Privacy Policy
1. Who we are
woose.io (“woose”, “we”, “us”) provides AI governance and risk-management software and advisory services, including this website and the Governance Workbench at woose.io/app. The data controller is woose.io Governance Systems Inc. [ ● registered address ]. For any privacy question, contact governance@woose.io.
2. Information we collect
We collect only what we need to run the service and respond to you:
Information you give us
- Consultation & contact requests — your name, email, company, company size, the service you’re interested in, and any project notes you submit through our forms.
- Document & framework downloads — your name, work email, company, industry and maturity level when you request a generated governance document.
- Saved assessments — if you choose to save a governance assessment or risk register, we store
the inputs and computed results you entered, an optional system name, and an optional owner email. Saved
assessments are reachable by an unguessable link (e.g.
/assessment/<id>) that you control and choose whether to share. - Workbench artefacts you save — model cards, LLM-safety evaluations and similar outputs you explicitly choose to persist.
- Messages — text you send to the Governance Copilot or the Agent Hub.
Information collected automatically
- Security & operations logs — limited technical data such as your IP address and request metadata, used for rate-limiting, abuse prevention and debugging.
- First-party usage analytics — we measure how the site is used with our own, self-hosted analytics (no third-party trackers): pages viewed, referring site, browser and device type, language, and approximate location signals (such as your browser’s timezone). IP addresses are never stored for analytics — only a salted, daily-rotating hash. Random identifiers kept in your browser’s storage let us count returning visits; they do not identify you personally and are never shared.
- Local preferences — your light/dark theme choice is stored in your browser’s
localStorage; it never reaches our servers.
3. Data you analyse in the Workbench
Several Workbench tools (for example the Fairness Scanner, Drift & Data-Quality analysis, the Document Gap Scanner, and the on-page Governance & Risk assessors) run entirely in your browser. The datasets, documents and system details you analyse with those tools are processed locally and are not transmitted to or stored on our servers unless you (a) explicitly save an assessment, (b) ask us to fetch a remote URL through our proxy, or (c) submit text to an AI-assisted feature. Keeping raw data on your device by default is a deliberate design choice.
When you run a Workbench analysis we do record a small, non-sensitive summary of the run — which tool was used, its pass/fail band and headline score, and the system’s risk tier — to understand product usage and improve the tools. This summary never includes your uploaded datasets, documents, or prompts. It is linked only to the anonymous browser identifiers described above, not to your identity.
Our downloadable scanner, Aegis, runs fully offline and sends nothing to us by default. If you
explicitly choose to upload a report (the opt-in -submit option), the scan results are stored under an
anonymous, randomly-generated install identifier that contains no host or personal information.
4. How we use information
- To provide, operate and secure the platform and the Workbench.
- To respond to your enquiries and deliver requested documents or advisory engagements.
- To send transactional emails (e.g. confirmations and the documents you requested) from governance@woose.io.
- To maintain, troubleshoot and improve the service.
- To comply with legal obligations and enforce our terms.
We do not sell your personal data, and we do not use it for third-party advertising.
5. Legal bases (UK/EU GDPR)
Where GDPR applies, we rely on: consent (e.g. when you submit a form or save an assessment); contract (to deliver a service you requested); legitimate interests (to secure and improve the platform, balanced against your rights); and legal obligation where required.
6. Sharing & subprocessors
We share personal data only with service providers that help us run woose.io, under appropriate agreements:
- Hosting & database — our application and PostgreSQL database are hosted on Railway.
- Email delivery — transactional mail is sent via Namecheap Private Email (privatemail.com).
- AI model providers — when you use an AI-assisted feature (Copilot, Agent Loop, or our AI-written blog), the text you submit may be processed by third-party large-language-model providers we have configured (which may include DeepSeek, Google, OpenAI, Anthropic or Moonshot). Only the content needed for that feature is sent.
We may also disclose information where required by law, or as part of a corporate transaction, subject to this policy.
7. Cookies & local storage
woose.io does not use third-party advertising or cross-site tracking cookies. We use strictly-necessary browser
storage (such as localStorage for your theme preference) to make the site work. Your browser settings
let you clear this at any time.
8. Retention
We keep personal data only as long as needed for the purposes above: enquiry and lead data for our ongoing business relationship; saved assessments until you ask us to delete them; security logs for a limited period. We delete or anonymise data when it is no longer needed.
9. International transfers
Our providers may process data outside your country, including outside the UK/EEA. Where they do, we rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy decision.
10. Your rights
Subject to applicable law (including UK/EU GDPR and, for California residents, the CCPA/CPRA), you may request to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. To exercise any right, email governance@woose.io. You also have the right to complain to your local data-protection authority.
11. Security
We protect data in transit with HTTPS/TLS, apply security headers and rate-limiting, restrict access to stored data, and use tamper-evident, hash-chained logging for the Agent Control Plane ledger. No method of transmission or storage is perfectly secure, but we work to protect your information.
12. Children
woose.io is a business tool and is not directed to children under 16. We do not knowingly collect their data.
13. Changes
We may update this policy from time to time. We will revise the “last updated” date above and, where appropriate, notify you of material changes.
14. Contact
Questions or requests: governance@woose.io.