Security

AI Governance

Last reviewed: May 2026

TL;DR

User Intuition does not use customer data to train AI models and does not sell customer data. Its AI sub-processors are configured to prevent training on customer content: OpenAI runs with training opt-out enabled, Google Gemini operates on the paid API tier, and the voice provider runs in HIPAA-enabled mode, which retains no recordings or transcripts after a session. User Intuition applies layered prompt-injection defenses, requests participant consent before recording, and extends GDPR and CCPA data-subject rights to AI-derived transcripts, summaries, and reports.

Training on customer data

User Intuition does not use customer data to train AI models. We do not sell customer data. Our AI sub-processors are configured under contracts and technical settings that prevent training on customer content:

  • OpenAI: Training opt-out enabled. OpenAI does not use User Intuition prompts or responses to train models.
  • Google Gemini: Paid Gemini API tier. Per Google's published terms, content from paid services is not used to improve their machine learning products.
  • Voice provider: HIPAA-enabled mode. No information is used for training; no call logs, recordings, or transcripts are retained provider-side after the session.

Model providers

Our AI sub-processors include OpenAI for analysis, Google (Gemini) for report generation, and a voice provider for moderation — all SOC 2 Type 2 certified and US-based. Our voice provider additionally offers a HIPAA Business Associate Agreement. The full sub-processor list, including provider names, is on our sub-processors page.

Prompt-injection defenses

Our AI surfaces apply layered defenses against prompt-injection attacks: system prompts are isolated from user input, untrusted input is sanitized before being incorporated into prompts, and tool execution is gated by explicit allowlists. Outputs that direct the system to take actions outside its scope are not executed automatically.

Recording consent

For voice interviews, our recording consent plan automatically requests consent from participants before recording begins; recording starts only after consent is granted. In addition, customers configure pre-session notices that disclose AI moderation, recording, and intended use of the session content.

Participant PII protection

User Intuition does not intentionally collect personally identifiable information from research participants. Pre-session notices warn participants against sharing PII; if PII is shared incidentally, it is treated with the same retention and deletion controls as transcript content. See data protection for retention details.

Data subject rights for AI-derived data

Data subject rights — including access, deletion, and portability under GDPR and CCPA — extend to AI-derived data such as transcripts, summaries, and generated reports. Requests can be submitted to privacy@userintuition.ai.

Customer-facing AI audit log

Customer-accessible audit logs covering AI processing events are not currently offered. This capability is on our 2026 roadmap for enterprise customers.

← Back to Security & Trust