Privacy Policy

1. Introduction

Filot Inc. ("Filot," "we," "our," or "us") respects your privacy and is committed to protecting it through our compliance with this policy. This Privacy Policy describes the types of information we may collect from you or that you may provide when you use our services, including our website (filot.ai), our Excel add-in, and any related applications (collectively, our "Services"), and our practices for collecting, using, maintaining, protecting, and disclosing that information.

2. Information We Collect

We collect several types of information from and about users of our Services, including:

• Account information: Name, email address, organization name, and other identifiers provided during registration.
• Usage information: Activity on our Services, including queries submitted, features used, and interaction patterns.
• User-uploaded data: Financial documents, Excel models, SEC filings, and other files you upload to or process through the platform.
• Device and connection information: Browser type, IP address, operating system, and referring URLs.

3. How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal information:

• To provide, maintain, and improve our Services.
• To process transactions and send related information.
• To notify you about changes to our Services or any products or services we offer or provide.
• To carry out our obligations and enforce our rights.
• To monitor usage for billing, capacity planning, and abuse prevention.

4. Disclosure of Your Information

We may disclose aggregated information about our users without restriction. We may disclose personal information that we collect or you provide as described in this privacy policy:

• To our subsidiaries and affiliates.
• To contractors, service providers, and other third parties we use to support our business, subject to contractual obligations to protect your data.
• To fulfill the purpose for which you provide it.
• To comply with any court order, law, or legal process.
• With your consent.

5. Data Security

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. These measures include:

• SOC 2 Type II certification: Our platform has been independently audited and certified for security, availability, and confidentiality controls.
• Encryption: AES-256 encryption at rest and TLS 1.2+ encryption in transit for all data.
• Isolated infrastructure: All services run within AWS Virtual Private Cloud (VPC) with complete network isolation.
• Access controls: Multi-factor authentication and role-based access controls for all internal systems.

However, the transmission of information via the internet is not completely secure. We cannot guarantee the security of your personal information transmitted to our Services.

6. AI Model Providers and Zero Data Retention

We use Anthropic as our primary AI model provider to power the analytical capabilities of our Services. Under our contractual agreement with Anthropic:

• Zero data retention: Anthropic does not store, log, or retain any data processed through Filot. All inputs and outputs are discarded immediately after inference.
• No model training: Your data is never used to train, fine-tune, or improve Anthropic's models.
• Contractual protections: These commitments are enforced through a formal zero data retention agreement between Filot and Anthropic.

If we engage additional AI model providers in the future, we will maintain equivalent data protection standards and update this policy accordingly.

7. User-Uploaded Data

When you upload data to our Services (including but not limited to financial documents, Excel models, SEC filings, or other proprietary information):

• We maintain strict security measures to protect your uploaded data from unauthorized access, disclosure, or use.
• Your data may be processed by our AI model provider (Anthropic) to deliver our Services, subject to the zero data retention terms described in Section 6.
• We do not sell, share, or use your uploaded data for any purpose other than providing the Services you have requested.
• You are solely responsible for ensuring you have the necessary rights and permissions to upload any data to our Services.

8. Data Retention

We retain your personal information for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. You may request deletion of your account and associated data by contacting us at the email address provided below. Upon account deletion, we will remove your personal information and uploaded data within 30 days, except where retention is required by law.

9. Your Rights

Depending on your location, you may have certain rights regarding your personal information, including:

• The right to access and receive a copy of your personal information.
• The right to correct inaccurate personal information.
• The right to request deletion of your personal information.
• The right to object to or restrict certain processing of your personal information.
• The right to data portability.

To exercise these rights, please contact us using the information provided below. We will respond to all legitimate requests within 30 days.

10. For Users in the European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR). We process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide the Services you have requested.
• Legitimate interests: Processing for our legitimate business interests, such as improving our Services and preventing fraud.
• Consent: Where you have given us specific consent to process your data for a particular purpose.

You have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with applicable data protection laws. For enterprise clients requiring a Data Processing Agreement (DPA), please contact us at the email address below.

11. For Users in California (CCPA)

If you are a California resident, you have the right under the California Consumer Privacy Act (CCPA) to:

• Know what personal information is being collected about you.
• Know whether your personal information is sold or disclosed and to whom.
• Opt out of the sale of your personal information. (We do not sell personal information.)
• Access your personal information.
• Request deletion of your personal information.
• Not be discriminated against for exercising your privacy rights.

12. Cookies and Tracking Technologies

We may use cookies and similar tracking technologies to track activity on our Services and hold certain information. Cookies are files with small amounts of data that are sent to your browser from a website and stored on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Services.

13. Children's Privacy

Our Services are not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us so that we can take necessary action.

14. International Data Transfers

Your information, including personal information, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. Our primary data processing occurs in the United States. By using our Services, you consent to the transfer of your information to the United States and other locations as necessary to provide our Services.

15. Sub-Processors

We use the following categories of sub-processors to deliver our Services:

• AI inference: Anthropic (zero data retention)
• Cloud infrastructure: Amazon Web Services (AWS)
• Authentication: WorkOS
• Database: MongoDB Atlas

All sub-processors are bound by contractual obligations to protect your data consistent with this Privacy Policy.

16. Changes to Our Privacy Policy

We may update our privacy policy from time to time. If we make material changes to how we treat our users' personal information, we will notify you through a notice on our website home page and update the "Last Updated" date at the top of this policy. You are responsible for periodically visiting our Services and this privacy policy to check for any changes.