Legal

Privacy policy

Effective date: April 1, 2026

Plain-language summary — read this first

What matters most about how we handle your data

→We collect only what we need to provide our services. Nothing more. Section 2
→We do not sell your data. To anyone. Ever. Section 6
→We do not use your product data, codebase, or design files to train AI models. Section 5
→Your data stays yours. We process it on your behalf, not for our benefit. Section 5
→You can request access to, correction of, or deletion of your data at any time. Section 11
→We store data primarily in the US with vetted subprocessors who are contractually bound to protect it. Section 6
→If we discover a breach affecting you, we notify you and the relevant supervisory authority within 72 hours. Section 8
→We use a cookie consent banner for non-essential cookies. You can manage or withdraw consent at any time. Section 9

Contents

01 —Who we are and how to contact us
02 —What data we collect and why
03 —How we collect data
04 —How we use your data
05 —AI and your data — the full picture
06 —Who we share data with
07 —How long we keep your data
08 —How we protect your data and breach notification
09 —Cookies and consent
10 —International data transfers
11 —Your rights
12 —California residents (CCPA/CPRA)
13 —Children's privacy (COPPA and GDPR)
14 —Changes to this policy

Who we are and how to contact us

Enspirit Technology Services ("Enspirit," "we," "us," or "our") is an AI-native product design and engineering studio incorporated in Texas, USA, with offices in Austin, TX and Hyderabad, India.

We operate enspirit.co and three software products: AURA (release confidence), Tenet (design governance), and Rekindle (codebase modernization).

For the purposes of data protection law, Enspirit is the data controller for personal data collected through our website and products. Where we process personal data on behalf of clients as part of a services engagement, we act as a data processor and are bound by the terms of the relevant data processing agreement.

Data Protection Officer (DPO)

Enspirit has not appointed a formal Data Protection Officer at this time. Under the General Data Protection Regulation (GDPR), a DPO is required only where an organisation carries out large-scale systematic monitoring of individuals or large-scale processing of special category data. Enspirit does not currently meet those thresholds.

As our EU and UK client base grows, we will review this position and appoint a DPO when required. In the meantime, all privacy and data protection matters are handled directly by Enspirit leadership and should be directed to:

Privacy contact
Enspirit Technology Services, Austin, TX, USA
Email: contact@enspirit.co
Subject line: Privacy enquiry

What data we collect and why

We collect only the data needed to provide our services. The tables below describe what we collect for each context and why.

Website visitors

Data type	Why we collect it
Name and email	Contact form submissions and conversation requests
IP address, browser, device type	Security, fraud prevention, and aggregate analytics
Pages visited, time on site	Understanding how visitors use the site so we can improve it
Geographic region	Aggregated analytics only — not used for individual profiling

AURA users Product

Data type	Why we collect it
Account name and email	Account creation and communication
API schemas, endpoint structure	Running validation checks to produce the Release Confidence Score
UI state and interaction data from your software	Full-stack validation across your release layers
Backend state and data integrity samples	Validating correctness of backend behavior across releases
Test run logs and scores	Storing your Release Confidence Score history and audit trail
Usage and session data	Product improvement and support (anonymized where possible)

Tenet users Product · Early access

Data type	Why we collect it
Account name and email	Account creation and communication
Figma file metadata and design tokens	Scanning for design system violations and drift
Design decision records and rationale	Building your institutional design memory
Component and token history	Enabling Tenet to surface context when new decisions are made
Usage and session data	Product improvement and support (anonymized where possible)

Rekindle engagements Service

Data type	Why we collect it
Contact and engagement data	Engagement setup and communication
Codebase and dependency data	Analyzing the codebase and scoping the modernization work
Test coverage and CI/CD configuration	Establishing baseline and measuring improvement over the engagement

Rekindle codebase data is processed under the specific data processing terms in your engagement agreement, which takes precedence over this general privacy policy for that data.

How we collect data

Directly from you: When you contact us, create an account, connect your software environment to AURA, connect Figma to Tenet, or begin a Rekindle engagement.
Automatically: Through cookies, logs, and usage tracking when you visit our website or use our products. See Section 9 for full cookie and consent details.
From your systems: AURA and Tenet pull data from software environments and Figma respectively, as configured by you or your team. You control what is connected.
From third parties: We may receive basic contact information from CRM tools, referral partners, or event organizers if you engage with us at conferences or through partner introductions.

How we use your data

We use the data we collect to:

Provide and operate our products and services.
Set up and manage your account.
Communicate with you about your account, services, and relevant updates.
Respond to support requests and resolve issues.
Detect and prevent fraud, abuse, or security threats.
Improve the performance and reliability of our products using anonymized and aggregated usage data.
Comply with legal obligations.

We do not use your data for advertising, behavioral targeting, or sale to third parties. We do not create individual profiles of your users or employees beyond what is needed to provide our services to you.

AI and your data — the full picture

Our firm commitment on AI and data:

We do not use your data — your codebase, your release data, your Figma files, your design decisions, or any other content you provide — to train, fine-tune, or improve any AI model. Not ours. Not anyone else's. This is a firm policy, not a default that changes based on your subscription tier.

How AI processes your data

Our products use AI to analyze your data and produce outputs. Specifically:

AURA's AI orchestration layer analyzes your release data to identify patterns, anomalies, and risk signals in order to produce the Release Confidence Score.
Tenet's AI layer scans your design files and surfaces context from past decisions in order to identify drift and recall intent.
Rekindle uses AI tooling to analyze your codebase, generate test coverage, and accelerate the modernization work.

In all cases, AI processes your data to deliver a service to you. It does not retain, learn from, or use your data for any purpose beyond that delivery.

Third-party AI providers

Our products may use AI infrastructure from third-party providers. Where this is the case, we ensure those providers are contractually bound not to use your data for model training. We will disclose which AI infrastructure providers we use in the relevant product documentation and data processing agreements.

AI output accuracy

AI systems can produce incorrect or incomplete results. You are responsible for reviewing and validating any AI-generated output before using it to make decisions. Enspirit does not guarantee the accuracy of AI outputs.

Who we share data with

We do not sell your data. We share data only in the following circumstances:

Subprocessors

We use a limited number of third-party service providers ("subprocessors") to operate our business, including cloud hosting, analytics, payment processing, and communication tools. All subprocessors are contractually bound to protect your data, subject to appropriate data processing agreements, and selected for their data protection standards.

Our current subprocessors are listed below. We update this list when we add or change providers.

Subprocessor	Purpose	Data location
Amazon Web Services (AWS)	Cloud infrastructure and data storage	USA
Vercel	Website hosting and deployment	USA
Stripe	Payment processing	USA
PostHog	Product analytics (anonymized)	USA / EU
Resend	Transactional email	USA

Enterprise clients may request a full data processing agreement with a complete subprocessor schedule. Email contact@enspirit.co with the subject line "DPA request."

Legal requirements

We may disclose data if required to do so by law, court order, or regulatory authority. Where possible, we will notify you before disclosing, unless we are legally prohibited from doing so.

Business transfers

If Enspirit is acquired, merges with another company, or transfers substantially all of its assets, your data may be transferred as part of that transaction. We will notify you and ensure the recipient is bound by privacy obligations at least as protective as this policy.

With your consent

We may share your data in other circumstances if you have given explicit consent.

How long we keep your data

Data type	Retention period
Contact and inquiry data	3 years after last contact, or until you request deletion
Account data (active users)	Duration of the account, plus 90 days after closure for data export
AURA release data and scores	Duration of the subscription, plus 90 days after termination
Tenet design decisions and records	Duration of the subscription, plus 90 days after termination
Rekindle codebase data	Duration of the engagement, plus 30 days after completion (see note)
Usage and analytics data (anonymized)	Up to 24 months in anonymized form
Financial and billing records	7 years, as required by US tax law
Security and audit logs	12 months

Note on Rekindle codebase data: The standard 30-day post-engagement window covers routine deletion. If there is an active legal dispute, a warranty claim, or a contractual obligation requiring retention beyond that window, we will retain only the data necessary to resolve the matter and delete it as soon as that purpose is fulfilled. Your engagement agreement will specify any extended retention terms applicable to your project.

After the relevant retention period, we delete or irreversibly anonymize data. You can request earlier deletion at any time — see Section 11.

How we protect your data and breach notification

Security measures we have in place include:

Encryption of data in transit (TLS) and at rest.
Role-based access controls limiting who within Enspirit can access client data.
Regular security reviews of our infrastructure and subprocessors.
Secure development practices across our engineering team.
Documented incident response procedures with defined notification timelines.

Breach notification

No system is completely secure. If we discover a personal data breach that is likely to affect your rights or freedoms, we will:

Notify you within 72 hours of becoming aware of the breach, where feasible.
Notify the relevant supervisory authority — for example, the applicable EU data protection authority under the GDPR, or the California Attorney General where required under US state law — within 72 hours.
Provide a description of the nature of the breach, categories of data affected, likely consequences, and measures taken or planned to address it.

To report a suspected security vulnerability, email contact@enspirit.co with the subject line "Security vulnerability." We will investigate promptly.

Cookies and consent

Our website uses cookies and similar tracking technologies. We use a cookie consent banner to obtain your consent for non-essential cookies before placing them. Strictly necessary cookies are set automatically as they are required for the site to function.

Cookie type	Purpose	Consent required?
Strictly necessary	Core site functionality and security. The site cannot function without these.	No — set automatically
Analytics	Understanding how visitors use the site in aggregate. We use privacy-respecting analytics that do not build individual profiles.	Yes — opt-in via banner
Preference	Remembering settings or choices you have made on the site.	Yes — opt-in via banner

Managing your preferences

When you first visit enspirit.co, our cookie consent banner will ask for your consent to non-essential cookies. You can accept all, accept only necessary, or choose by category. You can change or withdraw your consent at any time by clicking the cookie settings link in the site footer.

We do not use advertising cookies or third-party tracking for behavioral targeting. We do not share analytics data with advertising networks.

We honor Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we treat it as a request to opt out of analytics cookies.

EU and UK users GDPR · ePrivacy

Our cookie consent mechanism is designed to comply with the EU ePrivacy Directive and GDPR. Consent is collected before non-essential cookies are placed. Consent records are stored and can be audited. If you are an EU or UK user and believe our cookie practice is not compliant, please contact us so we can investigate and correct it.

International data transfers

Enspirit operates from the United States (Austin, TX) and India (Hyderabad). Data may be accessed and processed in both locations. Our team in India operates under the same data protection standards and confidentiality obligations as our US team.

Transfers for EEA and UK users GDPR

If you are located in the European Economic Area (EEA) or United Kingdom, your data may be transferred to countries outside the EEA/UK. When this happens, we ensure appropriate safeguards under the GDPR and UK GDPR, including:

Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to the US and India.
UK International Data Transfer Agreements (IDTAs) for UK-origin transfers where applicable.
Data processing agreements with all subprocessors that carry equivalent protections.

You can request a copy of the relevant safeguards at contact@enspirit.co.

Your rights

We honor the following rights regardless of your jurisdiction:

Access

You can request a copy of the personal data we hold about you.

Correction

You can ask us to correct inaccurate or incomplete data.

Deletion

You can ask us to delete your personal data. We will do so unless we have a legal obligation to keep it.

Portability

You can request your data in a structured, machine-readable format.

Objection

You can object to processing. We will stop unless we have compelling legitimate grounds to continue.

Restriction

You can ask us to limit how we use your data in certain circumstances.

Withdraw consent

Where processing is based on consent, you can withdraw it at any time without affecting past processing.

Automated decisions

You can request human review of any significant automated decision that affects you.

To exercise any of these rights, email contact@enspirit.co with the subject line "Privacy rights request." We will respond within 30 days, or up to 60 days for complex requests — we will let you know if that applies.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority. For EU residents, this is the supervisory authority in your country of residence. For UK residents, this is the Information Commissioner's Office (ICO). We would welcome the opportunity to address concerns directly before any escalation.

California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you additional rights:

Right to know: You can request details about the personal information we collect, use, disclose, and sell (we do not sell).
Right to delete: You can request deletion of personal information we hold about you.
Right to correct: You can request correction of inaccurate personal information.
Right to opt out of sale or sharing: We do not sell or share personal information for cross-contextual advertising. No opt-out action is required.
Right to limit use of sensitive personal information: We do not use sensitive personal information beyond what is necessary to provide our services.
Non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise California rights: email contact@enspirit.co with "California Privacy Request" in the subject line. We will verify your identity and respond within 45 days.

Annual disclosure: Enspirit does not sell personal information and does not disclose personal information for cross-contextual advertising. This disclosure is reviewed and reconfirmed annually. Last confirmed: April 2026.

Children's privacy (COPPA and GDPR)

Our products and website are designed for professional and enterprise use only. They are not directed at children. We apply the following age thresholds in accordance with applicable law:

United States (COPPA): We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently done so, we will delete it promptly.
European Economic Area and United Kingdom (GDPR / UK GDPR): We do not knowingly collect personal data from children under 16. In EEA member states where the applicable age of digital consent is lower (minimum 13 under GDPR), we apply the local threshold where known.

If you believe we have inadvertently collected data from a child below either threshold, please contact us at contact@enspirit.co and we will investigate and delete it promptly.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and notify active users and customers by email at least 30 days before changes take effect.

Continued use of our services after an updated policy takes effect means you accept the changes. If you do not accept the changes, please stop using our services and contact us to discuss your situation.