Last Updated: April 22, 2025
Alephic, LLC is committed to protecting personal data and complying with all applicable privacy laws. This Privacy Policy explains how Alephic, LLC (“we”, “us”, “our”) collects, uses, and discloses personal information in the course of providing AI-first technology solutions for enterprise marketing organizations—including engineering and deploying proprietary AI systems that transform unstructured marketing data into actionable insights and automate complex marketing processes. It also describes the rights individuals have regarding their personal data. This Policy is designed to meet international standards, including the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and other applicable laws. We align our practices with industry frameworks such as SOC 2 to ensure robust privacy and security controls.
B2B Services - No Data Sale or Sharing: Alephic, LLC primarily provides business-to-business services (developing and implementing custom AI solutions for enterprise marketing organizations). We act as a service provider/data processor on behalf of our clients in many cases. We do not sell personal information to third parties, and we do not share personal information for cross-context behavioral advertising purposes as defined under U.S. state privacy laws.
We ensure secure handling of client data throughout every phase of development and deployment.
For information on how we design, test, and deploy AI systems responsibly—including fairness, transparency, and human oversight—please see our Responsible AI Policy.
This Policy applies to personal information we collect from clients, website users, and other individuals with whom we interact in the conduct of our business. It does not cover aggregated or de-identified data, or information related to Alephic employees (which is addressed in separate internal policies). By using our website or services, you acknowledge the practices described in this Privacy Policy.
Sources include: information you give us; corporate clients; automatic collection via cookies or SDKs; limited third-party integrations.
We do not knowingly collect sensitive personal information (“SPI”) as defined by the CPRA, nor data from children under 13. If we ever need to process SPI in the future, we will limit its use to essential service purposes and provide the CPRA “Limit Use of Sensitive Personal Information” mechanism.
We use essential cookies that are necessary for our site to function and security cookies that help detect fraud and abuse. Non-essential (analytics) cookies are set only with your consent via our cookie banner. Details of each cookie type and its typical lifespan are summarized below. We will also publish a standalone Cookie Notice at https://www.alephic.com/cookies once it is available. You can manage cookie preferences at any time in your browser or by using the banner's settings link. We also recognize the Global Privacy Control (GPC) browser signal as a valid request to opt-out of any sale or sharing of personal information as defined by the CPRA.
Purposes (and lawful bases where applicable):
We do not sell or share personal information for advertising. Accordingly, opt-out rights for targeted advertising or profiling under Virginia CDPA, Colorado CPA, Connecticut PA-22-15, and similar laws are satisfied by default. We also do not sell “covered information” as defined by Nevada SB-220.
We engage a limited number of carefully-vetted third-party service providers (“sub-processors”) to help us deliver and secure our services. Each is bound to process personal data only on our instructions and to apply security measures that meet or exceed Alephic's standards.
Categories of service providers we use include:
Roster available on request (under NDA): Existing or prospective clients may obtain our current sub-processor list by emailing privacy@alephic.com and agreeing to an appropriate non-disclosure agreement. We provide at least 30 days' advance notice before authorizing any new sub-processor so that clients may lodge objections under GDPR Art. 28(2) or equivalent rights.
We use EU-approved Standard Contractual Clauses, participate in the EU-U.S. Data Privacy Framework (once certified), and apply equivalent safeguards for transfers from other jurisdictions.
Encryption in transit & at rest • Role-based access control • Continuous monitoring • Incident-response plan • Annual SOC 2 Type II audit • Privacy-by-design reviews.
We keep personal information only as long as necessary for the purposes described above or as required by law, then securely delete or anonymize it. Retention criteria by category:
| Category | Primary Purpose | Typical Retention | Rationale |
|---|---|---|---|
| Identifiers & Contact Info | Client relationship management, support | Up to 3 years after last interaction or project end | Maintain contracts & audit trail |
| Professional / Employment Info | Same as above | Up to 3 years | Same |
| Online Activity Data | Security & analytics | 12-24 months | Pattern detection & service optimization |
| Communication Records | Support history, dispute resolution | ≤ 5 years | Legal defense & service QA |
| Client-Provided Data | Service delivery on client's behalf | Duration of contract + 60 days (unless otherwise agreed) | Return or delete per DPA |
Longer retention may apply where law requires (e.g. tax, accounting) or for legal claims. If deletion is not immediately feasible (e.g. in backups) data is isolated until purge.
Submit requests:
We verify identity, respond within legally mandated timeframes, and offer an appeal process where applicable. Exercising any privacy right will not result in discriminatory treatment, pricing, or service quality.
Our services are not directed to children under 13, and we do not knowingly collect their data. Parents may contact us for deletion of any inadvertent collections.
Material changes will be announced on our site and, where required, we will seek consent. “Last Updated” date appears below.
We prefer to resolve concerns directly; EU/UK residents may also lodge complaints with their supervisory authority. Our lead EU supervisory authority is the Irish Data Protection Commission (www.dataprotection.ie).