recorded only for security event logging and administrative actions — not collected during normal assessment usage); and inferences drawn from assessment responses to generate your assessment report. We have not collected sensitive personal information as defined under the CPRA.

Your rights (all users)

Regardless of your location, you may request access to, correction of, or deletion of your personal data at any time by emailing privacy@proceva.ai. You may withdraw your consent to receive follow-up check-in emails at any time by clicking the unsubscribe link in any check-in email or by emailing us directly.

Disclaimer of advice and limitation of liability

Proceva Compass provides information and AI readiness recommendations based solely on the responses you enter during the assessment. Output from Proceva Compass does not constitute professional, legal, financial, or technical advice.

Recommendations are generated based on the information you provide and are intended as a starting point for your own evaluation. You are solely responsible for any decisions made — including whether to build, buy, or walk away from an AI initiative — and for all outcomes that result from those decisions.

To the fullest extent permitted by applicable law, Proceva Inc. accepts no liability for any loss, cost, damage, or adverse outcome arising directly or indirectly from reliance on any output, recommendation, or report generated by Proceva Compass.

Children

Proceva Compass is intended for business use by adults (18 years or older). We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a minor, contact privacy@proceva.ai and we will take steps to delete it promptly.

Changes to this policy

We will post material changes on this page and update the effective date above. For significant changes, we will provide notice by email or in-product notification where practicable. Your continued use of Proceva Compass after any update constitutes acceptance of the revised policy.

Questions or data requests: privacy@proceva.ai