Delfyn's Advanced AI Agents

Platform Agents Why Delfyn Solutions Foundations

Schedule a Demo

Deflyn Privacy Policy

Effective Date: 20 October 2025

Last Updated: 20 October 2025

Plain Language Summary

Introduction: Our Commitment to Your Privacy

The Scope of This Policy

The Information We Collect and Why

How We Use Your Information. "No-Training" Guarantee

Our Use of Third-Party Services: A Shield for Your Data

Your Data's Journey: A Step-by-Step Overview

International Data Transfers

Your Data Protection Rights

Data Security, Integrity, and Retention

10.

Cookies and Tracking Technologies

11.

Children's Privacy

12.

Data Breach Notification

13.

Changes to This Privacy Policy

14.

How to Contact Us & Lodge a Complaint

15.

Frequently Asked Questions (FAQ)

0. Plain Language Summary

We believe privacy policies should be easy to understand. This summary gives you the key points of our policy in simple terms. The full policy follows this section.

What We Collect and Why: We collect basic account information (like your name and email) to run your account. The main data we handle is the content you provide for analysis (your "User Content"). We use this only to provide our AI services to you. We also collect technical data to keep our service secure and working well.
How Our AI Agents Use Your Data: Think of our AI agents as a team of digital specialists. You give them a task by providing your User Content (like a document to analyze). The agent uses that content to perform its specific job—like a financial analyst (Finalysis) or a research expert (Intellisights). Your data is the raw material for the work you ask them to do.
Our "No-Training" Guarantee: This is our most important promise. We never use your confidential User Content to train our AI models or any third-party AI models. Your data is used to generate results for you, and that's it. Your strategic information remains yours alone.
How We Protect Your Data (An Analogy): Imagine your data is a sensitive package. When you send it to us, it travels in an armored, encrypted truck (HTTPS). We process it inside a secure vault (our encrypted AWS environment) and enrich it with our own data and intelligence. When we need a specialized tool (like a frontier LLM from Google or OpenAI), the enriched package travels in a new armored, encrypted truck (HTTPS) to the LLM’s encrypted bunker, where it is used to generate new data, and then it is deleted after the new data is sent back to us (via HTTPS).
Your Rights Explained Simply: You have control over your data. You have the right to ask for a copy of your information, correct it, or have it deleted entirely. Our policy explains how you can easily make these requests.

1. Introduction: Our Commitment to Your Privacy

1.1. Welcome to Delfyn

Welcome to Delfyn, Harmonai’s human-enhanced machine intelligence platform engineered for strategic interactions and analyses. This Privacy Policy explains how we collect, use, protect, and share information from you and about you. At Harmonai, we believe that trust is the foundation of any valuable relationship. Protecting your privacy and the confidentiality of your information is fundamental to our mission and a responsibility we take with great seriousness. This policy is designed to be transparent and straightforward, helping you understand our data practices and the choices you have.

1.2. Who We Are

In this policy, "Delfyn," "we," "us," or "our" refers to the entities that provide the Services: Harmonai Ltd., a company registered in the UK, and the developer and owner of Delfyn. "You" or "user" refers to the individual using our Services or the organization you represent.

1.3. Our Global Privacy Standard

Delfyn is committed to a unified, high standard of data protection for all our users, regardless of their location. This policy is designed to meet the rigorous requirements of key global data protection regulations, including Singapore’s Personal Data Protection Act (PDPA), the UK General Data Protection Regulation (UK GDPR), and the European Union's General Data Protection Regulation (EU GDPR). Where the requirements of these laws differ, we are committed to applying the highest standard of protection to your data.

2. The Scope of This Policy

2.1. Services Covered

This Privacy Policy applies to your use of the Delfyn AI platform, our associated websites (including delfyn.ai and harmonai.com), and any related services, products, or features we offer (collectively, the "Services").

2.2. What is "Personal Data"?

For the purposes of this policy, "Personal Data" (or "personal information") means any information that relates to an identified or identifiable individual. This could be information that identifies you on its own, such as your name or email address, or information that can identify you when combined with other data we hold, such as your IP address or employment information. It is important to note that under certain regulations like Singapore's PDPA, "Business contact information" (such as your name, position, business telephone number, and business email address) may be excluded from some personal data protection provisions.

2.3. Our Role: Controller and Processor

Understanding our role is key to understanding our responsibilities for your data under laws like the GDPR. Our relationship with you determines this role, and it differs depending on the type of data involved.

Data Controller for Your Account Information: When we process Personal Data for our own business purposes, such as managing your account, processing payments, and communicating with you, Delfyn acts as the Data Controller. In this role, we determine the purposes for which and the means by which your Personal Data is processed.
Data Processor for Your User Content: When you submit data to our Services for analysis—such as documents you upload or text you enter into prompts (collectively, "User Content")—you are the Data Controller. You own and control this content. In this capacity, Delfyn acts as your Data Processor. Our role is strictly to process this User Content on your behalf and in accordance with your instructions to provide the Services you have requested. This distinction is fundamental to our service model; it legally and contractually frames our responsibility as securing your data and processing it only as directed, not owning it or using it for our own purposes.

3. The Information We Collect and Why

We are committed to the principles of purpose limitation and data minimization, meaning we only collect the information we need to provide and improve our Services, and we are transparent about why we need it. The following sections detail the categories of data we collect.

3.1. User-Provided Information

This is information you actively provide to us when you interact with our Services.

Account & Contact Data: When you register for an account, we collect information such as your name, email address, company name, and password. This is essential for creating and securing your account.
Financial Data: If you subscribe to a paid plan, we will require you payment information to process your payments.
User Content: This is the core data you provide for analysis by the Delfyn platform. It includes any files you upload and the text you enter into prompts for our AI agents (e.g., Finalysis, Sensia, Intellisights, Counterpoint, SwiftScribe and Omni) to process.
Communications: We collect information you provide when you contact our support team, send us feedback, or otherwise communicate with us.

3.2. Automatically Collected Information

This is information we collect automatically as you use our Services.

Usage & Technical Data: Like most digital services, we collect technical data about how you interact with our platform. This includes your IP address, browser type, device information, operating system, and usage logs (e.g., features accessed, agents used, timestamps). This information is vital for maintaining the security, performance, and reliability of our Services.
Cookies: We use cookies and similar tracking technologies to operate and administer our Services. This includes essential cookies required for the platform to function and analytics cookies that help us understand usage patterns.

3.3. Information from Third Parties

As part of its functionality, Delfyn's AI agents are designed to conduct research on your behalf by accessing publicly available information on the internet. This processing of publicly sourced data is performed as part of the Service you request.

3.4. How We Handle Your Data Between Sessions (Agent Memory & File Uploads)

To provide a seamless and intelligent experience, Delfyn is designed with a form of "memory" that enhances its contextual understanding.

Session Context: Within a single conversation thread, the platform retains the context of your last 10 queries and their responses. This allows the AI agent to understand follow-up questions and maintain a coherent dialogue without you needing to repeat information.
Uploaded File Handling: When you upload a file with a query, it is used in two ways to enhance the service:
1.
Immediate Context: The entire file is provided as immediate context for the agent to answer your current query.
2.
Future Retrieval: The file is broken down into smaller "chunks," and these chunks are stored in a secure, encrypted search index (OpenSearch) only accessible to you. This allows the platform to retrieve relevant snippets from your past uploads to provide more informed answers to future queries, saving you the effort of re-uploading the same documents. If an individual user marks an upload as “private”, its chunks will only be available for this specific user’s future queries. If an upload is not marked as “private”, it will be accessible to queries of other users within the same company account. No uploads will ever be shared across different accounts.

Table: Our Data Processing Activities

To ensure maximum transparency, the table below outlines our data processing activities, the purpose of that processing, and for our users in the UK and EU, the lawful basis for that processing under the GDPR.

Category of Data	Examples	Purpose of Processing	Lawful Basis (for UK/EU GDPR Users)
Account & Contact Data	Name, email address, company, password	To create and manage your account, authenticate you, and provide customer support.	Performance of a Contract
Financial Data	Payment card details or equivalent (processed by our payment partner)	To process payments for your subscription to the Services.	Performance of a Contract
User Content	Documents you upload, text prompts you send to our AI Agents.	To provide the core functionality of the Delfyn platform, enabling our AI Agents to perform the tasks as requested by you.	Performance of a Contract (i.e., to fulfill our service agreement with you).
Usage & Technical Data	IP address, browser/device info, feature interaction logs.	To monitor security threats, prevent fraud, maintain and improve the performance and functionality of our Services, and understand user needs for new product development.	Legitimate Interests (e.g., securing our platform against unauthorized access, and improving our services by analyzing usage trends to inform product updates).
Communications Data	Support tickets, feedback submissions	To respond to your inquiries and improve our Services.	Legitimate Interests (e.g., providing high-quality customer service and using feedback to enhance our platform).
Marketing Data	Email address (for newsletters).	To send you information about our products and services from which you can opt-out at any time.	Consent

4. How We Use Your Information. "No-Training" Guarantee

4.1. Fulfilling Our Service to You

Our primary use of your information is to deliver the Services you have requested. As established in our data processing table, the lawful basis for this under the GDPR is the "Performance of a Contract". We use your Account Data to manage your access and your User Content as the direct input for analysis by Delfyn's specialized AI agents.

4.2. Improving and Securing Our Services

We use Usage & Technical Data to ensure our Services are secure, reliable, and effective. This falls under our "Legitimate Interests" to operate and improve our business. This data helps us identify security threats, diagnose performance issues, and understand which features are most valuable to our users, guiding our future development. Where possible, this analysis is performed on aggregated or anonymized data to protect your privacy.

4.3. Specific Purposes of Our AI Agents

Your User Content is processed by our specialized AI agents to perform specific, high-value tasks as part of the Service. Each agent is engineered with a distinct purpose and workflow:

Finalysis (Financial Analyst): This agent analyzes a company's financial statements and related documents to assess its financial health, profitability drivers, and resiliency.
Sensia (Sentiment Analyst): This agent performs a forensic analysis of text to identify and classify the specific emotions of different stakeholder groups on key topics.
Intellisights (Research Analyst): This agent acts as an expert researcher, autonomously gathering information from publicly available internet sources to build a comprehensive, verifiable knowledge base on your query.
Counterpoint (Critique Analyst): This agent acts as a "red team" to systematically challenge a plan, strategy, or argument you provide.
SwiftScribe (Communications Architect): SwiftScribe is an elite Strategic Communications Architect.
Omni (Dispatcher): Omni is the platform's intelligent nerve center. It is a highly specialized AI model engineered for a single, critical purpose: to perform sophisticated intent analysis on user queries and route them with precision to the correct specialized agent.

4.4. Our AI Model Training Policy: Your Content is Not Our Product

Delfyn does not use your User Content (including your prompts, any files you upload, or the output generated by our AI agents) to train or improve our proprietary AI models or any third-party AI models.

Your confidential information and intellectual property are yours alone. This policy aligns with the robust, enterprise-grade "no-training" guarantee that has become the industry standard for paid, professional-grade AI services. This ensures that the insights you generate with Delfyn remain your strategic advantage.

5. Our Use of Third-Party Services: A Shield for Your Data

To provide a powerful and resilient service, we partner with leading third-party providers. This section explains how we select and manage these partners to ensure your data, particularly your sensitive User Content, remains protected. This architecture is designed to shield Delfyn, and by extension you, from data privacy risks related to these third parties.

5.1. Our Partners (Subprocessors)

We engage a limited number of third-party service providers, known as subprocessors, to support the delivery of our Services. These include:

Cloud Infrastructure Provider: We use Amazon Web Services (AWS) for secure hosting of our platform and all associated data.

Foundation Model Providers: Our proprietary Delfyn agentic layer integrates and orchestrates various Large Language Models (LLMs) from providers like OpenAI and Google to act as generative engines.

Payment Processors: We use industry-leading payment processors to handle subscription payments securely.

5.2. The "Data Enclave" Model: How We Protect Your Content

To provide our generative AI features, we partner with foundation model providers like Google and OpenAI. When you submit User Content for analysis, our platform assembles the necessary context within our secure AWS environment. This data is then sent via a secure, encrypted (HTTPS) connection to the provider's API to be processed. The provider generates a response, which is sent back to Delfyn and delivered to you.

5.3. Contractual Firewalls with LLM Providers

Our data protection model is built on robust, legally-binding contractual "firewalls" with our LLM providers. We have enterprise-grade Data Processing Agreements (DPAs) in place that contractually obligate these providers to uphold our strict privacy standards. These agreements ensure that:

No Training: They are prohibited from using any User Content sent via their API to train or improve their AI models.

Zero/Limited Retention: They are contractually bound to delete your User Content immediately after the response is generated or after a short, contractually-defined period (e.g., for abuse monitoring).

Data Processor Role: They act only as our Data Processor, meaning they can only process the data according to our specific instructions and for no other purpose.

Under this model, your User Content is processed by our partners, but it is governed by our strict enterprise agreements.

6. Your Data's Journey: A Step-by-Step Overview

To provide full transparency, here is a step-by-step description of how your data flows through the Delfyn platform when you submit a query.

Submission: You enter a prompt and may upload a file through our secure web interface. All data is immediately encrypted in transit using HTTPS.

Secure Storage: Your data arrives in our secure, private cloud environment hosted on AWS.

Uploaded Files: The raw content of your uploaded file is stored in an encrypted Amazon S3 bucket.
Queries and Responses: Your prompts and the AI-generated responses are stored in an encrypted RDS (PostgreSQL) database.
File Processing for Future Use: The content of your uploaded file is broken into chunks, converted into numerical representations (embeddings), and both are stored in an encrypted OpenSearch database to make them searchable for your future queries.

Context Assembly: To answer your query, our system assembles the necessary context. This includes your current prompt, relevant data from the file you just uploaded, and potentially relevant chunks from files you have uploaded in the past.

Secure AI Processing: This complete context is passed to the appropriate foundation model (e.g., from OpenAI or Google) for processing, as described in Section 5.3.

Response Delivery: The LLM generates a response, which is sent back to you through our platform and stored in our encrypted RDS database as part of your conversation history.

At every step, your data is protected by encryption, both when it is in transit over the internet and when it is at rest in our storage systems (S3, RDS, OpenSearch).

7. International Data Transfers

As a global business with entities in Singapore and the UK, and using cloud infrastructure that may be located in different geographic regions, your Personal Data may be transferred and processed in countries outside of where you reside. We ensure that all such transfers are conducted in full compliance with applicable data protection laws.

Transfers from the UK and EU to the US: For transfers of Personal Data from the United Kingdom and the European Union to the United States, we rely on adequacy mechanisms. This includes the UK-US Data Bridge and the EU-US Data Privacy Framework. We transfer data to third-party partners, such as AWS, that are certified under these frameworks, which confirm that they provide a level of data protection considered adequate by UK and EU authorities.
Transfers from Singapore: Singapore’s PDPA requires that organizations transferring personal data overseas ensure the recipient provides a "comparable standard of protection".We fulfill this obligation through our legally binding contracts with our subprocessors, such as AWS, which contain enforceable obligations requiring them to protect the data to a standard that is comparable to the protection under the PDPA.
Other Transfers: For any international transfers not covered by a specific adequacy decision, we will implement appropriate safeguards as required by law. This includes using the European Commission’s Standard Contractual Clauses (SCCs), supplemented where necessary by the UK’s International Data Transfer Addendum (IDTA), to govern the transfer.

8. Your Data Protection Rights

We are committed to ensuring you have control over your Personal Data. In line with our "highest standard" approach, we provide all our users with a comprehensive set of data protection rights, consistent with those granted by the GDPR.

You have the following rights with respect to your Personal Data:

Right of Access: You have the right to request a copy of the Personal Data we hold about you and information about how we process it.
Right to Rectification: You have the right to request that we correct any inaccurate or incomplete Personal Data we hold about you.
Right to Erasure ('Right to be Forgotten'): You have the right to request the deletion of your Personal Data when it is no longer necessary for the purposes for which it was collected, or in certain other circumstances.
Right to Restrict Processing: You have the right to request that we temporarily suspend the processing of your Personal Data in certain situations, for example, if you are contesting the accuracy of the data.
Right to Data Portability: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to have it transmitted to another party where technically feasible.
Right to Object: You have the right to object to our processing of your Personal Data where we are relying on our legitimate interests as the legal basis for processing.
Right to Withdraw Consent: Where our processing is based on your consent (for example, for marketing communications), you have the right to withdraw that consent at any time.

8.1. How to Exercise Your Rights

Exercising your rights is simple. To make a request related to any of the rights listed above, please email our Data Protection Officer at dpo@harmonai.com.

Example - Requesting Access: To request a copy of your data, you can send an email with the subject line "Data Subject Access Request." We will verify your identity and then provide you with a copy of the personal data we hold about you.
Example - Requesting Erasure: To request the deletion of your account and associated data, you can send an email with the subject line "Data Erasure Request." Upon verifying your identity, we will initiate the process to delete your data in accordance with our retention policy.

We will respond to your request in accordance with applicable data protection laws.

9. Data Security, Integrity, and Retention

9.1. Our Security Measures

We are committed to protecting the security of your information. In line with the "Protection Obligation" of the PDPA and the "Integrity and Confidentiality" principle of the UK/EU GDPR, we implement appropriate technical and organizational measures to safeguard your Personal Data from unauthorized access, use, disclosure, alteration, or destruction. These measures include encryption of data in transit and at rest, strict access controls, regular security assessments of our systems, and employee training.

9.2. Data Minimization

We practice data minimization by collecting only the personal data that is strictly necessary to provide our Services. For example:

When you sign up, we only require the essential information needed to create and manage your account (e.g., name, email), not extraneous personal details.
When analyzing platform usage to improve our services, we strive to use aggregated or anonymized data whenever possible to avoid processing individual-level information.

9.3. Data Retention

We adhere to the principle of "Retention Limitation". We will retain your Personal Data only for as long as is necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Account Information:Retained for the duration your account is active and for up to 180 days after account closure to satisfy legal and regulatory obligations.
User Content (Queries, Responses, Uploaded Files):All User Content, including your prompts, AI-generated responses, uploaded files, and their associated chunks and embeddings, will be permanently deleted from our systems 90 days after your account is closed. While your account is active, this content is retained to provide you with the Service and your conversation history.
Usage & Technical Data:Anonymized or aggregated technical data used for analytics may be retained for up to 24 months. Specific security logs containing IP addresses are retained for a maximum of 12 months.

10. Cookies and Tracking Technologies

We use cookies that are essential for the Delfyn platform to function correctly. We may also use cookies for analytical purposes to help us understand how our Services are used and to improve them. For any non-essential cookies, we will obtain your consent before placing them on your device, in compliance with applicable laws. You can manage your cookie preferences through our website's cookie management tool.

11. Children's Privacy

Our Services are not directed to or intended for use by individuals under the age of 18 (or the applicable age of consent in your jurisdiction). We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child, we will take steps to delete it as soon as possible.

12. Data Breach Notification

In the unlikely event of a data breach that compromises your Personal Data, we have a clear procedure in place to respond swiftly and transparently.

Containment: For Our first priority is to immediately take steps to contain the breach and secure our systems to prevent any further unauthorized access.

Assessment: We will promptly assess the nature and scope of the breach, including the type of data involved and the potential risk to individuals.

Notification: If the assessment indicates that the breach is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant data protection authorities (such as Singapore's PDPC and the UK's ICO) without undue delay. This notification will describe the nature of the breach, the likely consequences, and the measures we are taking to address it.

13. Changes to This Privacy Policy

The world of technology and data privacy is constantly evolving. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or the law. If we make a material change, we will provide you with notice, for example, by sending an email or displaying a prominent notice within our Services. We encourage you to review this policy periodically.

14. How to Contact Us & Lodge a Complaint

14.1. Data Protection Officer (DPO)

To oversee our compliance with data protection laws, we have appointed a Data Protection Officer (DPO). If you have any questions about this Privacy Policy or our data protection practices, you can contact our DPO at:
dpo@harmonai.com

14.2. Questions and Concerns

For general privacy-related inquiries, please email us at privacy@harmonai.com.

14.3. Supervisory Authorities

You have the right to lodge a complaint with a data protection authority if you have concerns about how we are processing your Personal Data.

For users in Singapore, the relevant authority is the Personal Data Protection Commission (PDPC).
For users in the United Kingdom, the relevant authority is the Information Commissioner’s Office (ICO).
For users in the European Union, you may lodge a complaint with the supervisory authority in your country of residence.

15. Frequently Asked Questions (FAQ)

Q: Is my data used to train Delfyn's AI or any other AI?
A: Absolutely not. We have a strict "no-training" guarantee. Your User Content is used exclusively to generate responses for you and is never used to train or improve any AI models.
Q: What happens to the files I upload?
A: Uploaded files are used for two purposes: first, to provide immediate context for the query you upload them with, and second, they are securely indexed to provide context for your future queries so you don't have to upload the same information repeatedly.
They are deleted 90 days after you close your account.
Q: How do I delete my account and all my data?
A: You can request the deletion of your account and all associated data by emailing our Data Protection Officer at dpo@harmonai.com with the subject line "Data Erasure Request." We will guide you through the process.
Q: Who are your main third-party service providers?
A: Our primary infrastructure provider is Amazon Web Services (AWS). We also use foundation AI models from providers like Google and OpenAI.
Q: How long is my data stored?
A: Your account information is kept while your account is active and for 180 days after closure. All your User Content (prompts, responses, files) is deleted 90 days after you close your account. Please see Section 9.3 "Data Retention" for full details.