Ensoul

Privacy Policy

Last updated: March 2026

1. Introduction

Ensoul LLC ("Ensoul," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the Ensoul platform, APIs, SDKs, and related services (the "Service") available at ensoul-ai.com.

This Privacy Policy applies to all users of the Service, including visitors to our website, account holders, and API consumers. It should be read alongside our Terms of Service and Cookie Policy.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, additional rights and disclosures apply (see Section 10).

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored as a cryptographic hash; we never store plaintext passwords)
  • Organization name (if applicable)
  • Billing information (processed and stored by Stripe; we do not store payment card details)

2.2 Service Usage Data

When you use the Service, we automatically collect:

  • API request logs (endpoint, timestamp, response status, latency; not the content of requests or responses)
  • Token usage and cost metrics (for billing and analytics)
  • Feature usage patterns (pages visited, actions taken within Ensoul Studio)
  • Error reports and diagnostic data (via Sentry)

2.3 Customer Content

You may provide the following content through the Service:

  • Domain configurations (personality frameworks, tier definitions, settings)
  • Persona definitions (names, personality traits, backstories, custom fields)
  • Chat messages and conversation histories
  • Simulation configurations and results
  • Memory entries (both manually created and AI-generated)

Customer Content is stored to provide the Service and is not used by Ensoul for any purpose other than operating and improving the Service.

2.4 Technical Data

We collect standard technical data including:

  • IP address and approximate geographic location (country/region)
  • Browser type and version
  • Operating system
  • Referring URL
  • Cookies (see our Cookie Policy)

3. Synthetic Persona Data Is Not Personal Data

A core feature of Ensoul is the creation and management of synthetic personas. We want to be clear about the distinction between personal data and synthetic data:

  • Synthetic persona data (personality vectors, AI-generated memories, simulated conversations, trait scores, archetype definitions) is computationally generated and does not relate to any identified or identifiable natural person. It is not personal data under GDPR, CCPA, or other data protection laws.
  • Exception: If you input real personal data about identifiable individuals into persona definitions (e.g., creating a persona based on a real person with their name and personal details), that input data constitutes personal data and is subject to applicable data protection law. You are responsible for ensuring you have a lawful basis for such processing.

Ensoul does not cross-reference synthetic persona data with external databases, social media, or other sources to identify real individuals.

4. LLM Provider Data Sharing

To generate persona responses, Ensoul sends data to third-party large language model (LLM) providers. This section explains what data is shared and how it is handled.

4.1 What Data Is Sent to LLM Providers

For each persona interaction, Ensoul constructs a prompt that may include:

  • Persona personality definition (traits, backstory, behavioral guidelines)
  • Relevant conversation history from the current session
  • Retrieved memory context (hierarchical memory entries relevant to the conversation)
  • Domain configuration context (entity type, custom fields)
  • Your chat message or simulation input

4.2 Managed Plans (Default Provider)

For managed plans (Free Demo and Custom), Ensoul uses Anthropic's commercial Claude API as the default LLM provider. Anthropic's commercial API provides the following data protections:

  • Anthropic does not use commercial API inputs or outputs for model training
  • API data is retained by Anthropic for up to 30 days for trust and safety monitoring, then deleted
  • Anthropic does not share API data with third parties

For full details, refer to Anthropic's commercial API terms and privacy documentation. If Ensoul changes its default LLM provider, this policy will be updated and customers will be notified.

4.3 BYOK Plans (Customer-Chosen Provider)

BYOK (Bring Your Own Key) customers choose their own LLM provider and supply their own API credentials. Under BYOK:

  • Data is sent to the LLM provider you have configured, using your API key
  • Ensoul does not control and is not responsible for how your chosen provider handles data sent via your API key
  • You are responsible for reviewing your provider's data handling, privacy, and training policies
  • You should ensure your provider's policies are compatible with your own data protection obligations (e.g., GDPR, CCPA)

Ensoul recommends using LLM providers that offer commercial API agreements with no-training guarantees when processing sensitive or personal data.

4.4 LLM Models Used

Ensoul's managed plans use Anthropic's Claude model family by default, with different models selected for different operations (e.g., smaller models for memory consolidation, larger models for complex interactions). BYOK customers may use any models available through their chosen provider.

5. How We Use Your Information

We use your information for the following purposes:

  • Providing the Service: Account management, authentication, persona generation, chat inference, memory storage, simulation execution, and billing
  • Service improvement: Analyzing usage patterns, identifying bugs, improving performance and features (using aggregated, de-identified data)
  • Communication: Sending transactional emails (account confirmation, password reset, billing receipts), service announcements, and security alerts
  • Security: Detecting and preventing fraud, abuse, and unauthorized access; enforcing our Acceptable Use Policy
  • Legal compliance: Fulfilling legal obligations, responding to lawful requests from authorities, and protecting our rights

We do not sell your personal data. We do not use your personal data for advertising or marketing purposes beyond occasional product updates related to the Service, which you can opt out of.

6. How We Share Your Information

We share your information only in the following circumstances:

  • Service providers: We share data with trusted third-party service providers who assist us in operating the Service, subject to contractual data protection obligations. See our Data Processing Agreement for a current list of sub-processors.
  • LLM providers: As described in Section 4, we share persona context and conversation data with LLM providers (Anthropic by default for managed plans, or your chosen provider under BYOK) for the purpose of generating persona responses.
  • Payment processor (Stripe): Billing information is shared with Stripe for payment processing. Ensoul does not have access to your full payment card details.
  • Error monitoring (Sentry): Error reports may contain technical data (stack traces, request metadata) but are configured to exclude personal data and Customer Content.
  • Legal requirements: We may disclose information to comply with applicable law, legal process, or governmental request, or to protect the rights, property, or safety of Ensoul, our users, or the public.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections described in this policy.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Secure authentication using Auth.js with JWT-based sessions
  • CSRF protection on all state-changing operations
  • API key encryption and secure storage
  • Infrastructure hosted on Google Cloud Platform (SOC 2 Type II, ISO 27001 certified)
  • Role-based access controls and the principle of least privilege
  • Regular security reviews and dependency updates

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to security@ensoul-ai.com.

8. Data Retention

We retain your data for the following periods:

Data TypeRetention Period
Account dataDuration of account + 30 days post-deletion
Customer ContentDuration of account + 30-day export period + 30-day deletion window
API logs (metadata only)90 days
Billing records7 years (as required by tax law)
Error reports (Sentry)90 days
Backup dataOverwritten through normal rotation, not exceeding 90 days

9. Your Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) provides you with the following rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you in the preceding 12 months
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to Correct: You may request correction of inaccurate personal information we maintain about you
  • Right to Opt-Out of Sale/Sharing: We do not sell or share (for cross-context behavioral advertising) personal information, so this right does not currently apply
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service
  • Right to Opt-Out of Automated Decision-Making: Ensoul does not use automated decision-making technology to make decisions that produce legal or similarly significant effects on you. If this changes, we will provide an opt-out mechanism
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

Categories of personal information collected: Identifiers (name, email, IP address), commercial information (billing records, subscription details), internet activity (usage logs, feature interactions), and professional information (organization name). We do not collect or process sensitive personal information as defined under CPRA.

Global Privacy Control (GPC): We honor Global Privacy Control signals. If your browser or extension sends a GPC signal, we treat it as a valid opt-out request under CPRA.

To exercise your rights, contact us at support@ensoul-ai.com. We will verify your identity before processing your request and respond within 45 days.

10. Rights for EEA, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent legislation provide you with additional rights.

10.1 Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service under our Terms
  • Legitimate interests (Art. 6(1)(f)): Service improvement, security, and fraud prevention
  • Legal obligation (Art. 6(1)(c)): Compliance with tax, accounting, and other legal requirements
  • Consent (Art. 6(1)(a)): Where specifically requested (e.g., marketing communications), which you may withdraw at any time

10.2 Your GDPR Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request limitation of processing
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent

To exercise these rights, contact us at support@ensoul-ai.com. We will respond within 30 days.

10.3 Automated Decision-Making (Article 22)

Ensoul generates synthetic persona responses using AI, but does not use automated processing to make decisions that produce legal effects or similarly significantly affect you as a data subject. The AI-generated outputs (persona responses, simulated conversations) are synthetic content, not decisions about real individuals.

If you deploy Ensoul in a way that involves automated decision-making about real individuals, you (as the data controller) are responsible for ensuring compliance with Article 22, including providing meaningful information about the logic involved and ensuring appropriate human oversight.

10.4 Data Protection Impact Assessment

Ensoul has conducted a Data Protection Impact Assessment (DPIA) covering the data flows through the Service, including transmission of data to LLM providers, risks of personal data appearing in prompts or outputs, and security measures for data in transit and at rest. If you deploy Ensoul in ways that involve processing personal data of EU individuals — particularly if creating personas based on real individuals — you should conduct your own DPIA to assess the risks specific to your deployment.

10.5 Data Transfers

Your data is processed and stored in the United States. For transfers from the EEA/UK to the US, we rely on:

  • EU-US Data Privacy Framework (DPF): Where applicable, we rely on our own or sub-processor certifications under the EU-US Data Privacy Framework as our primary transfer mechanism
  • Standard Contractual Clauses (SCCs): We incorporate the EU Commission-approved SCCs (Module 2: Controller to Processor) as a supplementary transfer mechanism
  • UK International Data Transfer Addendum: For UK transfers, the ICO-approved addendum to the EU SCCs applies

We conduct Transfer Impact Assessments to evaluate the legal framework and surveillance laws of any country where data is processed, and implement supplementary technical measures (encryption, pseudonymization) where risks are identified. See our Data Processing Agreement for details.

10.6 Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates applicable law.

10.7 EU Representative (Article 27)

Ensoul LLC is based in the United States and does not maintain an establishment in the European Union. Under GDPR Article 27, a non-EU entity that offers goods or services to EU data subjects must appoint an EU representative regardless of company size. Ensoul will appoint an EU representative before actively offering the Service to EU customers. Once appointed, the representative's name and contact details will be published on this page.

11. AI-Specific Disclosures

11.1 EU AI Act Transparency

Ensoul provides tools for generating synthetic AI content (persona responses, simulated conversations). Under the EU AI Act (Regulation 2024/1689), providers and deployers of AI systems that generate synthetic content must ensure transparency. Ensoul:

  • Discloses that all persona outputs are AI-generated
  • Provides metadata labeling in API responses identifying content as AI-generated
  • Will implement machine-readable content marking in compliance with Article 50 requirements (effective August 2026), including appropriate metadata in API response headers and output payloads

If you deploy Ensoul-generated content in the EU, you are responsible for ensuring end users are informed they are interacting with AI-generated content and for maintaining AI-generated markings in any downstream distribution.

11.2 US State AI Laws

Several US states have enacted or are enacting AI-specific legislation. The following may apply depending on your use of the Service:

  • Colorado AI Act (SB 24-205): Effective February 2026, applies to "high-risk AI systems" that make consequential decisions about individuals (employment, housing, credit, education, healthcare). Ensoul is a general-purpose simulation framework — whether it constitutes a "high-risk" system depends on your specific deployment. If you use Ensoul for consequential decisions about real individuals in Colorado, you may have obligations as a "deployer" including impact assessments and disclosure requirements.
  • Tennessee ELVIS Act: Prohibits using AI to simulate a real person's voice or likeness without consent. Do not use Ensoul to create personas that replicate identifiable real individuals without their explicit permission.
  • Other state laws: Various states are enacting AI transparency, deepfake, and automated decision-making laws. You are responsible for compliance with all laws applicable to your deployment and jurisdiction.

11.3 AI Output Accuracy

AI-generated persona outputs may contain inaccuracies, biases, inconsistencies, or content that does not reflect real-world facts. Ensoul does not guarantee the accuracy, completeness, or appropriateness of any AI-generated content. You are responsible for reviewing all AI-generated output before any downstream use, particularly in contexts where accuracy is material.

12. Children's Privacy

The Service is not directed to individuals under 18 years of age (or the applicable age of majority). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at support@ensoul-ai.com.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Material changes will be communicated by email or through a notice on the Service. The "Last updated" date at the top of this page indicates the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights, contact us: