Question 1

Is User Intuition SOC 2 certified?

Accepted Answer

User Intuition is not SOC 2 certified today. SOC 2 certification is on our 2026 roadmap. We comply with GDPR, CCPA, applicable US state privacy laws, and security best practices, and all of our sub-processors maintain SOC 2 Type 2 certification. Our customer authentication provider Clerk and our voice provider both offer HIPAA Business Associate Agreements. Detailed compliance posture, sub-processor list, and security policies are publicly documented at userintuition.ai/security/.

Question 2

Where is User Intuition data stored?

Accepted Answer

User Intuition customer data is stored in the United States, specifically the US-East (Ohio) region. Database content, authentication metadata, and application files are hosted by Supabase and Railway, both running in Ohio. The User Intuition marketing website is hosted by Vercel in the United States. We do not transfer customer data outside the United States. All cloud sub-processors are US-based and SOC 2 Type 2 certified.

Question 3

Does User Intuition train AI on customer data?

Accepted Answer

User Intuition does not use customer data to train AI models. Our AI sub-processors are configured to prevent training on customer content: OpenAI is contractually opted out of training, Google Gemini operates on paid-tier defaults that exclude training, and our voice provider runs in HIPAA-enabled mode which prevents both model training and call retention. We do not sell customer data to any third party.

Question 4

Does User Intuition offer a Business Associate Agreement (BAA) for healthcare use?

Accepted Answer

User Intuition is not yet a HIPAA-certified entity; HIPAA compliance is on our 2026 roadmap. Our customer authentication provider Clerk and our voice provider both offer HIPAA Business Associate Agreements, and the voice integration runs in HIPAA-enabled mode for all User Intuition assistants. For healthcare deployments that require a direct BAA with User Intuition, contact privacy@userintuition.ai to evaluate availability under the relevant deployment scope.

Question 5

How does User Intuition handle a security breach?

Accepted Answer

User Intuition follows a documented incident response plan governed by our Threat and Incident Management Policy. We commit to notifying affected customers within 72 hours of confirmed breach detection, aligned with GDPR Article 33. Suspected security issues can be reported to security@userintuition.ai. Our coordinated vulnerability disclosure timeline is 90 days from confirmed receipt. Vulnerability remediation timelines range from 24 hours for critical findings to 90 days for low-severity issues.

Question 6

How long does User Intuition retain customer data?

Accepted Answer

User Intuition retains customer account data for the duration of the active relationship and deletes it within thirty (30) days of account closure, unless law requires longer retention (for example, litigation hold). Participant transcripts follow the same lifecycle. Our voice provider runs in HIPAA-enabled mode and does not retain recordings after the session. Customers may request deletion at any time by emailing privacy@userintuition.ai.

Security & Trust

Compliance & certifications

Data protection

Application security

Infrastructure

Access control

Incident response

AI governance

Privacy policy

Terms & conditions