Diwo delivers decision intelligence to enterprise teams. We know that trust depends on how we handle your information. This policy explains what we collect, how we use it, and the rights and controls available to you. If you have questions at any point, [email protected] is the fastest way to reach us.
Introduction
Diwo, LLC (“Diwo,” “we,” “our,” or “us”) is committed to protecting the privacy of individuals who visit our website, evaluate our products, or use our enterprise decision intelligence platform. This Privacy Policy explains what information we collect, how we use and share it, and the rights and choices available to you.
This policy applies to information we collect through the website at diwo.ai, our product interfaces (including Diwo Decide and Diwo Catalyst), and related sales, support, and marketing interactions. It does not apply to information our enterprise customers process in their own Diwo environments on behalf of their own end users; that information is governed by the customer’s agreement with us and their own privacy practices.
Information we collect
We collect information in three ways: information you provide directly, information collected automatically when you interact with our services, and information we receive from third parties.
Information you provide directly
When you request a demo, contact sales, subscribe to our newsletter, submit a form, or otherwise communicate with us, we may collect identifying information such as your name, business email address, company name, job title, phone number, and any message content you choose to share.
Information collected automatically
When you visit our website or use our products, we and our service providers may automatically collect technical information including IP address, browser type and version, device type, operating system, referring URL, pages visited, session duration, and aggregated usage statistics. We use standard logging, analytics, and cookies to collect this information.
Information from third parties
We may receive information about you from business partners, data enrichment vendors, event co-hosts, analyst firms, and publicly available sources (such as professional networking profiles) in order to verify details you have submitted, personalize our outreach, or qualify enterprise opportunities.
How we use information
We use the information we collect for the following purposes:
- To provide, operate, maintain, and improve our website and products;
- To respond to inquiries, deliver requested demos, reports, or documentation, and provide customer support;
- To send transactional communications such as account notices, security alerts, and service updates;
- To send marketing and product communications where permitted by law, and to tailor those communications to your interests;
- To monitor and analyze usage and trends in order to improve user experience and product performance;
- To detect, investigate, and prevent fraudulent activity, abuse, and security incidents;
- To comply with legal obligations, enforce our agreements, and protect the rights, property, and safety of Diwo, our customers, and the public.
AI and LLM processing
Certain features of our Services use artificial intelligence and large language models (“LLMs”) provided by us or by third-party LLM providers (such as OpenAI, Anthropic, or Google) to generate insights, summaries, and recommendations. When you use these features, your prompts and the relevant context needed to answer them — which may include limited personal information if you include it — are transmitted to the configured LLM provider for processing.
Third-party LLM providers act as our subprocessors and are contractually required to process data only as needed to return a response. We do not use personal information to train third-party foundation models for the benefit of other customers, and we do not sell personal information. Enterprise customers can, within their product configuration, select an LLM provider and model appropriate for their data sensitivity and regulatory requirements; that provider’s own terms and privacy practices will apply to the data they process.
AI outputs are probabilistic and may be inaccurate. We do not make automated, legally significant decisions about individuals through the Services, and we expect our customers to keep a qualified human in the loop for any decision affecting an individual. See our Terms of Service for the responsibilities that apply when AI outputs are used to inform decisions.
Data retention and deletion
We retain personal information for as long as necessary to fulfill the purposes described in this policy, including to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. When personal information is no longer needed, we securely delete or anonymize it.
Categories of data we retain
When you use our services, we may store the following:
- Account information. Name, business email, company, role, and any other information you provide during signup or in your profile.
- Authentication tokens. Encrypted credentials, session tokens, and refresh tokens necessary to authenticate you.
- Usage data. Logs of your interactions with the service, including queries you submit, time of access, IP address, browser/device metadata, and feature usage.
- User-generated content. Conversations, recommendations, dashboards, decision flows, pinned cards, and any data you upload or connect to the service.
- Audit logs. Records of significant administrative actions (account creation, deletion, role changes) for compliance purposes.
Retention timelines
For the 15-day Diwo Catalyst Trial Service (see our Terms of Service), we apply the following retention timeline:
- Days 1–15 (active trial): Your trial data is held in our active production environment for use by you.
- Days 16–45 (read-only): Trial data is held read-only. You can view but not modify or extend it.
- Day 46 (archived): The account is archived and login is disabled. We email you a final export bundle.
- Day 90 (hard deletion): All trial-generated data, including Postgres rows, uploaded CSV tables, and generated artifacts, is permanently deleted from our active systems. A small audit record (your email, company name, and the dates of your Trial) is retained for compliance.
For paid customer environments, retention is governed by the terms of the applicable customer agreement. For marketing-site interactions (forms, GA4 analytics), we apply a 26-month retention window consistent with GA4 defaults, after which the data is deleted or aggregated.
Right to deletion
You may request deletion of your data at any time. Trial users can use the “Delete my trial” option in their Catalyst account settings to immediately remove their account and all associated data. All users may also email us at [email protected] with the subject “Data Deletion Request”; we will acknowledge within seven (7) business days and complete the deletion within thirty (30) days, except where we are required to retain data for legal, regulatory, or audit purposes.
Export before deletion
Before any automatic or user-initiated deletion of trial data, we send you a downloadable export bundle in JSON format containing all of your generated artifacts. Production database tables you connected to Catalyst remain on your own infrastructure and are unaffected by our deletion process — only metadata about those connections is removed from our systems.
What we do not retain
Diwo does not store:
- The contents of your production databases that you connect to Catalyst. We query them on demand and discard results after they are returned to you.
- Raw CSV file uploads on disk. CSV files are parsed in memory and inserted directly into our Postgres tables; the source file bytes are never written to a filesystem.
- Your database connection passwords in plaintext. They are encrypted at rest with a Fernet symmetric key.
How we protect information
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Our security program is described in more detail on our Security page and Security Policy.
No method of transmission over the internet or electronic storage is completely secure. While we work hard to protect your information, we cannot guarantee absolute security.
Security incidents and breach notification
While Diwo employs commercially reasonable security practices to protect your data, no system is impenetrable. In the event we become aware of a security incident affecting your data, we will respond as follows.
Notification timeline
We will notify affected users within 72 hours of becoming aware of a confirmed security incident that has caused or is likely to cause material harm to your data, including:
- Unauthorized access to your account information or user-generated content;
- Theft, modification, or destruction of your data by a third party;
- Loss of access to your data due to ransomware or similar attacks;
- A confirmed compromise of any cryptographic key, password hash, or authentication token associated with your account.
What we will tell you
The notification will include, to the extent we know at the time of sending:
- The nature of the incident;
- The categories of your data that were affected;
- The likely consequences of the incident;
- The measures we have taken or will take to mitigate the incident;
- A point of contact for further questions.
If we discover additional information after the initial notification that materially changes our understanding of the incident, we will send a follow-up.
What we cannot promise
We cannot promise that all incidents will be detected. We cannot promise that all incidents that we detect will be detected within the 72-hour window. We cannot promise to recover lost data. The limitations and disclaimers in the “Service availability and limitations” section of our Terms of Service apply with full force to security incidents.
Reporting a suspected issue
If you suspect a security issue affecting your account or our systems, please email [email protected]. We treat all reports as confidential and respond as quickly as possible.
International data transfers
Diwo is headquartered in the United States. If you access our services from outside the United States, your information will be transferred to, stored, and processed in the United States or in other jurisdictions where we or our service providers operate. We take steps to ensure that cross-border transfers are subject to appropriate safeguards, including standard contractual clauses where required.
Your rights and choices
Depending on where you live, you may have certain rights with respect to your personal information, including the right to:
- Access or obtain a copy of the information we hold about you;
- Correct inaccurate or incomplete information;
- Request deletion of your information;
- Object to or restrict certain processing activities;
- Receive your information in a portable format;
- Withdraw consent where processing is based on consent;
- Opt out of direct marketing communications at any time by using the unsubscribe link included in those communications or by contacting us.
California residents have specific rights under the California Consumer Privacy Act, as amended, including the right to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under the CCPA.
To exercise any of these rights, contact us using the details in the Contact us section below. We will respond within the timeframe required by applicable law.
Children's privacy
Our services are designed for use by enterprise organizations and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided information to us, please contact us and we will take appropriate steps to delete it.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. If the changes are material, we will provide a more prominent notice (including, for certain services, by email notification). We encourage you to review this policy periodically to stay informed about our practices.
Contact us
If you have questions about this Privacy Policy or our privacy practices, or you wish to exercise any of the rights described above, please contact us:
Diwo, LLC
22260 Haggerty Rd, Suite 250
Northville, MI 48167
[email protected]
