UNCASE
Whitepaper
Comenzar
Whitepaper
Comenzar

Privacy Policy

Last updated: February 25, 2026

UNCASE ("we," "us," or "our") operates the UNCASE platform — an open-source, privacy-first AI infrastructure for generating synthetic conversational data and fine-tuning language models in regulated industries. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, API services, dashboard application, and open-source framework (collectively, the "Service").

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: When you create an account or organization, we collect your email address, organization name, and authentication credentials (hashed passwords or OAuth tokens).
  • API Keys: API keys you generate for accessing the UNCASE API. These are stored encrypted at rest using Fernet symmetric encryption.
  • LLM Provider Credentials: If you configure third-party LLM providers (OpenAI, Anthropic, Google, etc.) through our Provider Registry, your API keys are encrypted at rest and never logged or transmitted in plaintext.
  • Seed Data: Domain-specific seed schemas you create or upload, including conversation patterns, roles, tools, and objectives. Seeds are designed to contain zero personally identifiable information (PII) by architecture.
  • Knowledge Base Documents: Documents you upload to the knowledge base for domain context (facts, procedures, terminology). These are chunked server-side and stored in PostgreSQL with organization-level isolation.
  • Support Communications: Any information you provide when contacting us for support or submitting issues on GitHub.

1.2 Information Collected Automatically

  • Usage Metrics: API request counts, endpoint usage patterns, generation job metadata (timestamps, durations, status codes), and cost tracking data. These are recorded via our usage metering system with event-level granularity.
  • Audit Logs: Immutable records of API actions (seeds created, evaluations run, models trained) for compliance traceability. Audit logs capture action types and metadata but never capture conversation content.
  • Server Logs: IP addresses, request timestamps, HTTP methods, response codes, and user-agent strings for security monitoring and debugging.
  • Observability Data: Prometheus metrics including request rates, latency percentiles, error rates, and resource utilization for infrastructure monitoring.

1.3 Information We Do NOT Collect

  • Real Conversation Content: UNCASE is architecturally designed so that real conversations are never stored, logged, or transmitted through our infrastructure. The Seed Engine (Layer 0) strips all PII before any data enters the pipeline.
  • PII from Synthetic Data: Generated synthetic conversations undergo mandatory privacy evaluation (Presidio + SpaCy NER) with a required privacy score of 0.00 — zero PII tolerance.
  • Training Data from Your Models: LoRA adapters trained through our pipeline remain your property. We do not access, copy, or use your trained models or training datasets.

2. How We Use Your Information

  • Service Operation: To provide, maintain, and improve the UNCASE platform, including seed processing, synthetic generation, quality evaluation, and LoRA fine-tuning.
  • Authentication & Authorization: To verify your identity, manage organization-level access control, and enforce API key permissions.
  • Usage Metering & Billing: To track API usage per organization, calculate LLM costs across providers, and support billing for enterprise tiers.
  • Compliance & Audit: To maintain immutable audit trails required for regulatory compliance in healthcare (HIPAA), financial services, legal, and other regulated industries.
  • Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
  • Communications: To send service-related notifications, security alerts, and (with your consent) product updates.

3. Privacy-First Architecture

UNCASE is built from the ground up with privacy as a non-negotiable requirement. Our 5-layer SCSF (Synthetic Conversational Seed Framework) pipeline implements privacy at every stage:

  • Layer 0 — Seed Engine: Dual-strategy PII detection using Microsoft Presidio NER and custom regex patterns. All personally identifiable information is eliminated before data enters the pipeline. Privacy score must equal 0.00 — no exceptions.
  • Layer 1 — Parser: Multi-format ingestion (ChatML, ShareGPT, WhatsApp, JSONL) with automatic PII scanning on all imported data.
  • Layer 2 — Evaluator: 6-gate quality evaluation including a mandatory privacy gate. Any generated content with a privacy score above 0.00 is automatically rejected.
  • Layer 3 — Generator: Synthetic conversations are generated from abstract seed structures — no real data is ever used as input to the LLM.
  • Layer 4 — LoRA Pipeline: Differential Privacy Stochastic Gradient Descent (DP-SGD) with epsilon ≤ 8.0 during fine-tuning. Extraction attack success rate verified to be below 1%.

3.1 Privacy Interceptor

All traffic through the LLM Gateway passes through the Privacy Interceptor, which scans inbound and outbound messages in real-time. The interceptor operates in three modes:

  • Audit mode: Logs PII detections without blocking (for monitoring).
  • Warn mode: Flags PII detections and notifies the user.
  • Block mode: Automatically strips or rejects any request/response containing PII.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share information in the following limited circumstances:

  • LLM Providers: When you use the LLM Gateway, your prompts (which by design contain no PII) are routed to your configured LLM provider (OpenAI, Anthropic, Google, etc.). Each provider's own privacy policy governs their handling of that data. UNCASE encrypts provider API keys at rest and never logs prompt content.
  • Infrastructure Providers: We use cloud infrastructure providers to host the Service. These providers process data on our behalf under strict data processing agreements.
  • E2B Sandboxes: When using cloud sandbox features, isolated MicroVMs are provisioned through E2B. Each sandbox is ephemeral — artifacts are exported before automatic destruction, and no data persists after sandbox termination.
  • Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of UNCASE, our users, or others.
  • Business Transfers: In connection with any merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

5. Data Security

We implement industry-standard security measures including:

  • Encryption at rest for all sensitive data (API keys, provider credentials) using Fernet symmetric encryption.
  • Encryption in transit (TLS 1.2+) for all API communications.
  • Organization-level data isolation — each organization's seeds, knowledge, and audit logs are strictly separated.
  • Immutable audit logging for all API actions with compliance-grade retention.
  • Configurable data retention policies with TTL-based automatic expiration.
  • HMAC-signed webhook payloads for secure event delivery.
  • JWT authentication with refresh token rotation for dashboard access.
  • Rate limiting and abuse detection on all API endpoints.

6. Data Retention

  • Account Data: Retained for the duration of your account plus 30 days after deletion to allow for recovery.
  • Seeds and Synthetic Data: Retained until you delete them or your account is terminated. You may export and delete your data at any time through the API.
  • Audit Logs: Retained according to your configured data retention policy (default: 90 days for standard tier, configurable up to 7 years for enterprise/compliance requirements).
  • Usage Metrics: Aggregated usage data may be retained indefinitely for service improvement. Individual event-level usage data follows your retention policy.
  • Server Logs: Retained for 30 days for security and debugging purposes.
  • Sandbox Data: E2B cloud sandboxes are ephemeral and auto-destruct after 5–60 minutes. No data persists after sandbox termination.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

7.1 Under GDPR (EU/EEA)

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate personal data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request limitation of processing of your personal data.
  • Objection: Object to processing of your personal data for specific purposes.
  • Automated Decision-Making: Right not to be subject to decisions based solely on automated processing.

7.2 Under CCPA/CPRA (California)

  • Right to know what personal information is collected and how it is used.
  • Right to delete personal information.
  • Right to opt-out of the sale of personal information (we do not sell personal information).
  • Right to non-discrimination for exercising your privacy rights.
  • Right to correct inaccurate personal information.
  • Right to limit use and disclosure of sensitive personal information.

7.3 Under LFPDPPP (Mexico)

  • ARCO rights: Access, Rectification, Cancellation, and Opposition regarding your personal data.
  • Right to revoke consent for data processing.
  • Right to limit the use or disclosure of your personal data.

To exercise any of these rights, contact us at privacy@uncase.dev. We will respond within 30 days (or as required by applicable law).

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. When we transfer data internationally, we implement appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data processing agreements with all sub-processors.
  • Verification that recipient countries provide adequate data protection or that appropriate safeguards are in place.

9. Industry-Specific Compliance

UNCASE is designed for use in regulated industries. While the framework provides the technical infrastructure for compliance, users are responsible for ensuring their specific use case meets applicable regulatory requirements:

  • Healthcare (HIPAA): UNCASE's zero-PII architecture means Protected Health Information (PHI) is eliminated before entering the pipeline. The framework supports BAA (Business Associate Agreement) requirements for enterprise customers.
  • Financial Services (SOX, PCI-DSS): Immutable audit logging, full traceability from seed to adapter, and encryption at rest support financial compliance requirements.
  • Legal (Attorney-Client Privilege): Seed abstraction ensures no privileged communications are stored or transmitted. Only structural patterns are captured.
  • EU AI Act: Full traceability, quality evaluation gates, and documented data lineage support transparency requirements for high-risk AI systems.
  • GDPR / CCPA / LFPDPPP: Privacy-by-design architecture, data minimization, purpose limitation, and configurable retention policies align with global privacy regulations.

10. Cookies and Tracking

The UNCASE website and dashboard use minimal cookies strictly necessary for service operation:

  • Authentication cookies: To maintain your session and verify your identity.
  • Preference cookies: To remember your theme (light/dark), language, and UI preferences.
  • Security cookies: CSRF tokens and rate-limiting identifiers.

We do not use third-party tracking cookies, advertising cookies, or analytics services that track individual users across websites. We do not participate in cross-site tracking or behavioral advertising.

11. Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

12. Open Source Considerations

UNCASE is released under the Apache License 2.0. When you use the self-hosted open-source version:

  • All data processing occurs on your own infrastructure — we have no access to your data.
  • You are the data controller and are responsible for compliance with applicable privacy laws.
  • This Privacy Policy applies only to our hosted services, website, and API — not to self-hosted deployments.
  • Community contributions (pull requests, issues, discussions) on GitHub are subject to GitHub's privacy policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or a prominent notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: