Production AI Institute · PSF v1.1 open standard

Privacy Policy

Last updated: 2026-05-15 · Version 1.1

Overview

Production AI Institute is operated by Troy Gamble as a sole trader, based in Victoria, Australia (the “Operator”, “we”, “us”). We run productionai.institute, the PAI Studio web application at /studio, the PSF Compliance Standard, and a set of free and paid AI assurance certifications. The site serves practitioners worldwide; Australian privacy rules apply to our Australian establishment, and we describe international transfers below.

This policy explains what personal data we collect when you use the website, the Studio, the assessments, the certification exams, the newsletter, and the contact and waitlist forms; how we use that data; who we share it with; and what rights you have.

Who is responsible

The organisation responsible for personal data collected through this site is Production AI Institute, operated by Troy Gamble as a sole trader established in Victoria, Australia. For any privacy or data-rights request, contact hello@productionai.institute. We respond within thirty (30) days.

What personal data we collect

When you create an account

We use Clerk for authentication. When you sign up we collect your email address, an optional name, and sign-in metadata (last sign-in time, IP, user agent). Passwords are stored hashed by Clerk — we never see them. If you sign in via a third-party provider (Google, GitHub) we receive only the basic profile that provider returns to Clerk.

When you subscribe or buy a certification

We use Stripe for payments. We do not see, store, or process your card number or CVV. Stripe sends us a stripe_customer_id, the product you bought, and the date. Your billing address and tax details are stored only inside Stripe.

When you take an assessment

The PSF assessment at /assess collects your contact email (optional), system name, organisation name, and your yes/partial/no responses. These are stored in our Supabase database. By default an assessment is private. You can choose to publish a shareable score page via an explicit consent checkbox at submission. Your contact email and raw responses are never shown publicly, even on a published assessment. You can request removal at any time by emailing hello@productionai.institute.

When you take a certification exam

We record the questions you were asked, the answers you gave, your score, pass/fail status, a timestamp, and a per-window attempt counter. If you pass, a certification record is created (your name, cert ID, and issue date).

When you use AI features in PAI Studio

Your workflow is stored in your browser's localStorage only. When you trigger an AI feature (Wizard, Heal, Generate, Automate, Executive Brief, PSF Analyzer), the relevant workflow content is sent to our API route, then forwarded to OpenAI's GPT-4.1 via the OpenAI Responses API. OpenAI receives this content in order to produce a response. Per OpenAI's API terms, content sent through the API is not used to train their models. We do not retain the request body on our servers beyond the time needed to forward it and return the response.

When you sign up for the newsletter

We store your email address in our Supabase database with a timestamp, the resource or page you signed up from, and any campaign parameters supplied in the URL. We use this to send relevant follow-up, measure which resources are working, and improve the site. Every newsletter or nurture email we send via Resend includes a one-click unsubscribe link. We do not sell the newsletter list or use it for third-party ad targeting.

When you sign the AI Right-To-Know Declaration or publish an AI System Disclosure

We collect the details you submit so we can record the declaration, prevent duplicate signatures, operate the public registry, and review disclosure submissions. Your email address is never displayed publicly. If you separately tick the email-updates checkbox, we also add your email to the newsletter list; if you do not tick it, signing the declaration or publishing a disclosure does not subscribe you to marketing email.

When you contact us

The /contact form captures name, email, organisation (optional), and message. These flow into our Supabase database and trigger an admin notification email via Resend. We use these messages only to reply to you.

Cookies and analytics

We use Plausible Analytics, a privacy-respecting, cookie-less analytics tool. Plausible records aggregated, anonymised page-view data and does not set tracking cookies, build a profile of you, or share data with advertising networks. Clerk and Stripe set their own session cookies as required to authenticate you and process payments.

We also use the Google Ads tag to measure paid advertising performance and conversion activity. Google Ads conversion measurement can set cookies or store ad-click identifiers so Google can attribute conversions to ads. We do not load Google Analytics, Facebook Pixel, or LinkedIn Insight Tag on this site.

Sub-processors

The third parties that process your personal data on our behalf are listed in full at /legal/sub-processors. The current list includes Clerk, Supabase, Stripe, Resend, OpenAI, Plausible Analytics, and Vercel. We commit to updating that page within 14 days of any change.

How we use your data

We use your data to operate your account, process payments, deliver AI features, issue and verify certifications, send transactional email, send the newsletter (only if you opted in), reply to contact messages, and monitor for security incidents. We do not use your data for advertising, do not sell it, and do not share it with anyone outside the sub-processor list.

Data retention

Account profile: retained while the account exists, deleted within 30 days of an account deletion request. Assessment data: until you request deletion. Certification records: for the lifetime of the certification plus 12 months. Newsletter email: until you unsubscribe. Contact messages: 24 months. Vercel request logs: 30 days. AI request bodies: not retained — in-memory only during the forward to OpenAI.

Your rights

You have the right to access, correct, delete, export, object to processing of, and restrict your personal data. To exercise these rights, email hello@productionai.institute. We respond within 30 days. You may also lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) or your local data protection authority.

Children

The Production AI Institute is a B2B and professional-development product. We do not knowingly process data of anyone under 16. If we learn we have collected such data, we delete it.

International transfers

Our infrastructure spans Vercel (global edge), Supabase (ap-southeast-2, Sydney), Clerk (United States), Stripe (Australia and United States), OpenAI (United States), Resend (United States), and Plausible (Germany). When personal data leaves Australia, the receiving sub-processor is bound by its published data-protection terms. We rely on the data-export mechanisms each provider offers.

Security

We host on Vercel over HTTPS only. Database connections to Supabase use TLS. Authentication runs through Clerk; we do not store passwords. Webhooks from Stripe and Clerk are signature-verified. Production secrets are stored in Vercel environment variables and never exposed in client bundles. For more, see /security.

Changes to this policy

When we change this policy in a way that affects your rights, we increment the version number and notify you via an in-app banner the next time you sign in, or by email. Material changes take effect 30 days after notice. Minor clarifications take effect immediately.

Contact

For any privacy question, request, or complaint: hello@productionai.institute.

This policy was written and self-attested by the Operator. It is not legal advice.