Skip to main content
InfoLensConnect
Sign in

Privacy Policy

Last updated: May 27, 2026

1. Introduction

This Privacy Policy explains how GD Labs ("we", "us", or "our") collects, uses, shares, and protects personal information when you use the InfoLens Connect platform, including its web application, APIs, embeddable widgets, SDKs, and related services (collectively, the "Service").

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you register for an account, we collect your email address, display name, and password (stored as a salted cryptographic hash). Tenant administrators may also store organizational identifiers associated with your account.

2.2 Documents & Content

You may upload documents (PDF, DOCX, TXT, HTML, Markdown, and other supported formats) to the Service for ingestion into your knowledge base. We store the original files, extracted text, generated vector embeddings, and associated metadata.

2.3 Conversations & Queries

When you use chat, search, or RAG features, we record your queries, the AI-generated responses, retrieved source citations, and conversation metadata (timestamps, conversation IDs). This data is stored within your tenant boundary.

2.4 Usage Data

We automatically collect technical information such as IP addresses, browser type, operating system, pages visited, API endpoints called, request timestamps, and error logs. This data is used for security monitoring, performance optimization, and audit purposes.

2.5 Widget Data (Embedded Sites)

When the InfoLens Connect embeddable widget is deployed on a third-party website, it stores conversation history in the visitor's browser using localStorage. This data remains on the visitor's device and is not transmitted to our servers unless the visitor actively sends a chat message, at which point the message content is processed by the Service. Widget interactions are associated with the agent's tenant, not with an individual user account.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Process your documents through our RAG pipeline (parsing, chunking, embedding generation, knowledge graph construction).
  • Generate AI-powered responses to your queries using retrieved document context.
  • Provide semantic search across your knowledge base.
  • Enforce role-based access control (RBAC) and tenant isolation.
  • Generate audit logs for compliance and security review by tenant administrators.
  • Send transactional communications (account verification, password reset, service alerts).
  • Detect and prevent security threats, abuse, and unauthorized access.
  • Comply with applicable legal obligations.

4. Multi-Tenant Data Isolation

InfoLens Connect is designed as a multi-tenant platform. Each tenant (organization) operates within a logically isolated boundary. This means:

  • Document isolation: Documents, collections, and knowledge graphs belonging to one tenant are never accessible by users of another tenant.
  • Conversation isolation: Chat histories and search queries are scoped to the originating tenant.
  • User isolation: User accounts are bound to a single tenant. Cross-tenant user enumeration is not possible.
  • RBAC isolation: Role definitions and permission assignments are tenant-specific. A role in one tenant has no effect in another.
  • API key isolation: API keys are scoped to their tenant and agent. They cannot be used to access resources outside their scope.

Platform super-administrators have limited cross-tenant visibility for operational purposes (tenant provisioning, suspension, platform health) but do not have access to tenant document content or conversation data.

5. Data Retention

Data retention periods are configurable by tenant administrators within the following framework:

  • Documents & knowledge bases: Retained for the lifetime of the tenant account, or until explicitly deleted by an authorized user.
  • Conversations: Retained until explicitly deleted by the user or tenant administrator.
  • Audit logs: Default retention of 90 days, configurable per tenant via tenant settings.
  • Account data: Retained while the account is active. Upon account deletion, personal data is removed within 30 days; anonymized usage statistics may be retained.
  • Backups: Database backups may retain deleted data for up to 30 additional days beyond the deletion date.

6. Third-Party Services

The Service integrates with the following third-party providers to deliver its functionality:

6.1 Google Gemini (Large Language Model)

Document summaries, AI-generated responses, embeddings, and content generation are powered by Google Gemini models. When you submit a query, relevant document excerpts and your query are sent to the Gemini API for processing. Google's data usage policies apply to this processing. We use API-based access, meaning your data is not used to train Google's models. Google AI Terms of Service.

6.2 Object Storage (S3-Compatible)

Uploaded documents are stored in S3-compatible object storage (MinIO or AWS S3, depending on deployment configuration). Files are stored with tenant-scoped key prefixes to maintain isolation.

6.3 PostgreSQL (Database)

All structured data (user accounts, metadata, vector embeddings, conversation records, RBAC policies) is stored in PostgreSQL with pgvector extension. The database may be self-hosted or provider-managed depending on deployment.

7. Cookies & Local Storage

The Service uses:

  • JWT tokens: Stored in browser memory or httpOnly cookies for authentication session management. These are essential for the Service to function and cannot be disabled.
  • Theme preference: A localStorage value to remember your light/dark mode preference.
  • Language preference: A localStorage or cookie value to remember your selected language.
  • Widget conversation state: The embeddable widget stores conversation history in the host page's localStorage to persist conversations across page reloads.

We do not use third-party tracking cookies or advertising cookies.

8. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS for all API and web traffic).
  • Cryptographic password hashing (bcrypt) -- we never store plaintext passwords.
  • Role-based access control (Casbin RBAC engine) with per-tenant policy enforcement.
  • Tenant-scoped API keys with revocation capability.
  • Audit logging of security-relevant events.
  • Input validation and parameterized queries to prevent injection attacks.

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to [email protected].

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate personal data.
  • Erasure: Request deletion of your personal data ("right to be forgotten"). This includes your account, uploaded documents, and conversation history.
  • Data portability: Request your data in a structured, machine-readable format. Documents can be downloaded in their original format; conversation data and metadata can be exported via the API.
  • Restriction: Request limitation of processing of your personal data in certain circumstances.
  • Objection: Object to processing of your personal data for certain purposes.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact your tenant administrator or reach us at [email protected]. We will respond within 30 days.

10. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If a tenant deploys InfoLens Connect in an educational context involving minors, the tenant is responsible for ensuring compliance with applicable child privacy laws (e.g., COPPA, FERPA) and obtaining necessary parental or guardian consent.

11. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence, including where our servers, third-party LLM providers, or object storage services operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required under GDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify users through the Service interface or via email. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

See also our Terms of Service.