Privacy Policy

1.1Account and Registration Information. When you register for an account or enter into a commercial agreement with us, we collect: full name; business email address; company name; job title and department; billing and payment information (processed by our payment sub-processor; we do not store raw payment card data); telephone number; and the jurisdiction or country of your organization.

1.2Customer Data. Seismic data and subsurface survey files (SEG-Y, LAS, GeoTIFF, and related formats); AI interpretation results and work products (denoised volumes, horizon picks, fault surfaces, anomaly maps); annotation records created through human-in-the-loop review; and any other content you or your Authorized Users upload to, process through, or generate using the Service. We treat Customer Data as strictly confidential and process it solely to provide the Service.

1.3Usage and Telemetry Data. We automatically collect information about how you interact with the Service, including: API call logs (endpoint, timestamp, response code, latency); pipeline execution metadata (job identifiers, stage durations, processing status); feature usage patterns; session identifiers; IP addresses; browser type and version; operating system; and referring URLs. This data is used for operational monitoring, security, and service improvement.

1.4Communications. When you contact us for support, sales inquiries, or other purposes, we collect the content of your communications, including email content, chat transcripts, and any attachments you provide.

1.5Cookies and Tracking Technologies. We use cookies and similar technologies as described in Section 10.

2.1Service Delivery and Operations. To provision, operate, maintain, and improve the Service, including running machine learning inference pipelines, orchestrating workflows, storing and retrieving Customer Data, and generating interpretation outputs.

2.2Account and Billing Management. To create and administer your account, authenticate identity, process and collect payments, send invoices and billing notifications, and manage subscription renewals.

2.3Customer Support and Communications. To respond to your support requests, technical inquiries, and other communications; to send you service-related notifications (e.g., maintenance windows, security alerts, SLA reports); and to provide onboarding and training.

2.4Security, Fraud Prevention, and Compliance. To monitor for and detect security incidents, unauthorized access, abuse, and fraudulent activity; to maintain cryptographic audit logs as required by our SOC 2 Type II controls; to comply with applicable legal obligations and respond to lawful requests from governmental authorities; and to enforce our agreements and policies.

2.5Service Improvement and Research. To analyze aggregated, anonymized usage patterns in order to improve the Service and develop new features. We do not use Customer Data (i.e., seismic files or interpretation results) to train, fine-tune, or benchmark our machine learning models without your explicit, prior written consent.

2.6Marketing and Promotional Communications. With your consent where required by applicable law, to send you product updates, event invitations, case studies, and other marketing communications. You may unsubscribe at any time.

For individuals in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data on the following legal bases under GDPR Article 6:

3.1Article 6(1)(b) — Contractual Necessity. Processing is necessary to perform our contract with you or to take pre-contractual steps at your request, including: provisioning and operating the Service; processing payments; and providing customer support.

3.2Article 6(1)(c) — Legal Obligation. Processing is necessary to comply with our legal obligations, including: retaining financial records for tax and audit purposes; maintaining SOC 2 audit logs; and responding to lawful governmental requests.

3.3Article 6(1)(f) — Legitimate Interests. Processing is necessary for our legitimate interests in: operating and improving the Service; detecting and preventing fraud and security incidents; communicating with existing customers about product updates; and enforcing our agreements, provided such interests are not overridden by your rights and interests.

3.4Article 6(1)(a) — Consent. Where we rely on consent as the legal basis, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. Withdrawal of consent will not affect the continued provision of the Service to the extent processing is also based on another legal ground.

3.5For processing of special categories of personal data (GDPR Article 9), we rely on your explicit consent or another applicable basis under Article 9(2). We do not anticipate that our Service will involve special category data in ordinary course operations.

4.1Sub-processors. We share data with third-party service providers (sub-processors) who assist us in operating the Service, as described in Section 5. Each sub-processor is bound by data processing agreements that are no less protective than this Policy.

4.2Legal Compliance and Safety. We may disclose information if required by applicable law, regulation, legal process, or governmental request; to enforce our agreements and policies; to protect the rights, property, or safety of Seismic Swift AI, our customers, or others; or to prevent, detect, or investigate illegal activity, fraud, or security incidents.

4.3Business Transfers. In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity as part of the transaction. We will provide at least thirty (30) days' advance notice of any such transfer and the opportunity to delete your account if you object.

4.4With Your Consent. We may share information with third parties with your explicit prior consent, such as when you authorize a third-party integration through our API or platform settings.

4.5No Sale of Data. We do not sell, rent, lease, or exchange your personal information or Customer Data to third parties for their own marketing or commercial purposes. This commitment is absolute and is not qualified by any “business purpose” exception.

5.1We engage the following categories of sub-processors to assist in delivering the Service. We maintain a complete and current sub-processor list at seismicswiftai.com/legal/sub-processors.

5.2We will notify you at least thirty (30) days before adding or replacing a sub-processor that will process your personal data. You may object to a new sub-processor by contacting your account representative; if the objection cannot be resolved, you may terminate the affected service.

6.1Seismic Swift AI is headquartered in the United States. To the extent that processing involves a transfer of personal data from the EEA, United Kingdom, or Switzerland to a country not recognized by the European Commission as providing an adequate level of protection, we rely on the following transfer mechanisms:

6.2Standard Contractual Clauses (SCCs). We rely on the Standard Contractual Clauses adopted by the European Commission Decision 2021/914 (Module Two: Controller-to-Processor or Module One: Controller-to-Controller as applicable). Our DPA, available at /legal/dpa, incorporates the relevant SCC modules.

6.3EU-U.S. Data Privacy Framework. To the extent Seismic Swift AI or its sub-processors are certified under the EU-U.S. Data Privacy Framework, we rely on that framework as an additional transfer mechanism.

6.4UK Addendum. For transfers from the United Kingdom, we rely on the International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner's Office.

6.5We have conducted Transfer Impact Assessments (TIAs) for our primary data transfers to the United States. Copies of our TIA methodology and supplementary technical measures are available to Enterprise customers upon request under a non-disclosure agreement.

6.6Customer may configure its subscription to store and process Customer Data exclusively within a specific Azure region (e.g., US East, West Europe, Southeast Asia). Please contact your account representative to enable region-lock configuration.

7.1Customer Data. We retain Customer Data for the duration of the Subscription Term. Upon termination or expiration, we provide a thirty (30)-day data retrieval window. Following that window, Customer Data is securely and permanently deleted within ninety (90) days using NIST 800-88 compliant methods, and a deletion certificate is issued to Customer upon request.

7.2Account Information. We retain account information, including contact details and billing records, for a period of seven (7) years following the end of the commercial relationship, as required by applicable U.S. tax and accounting laws.

7.3Audit Logs. Cryptographic audit logs maintained pursuant to our SOC 2 Type II controls are retained for a minimum of seven (7) years. These logs contain metadata (timestamps, user identifiers, action types, IP addresses) but not the content of Customer Data.

7.4Security Incident Records. Records of security incidents are retained for seven (7) years to satisfy legal, regulatory, and insurance requirements.

7.5Marketing Data. Contact information used for marketing communications is retained until you unsubscribe or request deletion, plus one (1) year to honor opt-out preferences.

7.6Aggregated Data. Anonymized and aggregated statistical data that cannot identify any individual or customer may be retained indefinitely for product development and benchmarking purposes.

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

8.1Right of Access (GDPR Art. 15; CCPA). You may request a copy of the personal data we hold about you, including information about its source, purpose of processing, recipients, and retention period.

8.2Right to Rectification (GDPR Art. 16). You may request correction of inaccurate or incomplete personal data without undue delay.

8.3Right to Erasure (GDPR Art. 17; CCPA). You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to our legal retention obligations.

8.4Right to Portability (GDPR Art. 20). You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and have it transmitted to another controller where technically feasible.

8.5Right to Restriction (GDPR Art. 18). You may request that we restrict processing of your personal data in certain circumstances, for example while the accuracy of the data is contested or your objection is being considered.

8.6Right to Object (GDPR Art. 21). You may object at any time to the processing of your personal data for purposes based on legitimate interests or for direct marketing.

8.7Rights Related to Automated Decision-Making (GDPR Art. 22). We do not make decisions based solely on automated processing that produce significant legal or similarly significant effects. Our AI interpretation outputs are always subject to human review.

8.8CCPA Additional Rights. California residents have the right to: know what personal information is collected, used, disclosed, or sold; request deletion of personal information; opt out of the sale or sharing of personal information (we do not sell data); limit use of sensitive personal information; and not be discriminated against for exercising these rights.

8.9To exercise any of these rights, submit a request to privacy@seismicswiftai.com or through your account settings. We will respond within thirty (30) days for GDPR requests and forty-five (45) days for CCPA requests. We may extend the response period by up to ninety (90) additional days for complex requests, with notice. We reserve the right to verify your identity before processing any request.

8.10You also have the right to lodge a complaint with your competent supervisory authority. For EU residents, a list of supervisory authorities is available at edpb.europa.eu. For UK residents, the relevant authority is the Information Commissioner's Office (ico.org.uk).

9.1The Service is a professional B2B platform and is not directed to, nor intended for use by, individuals under the age of eighteen (18). We do not knowingly collect personal information from individuals under 18.

9.2If we become aware that we have inadvertently collected personal information from a person under 18, we will take immediate steps to delete such information from our systems. If you have reason to believe that a person under 18 has provided personal information to us, please contact privacy@seismicswiftai.com.

10.1Strictly Necessary Cookies. These cookies are essential for the operation of the Service, including session management, authentication token storage, CSRF protection, and load balancing. They cannot be disabled without impairing Service functionality. Legal basis: contractual necessity (GDPR Art. 6(1)(b)).

10.2Functional Cookies. These cookies remember your preferences (e.g., language, time zone, dashboard layout) to provide a personalized experience. Legal basis: legitimate interests (GDPR Art. 6(1)(f)) or consent.

10.3Analytics Cookies. With your explicit consent, we use first-party analytics to understand how the Service is used, identify performance bottlenecks, and guide product development. We do not use third-party analytics services that share data with advertising networks. Legal basis: consent (GDPR Art. 6(1)(a)).

10.4No Advertising Cookies. We do not use advertising, retargeting, or cross-site tracking cookies. We do not participate in any advertising network or data broker program.

10.5On your first visit, a cookie consent banner allows you to accept or decline non-essential cookies. You may change your preferences at any time through the Cookie Settings link in the footer. You may also disable cookies through your browser settings, although doing so may impair certain Service functionality.

11.1We implement comprehensive technical and organizational security measures appropriate to the risks presented by the processing, including:

• Encryption at rest: AES-256 encryption for all stored Customer Data.
• Encryption in transit: TLS 1.3 for all data transmissions between clients and the Service.
• Access control: Role-based access control (RBAC) with strict tenant isolation; multi-factor authentication (MFA) required for all privileged access.
• Audit logging: Cryptographic audit chains with Ed25519 digital signatures for all data access, modification, and deletion events.
• Network security: Azure Virtual Network with private endpoints; Web Application Firewall (WAF); DDoS protection.
• Vulnerability management: Annual third-party penetration testing; continuous automated dependency scanning; responsible disclosure program.
• Compliance: SOC 2 Type II certification covering Security, Availability, and Confidentiality trust service criteria.

11.2In the event of a security incident affecting your personal data, we will notify you and applicable supervisory authorities within seventy-two (72) hours of becoming aware of the incident, as required by GDPR Article 33 and applicable law. The notification will include the information specified in Article 33(3).

11.3No security measure is completely infallible. We encourage you to use strong, unique passwords and to enable MFA for your account.

12.1We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The “Last Updated” date at the top of this page indicates when the Policy was last revised.

12.2For material changes — defined as changes that meaningfully affect your rights or our obligations regarding your personal data — we will provide at least thirty (30) days' prior notice by: (a) posting a notice on our website; (b) sending an email to the address associated with your account; and/or (c) displaying a prominent in-product notification.

12.3For non-material changes (e.g., typographical corrections, contact details updates, or clarifications that do not affect your substantive rights), we may update this Policy without prior notice.

12.4Your continued use of the Service after the effective date of any revised Policy constitutes your acceptance of the changes. If you do not agree to a material change, you may terminate your account prior to the effective date.

For questions about this Privacy Policy, to exercise your data subject rights, or to raise any privacy concern, please contact our Data Protection Officer:

Questions? Contact legal@seismicswiftai.com