Overview
SchneeAI is a platform for operating AI features in production. This policy explains what personal data we process, why, on what lawful basis, how long we keep it, who we share it with, and the controls available to you.
Controller and contact
The data controller responsible for your personal data is the legal entity operating SchneeAI. Entity name, registered address, and jurisdiction will be confirmed before general availability.
For privacy questions or to exercise any right in this policy, contact us at hello@schneeai.com. A dedicated Data Protection Officer or EU representative will be designated before general availability if required by applicable law.
Lawful basis (GDPR)
Where SchneeAI processes personal data of individuals in the European Economic Area or the United Kingdom, we rely on the following lawful bases under Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)) — operating the platform, routing requests, recording audit events, and billing for usage as agreed with the customer.
- Legitimate interests (Art. 6(1)(f)) — detecting and preventing abuse, monitoring service reliability, and improving core functionality, balanced against your privacy interests through configuration controls and data minimization.
- Legal obligation (Art. 6(1)(c)) — retaining records to meet applicable accounting, tax, or regulatory obligations.
- Consent (Art. 6(1)(a)) — for specific optional activities such as marketing communications, where you have opted in. Consent can be withdrawn at any time.
What SchneeAI processes
- Account information — email, tenant membership, role assignments, and authentication identifiers needed to operate your account.
- Usage metadata — structured records of AI interactions (service, tenant, user, model, latency, cost) used for observability, audit, and billing.
- Prompt and output content — stored separately in the Vault, with its own retention and access controls.
- Billing information — email and payment instrument references (card details are handled by our payment processor under PCI-DSS; we do not store full card numbers).
- Operational logs — technical logs (timestamps, request identifiers, error codes) used for reliability and debugging.
Purposes
We process the above to:
- Operate the platform — route requests, enforce policies, record audit events.
- Bill for usage — track consumption against credits, budgets, and subscriptions.
- Improve reliability — detect incidents, monitor performance, debug issues.
- Meet legal obligations — respond to valid legal requests, prevent abuse, maintain required records.
We do not use customer prompt or output content to train SchneeAI’s own models. Customers may independently use the Dataset Builder to compile training datasets from their own Vault data; that flow requires consent, redaction, and review, and is governed by the customer’s own purposes and applicable law.
Configurable data controls
- Retention windows — administrators can configure how long usage metadata and raw content are kept.
- Access control — roles determine who can view prompts, logs, and policies.
- Tenant isolation — data is separated by tenant and service. Cross-tenant access is refused by default.
- Vault — raw prompt and output content is stored separately from operational metadata, with its own retention and access controls.
- PII handling — configurable policies for detecting and masking sensitive content in prompts and outputs.
Sub-processors and third parties
We rely on the following categories of third parties to operate the platform. A complete list with legal entities and processing locations will be published before general availability.
- AI model providers — requests are routed to upstream providers (such as OpenAI, Anthropic, Google, and Groq) based on the model you select. These providers process prompt and output content under their applicable API terms, which generally restrict training on customer content submitted via API and designate them as processors for that content. They may act as independent controllers for their own operations (such as service safety and abuse monitoring) to the extent permitted by their terms.
- Cloud infrastructure — hosting, object storage, and database providers.
- Payment processing — our payment processor handles card data under PCI-DSS.
- Transactional email — for operational notifications.
International data transfers
SchneeAI and its providers may process data in regions different from where it was collected. Where this involves a transfer of personal data out of the European Economic Area, the United Kingdom, or other regulated regions, we rely on appropriate safeguards such as Standard Contractual Clauses, or another lawful transfer mechanism. A list of transfer destinations and the safeguard relied upon for each will be published before general availability.
Data retention
This policy covers two contexts that are retained separately.
Marketing site (schneeai.com)
- Contact form submissions — retained for up to 12 months after the last relevant communication, then deleted.
- Server logs — retained for 30 days for security and reliability debugging.
- Analytics data — none collected today. If analytics are introduced, a cookie policy will describe retention.
- Email subscriptions — retained until you unsubscribe or request deletion.
Platform (when you register an account)
Platform retention is configurable per data class by tenant administrators. In the absence of explicit configuration, the platform applies class-level defaults aligned to the purposes described in this policy. Indicative ranges by data class:
| Data class | Indicative retention | Use |
|---|---|---|
| Usage Ledger | 3–7 years | Aggregated analytics and billing reconciliation |
| Vault (raw prompt/output) | 2–3 years | Investigated via Dataset Builder only; direct access refused by default |
| Redacted Analysis Dataset | 3–5 years | Analytics and evaluation |
| Training Eligible Dataset | 3–5 years | Only after consent, redaction, and review |
| Model Lineage | 5+ years | Audit purposes |
Operational audit logs are retained on a rolling operational window; the specific retention for audit events tied to governance actions will be confirmed with counsel before general availability.
Tenants may configure shorter or longer retention within the limits permitted by their plan and applicable law. When a tenant configures a shorter retention period, the platform deletes the affected data via the retention worker within the configured window.
When you request earlier deletion of personal data, we will action the request within one month, subject to legal retention obligations (such as billing and tax records we are required to keep).
Your rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data, subject to legal retention obligations.
- Restriction — request that we limit processing pending review of another request.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests or for direct marketing.
- Withdrawal of consent — where processing relies on consent.
- Right to lodge a complaint — with your local data protection authority. We encourage you to contact us first, but you may complain to a supervisory authority in your jurisdiction without doing so.
To exercise these rights, contact hello@schneeai.com from the email associated with your account. We respond without undue delay and in any event within one month of receipt. Where a request is complex or numerous, we may extend this period by up to two further months and will inform you of the extension.
California residents (CCPA)
If you are a California resident, the California Consumer Privacy Act provides additional rights:
- Right to know — the categories and specific pieces of personal information we collect and how we use them.
- Right to delete — request deletion of your personal information.
- Right to opt-out of sale or share — SchneeAI does not sell personal information. If this changes, we will provide a clear “Do Not Sell or Share My Personal Information” link and update this policy.
- Right to non-discrimination — we will not discriminate against you for exercising your rights.
To exercise California privacy rights, contact hello@schneeai.com.
Children
SchneeAI is not directed to children. We do not knowingly process personal data of:
- Children under 16 in the European Economic Area, the United Kingdom, or other jurisdictions applying the GDPR default, or
- Children under 13 in the United States under COPPA, or
- Children under the age required by any other applicable jurisdiction.
If you believe we have collected personal data from a child in violation of these standards, contact hello@schneeai.com and we will delete it.
Cookies and analytics
The marketing site (schneeai.com) uses essential cookies required to operate the site. A detailed cookie policy and consent banner will be published before general availability if any non-essential cookies or analytics tools are introduced. The platform itself does not rely on advertising cookies.
Security
See the Security page for the controls we ship today. Sensitive artifacts such as raw prompts and outputs receive application-layer controls on top of underlying storage encryption. We use TLS for data in transit and rely on provider-managed encryption at rest supplemented by application-layer controls.
Changes to this policy
We will notify customers of material changes by email at least 30 days before the changes take effect, and update the effective date below. Continued use after changes take effect constitutes acceptance. We will keep prior versions available on request.
Contact
For privacy questions or to exercise your rights, email hello@schneeai.com.
Effective date: to be set before general availability.