Privacy Policy

How E-ARI collects, uses, stores, and protects your data. We believe transparency in data practices is as important as transparency in scoring methodology.

Last updated: April 20, 2026 · Version 1.0

1. Overview

E-ARI (Enterprise AI Readiness Assessment) is a platform operated by E-ARI that enables organizations to assess their preparedness for AI adoption across eight strategic pillars: Strategy & Vision, Data & Infrastructure, Talent & Culture, Governance & Ethics, Technology & Tools, Process & Operations, Customer & Market, and Innovation & Agility. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our platform at e-ari.com and any associated subdomains, APIs, and services.

By accessing or using E-ARI, you agree to the data practices described in this policy. If you are using E-ARI on behalf of an organization, you represent that you have the authority to bind that organization to this policy. We encourage you to read this document carefully and review it periodically, as we may update it from time to time. When we make material changes, we will notify you through the platform or by email before the changes take effect.

Our approach to privacy is guided by the same principles that underpin our assessment methodology: transparency, rigor, and accountability. We do not sell your data. We do not use your assessment responses to train AI models for third parties. And we design our data architecture so that only the minimum information necessary is processed at each stage of the assessment pipeline.

2. Information We Collect

We collect information that you provide directly, information generated through your use of the platform, and technical information collected automatically. Each category serves a distinct purpose in delivering the assessment experience and generating your results.

2.1 Information You Provide

  • Account information: Full name, email address, organization name, job title, industry sector, and password (stored as a bcrypt hash). This information is necessary to create and manage your account and to tailor assessment outputs to your organizational context.
  • Assessment responses: Your answers to the 8-pillar assessment questionnaire, including selected options for each question, free-text elaborations, and any clarifying notes. These responses form the foundation for all scoring, insights, and recommendations generated by the platform.
  • Organization details: Organization size, sector, geographic region, and current AI initiatives. This context enables the Discovery Agent and benchmark comparisons to produce sector-relevant outputs rather than generic advice.
  • Payment information: When you subscribe to the Professional ($99/month) or Enterprise (custom pricing) plan, we collect billing details through our payment processor. E-ARI does not store credit card numbers on our servers; they are handled exclusively by our PCI-compliant payment provider.
  • Communication preferences: Your opt-in choices for product updates, assessment reminders, and marketing communications.

2.2 Information Generated by the Platform

  • Assessment scores: Calculated pillar scores (0-100), overall readiness score, maturity band classifications (Emerging, Developing, Established, Leading), and weighted adjustments generated by the Scoring Agent using deterministic methodology (Scoring v5.3).
  • AI-generated insights: Strategic narratives produced by the Insight Agent, organizational landscape analysis from the Discovery Agent, learning path recommendations from the Literacy Agent, and interactive Q&A responses from the Assistant Agent. These are generated by large language models (LLMs) processing your assessment data.
  • Reports: PDF reports compiled by the Report Agent, including executive summaries, benchmark comparisons, roadmaps, and strategic recommendations.
  • Benchmark data: Sector-specific benchmarks generated from our curated dataset covering eight industry sectors (Financial Services, Healthcare, Manufacturing, Retail, Technology, Government, Energy, Education). Your anonymized scores may contribute to aggregate benchmark statistics.

2.3 Automatically Collected Information

  • Usage data: Pages visited, features used, time spent on assessments, click patterns, and navigation paths. This helps us understand how users interact with the platform and identify areas for improvement.
  • Device and browser information: Browser type and version, operating system, screen resolution, device type, and IP address. This ensures the platform renders correctly and helps detect unauthorized access.
  • Performance metrics: Agent pipeline execution times, API response latencies, and error rates. These operational metrics help us maintain platform reliability and performance.

3. How We Use Your Information

We use the information we collect for the following purposes, each of which is necessary to deliver the E-ARI service or required by law:

  • Delivering assessments: Processing your questionnaire responses through the 6-agent pipeline (Scoring, Insight, Discovery, Report, Literacy, Assistant) to generate pillar scores, strategic narratives, benchmark comparisons, roadmaps, and PDF reports.
  • Account management: Creating and maintaining your account, authenticating your identity, managing subscriptions (Starter, Professional, Enterprise tiers), and processing payments.
  • Personalization: Tailoring assessment questions, insights, benchmarks, and recommendations to your sector, organization size, and maturity level. Without this contextual information, agents would produce generic outputs that do not reflect your organization's actual readiness landscape.
  • Platform improvement: Analyzing usage patterns to improve question design, scoring methodology, agent accuracy, user interface, and overall platform performance. We use aggregated and anonymized data for these purposes whenever possible.
  • Communication: Sending assessment results, account notifications, security alerts, and (with your consent) product updates and marketing communications. You can manage your communication preferences at any time from your account settings.
  • Security and fraud prevention: Detecting unauthorized access, preventing abuse, and protecting the integrity of assessment results and scoring methodology.
  • Legal compliance: Fulfilling legal obligations, responding to lawful requests from public authorities, and enforcing our terms of service.

4. AI Processing & LLM Usage

E-ARI uses large language models (LLMs) to power four of its six AI agents: the Insight Agent, the Discovery Agent, the Literacy Agent, and the Assistant Agent. This section explains how your data interacts with these models and the safeguards we have implemented.

4.1 What Is Sent to LLMs

When your assessment is processed, the following data is included in prompts sent to our LLM provider: your pillar scores, per-question answer details (selected options and any free-text responses), your organization's sector and size, and the assessment context. This information is necessary for the agents to produce contextually relevant, organization-specific analysis rather than generic outputs. Without per-question detail, agents would have no basis for differentiated insights.

4.2 LLM Provider and Data Handling

We use OpenAI as our LLM provider. Under our agreement with OpenAI, data sent through the API is not used to train or improve their models. Prompts and completions are retained by OpenAI for a maximum of 30 days for abuse monitoring purposes, after which they are permanently deleted. We do not use OpenAI consumer-facing products (such as ChatGPT) for processing your assessment data; all processing occurs through the enterprise API.

4.3 What Is NOT Sent to LLMs

The Scoring Agent and Report Agent operate deterministically and do not send data to LLMs. The Scoring Agent calculates pillar scores using a fixed, auditable methodology (Methodology v5.3) with no AI involvement. The Report Agent compiles pre-generated content into PDF format without LLM processing. Additionally, we never send your email address, password, payment information, or personally identifiable contact details to LLM providers as part of assessment processing.

4.4 AI-Generated Content Labeling

All content generated by LLM-powered agents is clearly labeled as AI-generated within the platform. This includes insight narratives, discovery analysis, literacy recommendations, and assistant responses. We believe in transparency: you should always know whether a piece of content was calculated by deterministic methodology or generated by an AI model. Scores are never altered by AI; LLM-generated content is supplementary narrative that helps interpret the scores.

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information or assessment data to third parties. We share information only in the following specific circumstances:

  • LLM providers: As described in Section 4, assessment responses and context are sent to OpenAI for agent processing. This data is subject to OpenAI's enterprise API data policies and is not used for model training.
  • Payment processors: Billing information is processed by our PCI-compliant payment provider. We do not store full credit card numbers on our infrastructure.
  • Infrastructure providers: We use cloud hosting providers for application hosting, database storage, and file storage. These providers are contractually obligated to process data only as instructed by E-ARI and maintain appropriate security certifications (SOC 2, ISO 27001).
  • Enterprise customers: If your organization has an Enterprise agreement, designated administrators within your organization may access aggregate assessment data and usage analytics for users within that organization. Individual assessment responses are not shared with organization administrators unless you explicitly opt in.
  • Legal requirements: We may disclose information when required by law, regulation, legal process, or governmental request. We will notify you of such disclosure unless we are legally prohibited from doing so.
  • Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and update this policy before any such transfer occurs.

6. Data Storage & Security

We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction. Our security practices are designed to meet enterprise and government-grade requirements.

6.1 Encryption

All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256 encryption. Database backups are encrypted and stored in geographically separate locations. Encryption keys are managed through a dedicated key management service with regular rotation schedules.

6.2 Access Controls

Access to production systems and databases is restricted to authorized personnel on a least-privilege basis. All access is logged and audited. Engineers cannot view individual assessment responses without explicit authorization and a documented business need. We use multi-factor authentication for all administrative access.

6.3 Infrastructure Security

Our infrastructure is hosted on cloud providers that maintain SOC 2 Type II and ISO 27001 certifications. We perform regular vulnerability assessments, penetration testing, and security audits. Our application undergoes code review and security scanning as part of the development pipeline.

6.4 Incident Response

We maintain an incident response plan and will notify affected users within 72 hours of discovering a data breach that poses a risk to their rights and freedoms, in accordance with applicable data protection laws. Notifications will include the nature of the breach, the data affected, and the steps we are taking to remediate it.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide you services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

  • Account data: Retained for the duration of your account. Upon account deletion, personal information is removed within 30 days, except where retention is required by law.
  • Assessment responses and results: Retained for the duration of your account plus 90 days, allowing you to access historical assessments and trend analysis. After this period, assessment data is permanently deleted.
  • AI-generated content: Retained alongside the associated assessment for the same period. When an assessment is deleted, all associated AI-generated insights, reports, and narratives are also deleted.
  • Usage and analytics data: Anonymized and aggregated within 90 days of collection. Raw usage logs are deleted after 180 days.
  • Payment records: Retained for 7 years as required by financial regulations and tax compliance obligations.
  • LLM prompts and completions: Not stored by E-ARI beyond the duration of the API request. OpenAI retains API data for up to 30 days for abuse monitoring, after which it is permanently deleted from their systems.

8. Your Rights & Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: You can request a copy of the personal information we hold about you, including your assessment responses, scores, and AI-generated content. You can access most of this information directly from your account dashboard.
  • Rectification: You can update your account information at any time. If you believe assessment results contain errors due to inaccurate input data, you can retake the assessment with corrected responses.
  • Erasure: You can request deletion of your account and all associated data. Upon confirmation, we will delete your personal information within 30 days, except where retention is required by law (such as financial records).
  • Portability: You can export your assessment results, scores, and reports in machine-readable formats (JSON, PDF) from your account dashboard.
  • Objection: You can object to the processing of your data for direct marketing purposes by updating your communication preferences. For other processing activities, you may object on grounds relating to your particular situation.
  • Restriction: You can request that we restrict the processing of your data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests.
  • Automated decision-making: E-ARI's scoring methodology is deterministic and auditable, not automated decision-making in the legal sense. AI-generated insights are supplementary narratives and do not make decisions about you. You have the right to be informed about the logic involved in scoring and insight generation.

To exercise any of these rights, contact us at privacy@e-ari.com. We will respond to your request within 30 days. If we are unable to comply with your request, we will explain why.

9. Cookies & Tracking

E-ARI uses cookies and similar tracking technologies for the following purposes:

  • Essential cookies: Required for authentication, session management, and security (e.g., CSRF protection). These cannot be disabled without breaking core platform functionality.
  • Functional cookies: Store your preferences such as theme settings, language, and assessment progress. These enhance your experience but are not strictly necessary.
  • Analytics cookies: Help us understand how users interact with the platform, including page views, feature usage, and error rates. We use anonymized data and do not track individual users across sessions for advertising purposes.

We do not use advertising cookies or sell data to advertising networks. You can manage your cookie preferences through the cookie banner displayed on your first visit or through your browser settings. Disabling certain cookies may affect the functionality of the platform.

10. Children's Privacy

E-ARI is a professional platform designed for organizations assessing their AI readiness. Our services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@e-ari.com.

11. International Data Transfers

E-ARI operates globally and your data may be transferred to and processed in countries other than your country of residence. We ensure that all international transfers are protected by appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms. When data is transferred to our LLM provider (OpenAI), appropriate safeguards are in place as described in our Data Processing Agreement.

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we comply with the General Data Protection Regulation (GDPR) and applicable local data protection laws. Our legal basis for processing includes: performance of the contract (delivering assessment services), legitimate interests (platform improvement and security), consent (marketing communications), and legal obligations (financial record retention).

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting a prominent notice on the platform, sending an email to the address associated with your account, or both. The updated policy will be effective as of the "Last updated" date shown at the top of this page.

We encourage you to review this policy periodically. Your continued use of E-ARI after any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you may close your account by contacting us at privacy@e-ari.com.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using any of the following methods:

  • Email: privacy@e-ari.com
  • Data Protection Officer: dpo@e-ari.com
  • Mailing address: E-ARI, Attn: Privacy Team

For EU/EEA residents: If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority. We are committed to resolving any concerns you may have and encourage you to contact us before filing a formal complaint.
