Question 1

Is User Intuition SOC 2 certified?

Accepted Answer

User Intuition is not yet SOC 2 certified. We have engaged a SOC 2 attestation firm, implemented the SOC 2 control set, and are in active readiness assessment, targeting Type 1 attestation in H2 2026. Engagement evidence, control inventory summaries, and readiness assessment status are available under NDA via security@userintuition.ai. We comply with GDPR, CCPA, and applicable US state privacy laws today, and all of our sub-processors maintain SOC 2 Type 2 certification. Detailed compliance posture and sub-processor list are publicly documented at userintuition.ai/security/.

Question 2

Where is User Intuition data stored?

Accepted Answer

User Intuition customer data is stored in the United States, specifically the US-East (Ohio) region. Database content, authentication metadata, and application files are hosted by Supabase and Railway, both running in Ohio. The User Intuition marketing website is hosted by Vercel in the United States. We do not transfer customer data outside the United States. All cloud sub-processors are US-based and SOC 2 Type 2 certified.

Question 3

Does User Intuition train AI on customer data?

Accepted Answer

User Intuition does not use customer data to train AI models. Our AI sub-processors are configured to prevent training on customer content: OpenAI is contractually opted out of training, Google Gemini operates on paid-tier defaults that exclude training, and our voice provider runs in HIPAA-enabled mode which prevents both model training and call retention. We do not sell customer data to any third party.

Question 4

Does User Intuition offer a Business Associate Agreement (BAA) for healthcare use?

Accepted Answer

User Intuition is not yet a HIPAA-certified entity; direct HIPAA certification is on our 2026 roadmap. Our customer authentication provider Clerk and our voice provider both offer HIPAA Business Associate Agreements, and the voice integration runs in HIPAA-enabled mode for all User Intuition assistants. For healthcare deployments that require a direct BAA with User Intuition, contact privacy@userintuition.ai to evaluate availability under the relevant deployment scope.

Question 5

How does User Intuition handle a security breach?

Accepted Answer

User Intuition follows a documented incident response plan governed by our Threat and Incident Management Policy. We commit to notifying affected customers within 72 hours of confirmed breach detection, aligned with GDPR Article 33. Suspected security issues can be reported to security@userintuition.ai. Our coordinated vulnerability disclosure timeline is 90 days from confirmed receipt. Vulnerability remediation timelines range from 24 hours for critical findings to 90 days for low-severity issues.

Question 6

How long does User Intuition retain customer data?

Accepted Answer

User Intuition retains customer account data for the duration of the active relationship and deletes it within thirty (30) days of account closure, unless law requires longer retention (for example, litigation hold). Participant transcripts follow the same lifecycle. Our voice provider runs in HIPAA-enabled mode and does not retain recordings after the session. Customers may request deletion at any time by emailing privacy@userintuition.ai.

Question 7

Can I use User Intuition without creating an account?

Accepted Answer

Yes. For teams whose security or procurement requirements block new SaaS tools, User Intuition offers fully managed research with no account and no login required. You send a research brief by email to managed-research@userintuition.ai, User Intuition designs and runs the study, and you receive transcripts, reports, and requested deliverables by email reply or a secure download link. You never connect internal systems, provision an account, or grant standing platform access.

Security & Trust

Run a study without creating an account

Compliance & certifications

Data protection

Application security

Infrastructure

Access control

Incident response

AI governance

Privacy policy

Terms & conditions