Responsible AI — How BrandCurb Protects Your Data and Upholds AI Ethics

Responsible AI

AI that earns your trust. Not just asks for it.

We think the AI industry has a transparency problem. Too many companies bury their data practices in legal boilerplate and trust you won't read it. Here's what we actually do — in plain English.

  • PIPEDA-compliant
  • TLS 1.3 + AES-256
  • No data training
  • Human oversight built in

How we build

Six non-negotiables on every project.

These aren't aspirational values. They're build decisions that apply to every client, every project, without exception.

Your data is never used to train public models

When we integrate with API-based AI providers (OpenAI, Anthropic, Google), your data is sent to generate a response and discarded — it doesn't enter their training pipeline. For highly sensitive use cases, we deploy open-source models that never leave your infrastructure.

Encryption end-to-end, by default

All data in transit is encrypted via TLS 1.3. Data at rest is encrypted with AES-256. We don't offer an unencrypted option. This isn't a feature you pay extra for — it's the baseline.

Every automation is explainable

We write plain-language documentation for every automation we build: what it monitors, what triggers it, what decisions it makes, and what it does with the result. Your team always understands what's running in the background.

Humans stay in the loop

Every automation includes escalation thresholds. When the AI encounters ambiguity, unusual input, or a scenario outside its confidence range, it hands off to a human rather than guessing. We define those thresholds with you during the build.

You control the off switch

Every tool we build can be paused, adjusted, or disabled by your team without contacting us. We don't build black boxes. We build systems you understand well enough to operate yourself if needed.

Strict access controls and data minimisation

We only request the minimum data and API permissions each tool needs to function. Access credentials are stored in encrypted vaults, rotated regularly, and revoked immediately at project end. We don't retain copies of your data after a project closes.

Our limits

What we won't build. Ever.

Responsible AI means declining work that conflicts with our ethics, regardless of budget or who's asking. These are firm limits, not negotiable on a case-by-case basis. We will not:

  • Build tools designed to deceive customers or impersonate humans without disclosure
  • Deploy AI in high-stakes medical, legal, or financial decisions without licensed professional oversight
  • Build surveillance or employee monitoring tools outside of explicit legal and policy frameworks
  • Store or process data beyond what's needed for the stated purpose
  • Use your data for our own commercial benefit or share it with third parties for theirs

Data Processing Agreement included

Every client project includes a signed Data Processing Agreement (DPA) documenting exactly what data we process, why, how long we retain it, and how we delete it. This isn't optional paperwork — it's our commitment to you in writing.

  • Scope of processing clearly defined
  • Sub-processors listed and vetted
  • Deletion timeline committed in writing
  • Incident notification within 72 hours

Compliance by jurisdiction

We build for the laws your customers live under.

Canada

PIPEDA

Personal Information Protection and Electronic Documents Act

All client projects are PIPEDA-compliant by default. We follow Canadian principles for consent, data minimisation, and purpose limitation.

United States

CCPA

California Consumer Privacy Act

For US clients, we design for CCPA alignment — data subject rights, opt-out mechanisms, and data inventory documentation.

United Kingdom

UK GDPR

UK General Data Protection Regulation

For UK clients, we implement lawful basis documentation, data processing agreements, and retention schedules aligned with UK GDPR.

Australia

Privacy Act 1988

Australian Privacy Principles

For Australian clients, we follow the APPs — transparency, data quality, and security requirements for personal information.

We are not lawyers and this is not legal advice. For specific compliance questions, consult a qualified privacy professional in your jurisdiction.

Still have data questions?

Ask us anything about how we handle your data.

We're happy to share our full security documentation, walk you through our build process, or connect you with our DPA before you decide to work with us.