Privacy Policy

Last updated: April 22, 2026

This Privacy Policy explains how COSTTRAIL INC (“COSTTRAIL”, “we”) collects, uses, and protects personal information in connection with AI2BI Hub (the “Service”). It applies to the ai2bihub.com website, the AI2BI Hub application, and our per-product domains (e.g. excel.ai2bihub.com, pdf.ai2bihub.com, accounting.ai2bihub.com, askdocs.ai2bihub.com).

1. Controller and contact

For personal information you submit about yourself to use the Service, COSTTRAIL is the data controller. For Customer Data you upload to process through the Service (files, documents, accounting records, cloud logs, etc.), COSTTRAIL acts as a data processor on behalf of your organization, which is the controller.

Questions, access requests, or complaints:
Privacy: privacy@ai2bihub.com
Data Protection Officer: dpo@ai2bihub.com
Mailing address: COSTTRAIL INC, 1900 Pleasant Street, Noblesville, Indiana 46061-0813, USA.

2. What we collect

Category | Examples | Source
Account information | name, work email, company, country, password hash, two-step-verification secret | You, during sign-up
Authentication and session | session cookie, refresh token, IP address, user-agent, sign-in timestamps | Automatically on use
Billing information | plan, invoices, last-four of card, billing address | You; payment processor (Stripe)
Customer Data | files, documents, accounting exports, database queries, chat prompts, AI-generated outputs | You
Product telemetry | feature usage counts, error logs, tokens consumed, timings | Automatically on use
Support communications | emails, chat transcripts | You

3. How we use it

  • Provide, maintain, and secure the Service and your account.
  • Process Customer Data on your documented instructions to produce AI-generated answers, reports, or outputs.
  • Bill you for usage, send transactional emails (sign-up, verification, MFA, receipts, incident notices), and meet legal and accounting obligations.
  • Detect and prevent fraud, abuse, and security incidents, including rate-limiting and suspending offending accounts.
  • Improve the reliability and performance of the Service using aggregated, de-identified metrics.
  • With your consent, for purposes stated at the time of collection.

5. PII and sensitive data

We ask Customers not to upload special-category personal data (health, biometric, genetic, sex-life, trade-union, political, religious data) or government identifiers (e.g. full SSN, Aadhaar, passport) unless strictly necessary and unless you have a documented legal basis. The Service is not designed or warranted for use as a system of record for these categories.

Payment card primary account numbers (PAN) should never be uploaded to the Service. Card data entered into our billing flow is transmitted directly to Stripe; we do not store PANs on our servers.

6. PHI and HIPAA

Protected Health Information (PHI) as defined under the U.S. Health Insurance Portability and Accountability Act (HIPAA) has special handling requirements. We do not currently offer a Business Associate Agreement (BAA) on our standard plans. Accordingly, you must not upload PHI to the Service unless and until a BAA has been executed with COSTTRAIL. If your use case involves PHI, contact privacy@ai2bihub.com to discuss private-deployment or on-prem options described at /legal/deployment-modes. See also /legal/data-handling.

7. Model providers and training

AI2BI Hub uses large language models hosted via Amazon Bedrock and, for certain tools, other inference providers listed in our sub-processor schedule. Prompts and outputs are sent to these providers on an inference-only basis under contractual terms that prohibit the use of Customer Data for training foundation models. We do not train models on Customer Data.

8. Sharing and sub-processors

We share personal information with:

  • Infrastructure providers — Amazon Web Services (US), for hosting, storage, authentication (Cognito), and email (SES).
  • Model providers — Amazon Bedrock (Anthropic Claude family and others) for inference.
  • Payment processor — Stripe, Inc. (US), for billing.
  • Authentication providers — Google (for Google SSO, when you choose it).
  • Operational tooling — productivity, ticketing, and monitoring vendors listed at /legal/data-handling.
  • Professional advisors — legal, accounting, and audit firms, under confidentiality.
  • Authorities — when required by law or to protect rights, safety, or property.

We do not sell personal information and we do not share it for cross-context behavioral advertising.

9. International transfers

The Service is hosted in the United States. If you access it from outside the US, personal information will be transferred to and processed in the US. Where required, we rely on EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or comparable safeguards with our sub-processors.

10. Retention

We retain account information for the life of your account and for a reasonable period afterward for legal, tax, and audit purposes. Customer Data is retained per your configuration: files you upload are deleted when you delete them, or when your tenant is closed, subject to short retention in encrypted backups (up to 35 days) and audit logs (up to 400 days). Billing records are retained for up to 7 years.

11. Security

We protect personal information using TLS 1.2+ for transit, AES-256 for storage, least-privilege IAM, MFA for administrators, audit logging, automated backups, point-in-time recovery on critical databases, and vulnerability scanning. SOC 2 Type II is in progress. A full control summary is available at /legal.

12. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict or object to processing, port your data, and withdraw consent. California residents have additional rights under the CCPA/CPRA, including the right to know, delete, and opt out of the sale or sharing of personal information (we do not sell or share as defined by those laws). To exercise rights, email privacy@ai2bihub.com. We will respond within the timeframes required by applicable law.

13. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided information, contact us and we will delete it.

14. Cookies and Do Not Track

We use strictly necessary cookies for authentication. We honor opt-outs through our cookie banner and the Global Privacy Control (GPC) signal. See our Cookie Policy.

15. Changes

We may update this Policy. Material changes will be posted on this page with a new “Last updated” date and, where appropriate, communicated by email or in-product notice.

16. Contact

COSTTRAIL INC
1900 Pleasant Street, Noblesville, Indiana 46061-0813, USA
Privacy: privacy@ai2bihub.com
DPO: dpo@ai2bihub.com