AI Governance

Last reviewed: April 2026

Training on customer data

User Intuition does not use customer data to train AI models. We do not sell customer data. Our AI sub-processors are configured under contracts and technical settings that prevent training on customer content:

  • OpenAI: Training opt-out enabled. OpenAI does not use User Intuition prompts or responses to train models.
  • Google Gemini: Paid Gemini API tier. Per Google's published terms, content from paid services is not used to improve their machine learning products.
  • Voice provider: HIPAA-enabled mode. No information is used for training; no call logs, recordings, or transcripts are retained provider-side after the session.

Model providers

Our AI sub-processors include OpenAI for analysis, Google (Gemini) for report generation, and a voice provider for moderation — all SOC 2 Type 2 certified and US-based. Our voice provider additionally offers a HIPAA Business Associate Agreement. The full sub-processor list, including provider names, is on our sub-processors page.

Prompt-injection defenses

Our AI surfaces apply layered defenses against prompt-injection attacks: system prompts are isolated from user input, untrusted input is sanitized before being incorporated into prompts, and tool execution is gated by explicit allowlists. Outputs that direct the system to take actions outside its scope are not executed automatically.

Recording consent

For voice interviews, our recording consent plan automatically requests consent from participants before recording begins; recording starts only after consent is granted. In addition, customers configure pre-session notices that disclose AI moderation, recording, and intended use of the session content.

Participant PII protection

User Intuition does not intentionally collect personally identifiable information from research participants. Pre-session notices warn participants against sharing PII; if PII is shared incidentally, it is treated with the same retention and deletion controls as transcript content. See data protection for retention details.

Data subject rights for AI-derived data

Data subject rights — including access, deletion, and portability under GDPR and CCPA — extend to AI-derived data such as transcripts, summaries, and generated reports. Requests can be submitted to privacy@userintuition.ai.

Customer-facing AI audit log

Customer-accessible audit logs covering AI processing events are not currently offered. This capability is on our 2026 roadmap for enterprise customers.
