Privacy Policy
How we collect, use, and protect your data.
What we collect
- Contact form submissions — name, email, and message when you reach out to us
- Survey responses — NPS scores, comments, and driver selections submitted by your clients or employees, collected on behalf of your firm
- Platform usage — basic analytics to improve the service (page views, feature usage). We do not use third-party tracking pixels
- Account information — name, email, role, and firm association for authenticated platform users
How we use your data
- Deliver survey programs and feedback reports to your firm
- Generate anonymised insights and analytics using AI (see below)
- Improve and maintain the platform
- Respond to your enquiries
We do not sell, rent, or share your personal information with third parties for marketing purposes.
Ephemeral Data Retention
Our Ephemeral Data Retention framework gives each firm direct control over how long verbatim comments are retained — from same-day deletion for firms with strict data minimisation requirements, through to extended retention for firms that want longer review windows. No other client feedback platform offers this level of firm-controlled retention.
NPS scores, loyalty driver selections, and response metadata (dates sent and submitted, and the assigned professional) persist indefinitely as structured data for trend analysis and contain no free-text content. Free-text comments are retained only for the period your firm chooses, then permanently deleted by an automated process that runs hourly.
EphemeralAI™ Processing
Most of our platform uses no third-party AI at all. Dashboards, trend charts, NPS benchmarks, and longitudinal reports all run on structured data we hold ourselves. We use AI in three specific features, and each has a privacy posture matched to what that feature needs to do:
- Custom Reports (available to all firms) — AI assists with drafting executive commentary. Aggregate scores, driver selections, and verbatim feedback are sent to OpenAI under their enterprise data processing agreement. OpenAI is contractually prohibited from training their models on this data, and all transmission is encrypted. Every report is reviewed and customised by our team before delivery.
- Advisory Preparation Assistant (available for firm pilots) — helps professionals draft client advice and memos from their firm's knowledge base. Personal identifiers (names, emails, organisation names) are detected and stripped before any data reaches OpenAI. The AI receives only anonymised, de-identified text.
- Horizon Scanning Tool (available for firm pilots) — a proactive advisory tool that surfaces relevant legislative, regulatory, and market developments for professionals' clients. Same anonymisation posture as the Advisory Preparation Assistant.
Data retention
- Survey verbatim comments — retained according to your firm's chosen retention period, then automatically deleted
- Anonymised themes and scores — retained for ongoing analytics and benchmarking
- Account data — retained while your firm's account is active, deleted on request
- Contact form data — retained only as long as needed to respond to your enquiry
Sub-processors
We use a small number of trusted third-party services to operate the platform. All sub-processors are contractually bound to protect your data.
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting and edge network | Singapore |
| Prisma Postgres | Database hosting | Singapore |
| Resend | Transactional and survey email delivery | Tokyo, Japan |
| OpenAI | AI analysis (see EphemeralAI for details) | US |
Vercel, Resend, and Prisma Postgres all run on Amazon Web Services infrastructure. Details of downstream sub-processors are available in each provider's own trust documentation.
Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
To exercise any of these rights, contact privacy@clientculture.com.
Regional compliance
Client Culture operates under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). For clients in the United Kingdom and European Economic Area, we also comply with UK GDPR and EU GDPR respectively. Regional addenda covering specific obligations are included in our full privacy policy.
Our complete privacy policy — including detailed data processing terms and regional addenda — is available at app.clientculture.com/privacy.
Questions?
For privacy enquiries, contact privacy@clientculture.com. For security-related concerns, contact security@clientculture.com.