Privacy Policy

CTRL MODE, Inc.(“Company,” “we,” “us,” or “our”) operates CTRL MODE, an AI-powered strategic decision-support tool. This Privacy Policy explains what data we collect, how we use it, and your rights in connection with that data.

For GDPR purposes, CTRL MODE, Inc. is the data controller. Questions or requests may be directed to our Data Protection contact: dpo@boardos.ai.

We collect the following categories of data:

2a. Account data

• Email address (required for account creation)
• Name (optional, for personalization)
• Billing information (processed by our payment provider; we do not store card numbers)
• Account settings and preferences

2b. Usage data

• Decision inputs you submit to the wizard
• AI-generated outputs returned to you
• Post-session survey responses (optional)
• Feature usage patterns (e.g., which board roles you engage with)
• Session timestamps and token-usage counts (for billing and service improvement)

2c. Technical data

• IP address
• Browser type and version
• Operating system
• Referring URLs
• Crash and error logs

2d. Communications

• Emails and support messages you send us
• Waitlist sign-up submissions

Sensitive inputs: Decision inputs may inadvertently contain sensitive business information, trade secrets, or personal data about third parties. We strongly advise against submitting information you are legally or contractually obligated to keep confidential, or any special-category personal data (health, racial origin, religion, etc.) about yourself or others.

We use your data solely for the following purposes (“purpose limitation”):

We do not use your decision inputs to train public AI models or share them with third-party model providers for training purposes. Inputs may be transmitted to our LLM inference provider(s) solely to generate your output, under data-processing agreements that prohibit training use.

We do not sell your personal data. We share data only with:

• LLM inference providers — to generate AI board feedback. Data is transmitted under data-processing agreements restricting training use.
• Payment processor — for billing. We use a PCI-DSS-compliant third party and do not store full payment card data ourselves.
• Analytics and error monitoring — third-party tools used under data-processing agreements, with data minimization applied.
• Legal and regulatory disclosure — when required by law, court order, or to protect the safety of users or the public.
• Business transfers — in connection with a merger, acquisition, or sale of company assets, subject to standard confidentiality protections.

We require all sub-processors to maintain data security standards at least equivalent to ours.

We retain your data only as long as necessary for the purposes set out in this Policy:

• Account data: Retained while your account is active. Deleted within 30 days of account deletion request, unless legal retention is required.
• Decision inputs and outputs: Retained for up to 12 months to enable session history and outcome tracking. You can delete individual sessions at any time from your account settings.
• Aggregated analytics: Retained indefinitely (no personal identifiers).
• Billing records: Retained for 7 years as required by applicable tax and accounting law.

We apply appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Access controls limited to personnel who require access for their role
• Regular security review of third-party dependencies
• Incident response procedures with breach notification within 72 hours to supervisory authorities (GDPR) and users where required by law

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@boardos.ai.

We use strictly necessary cookies to operate the Service (e.g., session tokens). We may also use analytics cookies to understand aggregate usage patterns.

We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may impair Service functionality.

Depending on your location, you may have the following rights:

For users in the EU / EEA / UK (GDPR / UK GDPR)

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion of your personal data (“right to be forgotten”).
• Restriction: Request that we limit processing of your data.
• Portability: Receive your data in a structured, machine-readable format.
• Object: Object to processing based on legitimate interests or direct marketing.
• Withdraw consent: Where processing is consent-based, withdraw at any time without affecting prior processing.
• Lodge a complaint: With your local supervisory authority (e.g., ICO in the UK, your national DPA in the EU).

For California residents (CCPA / CPRA)

• Know: The categories and specific pieces of personal information we collect, use, disclose, or sell.
• Delete: Request deletion of personal information we have collected (subject to legal exceptions).
• Opt-out of sale: We do not sell personal information. This right is preserved regardless.
• Correct: Request correction of inaccurate personal information.
• Non-discrimination: We will not discriminate against you for exercising CCPA rights.

To exercise any of these rights, submit a request to privacy@boardos.ai. We will respond within 30 days (or within the statutory period required by applicable law). We may need to verify your identity before fulfilling the request.

CTRL MODE, Inc. is based in the United States. If you access the Service from the EU, EEA, or UK, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and appropriate transfer mechanisms to ensure adequate protection.

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.

In accordance with the EU AI Act and applicable AI transparency regulations, we disclose:

• Automated decision-making: CTRL MODE generates informational feedback only. No automated decision-making or profiling with legal or similarly significant effects on you is performed by the Service.
• Human oversight: All consequential decisions remain yours. We do not implement AI-driven decisions on your behalf.
• Data sources: The underlying LLMs are trained by third-party model providers on data that may include publicly available text. We do not control the LLM training process and do not use your inputs for model training.
• High-risk use: CTRL MODEis not intended for, and should not be used in, “high-risk” AI system contexts as defined by applicable regulation (e.g., critical infrastructure, medical device decisions, employment automation).

We may update this Privacy Policy from time to time. For material changes, we will provide at least 14 days' notice via email or in-app notification before they take effect, and update the effective date above.

For privacy-related questions, data subject requests, or to reach our Data Protection contact:

CTRL MODE, Inc.
Privacy inquiries: privacy@boardos.ai
Data Protection contact: dpo@boardos.ai