Our data covenant
Your data stays where it belongs. We did not build a privacy policy and call it security. We built a system where your data does not leave your environment in the first place. This page explains how Comfrey AI works and how we handle personal information in accordance with applicable laws, including the Personal Information Protection Act (British Columbia) and PIPEDA.
Our commitments reflect how the layer is designed to operate. In limited cases, we may process minimal information where necessary to provide the service, maintain security, or comply with legal obligations.
The Universal Agentic Reasoning Layer operates like a navigation device guiding your AI stack. It never takes your data, prompts, or outputs outside your environment. If your cloud account is SOC 2 certified, UARL runs in a SOC 2 certified environment. If your account is FedRAMP authorised, UARL runs inside a FedRAMP authorised environment. We do not ask you to extend trust to our compliance posture. We run inside the compliance posture you already maintain and already certify.
Data Privacy Commitment 1 | We do not train on your data.
Customer data, including prompts, documents, and model outputs, is not used to train, fine-tune, or improve Comfrey AI. We do not use customer data for general model training purposes.
Data Privacy Commitment 2 | We do not retain your prompts or outputs.
The platform is designed to process data within your environment. We do not store prompts or outputs in our systems, except where strictly necessary for transient processing, troubleshooting, or as required by law.
Data Privacy Commitment 3 | We do not share or sell your data.
We do not sell personal information or use it for advertising. We do not disclose customer data to third parties except where necessary to provide the service (such as payment processing), to comply with legal obligations, or with your instruction.
Data Privacy Commitment 4 | Limited operational data only.
Where limited data is transmitted (such as for license validation), it is restricted to the minimum required to operate the service. This does not include prompts, documents, or model outputs.
Data Privacy Commitment 5 | Customer-controlled performance analysis.
Where we support performance measurement or hallucination prevention, the data used for evaluation remains within your environment. We do not retain or reuse this data outside your deployment except where necessary to provide the agreed service.
Data Privacy Commitment 6 | Changes to this policy.
If we update this policy, we will provide notice prior to the changes taking effect where required by law or contract.
How it works
Comfrey AI deploys inside your own cloud environment (AWS, GCP, or Azure). You provision and control the infrastructure. The model runs within your environment, not ours. As a result, your documents, prompts, and outputs are not required to be transmitted to or stored on Comfrey AI systems in order for the platform to function.
What about certifications?
We are an early-stage company. We do not yet hold SOC 2 Type II, ISO 27001, or FedRAMP certifications. We are working toward SOC 2 Type II and expect to complete it by end of 2026.
What we offer instead is structurally more meaningful for most enterprise deployments. Because the model runs inside your own cloud account, your organisation’s existing cloud compliance certifications (SOC 2, FedRAMP, ISO 27001) cover the infrastructure where UARL runs. You are not extending trust to our infrastructure. You are running on infrastructure you already trust and already certify.
When you deploy Comfrey AI inside your own AWS, GCP, or Azure account, the compute infrastructure is covered by your organisation’s existing compliance certifications, not ours. If your cloud account is SOC 2 certified, the infrastructure running RRM-1 is SOC 2 certified. If your cloud account is FedRAMP authorised, RRM-1 runs inside a FedRAMP-authorised environment. We do not ask you to extend trust to our compliance posture. We run inside the compliance posture you already maintain.
What personal information we collect
To operate the service, we collect limited personal information:
- Name and email address (account creation and communication)
- Organisation name and deployment configuration (licensing and service delivery)
- Billing information (processed by our payment provider)
We do not collect prompts, documents, or model outputs as part of normal platform operation.
How we use personal information
We use personal information to:
- Create and manage user accounts
- Provide, operate, and support the platform
- Process payments and maintain billing records
- Communicate with you about your account or service
- Comply with legal and regulatory obligations
We do not use personal information for advertising, profiling, or model training.
Consent
By creating an account, entering into an agreement, or otherwise providing personal information, you consent to its collection, use, and disclosure as described in this policy. Where required, we obtain express consent.
Disclosure and service providers
We may share personal information with a limited number of service providers that support our operations, such as payment processing. These providers are contractually required to protect personal information and use it only for the purposes for which it was disclosed. Current providers include Stripe (payment processing). We do not use advertising networks, data brokers, or third-party analytics providers.
Cross-border transfers
Some service providers may process or store personal information outside of Canada. Where this occurs, the information may be subject to the laws of those jurisdictions.
Retention
We retain personal information only as long as necessary: account and billing information is retained for up to 7 years to meet legal and tax obligations. Licensing and deployment configuration data is deleted within 30 days of contract termination. Because the model runs within your environment, we do not retain prompts, documents, or outputs.
Accuracy and safeguards
We take reasonable steps to ensure personal information is accurate, complete, and up to date. We implement appropriate administrative, technical, and physical safeguards to protect personal information against unauthorized access, use, or disclosure.
Deployment cards
Azure | Microsoft Azure: Deploys via ARM template. Runs inside your VNet. Managed identity authentication.
AWS | Amazon Web Services: Deploys via CloudFormation. Runs inside your VPC. IAM roles scoped to minimum required permissions.
GCP | Google Cloud: Deploys via Terraform. Runs inside your VPC. Service account with least-privilege IAM.
How long we keep your information
We retain account and billing information for seven years following the end of your contract as required by Canadian tax law. Licence and deployment configuration data is deleted within 30 days of contract termination. Because the model runs inside your own cloud environment, no query data, document content, or completions are held by us at any time; there is nothing to delete on our side when you leave.
Breach notification
If a breach of security safeguards involving personal information creates a real risk of significant harm, we will notify affected individuals as soon as feasible and report to the Office of the Information and Privacy Commissioner for British Columbia as required by law.
Your rights
You have the right to request access to your personal information, request correction of inaccurate information, and withdraw consent, subject to legal and contractual limitations. To exercise these rights, contact: questions@comfrey.ai. If you are not satisfied with our response, you may contact the Office of the Information and Privacy Commissioner for British Columbia at https://www.oipc.bc.ca.
Privacy officer
Comfrey AI has designated a Privacy Officer responsible for compliance with applicable privacy laws. Contact: questions@comfrey.ai
Governing Law
This policy is governed by the laws of British Columbia, Canada, and applicable federal laws including PIPEDA. Effective March 1, 2026.