Privacy Policy

This Privacy Policy (“Privacy Policy”) describes the types of personal information that Enso Insights (“Enso Insights”, “we”, “our”, and/or “us”) collects, uses, and discloses from individuals (“you” or “your”) who use our website (including https://www.ensoinsights.us) and the services that link to this Privacy Policy (collectively, our “Services”). As used in this Privacy Policy, personal information means any information relating to an identified or identifiable individual.

By using our Services, you agree to the collection, use, disclosure, procedures, and other processing described in this Privacy Policy. Beyond this Privacy Policy, your use of our Services is also subject to our Master Subscription Agreement.

This Privacy Policy does not apply to the extent we process personal information in the role of a processor or service provider on behalf of our customers, including where we offer our software-as-a-service platform to our customers. In that context, our customers are the data controllers, and our processing of that personal information is governed by our Data Processing Agreement and the underlying customer contract.

1. Personal information we collect

We collect a variety of personal information from or about you or your devices from various sources, as described below. Where applicable we indicate why you must provide the information and the consequence of not providing it. If you do not provide information when requested, you may not be able to use our Services if that information is necessary to provide them or if we are legally required to collect it.

A. Information you provide to us

• Account information. When you sign up for the Services, we collect the email address you authenticate with, the brand name and competitor names you submit for analysis, the category context you provide, and any profile information you choose to add (display name, role, organization).
• Audit inputs. The prompts, brand names, competitor names, market context, and any free-text instructions you submit when running an audit. These are the inputs to our scoring engines.
• Communications.When you contact us by email or fill out a form on the Services (including the “Start free audit” form or any inquiry or contact form), we collect your name, email address, employer, role, and the contents of your message and any attachments.
• Newsletter / marketing. If you subscribe to product updates or downloadable resources, we collect your email address. When we send you marketing email, we may use embedded pixels to track whether you opened the email or clicked links so we can improve our communications.
• Payment information. If you purchase a paid plan, our third-party payment processor collects card or bank details on our behalf; the current provider is identified on our Subprocessors page. We do not store full payment card numbers on our systems; we store only the masked identifier and the customer record returned by the processor.
• Careers. If you apply for a role with us, we collect the contact information, work history, and other materials you submit through the application process.

B. Information we collect when you use the Services

• Audit outputs. The reports, scorecards, citations, and AI-generated summaries we produce in response to your audit inputs. These are stored in your account so you can review historical trends.
• Location information. We infer general location (typically country / region) from your internet protocol (IP) address.
• Device information. IP address, device type, web browser type and version, operating system, language, and timezone — collected from request headers when you load the Services.
• Usage information. Pages visited, features used, the timestamps and durations of your visits, referring URLs, and the success or failure of audit jobs we run on your behalf.
• Cookies and similar technologies. See the table below.

C. Cookies and similar technologies

We and our third-party providers use cookies and similar technologies to authenticate users, remember preferences, secure the Services, and understand how the Services are used. We use the following categories of cookies:

We do not currently set functional, analytics, performance, or advertising cookies, and we will update this notice before deploying any non-essential cookies. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies, and we do not sell or share your personal information for cross-context behavioral advertising. You can block or delete cookies through your browser settings; if you block strictly-necessary cookies you will not be able to sign in to the Services.

2. How we use personal information

We use the personal information we collect to:

• Provide, maintain, secure, improve, and enhance the Services;
• Run the AI audits you request, generate reports, and store the results so you can review historical trends in your account;
• Personalize your experience, such as pre-filling your most recent brand and category context on the dashboard;
• Communicate with you, provide updates and information you request, respond to support inquiries, and otherwise operate the relationship;
• Send marketing emails and product updates (only with your consent where required by law, and you can unsubscribe at any time using the link in any email);
• Generate aggregated, de-identified statistics about how the Services are used so we can improve them and publish industry benchmarks. Aggregated data does not identify you and is not personal information;
• Process payments and manage billing through our payment processor;
• Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Master Subscription Agreement;
• Comply with our legal obligations, respond to lawful requests from public authorities, and enforce our agreements;
• Other purposes for which we provide specific notice at the time the information is collected and obtain consent where required.

We do not train artificial-intelligence or machine-learning models on your Customer Data. The audit inputs and outputs that you submit and we generate are used only to provide the Services to you. We pass prompts to third-party model providers under terms that contractually prohibit those providers from using your prompts to train their models. The current list of those providers is identified on our Subprocessors page.

Use of artificial-intelligence systems

The Service uses third-party large-language-model (LLM) systems and a third-party web-search system to generate brand-presence scores, citations, and summaries in response to the audit inputs you submit. The current list of AI engines and the purposes for which we use them is published on our Subprocessors page. We do not use artificial-intelligence systems to make legal, financial, employment, housing, health-care, insurance, educational, or other consequential decisions about you, and we do not use AI to profile you in any manner that would result in such decisions being made about you. Outputs of the Service are analytical signals about how third-party AI engines describe brands, products, and markets — they are not, and should not be relied on as, decisions about any individual.

3. Legal bases for processing (EEA, UK, Switzerland)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we only process your personal information when we have a valid legal basis under the applicable Data Protection Law:

• Performance of a contract. We process your account information, audit inputs and outputs, and communications because doing so is necessary to perform the agreement under which we provide the Services to you.
• Legitimate interests. We process device, usage, and aggregated data for our legitimate interests in operating, securing, debugging, and improving the Services, in product analytics, and in detecting fraud and abuse. We have weighed these interests against your rights and we will not process information where your rights override our interests.
• Consent. Where required by law, we rely on your consent to send you marketing emails or to set non-essential cookies. You can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Legal obligation. We process information where we have a legal obligation to do so, for example to comply with tax, accounting, or legal-process obligations.

4. How we disclose personal information

We do not sell your personal information. We disclose personal information only as described below.

• Subprocessors and service providers. We share information with the third-party providers that help us run the Services (hosting, database, AI scoring engines, web grounding, transactional email, payment processing). A current list is published at https://www.ensoinsights.us/legal/subprocessors and is incorporated into our Data Processing Agreement. We bind every subprocessor by contract to confidentiality and security obligations no less protective than ours.
• AI model providers. Audit prompts you submit are sent to third-party LLM subprocessors for scoring under terms that prohibit them from using your prompts to train their models. Web context used for grounding is retrieved from a third-party search subprocessor. The current list of those providers is identified on our Subprocessors page.
• Affiliates. If we have or in the future create affiliates, we may share information among affiliates for the purposes described in this Privacy Policy.
• Required by law.We may access, preserve, and disclose information if we believe it is required or appropriate to (a) comply with law-enforcement requests and legal process such as a court order or subpoena; (b) respond to your requests; (c) protect your, our, or others’ rights, property, or safety; (d) protect against legal liability; or (e) investigate fraud or other unlawful activity. Where permitted, we will notify you in advance of any such disclosure.
• Corporate transactions. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred to the successor or acquirer subject to confidentiality protections substantially similar to those in this Privacy Policy.
• With your consent. We may share your information for any other purpose with your consent.

5. Your choices and rights

Marketing communications

You can unsubscribe from our promotional emails at any time using the link at the bottom of any email or by emailing us at support@ensoinsights.us. Even if you opt out of marketing email, you will continue to receive transactional and operational messages about your account and the Services.

Account information

You can review, update, or correct your account information at any time by signing in and editing your profile, or by contacting us at support@ensoinsights.us.

Data subject rights (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the applicable Data Protection Law:

• Right of access. Request a copy of the personal information we hold about you.
• Right of rectification. Request that we correct inaccurate or incomplete personal information.
• Right of erasure. Request that we delete personal information about you, subject to exceptions in law.
• Right to restrict processing. Request that we restrict the processing of your personal information in certain circumstances.
• Right to data portability. Request a copy of your personal information in a structured, machine-readable format and transmit it to another controller.
• Right to object. Object to processing based on our legitimate interests, including profiling and direct marketing.
• Right to withdraw consent. Where we rely on your consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint. Lodge a complaint with the supervisory authority in your country of residence, place of work, or where the alleged infringement took place. A list of EU supervisory authorities is available at edpb.europa.eu.

You may exercise these rights by emailing legal@ensoinsights.uswith the subject “Data subject request.” Before fulfilling your request we may ask for reasonable information to verify your identity. We will respond within the time period required by applicable law and may extend that period where the law permits. There are exceptions to each of these rights — for example we may retain personal information for backups, archiving, fraud prevention, analytics, or where we have a legitimate reason to do so.

Do Not Track and Global Privacy Control

There is no industry-standard way to respond to “Do Not Track” signals, and we do not currently respond to such signals. We do not engage in cross-site tracking.

We honor browser-level Global Privacy Control (GPC) signals as opt-out-of-sale and opt-out-of-share requests where applicable, including under the California Consumer Privacy Act as amended by the California Privacy Rights Act. Because Enso Insights does not sell personal information and does not share personal information for cross-context behavioral advertising, this signal acts as an affirmation of our existing practice.

6. California privacy rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), provides you with specific rights regarding your personal information. The categories of personal information we collect, the sources, the business purposes, and the categories of third parties with whom we share are described elsewhere in this Privacy Policy. The following table summarizes our practices for purposes of CCPA disclosure:

We do not sell your personal information as that term is defined under the CCPA, and we do not share your personal information for cross-context behavioral advertising. We have not done so in the preceding twelve (12) months.

Subject to applicable verification requirements, California residents have the right to:

• Know what personal information we collect, use, disclose, and (if applicable) sell.
• Access a copy of the specific pieces of personal information we have collected about you.
• Delete personal information we have collected about you, subject to exceptions in law.
• Correct inaccurate personal information we maintain about you.
• Opt out of sale or sharing of personal information (we do not sell or share, but you may still submit a request).
• Limit use of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right).
• Non-discrimination for exercising any of the above rights.

To exercise any of these rights, email support@ensoinsights.uswith the subject “California privacy request.” You may use an authorized agent to submit a request on your behalf; we will require written authorization and we may verify your identity directly.

California residents under the age of 16 have the right to opt in to the sale of personal information. Because we do not sell personal information and our Services are not directed to minors, this right does not currently apply.

7. Texas privacy rights (TDPSA)

If you are a Texas resident, the Texas Data Privacy and Security Act (the “TDPSA”) provides you with specific rights regarding personal data we process about you as a controller. These rights are in addition to any rights you may have under federal law.

Your Texas rights

• Confirm and access. Confirm whether we are processing your personal data and access that personal data.
• Correct. Correct inaccuracies in personal data we maintain about you, taking into account the nature of the data and the purpose of processing.
• Delete. Delete personal data provided by or obtained about you, subject to exceptions in law.
• Portability. Obtain a copy of personal data you previously provided to us in a portable and, to the extent technically feasible, readily usable format.
• Opt out of sale. Opt out of the sale of your personal data. We do not sell personal data as that term is defined under the TDPSA, and we have not done so in the preceding twelve (12) months.
• Opt out of targeted advertising. Opt out of the processing of personal data for the purpose of targeted advertising. We do not engage in targeted advertising and do not process personal data for that purpose.
• Opt out of profiling. Opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect concerning you. We do not engage in profiling for such consequential decisions; see also the AI-systems disclosure in Section 2.

Sensitive data

We do not knowingly collect or process “sensitive data” as defined by the TDPSA (which includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data processed to uniquely identify an individual, personal data of a known child, and precise geolocation) in the ordinary course of providing the Services. We do not request or require you to submit sensitive data as part of an audit. If you choose to include sensitive data in audit inputs or other free-text submissions, you do so at your own discretion and we will treat that data in accordance with this Privacy Policy.

Universal opt-out (Global Privacy Control)

Effective January 1, 2025, the TDPSA requires controllers that process personal data for sale or for targeted advertising to recognize universal opt-out mechanisms such as the Global Privacy Control (GPC). Because we do not sell personal data and do not engage in targeted advertising, this requirement does not change our processing; nevertheless, when we detect a GPC signal we treat it as a Texas-resident opt-out request that confirms our existing practice.

How to submit a Texas privacy request

To exercise any of the rights above, email legal@ensoinsights.uswith the subject “Texas privacy request” and describe the right you wish to exercise. We will respond within forty-five (45) days of receipt of a verifiable request and may extend that period by an additional forty-five (45) days where reasonably necessary, in which case we will notify you of the extension and the reason for it. You may use an authorized agent to submit a request on your behalf; we will require written authorization and we may take reasonable steps to verify your identity directly.

Right to appeal

If we decline to take action on a request to exercise your data rights under this section, we will notify you in writing of the refusal, the reason for the refusal, and instructions for appealing our decision. You may appeal that decision within a reasonable period (we recommend within thirty (30) days of our notice) by emailing legal@ensoinsights.us with the subject “Appeal of Texas privacy request.” We will respond in writing to your appeal within sixty (60) days of receipt, including written notice of the action taken or not taken in response to the appeal and the reasoning for that decision. If we deny your appeal, you may submit a complaint to the Texas Attorney General using the consumer-complaint form at texasattorneygeneral.gov/consumer-protection/file-consumer-complaint.

8. Third-party links and services

Our Services may contain links to other websites, products, or services that we do not own or operate, including the third-party AI engines whose outputs we score (ChatGPT, Gemini, Perplexity, and others). We are not responsible for the privacy practices of these third parties. This Privacy Policy does not apply to your activities on those third-party services or any information you disclose to them. We encourage you to read their privacy policies before providing any information to them.

9. Data retention

We retain personal information for as long as necessary to provide the Services and for the purposes described in this Privacy Policy. The retention periods we apply depend on the type of information and the purpose for which we process it:

10. Security

We implement reasonable and appropriate technical and organizational measures designed to protect personal information from unauthorized access, alteration, disclosure, or destruction, including:

• TLS 1.3 in transit and AES-256 at rest;
• Row-level security at the database layer scoping every query by user;
• Passwordless one-time-password (OTP) authentication;
• Least-privilege access for personnel, with audit logs maintained through the underlying infrastructure providers;
• Periodic review of application dependencies and risk-prioritized application of security patches;
• Written confidentiality obligations for all personnel and contractors with access to personal information.

The Services are built on top of the underlying controls of established cloud infrastructure providers, each of which maintains its own independent security attestations; the current list of those providers is identified on our Subprocessors page. Despite our reasonable efforts, no electronic transmission or storage of information is ever completely secure, and we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately at legal@ensoinsights.us.

11. Children’s privacy

Our Services are intended for business users and are not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information in violation of this Privacy Policy, please contact us at support@ensoinsights.us and we will take steps to delete the information.

12. International visitors and data transfers

Our Services are hosted in the United States and intended primarily for visitors and customers located in the United States. If you choose to use our Services from the EEA, the UK, Switzerland, or other regions with laws governing data collection and use that differ from U.S. law, you understand that you are transferring your personal information outside those regions for storage and processing in the United States.

For transfers of personal information from the EEA, UK, or Switzerland to the United States and other third countries that have not received an adequacy decision, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses (Module 2 controller-to-processor and Module 3 processor-to-subprocessor), the UK Information Commissioner’s International Data Transfer Addendum, and equivalent Swiss safeguards. These mechanisms are incorporated into our Data Processing Agreement. You may request a copy of the safeguards we apply by contacting us.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “Last updated” date at the top. If we make material changes, we will provide additional notice (such as by email to the address on your account or through a prominent banner on the Services) at least 30 days before the change takes effect, where required by law. Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance.

Recent changes:

• April 19, 2026. Added Section 7 (Texas privacy rights) to implement the Texas Data Privacy and Security Act (TDPSA), including a rights enumeration, sensitive-data and universal-opt-out disclosures, request channel, and the statutory appeal mechanism. Added an artificial-intelligence-systems disclosure to Section 2 stating that the Service does not use AI to make consequential decisions about individuals. Renumbered subsequent sections accordingly. No substantive change to data-handling practices.

14. Contact

Enso Insights is responsible for, and the data controller for, the processing of your personal information described in this Privacy Policy. If you have any questions, comments, or concerns about our processing activities, or you wish to exercise any of the rights described above, please use the contact below that best fits your request:

• Privacy & data-protection requests, formal legal notices, and regulator inquiries: legal@ensoinsights.us
• Product support and account questions: support@ensoinsights.us

For privacy-specific requests, please use the subject line “Privacy request” so we can route your message to the right team. Where required by applicable law, we will respond within the statutory timeline and may extend that period where the law permits.