Data Protection and Usage Policy - Hill Country Guide AI

Last Updated: February 1, 2026

Our Commitment to Data Protection

At Hill Country Guide AI, we understand that data is one of your most valuable business assets. This document outlines our comprehensive approach to protecting, processing, and managing the data entrusted to us by our clients and their customers.

1. Overview

Hill Country Guide AI operates as both a data processor (for our clients) and a data controller (for certain operational data). This policy explains:

  • What data we collect and process
  • How we protect and secure that data
  • How we use data to improve our services
  • Your rights and our responsibilities
  • Our compliance with data protection regulations

2. Types of Data We Handle

2.1 End User Data (Data We Process for Clients)

| Data Category | Examples | Purpose |
|---|---|---|
| Identity Data | Name, username, title | Personalization, lead identification |
| Contact Data | Email, phone number, address | Communication, lead delivery |
| Conversation Data | Chat messages, questions, responses | Service delivery, AI training |
| Technical Data | IP address, browser type, device ID | Security, analytics, optimization |
| Usage Data | Session duration, click patterns, timestamps | Performance monitoring, improvements |
| Business Data | Company name, industry, preferences | Lead qualification, customization |

2.2 Client Data (Our Business Customers)

Data we collect from businesses that use our chatbot services:

  • Business contact information and credentials
  • Chatbot configuration and customization preferences
  • Integration settings and API keys
  • Billing and payment information
  • Support and communication history

2.3 Operational Data

Data we generate internally to operate our services:

  • System logs and error reports
  • Performance metrics and analytics
  • Security and fraud detection data
  • AI model training datasets (anonymized)

3. Data Processing Activities

3.1 Primary Processing Activities

Real-Time Conversation Processing (ENCRYPTED)

  • Receiving and interpreting user messages
  • Generating AI-powered responses
  • Maintaining conversation context and history
  • Extracting lead information for client delivery

Lead Capture and Delivery (SECURED)

  • Identifying potential customer information
  • Validating and formatting lead data
  • Delivering leads to client CRM systems
  • Tracking lead status and quality metrics

Analytics and Reporting (ENCRYPTED)

  • Aggregating usage statistics
  • Measuring chatbot performance
  • Generating client reports and insights
  • Identifying optimization opportunities

AI Model Training and Improvement (SECURED)

  • Anonymizing conversation data
  • Training AI models on anonymized datasets
  • Testing and validating model improvements
  • Fine-tuning chatbot responses

3.2 Data Processing Roles

When We Are a Data Processor:

For end-user data collected through client chatbots, we act as a data processor on behalf of our clients (the data controllers). We process this data according to client instructions and our data processing agreements.

When We Are a Data Controller:

For our own business operations, client account data, and aggregated analytics, we act as a data controller and determine how this data is processed.

4. Data Security Measures

4.1 Technical Security Controls

Encryption

  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Database: Encrypted database storage with key rotation
  • Backups: Encrypted backup systems with secure key management

Access Controls

  • Multi-factor authentication (MFA) for all system access
  • Role-based access control (RBAC) with least privilege principle
  • Regular access reviews and permission audits
  • Automated access revocation for terminated employees

Network Security

  • Firewall protection and intrusion detection systems
  • DDoS mitigation and rate limiting
  • Virtual Private Cloud (VPC) isolation
  • Regular penetration testing and vulnerability scanning

Application Security

  • Secure coding practices and code reviews
  • Regular security patches and updates
  • Input validation and sanitization
  • Protection against common vulnerabilities (OWASP Top 10)

4.2 Organizational Security Measures

  • Security Training: Mandatory security awareness training for all employees
  • Background Checks: Comprehensive background checks for personnel with data access
  • Confidentiality Agreements: NDAs and confidentiality clauses in employment contracts
  • Incident Response: 24/7 security monitoring and incident response team
  • Business Continuity: Disaster recovery and business continuity plans
  • Third-Party Audits: Regular independent security assessments

4.3 Infrastructure Security

Our infrastructure is built on enterprise-grade cloud platforms with:

  • SOC 2 Type II certified data centers
  • ISO 27001 certified security management
  • Redundant systems across multiple availability zones
  • Automated backup and disaster recovery systems
  • 99.9% uptime SLA with our infrastructure providers

5. Data Retention and Deletion

5.1 Retention Periods

| Data Type | Retention Period | Rationale |
|---|---|---|
| Active Conversations | Session + 90 days | Service delivery, quality assurance |
| Lead Information | 2-5 years (client-defined) | Business relationship management |
| Anonymized Analytics | 3 years | Service improvement, benchmarking |
| System Logs | 1 year | Security, troubleshooting |
| Client Account Data | Duration of relationship + 7 years | Legal, accounting requirements |
| Financial Records | 7 years | Tax and legal compliance |

5.2 Data Deletion Procedures

When data reaches the end of its retention period or upon request:

  • Secure Deletion: Data is permanently deleted using secure deletion methods
  • Backup Purging: Data is removed from all backup systems within 90 days
  • Verification: Deletion is verified and documented
  • Certificate of Deletion: Available upon request for compliance purposes

5.3 Legal Hold

Data subject to legal proceedings, investigations, or regulatory requests may be retained beyond standard periods as required by law.

6. Data Sharing and Transfers

6.1 Data Recipients

Primary Recipients:

  • Our Clients: End-user data is shared with the client whose website hosts the chatbot
  • AI Service Providers: Anthropic (Claude AI) for natural language processing
  • Cloud Infrastructure: AWS, Google Cloud, or Azure for hosting and storage
  • Analytics Platforms: Aggregated, anonymized data for performance monitoring

Secondary Recipients (as needed):

  • CRM and marketing automation platforms (on behalf of clients)
  • Payment processors for billing (client data only)
  • Legal and professional advisors (under confidentiality)
  • Law enforcement or regulatory agencies (when legally required)

6.2 International Data Transfers

We primarily store data in United States data centers. When transferring data internationally, we ensure:

  • Compliance with applicable data transfer regulations (GDPR, CCPA, etc.)
  • Use of Standard Contractual Clauses (SCCs) where required
  • Adequacy decisions or equivalent protections
  • Transparency with clients about data locations

6.3 Third-Party Data Processing Agreements

All third-party processors are required to:

  • Sign comprehensive data processing agreements
  • Maintain equivalent security standards
  • Undergo regular security assessments
  • Provide sub-processor disclosure
  • Comply with our data protection requirements

7. Data Subject Rights

7.1 Your Rights

Depending on your location and applicable laws, you may have the following rights:

Right to Access

  • Request a copy of your personal data
  • Receive information about how we process your data
  • Obtain data in a portable format

Right to Rectification

  • Correct inaccurate personal data
  • Complete incomplete data

Right to Erasure ("Right to be Forgotten")

  • Request deletion of your personal data
  • Subject to legal retention requirements

Right to Restriction

  • Limit how we use your data
  • Object to certain processing activities

Right to Data Portability

  • Receive data in a structured, machine-readable format
  • Transfer data to another service provider

Right to Object

  • Object to processing for direct marketing
  • Object to automated decision-making

Right to Withdraw Consent

  • Withdraw previously given consent
  • Opt out of certain data uses

7.2 Exercising Your Rights

To exercise any of these rights:

  1. Submit a request via email to privacy@hillcountryguideai.com
  2. Include "Data Subject Request" in the subject line
  3. Provide sufficient information to verify your identity
  4. Specify which right(s) you wish to exercise

Response Time: We will respond to verified requests within 30 days (or as required by applicable law).

Verification: We may request additional information to verify your identity before processing requests.

No Fee: Requests are generally processed free of charge (excessive or repetitive requests may incur reasonable fees).

8. AI and Machine Learning Data Usage

8.1 Training Data

We use conversation data to improve our AI models with the following protections:

  • Anonymization: All personal identifiers are removed before use in training
  • Aggregation: Data is combined with thousands of other conversations
  • Opt-Out Available: Users can opt out of having their data used for training
  • Quality Control: Human review to remove sensitive or inappropriate content
  • Client Control: Clients can specify if their chatbot data should not be used for training

8.2 Model Improvement Process

  1. Collection of conversation data from active chatbots
  2. Automated removal of personal information (PII)
  3. Human review for quality and appropriateness
  4. Aggregation with broader training datasets
  5. Model training and testing
  6. Validation and deployment of improved models

8.3 Third-Party AI Services

We use Claude AI by Anthropic for natural language processing:

  • Anthropic maintains their own data protection and privacy standards
  • Data sent to Claude AI is subject to Anthropic's commercial terms
  • We use enterprise API access with enhanced privacy protections
  • Conversation data is not used to train Anthropic's general models (per enterprise agreement)

9. Compliance and Certifications

9.1 Regulatory Compliance

We comply with applicable data protection regulations including:

  • GDPR (EU): General Data Protection Regulation
  • CCPA (California): California Consumer Privacy Act
  • CPRA (California): California Privacy Rights Act
  • VCDPA (Virginia): Virginia Consumer Data Protection Act
  • CPA (Colorado): Colorado Privacy Act
  • Other State Laws: Compliance with evolving US state privacy laws

9.2 Industry Standards

We align with recognized security and privacy frameworks:

  • ISO 27001 Information Security Management
  • SOC 2 Type II Security and Privacy Controls
  • NIST Cybersecurity Framework
  • OWASP Secure Coding Practices

9.3 Regular Audits

  • Annual third-party security audits
  • Quarterly internal compliance reviews
  • Ongoing vulnerability assessments
  • Privacy impact assessments for new features

10. Data Breach Response

10.1 Incident Response Procedures

In the event of a data breach, we follow a structured response process:

  1. Detection and Containment: Immediate isolation of affected systems
  2. Assessment: Evaluation of scope, impact, and affected data
  3. Notification: Timely notification to affected parties as required by law
  4. Remediation: Implementation of fixes and security enhancements
  5. Documentation: Comprehensive incident reporting and analysis
  6. Prevention: Updates to prevent similar incidents

10.2 Notification Timeline

  • Clients: Notified within 24-48 hours of a confirmed breach
  • Affected Individuals: Notified as required by applicable law (typically within 72 hours)
  • Regulatory Authorities: Notified as required by jurisdiction

10.3 Support and Remediation

In the event of a breach affecting your data, we provide:

  • Dedicated incident response support
  • Clear communication about impact and remediation
  • Credit monitoring services (if applicable)
  • Assistance with mitigation measures

11. Children's Data Protection

Our services are not directed to children under 13 (or the applicable age in your jurisdiction):

  • We do not knowingly collect data from children
  • If we discover data from a child, we delete it immediately
  • Parents/guardians can request deletion of child data
  • Chatbots can be configured with age verification

12. Client Responsibilities

12.1 Data Controller Obligations

Our clients (as data controllers) are responsible for:

  • Obtaining proper consent from end users
  • Providing privacy notices to their website visitors
  • Ensuring lawful basis for data processing
  • Handling data subject requests for their data
  • Configuring chatbots in compliance with their privacy policies

12.2 Data Processing Agreements

We enter into Data Processing Agreements (DPAs) with all clients that include:

  • Scope and purpose of data processing
  • Types of data and categories of data subjects
  • Security measures and obligations
  • Sub-processor disclosure and approval
  • Data breach notification requirements
  • Assistance with data subject rights
  • Terms for data deletion upon contract termination

13. Updates to This Policy

We may update this Data Protection and Usage Policy to reflect:

  • Changes in our data processing activities
  • New features or services
  • Changes in applicable laws or regulations
  • Enhanced security measures
  • Feedback from audits or assessments

Notification: Material changes will be communicated via:

  • Email notification to clients
  • Prominent notice on our website
  • Updated "Last Updated" date on this policy

14. Contact and Data Protection Officer

For questions, concerns, or requests regarding data protection:

Privacy Team
Email: privacy@hillcountryguideai.com

Data Protection Officer
Email: dpo@hillcountryguideai.com

Security Team
Email: security@hillcountryguideai.com

General Contact
Hill Country Guide AI
Website: www.hillcountryguideai.com

15. Additional Resources

For more information about our practices:


© 2026 Hill Country Guide AI. All rights reserved.