Privacy Policy

Last updated: June 19, 2026

This is a plain-language draft and not legal advice. Have it reviewed by qualified counsel and aligned to your actual deployment before relying on it.

1. Who we are

Black Box Lite is provided by Geogentia. This policy explains what we process when you use the Service and how we handle it. Black Box Lite is designed to be self-hosted on infrastructure the operator controls; where you run your own instance, you are the controller of the data within it.

2. What we process

• Account data — your name, email, employer, job role, and password (stored only as a salted bcrypt hash).
• Case data — the cases, messages, uploaded files, entities, notes, and exhibits you create ("Your Content").
• Usage & audit records — actions, model/tool usage, token counts, and cost, recorded in a tamper-evident audit log for security and billing.
• Voice — if you use voice features, audio is sent for transcription and is not retained as audio beyond producing the transcript.

3. How we use it

We process this data to operate the Service: to authenticate you, run investigations you request, retrieve your case files, meter usage, and maintain the audit trail. We do not train AI models on Your Content.

4. Where data lives & security

Provider API keys are held server-side and never sent to your browser; the client only ever sees presence flags, never a raw secret. Secrets are encrypted at rest (Windows DPAPI where available, otherwise AES-256-GCM under a server key). Each user is isolated and sees only their own cases. Access is restricted by authentication, and admins can review a hash-chained audit log. No security measure is perfect; you should apply your own controls appropriate to your data.

5. Subprocessors

To deliver model, search, and voice capabilities, the Service routes requests through third-party providers (for example an LLM gateway and a text-to-speech provider). These providers process the content of the specific requests you make. We abstract them behind the Service and select providers that support a no-retention / no-training posture where available, but their processing is governed by their own terms.

6. Retention

Your Content is retained for as long as your case exists or until you delete it. Operators can configure a data-retention policy, which is recorded and surfaced on export; deletion is performed by you or your administrator. Audit records are retained for integrity and billing purposes.

7. Subject data & lawful basis

Investigations may involve personal data about third parties. You are responsible for having a lawful basis to collect and process that data and for honoring applicable rights and obligations. The Service provides optional best-effort PII redaction on export, which is an aid, not a guarantee of de-identification.

8. Your rights

Depending on your jurisdiction, you may have rights to access, correct, export, or delete your account data. You can edit your profile in the app and delete your cases. For account-level requests, contact us through your engagement or onboarding channel.

9. Children

The Service is for professional use and is not directed to children.

10. Changes

We may update this policy; material changes will be reflected by the "Last updated" date.

11. Contact

Privacy questions: Geogentia. Use the contact channel provided in your engagement or onboarding.

← Back to home