Introduction
Detekta ("we," "our," or "us") provides AI-powered breach reporting solutions for GCC financial institutions. This Privacy Policy explains how we collect, use, and protect your information when you use our services.
We are committed to protecting your privacy and handling your data with transparency. Our architecture is designed with privacy-by-design principles at its core.
Privacy-First AI Architecture
Unlike traditional AI services, Detekta implements a privacy-by-design approach:
- Anonymization Before Processing: All personally identifiable information (PII) is anonymized before being sent to AI providers.
- Zero-Retention Subprocessors: Our AI providers (OpenAI, Anthropic) operate under enterprise contracts with zero data retention.
- Local PII Storage: Original identifiers are stored only in encrypted local mapping tables, never transmitted externally.
Data We Collect
Information You Provide
- Account information (name, email, organization)
- Breach incident details submitted for report generation
- Communications with our support team
Information Collected Automatically
- Usage analytics (pages visited, features used)
- Device and browser information
- IP address and the approximate location derived from it
Anonymization Process
When you submit breach details for report generation, we apply the following anonymization techniques:
- Pseudonymization: Names replaced with tokens (e.g., "John Doe" → "[Customer-12345]")
- Redaction: Email addresses, phone numbers, and identity or account numbers removed or masked
- Generalization: Specific addresses reduced to city/country level
AI providers receive only the anonymized text. Because the original identifiers can be recovered from the local mapping table, the data sent to providers is pseudonymized rather than irreversibly anonymized: re-identification requires the mapping table, which never leaves your environment. Original identifiers are restored only after AI processing, within your secure environment.
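The flow described above, as an added example (this is not Detekta's code): redact email, phone and ID patterns, replace known customer names with random `[Customer-NNNNN]` tokens held in a local mapping table, generalize the address to city/country, gate the outbound text on a residual-PII check, and restore names after processing. The regex patterns, the incident field names and the sample incident are assumptions for illustration; the page's encrypted, persisted mapping table is represented here by an in-memory object.

```python
import re
import secrets
from dataclasses import dataclass, field

# Assumed detection patterns (illustrative, not Detekta's):
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d{1,3}[\s-]?\d{1,4}(?:[\s-]?\d{2,4}){2,3}")
# 784-YYYY-NNNNNNN-N is the Emirates ID layout; 10-16 bare digits stands in
# for account or card numbers. Both are assumed formats for this example.
ID_RE = re.compile(r"\b\d{3}-\d{4}-\d{7}-\d\b|\b\d{10,16}\b")

# Redactions are irreversible: the markers carry no index back to the value.
REDACTIONS = [
    (EMAIL_RE, "[EMAIL REDACTED]"),
    (PHONE_RE, "[PHONE REDACTED]"),
    (ID_RE, "[ID REDACTED]"),
]


@dataclass
class MappingTable:
    """Token <-> original name. Stays in the customer environment; the page
    describes it as AES-256 encrypted at rest, which this in-memory example
    does not implement."""
    token_to_name: dict = field(default_factory=dict)
    name_to_token: dict = field(default_factory=dict)

    def token_for(self, name: str) -> str:
        """Same name -> same token, so the model can follow one entity through
        the report. Tokens are random, not sequential: a counter would reveal
        how many customers were affected and their submission order."""
        if name not in self.name_to_token:
            while True:
                token = f"[Customer-{secrets.randbelow(90000) + 10000}]"
                if token not in self.token_to_name:
                    break
            self.name_to_token[name] = token
            self.token_to_name[token] = name
        return self.name_to_token[name]


def generalize_address(addr: dict) -> str:
    """Drop street-level detail, keep city and country."""
    return f"{addr['city']}, {addr['country']}"


def anonymize(incident: dict, table: MappingTable) -> dict:
    """Build the payload that may be sent to an AI provider."""
    text = incident["description"]
    # Redact first, so an email local part such as john.doe@... is not
    # half-rewritten by the name pass that follows.
    for pattern, marker in REDACTIONS:
        text = pattern.sub(marker, text)
    # Longest names first, so a surname never pre-empts the full name.
    for name in sorted(incident["affected_customers"], key=len, reverse=True):
        text = re.sub(rf"\b{re.escape(name)}\b", table.token_for(name), text)
    return {
        "description": text,
        "affected_customers": [table.token_for(n) for n in incident["affected_customers"]],
        "location": generalize_address(incident["address"]),
    }


def residual_pii(text: str) -> list:
    """Gate before the provider call: anything still matching is a leak."""
    return [m.group(0) for pattern, _ in REDACTIONS for m in pattern.finditer(text)]


def rehydrate(text: str, table: MappingTable) -> str:
    """Restore names in the provider's output, inside the customer environment."""
    for token, name in table.token_to_name.items():
        text = text.replace(token, name)
    return text


# Constructed sample incident; the people, numbers and address are invented.
SAMPLE_INCIDENT = {
    "description": (
        "On 3 March an attacker exported records for Fatima Al Mansoori "
        "(fatima.almansoori@example.com, +971 50 123 4567, ID 784-1990-1234567-1) "
        "and John Doe (account 1234567890123)."
    ),
    "affected_customers": ["Fatima Al Mansoori", "John Doe"],
    "address": {"street": "12 Sheikh Zayed Road", "city": "Dubai", "country": "UAE"},
}

if __name__ == "__main__":
    table = MappingTable()
    payload = anonymize(SAMPLE_INCIDENT, table)
    leaks = residual_pii(payload["description"])
    if leaks:
        raise SystemExit(f"refusing to send, residual PII: {leaks}")
    print("outbound:", payload)
    # Stand-in for the provider's response, which would reuse the tokens.
    model_output = f"Report: {payload['affected_customers'][0]} was affected."
    print("restored:", rehydrate(model_output, table))
```

The residual-PII gate is the check worth keeping in a real pipeline: pattern-based detection misses unusual formats, so the outbound payload should be scanned with the same patterns and the call refused, not merely logged, when anything matches.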
Subprocessors
We use the following third-party services to provide our platform:
| Provider | Purpose | Data Retention |
|---|---|---|
| OpenAI | AI report generation | Zero retention (Enterprise) |
| Anthropic | AI processing | Zero retention (Enterprise) |
| Vercel | Website hosting | Standard logs |
All subprocessors maintain SOC 2 Type 2 or equivalent certifications. We notify customers 30 days before adding new subprocessors.
Data Retention
- Account Data: Retained while your account is active, deleted within 30 days of account closure.
- Breach Reports: Retained for 7 years (GCC regulatory requirement), then securely deleted.
- Audit Logs: Retained for 7 years for compliance purposes.
- AI Processing Data: Zero retention at subprocessor level (deleted immediately after processing).
Security Measures
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for data in transit
- Role-based access controls (RBAC)
- Annual penetration testing
- SOC 2 Type 2 certification (in progress)
GCC Regulatory Alignment
Our data handling practices are designed to comply with GCC data protection regulations:
- UAE Federal Decree-Law No. 45/2021 (PDPL)
- Saudi Arabia Personal Data Protection Law (PDPL)
- Bahrain Personal Data Protection Law (PDPL)
- DIFC Data Protection Law
- ADGM Data Protection Regulations
Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Object to certain processing activities
- Withdraw consent where applicable
Contact Us
For privacy-related inquiries or to exercise your rights:
- Email: info@detekta.tech
Policy Updates
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our website. Your continued use of Detekta after changes become effective constitutes acceptance of the revised policy.