Security & privacy

Your competitive strategy stays in your account. Full stop.

You're sharing your ICP, your positioning, your competitor analysis, and your go-to-market strategy with ameena.ai. We understand why that requires more than a generic privacy policy — so here's exactly how we protect it.

01. Your strategy data never trains AI models

Everything you share — your ICP, competitive positioning, messaging, campaign data — is used only to generate your responses. It is never used to train, fine-tune, or improve any AI model. Not ours. Not Anthropic's. Not anyone's.

02. Your data is isolated from every other account

There is no shared data layer between organisations. Your company context, conversations, and outputs are isolated at the database level and are only readable by users within your organisation.

03. Encrypted in transit and at rest

All data is encrypted in transit and at rest. API keys stored via BYOK are encrypted before being written to the database — the encryption key is never stored alongside the key it protects.

Questions we get asked

The questions your IT and legal team will ask.

Answered directly, without the marketing language.

Could our competitive strategy end up in a competitor's AI output?

No. Your data is organisation-isolated at the database level. There is no mechanism by which one organisation's inputs can surface in another's outputs — and your data is never used to train any model that other organisations use.

Does ameena.ai use our data to improve its own product?

We use anonymised, aggregated usage metrics (which features are used, how often) to improve the platform. We do not use your company context, conversation content, or strategic outputs for any product improvement purpose.

What do I give our IT or legal team to get this approved?

This page is the starting point. We can also provide a completed security questionnaire on request — email ameena.arsheen@gmail.com with your requirements. For enterprise agreements requiring a custom DPA (Data Processing Agreement), contact us directly.

Are we GDPR compliant?

We process data in accordance with GDPR. Personal data (name, email) is collected with a lawful basis, stored with appropriate protections, and deletable on request. If you need a DPA or have specific GDPR requirements, reach out to ameena.arsheen@gmail.com.

What happens to our data if we cancel?

You can export or delete your data at any time from your account settings. When an account is closed, all associated data is deleted within 30 days. We do not retain conversation history or company context after deletion.

Data transparency

What we store, and why.

Everything we collect, why we need it, how long we keep it, and who can access it.

| What | Why we need it | Retention | Access |
| --- | --- | --- | --- |
| Company context (ICP, positioning, competitors) | Powers agent responses specific to your business | Until you delete it | Your org only |
| Conversation history | Continuity across sessions | Until you delete it | Your org only |
| API keys (BYOK) | Authenticating with your model provider | Until you remove them | Encrypted — your org only |
| Account details (name, email) | Authentication and billing | Until account deletion | Ameena.ai internal |
| Usage metrics | Billing and rate limiting | 90 days | Ameena.ai internal |

Model providers

What happens when your data reaches an AI model.

Your prompts are processed by a model provider. Here's what each provider's data policy says — in plain language.

Anthropic (Claude)

Anthropic does not train on API inputs by default. Data submitted via the API is not used for model training unless you explicitly opt in. This is the default for all ameena.ai accounts.

OpenAI (BYOK)

When you bring your own OpenAI key, your requests are governed by OpenAI's API data usage policy. OpenAI does not train on API data by default.

Google Gemini (BYOK)

When you bring your own Gemini key, your requests are governed by Google's API terms. Google does not use API data to train models by default.


API key security (BYOK)

How we store your API keys.

If you use Bring Your Own Key (Starter plan), your API key is encrypted before being written to the database. The encryption key is not stored alongside the API key.

Your key is decrypted in memory only when a request is being made, and is never logged, displayed in full, or transmitted anywhere other than directly to your chosen model provider.

Key storage flow

1. You enter your API key (input masked on screen)
2. Encrypted at rest (before database write)
3. Stored encrypted in DB (encryption key stored separately)
4. Decrypted in memory only (at request time, never logged)
5. Sent directly to provider (Anthropic / OpenAI / Gemini)
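
The key storage flow above, sketched as an added example. This is not ameena.ai's own code, and the page does not state which cipher or key store it uses. It assumes AES-256-GCM from Node's built-in crypto module, a key-encryption key supplied from outside the database, a hypothetical row layout, and (as a further assumption) the organisation ID bound as associated data.

```javascript
const crypto = require('node:crypto');

// Assumption: the 32-byte key-encryption key (KEK) comes from a secret store
// or KMS, never from the database that holds the ciphertext.
function loadKek(hex) {
  const kek = Buffer.from(hex, 'hex');
  if (kek.length !== 32) throw new Error('KEK must be 32 bytes');
  return kek;
}

// Steps 2-3: encrypt before the database write. The org ID is bound as
// associated data, so a row copied to another org fails authentication.
function sealApiKey(kek, orgId, apiKey) {
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, iv);
  cipher.setAAD(Buffer.from(orgId, 'utf8'));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  return { // hypothetical row layout
    org_id: orgId,
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
    hint: maskApiKey(apiKey),
  };
}

// Step 4: decrypt in memory at request time. Throws if the row was tampered
// with, moved between orgs, or opened with the wrong KEK.
function openApiKey(kek, orgId, row) {
  const d = crypto.createDecipheriv('aes-256-gcm', kek, Buffer.from(row.iv, 'base64'));
  d.setAAD(Buffer.from(orgId, 'utf8'));
  d.setAuthTag(Buffer.from(row.tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(row.ciphertext, 'base64')), d.final()]);
  return pt.toString('utf8');
}

// Display and logging use only a masked form, never the full key.
function maskApiKey(apiKey) {
  return apiKey.length <= 8 ? '****' : `${apiKey.slice(0, 3)}...${apiKey.slice(-4)}`;
}

// Constructed sample values, not real credentials.
const SAMPLE_KEK = loadKek('00'.repeat(31) + '01');
const SAMPLE_ROW = sealApiKey(SAMPLE_KEK, 'org_a', 'sk-EXAMPLE-not-a-real-key-1234');
```
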

SOC 2 status

In progress — we'll be honest about it.

We are working toward SOC 2 Type II certification and will publish the report here when complete. If your procurement process requires it before then, email us — we'll complete your security questionnaire directly and work with your timeline.

Talk to us directly

Security review? DPA? Custom requirements?

Enterprise security reviews, custom DPA requests, GDPR queries, or specific questions about our data handling — we respond within one business day.

ameena.arsheen@gmail.com →