Privacy Policy | AI Sandbox

Last updated: 2025-12-26

This Privacy Policy (the “Policy”) explains how eGroupAI (“we”, “us”) collects, uses, shares, protects, and otherwise processes personal data when you use the AI Sandbox official website, online demo (trial), and the AI Sandbox product that you deploy in an On‑Prem/Private environment after purchase (collectively, the “Services”). This Policy is intended to align with international privacy standards such as the GDPR (EU General Data Protection Regulation). If you have signed a data processing agreement (DPA) or other contract with us, that contract will prevail in case of conflict.

Data Controller: EGroupAI Co., Ltd. (Unified Business No. 24314136; brand: eGroupAI)
Address: No. 47, Sec. 2, Xinhai Rd., Da’an Dist., Taipei City, Taiwan
Email: service@egroupai.com
Website: https://www.egroupai.com

EU/UK representative and DPO: We have not appointed an EU/UK representative (GDPR Art. 27) or a Data Protection Officer (DPO) at this time. If we provide services in the EEA/UK and an appointment becomes legally required, we will appoint accordingly and update this Policy.

1. Scope

This Policy covers:

Website: Browsing the site, submitting the “Contact us” form, etc.
Online demo (trial): For you (on behalf of your legal entity/organization) to evaluate, assess, and perform POC validation.
AI Sandbox product and services (On‑Prem / Private): Delivered as an appliance including software and hardware, deployed within the customer’s intranet/private environment; features may include chat/workflows, document parsing, knowledge bases (RAG), Knowledge Graph, and system monitoring (depending on deployment and configuration).
Embeds / SDK (if applicable): If you embed AI Sandbox chat components into your own website/system, this Policy also applies (our roles may vary depending on the contract).

2. Data we collect

2.1 Data you provide to us

Inquiry / contact data: Company name, contact person’s name/title, email, phone, industry/use case, timeline, data sources, and any message content.
Account and identity data (if applicable): Identifiers for sign-in (e.g. email) and your role/permissions in the system (as configured by you or your organization).
Content data (On‑Prem/Private or demo): Chat inputs, uploaded documents/attachments, knowledge content, governance rules, and configuration parameters. If content contains personal data or confidential information, you represent you have the lawful right and necessary authorization to provide it (and you must not submit personal/confidential data in the online demo).

2.2 Data generated/collected automatically when you use the Services

Technical and security data: IP address, device/browser information, request timestamps, error/performance metrics (Web Vitals), and security events (e.g. CSRF token validation).
Audit and traceability logs (On‑Prem / Private): Such as who requested what, what the AI generated, and whether it was approved/executed (for auditable, verifiable delivery). These logs are typically stored in the customer environment and are configurable (subject to the contract and configuration).
Vectorization and knowledge indexing data: Such as document chunks, embedding vectors, vector index entries, and Knowledge Graph nodes/relationships (depending on deployment/configuration, typically in the customer environment).

2.3 Storage on your device (cookies / localStorage / sessionStorage)

To provide necessary functionality, we may store limited data on your device, such as:

Security cookies: e.g. CSRF protection via XSRF-TOKEN, and cookies for sign-in/session maintenance (depending on deployment and configuration).
Necessary local storage: e.g. contact form draft auto-save (up to 24 hours) and temporary state for redirecting you back to the original page after sign-in.

For more information about cookies and similar technologies, see our Cookie Policy.

Where the GDPR applies, we generally process personal data under one or more of the following legal bases:

Performance of a contract / pre-contractual steps (Art. 6(1)(b)): Responding to inquiries, providing quotes/procurement materials, and providing the services/support you request.
Legitimate interests (Art. 6(1)(f)): Website and system security, abuse prevention, audit logging, and improving quality and performance.
Consent (Art. 6(1)(a)): Where consent is required by law (e.g. non-essential cookies/tracking), we will obtain consent before processing.
Legal obligation (Art. 6(1)(c)): Compliance with applicable laws and regulatory requests.

4. On‑Prem/Private delivery, third-party models, and our role

4.1 On‑Prem / Private (production delivery)

AI Sandbox is delivered as an On‑Prem/Private appliance including software and hardware, deployed within the customer’s intranet/private environment. In general:

You (or your organization) are the controller of personal data in that environment.
Logs, audit trails, vector databases, and Knowledge Graph data are stored locally by you and can be configured.
We access such data only when authorized by you and when necessary for support/operations.

You may also choose/configure your own LLM, embedding, or other providers to meet your security and compliance needs. If you enable third-party providers, data may be transmitted to them per your configuration to perform inference, vectorization, or retrieval. For enterprise customers who require a DPA/procurement documents, please contact service@egroupai.com.

4.2 Online demo (trial / POC)

The online demo is for evaluation, assessment, and POC validation only, and is not intended for production use.

Consistent with common “evaluation environment” service notices for international AI services, you agree to the following:

Do not submit sensitive information: Do not input or upload any identifiable personal data, special categories of data (e.g. health/biometrics/political opinions/religion/sexual orientation), payment/financial information, passwords, credentials (e.g. API keys, access tokens), or any customer/internal confidential information.
Outputs are not professional advice: Demo outputs may be incomplete, inaccurate, or outdated. You must review and verify them and must not treat them as legal, medical, investment, tax, or other professional advice.
Security and abuse prevention: We may apply necessary security monitoring, rate limiting, and abuse detection. For troubleshooting and security purposes, demo inputs/outputs may be logged and, where necessary, reviewed by humans.

If you need to validate with real data or confidential content, please use the On‑Prem/Private delivery environment and define data boundaries and safeguards in the contract/DPA.

Unless you expressly consent or the contract provides otherwise, we do not use content you input/upload in the product or demo to train public models or for external reuse.

We may share your data in the following circumstances:

Service providers (processors / sub-processors): Third parties that process personal data on our behalf (e.g. website hosting/CDN, email/ticketing systems, security and monitoring). They may process data only under our instructions and are bound by contractual confidentiality obligations.
Inquiry / procurement workflow: Your contact details and inquiry content may be recorded in our internal CRM/ticketing/feedback systems to respond and follow up.
Legal requirements or rights protection: Where disclosure is required by law or needed to protect our lawful rights and security.

Sub-processor list approach: We can provide a sub-processor list (including purposes and locations) during procurement or in a DPA, or provide the latest list upon reasonable request. Please contact service@egroupai.com.

6. International data transfers

We primarily operate in Taiwan. If you are located in the EEA/UK/Switzerland, your personal data may be transferred to and processed in Taiwan or other jurisdictions (e.g. inquiry responses, support, website hosting/delivery). Where required, we will implement appropriate safeguards (e.g. EU Standard Contractual Clauses (SCCs), encryption, and access controls).

7. Retention (conservative, enterprise-oriented defaults)

We retain data only for as long as necessary to achieve the stated purposes; for enterprise customers, retention is governed by the contract/DPA. Typical defaults are as follows (we may extend retention where legally required or necessary for dispute resolution, for the minimum necessary period):

Data category	Examples	Default retention
Inquiry / contact data	Contact form content and communications	3 years from the last interaction (if you become a customer, contract/support records are governed by the contract)
Account data (if any)	Account identifiers, roles/permissions	While the account is active; deleted or anonymized within 90 days after termination/deletion (unless required by law or for disputes)
Website access logs	Server/reverse-proxy access logs	12 months (security and troubleshooting)
Security-related records	Security incidents, CSRF/abuse prevention, system errors	24 months (security investigation and protection)
In-product audit/trace logs (On‑Prem)	Operation/review/execution records	Stored and configurable in the customer environment; we recommend at least 24 months
Client-side drafts/preferences	Form drafts, redirect state	Stored by your browser; form drafts up to 24 hours (you can clear them)

8. Your rights (EEA/UK/Switzerland)

You may have the right to access, rectify, erase, restrict processing, data portability, object (including to direct marketing), withdraw consent, and lodge a complaint with a supervisory authority. You can contact us at service@egroupai.com to submit a request; we may need to verify your identity using reasonable means.

9. Security

We implement reasonable technical and organizational measures (e.g. access controls, audit logging, CSRF protection, encryption, and monitoring) to protect your data, but no system can be guaranteed 100% secure.

10. Changes

We may update this Policy from time to time and will update the “Last updated” date on this page. Material changes will be announced on our website or via other reasonable means.

Last updated: 2025-12-26

EU/UK representative and DPO: We have not appointed an EU/UK representative (GDPR Art. 27) or a Data Protection Officer (DPO) at this time. If we provide services in the EEA/UK and an appointment becomes legally required, we will appoint accordingly and update this Policy.

1. Scope

This Policy covers:

Website: Browsing the site, submitting the “Contact us” form, etc.
Online demo (trial): For you (on behalf of your legal entity/organization) to evaluate, assess, and perform POC validation.
AI Sandbox product and services (On‑Prem / Private): Delivered as an appliance including software and hardware, deployed within the customer’s intranet/private environment; features may include chat/workflows, document parsing, knowledge bases (RAG), Knowledge Graph, and system monitoring (depending on deployment and configuration).
Embeds / SDK (if applicable): If you embed AI Sandbox chat components into your own website/system, this Policy also applies (our roles may vary depending on the contract).

2. Data we collect

2.1 Data you provide to us

Inquiry / contact data: Company name, contact person’s name/title, email, phone, industry/use case, timeline, data sources, and any message content.
Account and identity data (if applicable): Identifiers for sign-in (e.g. email) and your role/permissions in the system (as configured by you or your organization).
Content data (On‑Prem/Private or demo): Chat inputs, uploaded documents/attachments, knowledge content, governance rules, and configuration parameters. If content contains personal data or confidential information, you represent you have the lawful right and necessary authorization to provide it (and you must not submit personal/confidential data in the online demo).

2.2 Data generated/collected automatically when you use the Services

Technical and security data: IP address, device/browser information, request timestamps, error/performance metrics (Web Vitals), and security events (e.g. CSRF token validation).
Audit and traceability logs (On‑Prem / Private): Such as who requested what, what the AI generated, and whether it was approved/executed (for auditable, verifiable delivery). These logs are typically stored in the customer environment and are configurable (subject to the contract and configuration).
Vectorization and knowledge indexing data: Such as document chunks, embedding vectors, vector index entries, and Knowledge Graph nodes/relationships (depending on deployment/configuration, typically in the customer environment).

2.3 Storage on your device (cookies / localStorage / sessionStorage)

To provide necessary functionality, we may store limited data on your device, such as:

Security cookies: e.g. CSRF protection via XSRF-TOKEN, and cookies for sign-in/session maintenance (depending on deployment and configuration).
Necessary local storage: e.g. contact form draft auto-save (up to 24 hours) and temporary state for redirecting you back to the original page after sign-in.

For more information about cookies and similar technologies, see our Cookie Policy.

Where the GDPR applies, we generally process personal data under one or more of the following legal bases:

Performance of a contract / pre-contractual steps (Art. 6(1)(b)): Responding to inquiries, providing quotes/procurement materials, and providing the services/support you request.
Legitimate interests (Art. 6(1)(f)): Website and system security, abuse prevention, audit logging, and improving quality and performance.
Consent (Art. 6(1)(a)): Where consent is required by law (e.g. non-essential cookies/tracking), we will obtain consent before processing.
Legal obligation (Art. 6(1)(c)): Compliance with applicable laws and regulatory requests.

4. On‑Prem/Private delivery, third-party models, and our role

4.1 On‑Prem / Private (production delivery)

AI Sandbox is delivered as an On‑Prem/Private appliance including software and hardware, deployed within the customer’s intranet/private environment. In general:

You (or your organization) are the controller of personal data in that environment.
Logs, audit trails, vector databases, and Knowledge Graph data are stored locally by you and can be configured.
We access such data only when authorized by you and when necessary for support/operations.

4.2 Online demo (trial / POC)

The online demo is for evaluation, assessment, and POC validation only, and is not intended for production use.

Consistent with common “evaluation environment” service notices for international AI services, you agree to the following:

Do not submit sensitive information: Do not input or upload any identifiable personal data, special categories of data (e.g. health/biometrics/political opinions/religion/sexual orientation), payment/financial information, passwords, credentials (e.g. API keys, access tokens), or any customer/internal confidential information.
Outputs are not professional advice: Demo outputs may be incomplete, inaccurate, or outdated. You must review and verify them and must not treat them as legal, medical, investment, tax, or other professional advice.
Security and abuse prevention: We may apply necessary security monitoring, rate limiting, and abuse detection. For troubleshooting and security purposes, demo inputs/outputs may be logged and, where necessary, reviewed by humans.

If you need to validate with real data or confidential content, please use the On‑Prem/Private delivery environment and define data boundaries and safeguards in the contract/DPA.

Unless you expressly consent or the contract provides otherwise, we do not use content you input/upload in the product or demo to train public models or for external reuse.

We may share your data in the following circumstances:

Service providers (processors / sub-processors): Third parties that process personal data on our behalf (e.g. website hosting/CDN, email/ticketing systems, security and monitoring). They may process data only under our instructions and are bound by contractual confidentiality obligations.
Inquiry / procurement workflow: Your contact details and inquiry content may be recorded in our internal CRM/ticketing/feedback systems to respond and follow up.
Legal requirements or rights protection: Where disclosure is required by law or needed to protect our lawful rights and security.

6. International data transfers

7. Retention (conservative, enterprise-oriented defaults)

Data category	Examples	Default retention
Inquiry / contact data	Contact form content and communications	3 years from the last interaction (if you become a customer, contract/support records are governed by the contract)
Account data (if any)	Account identifiers, roles/permissions	While the account is active; deleted or anonymized within 90 days after termination/deletion (unless required by law or for disputes)
Website access logs	Server/reverse-proxy access logs	12 months (security and troubleshooting)
Security-related records	Security incidents, CSRF/abuse prevention, system errors	24 months (security investigation and protection)
In-product audit/trace logs (On‑Prem)	Operation/review/execution records	Stored and configurable in the customer environment; we recommend at least 24 months
Client-side drafts/preferences	Form drafts, redirect state	Stored by your browser; form drafts up to 24 hours (you can clear them)

8. Your rights (EEA/UK/Switzerland)

9. Security

10. Changes

We may update this Policy from time to time and will update the “Last updated” date on this page. Material changes will be announced on our website or via other reasonable means.

1. Scope

2. Data we collect

2.1 Data you provide to us

2.2 Data generated/collected automatically when you use the Services

2.3 Storage on your device (cookies / localStorage / sessionStorage)

3. Purposes of processing and legal bases (GDPR)

4. On‑Prem/Private delivery, third-party models, and our role

4.1 On‑Prem / Private (production delivery)

4.2 Online demo (trial / POC)

5. Sharing and disclosure (including the concept of “sub-processors”)

6. International data transfers

7. Retention (conservative, enterprise-oriented defaults)

8. Your rights (EEA/UK/Switzerland)

9. Security

10. Changes

1. Scope

2. Data we collect

2.1 Data you provide to us

2.2 Data generated/collected automatically when you use the Services

2.3 Storage on your device (cookies / localStorage / sessionStorage)

3. Purposes of processing and legal bases (GDPR)

4. On‑Prem/Private delivery, third-party models, and our role

4.1 On‑Prem / Private (production delivery)

4.2 Online demo (trial / POC)

5. Sharing and disclosure (including the concept of “sub-processors”)

6. International data transfers

7. Retention (conservative, enterprise-oriented defaults)

8. Your rights (EEA/UK/Switzerland)

9. Security

10. Changes