PRISM

Privacy Policy

Last updated: 6 May 2026

1. What Data We Collect

PRISM collects only the minimum data required to provide the service:

  • Your email address and authentication credentials when you create an account.
  • PDF documents you choose to upload for analysis.
  • Queries you submit and the AI-generated responses.
  • Usage metadata — document count, query count, and token consumption — for billing and plan enforcement.
  • Audit logs — timestamped records of document uploads, queries, and deletions for your own security transparency.

2. How Your Data Is Stored

All data is stored on infrastructure operated by Supabase and Microsoft Azure, both of which maintain SOC 2 Type II compliance.

  • At rest: All files and database records are encrypted using AES-256.
  • In transit: All data is transmitted exclusively over HTTPS with TLS 1.3.
  • Isolation: Your documents are mathematically locked to your user identity using Row Level Security. No other user, firm, or tenant can access your files.

3. Your Right to Delete

You retain absolute control over your data. You can permanently delete any document at any time directly from the PRISM interface. Deletion is immediate and irreversible — it purges the original PDF, all extracted text chunks, all vector embeddings, and the complete chat history associated with that document. A timestamped Destruction Receipt is issued as cryptographic proof of permanent deletion.

To request deletion of your entire account and all associated data, contact us at the address below. We will process the request within 7 business days.

4. AI Training Policy

Your documents and chat history are never used to train any AI model. PRISM processes your documents in memory to generate answers. The AI infrastructure operates with content logging disabled. No third party — including our AI infrastructure provider — retains your document content after processing is complete.

5. Data Retention

Documents are retained for as long as your account is active and you choose to keep them. You can delete individual documents at any time. If you close your account, all associated data is permanently deleted within 30 days.

6. Who Can Access Your Data

Only you can access your documents. PRISM staff do not access user documents except where explicitly required to resolve a technical support issue you have raised, and only with your consent. We do not sell, share, or transfer your data to any third party for commercial purposes.

7. Nigeria Data Protection Act 2023 Compliance

PRISM processes all personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA) and the General Application and Implementation Directive issued by the Nigeria Data Protection Commission (NDPC). Epopteia operates as a data controller in respect of account and usage data, and as a data processor in respect of documents you upload for analysis.

  • Lawful basis: Personal data is processed on the basis of contractual necessity — to provide the service you have signed up for.
  • Data minimisation: Only the minimum personal data necessary to operate the service is collected and retained.
  • Cross-border transfers: Document processing may involve transfer of data to AI infrastructure operated by Microsoft Azure and Google Cloud. Both providers operate under data processing agreements that comply with NDPA cross-border transfer requirements.
  • Your rights: Under the NDPA, you have the right to access, rectify, object to processing of, and request erasure of your personal data. To exercise any of these rights, contact us at the address in Section 8.
  • Data breach notification: In the event of a personal data breach affecting your data, we will notify you and the NDPC within 72 hours of becoming aware of the breach, in accordance with NDPA requirements.

8. Contact

For privacy-related enquiries or data deletion requests, contact Epopteia at privacy@epopteia.com