Privacy Policy

How we handle your data and protect your privacy

Overview

This Privacy Policy explains how the AAR (After-Action Review) Agent collects, uses, and protects information when you use our service. We are committed to transparency about our data practices.

Last Updated: July 29, 2025

What Information We Collect

When you use the AAR Agent, we process the following information:

  • Incident Information: Descriptions of incidents, affected systems, and business impact details you provide through our forms
  • Uploaded Files: Any .txt, .md, .log, or .json files you upload to populate form fields
  • Analysis Preferences: Your selected analysis goals and preferences for report generation
  • Technical Information: Basic server logs including IP addresses, timestamps, and user agent information for system operation
  • Session Data: Temporary session information to maintain your experience during analysis

No Personal Identification: We do not collect names, email addresses, or other personally identifiable information. The service is designed to be used anonymously.

How We Use and Share Your Information

Data Processing

Your incident information is used solely for:

  • Generating AI-powered After-Action Review reports
  • Providing analysis and recommendations based on your incident data
  • Maintaining your session during the analysis process

Third-Party Sharing - OpenAI Processing

Important: All incident information you provide is sent to OpenAI's API for AI analysis. This includes all text, uploaded file contents, and analysis preferences.

  • OpenAI Terms Apply: Your data is subject to OpenAI's Terms of Use and Privacy Policy
  • Processing Purpose: OpenAI processes your data to generate incident analysis and recommendations
  • Data Residency: We do not control where OpenAI processes or temporarily stores your data
  • No Other Sharing: We do not share your information with any other third parties

Data Retention and Storage

Our Data Retention

  • No Permanent Storage: We do not permanently store your incident data or analysis results on our servers
  • Session-Only: Data exists only in your browser session during analysis and is automatically cleared when your session ends
  • Server Logs: Basic technical logs (IP addresses, timestamps) are retained for 30 days for system maintenance and security purposes
  • No Database Storage: We do not maintain a database of user submissions or analysis results

OpenAI Data Retention

OpenAI's data retention is governed by their policies. As of our last update, OpenAI retains API data for 30 days for abuse and misuse monitoring, then deletes it. However, you should review OpenAI's current privacy policy for the most up-to-date information.

Data Security

We implement the following security measures:

  • HTTPS Encryption: All data transmission is encrypted using HTTPS/TLS
  • Secure Sessions: Session data is protected using secure session management
  • No Local Storage: We minimize security risks by not storing sensitive data
  • API Security: Communications with OpenAI use secure, authenticated API connections
  • Access Controls: Limited system access and regular security monitoring

Data Security: While we use HTTPS encryption for data transmission, you should evaluate whether your incident information is appropriate for third-party AI processing based on your organization's security and compliance requirements.

Your Rights and Choices

  • Voluntary Use: Use of this service is entirely voluntary
  • Information Control: You control what information you submit for analysis
  • Session Management: You can clear your session data at any time by closing your browser or clearing browser data
  • Sensitive Data: Do not submit personally identifiable information, passwords, API keys, or other sensitive credentials
  • Organizational Approval: Ensure you have proper authorization to submit incident information

Since we do not collect personal identification information and do not permanently store your data, traditional data subject requests (access, deletion, etc.) are not applicable to this service.

Important Considerations for Organizations

Before using this service with organizational data, consider:

  • Compliance Requirements: Evaluate if third-party AI processing complies with your industry regulations (GDPR, HIPAA, SOX, PCI DSS, etc.)
  • Data Classification: Ensure incident information is appropriate for external processing based on your data classification policies
  • Legal Review: Consider having your legal team review OpenAI's terms and this privacy policy
  • Risk Assessment: Evaluate the benefits of AI analysis against potential data exposure risks
  • Internal Approval: Obtain necessary approvals from security, compliance, and management teams

Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact: If you have questions about this privacy policy, you can contact Michael Janzen via the information available at michaeljanzen.com/about.