Privacy Policy

Effective: May 24, 2026 · Classification: Public

This Privacy Policy describes how Primus Software Corporation ("Primus", "we", "us") collects, uses, shares, and protects personal data through the PrimeTDAP platform (the "Service").

1. Scope

This policy applies to data processed by the Service. It does not cover data processed by Primus through other channels (email, in-person meetings, separate Primus systems) or by our customers through their own systems.

For data processed under an engagement governed by a Master Services Agreement and Statement of Work, the engaging customer's privacy policy may also apply to that data. The engaging customer is the controller of engagement data; Primus is the processor.

2. Personal Data We Collect

2.1 Account / authentication data

  • Email address (required to sign in)
  • Display name (rendered in audit trails)
  • Phone number (optional, used for SMS one-time-code delivery)
  • Role / title within the engaging organisation
  • Microsoft Entra identity (for users who sign in via single sign-on)

2.2 Authentication telemetry

  • Failed sign-in attempts and lockout state
  • IP address from which you sign in
  • Sign-in timestamps
  • Session cookie identifier (HMAC-signed; we do not store separate session tokens server-side beyond what is needed for verification)

2.3 Usage data

  • Pages you visit on the Service
  • Actions you take (e.g., generating a report, opening a deck, sending a chat message)
  • Chat content you submit and AI responses you receive
  • Per-call records of every AI inference (model used, token counts, cost estimate, anonymised prompt fingerprint)
  • Audit-relevant events (permission denials, rate-limit triggers, AI-budget exceedances)

2.4 Engagement content

The Service holds the substantive content of the engagement — session transcripts, analytical findings, recommendations, deck content, formal-memorandum content. This content may contain personal data of third parties (engagement stakeholders, agency personnel, named individuals discussed in sessions). That data is processed on behalf of the engaging customer under their direction.

3. How We Use Personal Data

Each use of personal data and the lawful basis on which we rely:

  • Authenticating you and authorising access to the parts of the Service you are entitled to see (lawful basis: performance of contract)
  • Sending one-time codes by email or SMS for authentication (lawful basis: performance of contract)
  • Providing the Service's analytical features, including AI-assisted chat and AI-generated work product (lawful basis: performance of contract)
  • Logging actions for security, fraud detection, and audit (lawful basis: legitimate interest in security, plus legal obligation where applicable)
  • Responding to data-subject requests (access, erasure, etc.) (lawful basis: legal obligation)
  • Communicating with you about the Service, e.g. outage notifications and policy changes (lawful basis: legitimate interest)

We do not use your personal data for marketing, profiling, automated decision-making with legal effects, or any purpose unrelated to providing the Service.

4. AI Processing

The Service uses Anthropic Claude as the underlying AI model. When you use chat or trigger AI-generated content, your prompt and the relevant engagement context are sent to Anthropic over HTTPS. Anthropic does not use this data to train AI models — this is a contractual commitment under the Anthropic Commercial Terms of Service.

See the AI Disclosure / Model Card for full detail of AI behaviour, model selection, and how AI-generated output is reviewed before use.

5. How We Share Personal Data

We share personal data with the following categories of recipients:

  • Sub-processors providing infrastructure on our behalf — Microsoft (Azure hosting, identity, communications) and Anthropic (Claude API). See our Sub-Processor List for details. Each sub-processor is contractually bound to data-protection terms equivalent to those in this policy.
  • The engaging customer of the engagement — the customer is the controller of engagement data; Primus is the processor.
  • Authorised individuals within Primus and within the engaging customer — limited to those who need access for the engagement.
  • Legal authorities — only when compelled by valid legal process or when necessary to protect the rights, safety, or property of Primus, our users, or others.

We do not sell personal data. We do not share personal data with advertising networks. We do not disclose personal data to third parties for their independent use.

6. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected:

  • Chat content: 365 days
  • AI audit log entries: 365 days, then anonymised
  • Security event log entries: 90 days
  • Account lockout records: 30 days
  • Authentication identity data: lifetime of access + 90 days post-departure
  • Engagement work product: lifetime of engagement + post-engagement archive per the engaging customer's direction
  • AI prompt versions: indefinite (for forensic accountability)

Retention is enforced automatically by a daily background task. Full per-table policy is in our internal Data Retention Policy (available on request).

7. Where We Store Personal Data

All data is stored in the United States, in Microsoft Azure datacenters in the East US 2 region. We do not transfer personal data outside the US in the course of operating the Service today.

8. Your Rights

Depending on the jurisdiction whose laws apply to you, you may have rights to:

  • Access the personal data we hold about you
  • Rectification of inaccurate data
  • Erasure of personal data ("right to be forgotten")
  • Restriction of processing
  • Portability in a machine-readable format
  • Objection to processing based on legitimate interest

To exercise any of these rights, contact us at legal@primussoft.com with the subject "Data Subject Request". We will respond within 30 days.

For engagement-content data subjects (individuals named in transcripts but who are not platform users), requests should be directed to the engaging customer's General Counsel. Primus will action requests on receiving direction from the controlling customer.

9. Security

We employ commercially reasonable technical and organisational measures to protect personal data, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Authentication via Microsoft single sign-on with multi-factor enforcement, or email/SMS one-time-code with rate-limiting and account lockout
  • Network isolation (database accessible only via Azure Private Endpoint)
  • Secrets management via Azure Key Vault with Managed Identity access
  • Per-tier access controls
  • Audit logging of security events and AI activity
  • Daily automated dependency vulnerability scanning
  • Documented incident response procedure

See our Security & Compliance overview for the public summary, and our Security Architecture Document (available on request under NDA) for the full posture.

10. Children

The Service is not intended for individuals under 18. We do not knowingly collect personal data of children.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated to active users by email. The "Effective date" at the top reflects the most recent revision.

12. Contact

For questions about engagement-specific data handling, contact the engaging customer's data protection officer or general counsel.