Legal

Privacy Policy

Last updated: April 2026  ยท  Effective: April 2026
๐Ÿ›ก๏ธ

Our core commitment: Datasets and model files you upload for audit are processed entirely in memory and deleted immediately after the audit completes. We never store, analyze, or share your training data. Your model's intellectual property remains yours.

1 Data We Collect

ModelPassport collects the minimum data necessary to provide the audit service. We do not sell data to third parties, ever.

  • Audit inputs (transient): CSV dataset files and optional joblib model files you upload are held in server memory for the duration of the audit only. They are never written to persistent storage.
  • Audit parameters: Model name, organization name, deployment domain, target column name, and protected attribute column names are stored as part of the certificate record.
  • Certificate data: Audit scores, layer results, certificate ID, SHA-256 hash, and issued timestamp are stored permanently in the certificate registry to enable public verification.
  • Usage logs: Server access logs (IP address, timestamp, endpoint, response code) are retained for 30 days for security monitoring. No user-identifying data is linked to these logs.
  • Contact data: If you contact us via email, we retain your email address and message content to respond to your inquiry.

2 How We Use It

  • To execute the four-layer bias audit pipeline and generate your certificate.
  • To store and serve your certificate for public verification purposes.
  • To monitor API usage, detect abuse, and maintain service reliability.
  • To respond to support inquiries and bug reports you submit.
  • We do not use your data to train AI models, for advertising, or for any purpose other than providing the ModelPassport service.

3 Data Retention

๐Ÿ”’ Datasets and model files uploaded for audit are deleted from server memory immediately after the audit pipeline completes. We never store training data on disk.

  • Uploaded files: Deleted from memory immediately after audit completion.
  • Certificate metadata: Retained indefinitely โ€” this enables public verification, which is a core feature of the service.
  • Server logs: Retained for 30 days, then automatically purged.
  • Email correspondence: Retained for the duration of the support interaction plus 90 days.

4 Security Measures

  • All API communication is encrypted in transit via TLS 1.3.
  • Audit files are processed in isolated server memory โ€” no disk writes occur for uploaded files.
  • Certificate data is integrity-protected with SHA-256 hashing.
  • The API does not require authentication for read operations (public certificate verification); write operations (audits) are rate-limited per IP.
  • Infrastructure is hosted on Google Cloud Run โ€” a managed, serverless environment with automatic security patching.

5 Third-Party Services

ModelPassport uses the following third-party services in the course of providing the audit:

  • Google Gemini AI API: The Gemini governance layer sends combined audit result data (scores and metrics โ€” not your raw uploaded data) to Google's Gemini API to generate the plain-language governance narrative. This data is governed by Google's API Terms of Service and Privacy Policy.
  • Google Cloud Run: Our API is hosted on Cloud Run. No user data is shared with Google beyond what is inherent in using their infrastructure (standard server logs).

6 Your Rights

  • You may request deletion of a certificate from the public registry by contacting us with proof that you are the certificate holder.
  • You may request a copy of all data we hold associated with your audits.
  • You may opt out of server logging by using the API anonymously (no login required).

7 Contact

For privacy-related questions, data deletion requests, or to exercise your rights, contact us at:

contact@modelpassport.ai

We aim to respond to all privacy inquiries within 5 business days.