How I work: ethical, privacy-first AI

I treat your data, your customers, and your brand like my own.

Data handling

• I only use data you explicitly approve for this project and purpose.

• I minimize sensitive details and do not paste them into public chat tools.

• When possible, I configure zero-retention or private deployments so prompts and outputs aren’t stored or used for model training.

• I do not scrape or ingest third-party content you don’t own or license.

• For demos and testing I use de-identified or synthetic data whenever feasible.

Tool selection and model provenance

• I vet tools for privacy controls, encryption, enterprise terms, and retention settings.

• If your company bans a tool, I propose alternative approaches.

• When feasible, I build inside your accounts or with your API keys so you remain in control.

• I prefer vendors with independent security attestations (for example, SOC 2/ISO) and with clear documentation about training-data sources and training opt-outs.

• For IP-sensitive use cases, I avoid generative tools whose training sources are unclear or likely to include unlicensed material.

Access and security

• Least-privilege access only; I request the minimum permissions required on all project-related accounts.

• Devices are encrypted; secrets and passwords are kept in a password manager—never in plain text.

• Files live in approved folders with encryption at rest and in transit; when sharing.

• If email is unavoidable, attachments are encrypted and keys are shared via a separate channel.

Data lifecycle and deletion

• We agree up front on what I receive, where it lives, who can access it, and for how long.

• I maintain a simple data inventory for the project.

• On project close, I delete local copies and temporary artifacts within the agreed timeframe and confirm in writing.

• Backups and logs follow the same timelines unless your policy requires different handling.

Transparency and approvals

• Every workflow ships with a plain-English one-pager: inputs, steps, tools used, privacy notes.

• Any external integrations, automations, or data connections require written approval.

• I align with your legal and IT policies and adjust after your review.

• A current list of tools and sub-processors used on your project is available on request.

Human oversight and safety

• AI outputs are drafts until a human approves them; nothing auto-sends to customers without your sign-off.

• I test for prompt risks, hallucinations, and data leakage before recommending production use.

• Where relevant, I add guardrails.

• I monitor outputs in pilots and adjust prompts, data, or workflows when necessary.

Copyright and IP

• I avoid ingesting third-party content you don’t own or license.

• Deliverables, custom GPTs, prompts, and workflow documents created for your business are yours as defined in our agreement.

• I do not reuse your proprietary datasets or workflows in other client work.

• I won’t cross-pollinate competitive strategies between clients without explicit permission.

Marketing use and confidentiality

• I do not use your name, logo, or results in marketing without written permission.

• Testimonials and case studies are drafted for your approval before publication and can be anonymized.

Incident response

• If I detect a data exposure or security issue, I notify your point of contact promptly with facts, scope, and next steps.

• We pause affected workflows until risks are addressed, then document the fix.

• I keep a simple incident log for transparency.

Compliance alignment

• I am not a law firm; I flag issues early and follow your counsel’s guidance.

• If needed, we can add a short data-processing addendum naming approved tools/sub-processors and regions.

• For regulated data (for example, PHI, PCI, or government identifiers), we either put additional controls and agreements in place or avoid using it altogether.

• If your policies require specific data residency, we configure regional controls where vendors support them.

Client choices and controls

• You can require zero-retention modes where supported and available.

• You choose data-residency preferences when tools support region selection.

• You can opt out of any nonessential analytics or logging for assistants I build.

• You approve the data sources a workflow may read and the channels it may write to.

Contact

Questions or requests about privacy and security: douglas@legacymaven.ai

Last updated: August 12, 2025 (HST)