Privacy Policy
Effective Date: 30 April 2026
Version: 2.0
Replaces: any prior privacy notice
1. Who We Are
WASH AI is operated by Baobab Tech, a trading name of Mills IT Consulting Ltd. ("Baobab Tech", "we", "us", or "our"), a company incorporated in Alberta, Canada.
This Privacy Policy explains how we collect, use, share, and protect personal data across the WASH AI platform and all of its tenants and sub-tenants, including but not limited to:
- SaniHub
- ACF (Action Contre la Faim / Action Against Hunger)
- RWSN (Rural Water Supply Network)
- Resource Recovery Toolbox
- Global WASH Cluster
This policy applies to all interfaces through which the service is delivered: the public website, tenant-branded deployments, mobile applications, APIs, embedded widgets, and third-party messaging integrations such as WhatsApp and Telegram.
This policy operates alongside the WASH AI Terms of Service and any applicable Data Processing Agreement (DPA) between Baobab Tech and a tenant organisation.
Contact:
General queries: support@washai.org
Privacy and data-subject requests: privacy@washai.org
EU representative under Article 27 GDPR: to be appointed. Until an EU-established representative is formally appointed, EU data subjects can direct GDPR enquiries to privacy@washai.org.
2. Roles Under Data-Protection Law
Public service. When you interact directly with the public WASH AI service or sign up for a Baobab-Tech-operated account, Baobab Tech is the data controller for your personal data.
Tenant deployments. When you access WASH AI through a tenant organisation (for example, a SaniHub or ACF instance), the tenant is generally the controller for the personal data of its end users, and Baobab Tech acts as a processor under a Data Processing Agreement. In some cases the tenant and Baobab Tech may be joint controllers for specific processing activities, in which case the essential terms of that arrangement are made available on request, in line with Article 26 GDPR.
Model providers. Third-party AI model providers act as our sub-processors for inference. Their identities, locations, and data-handling commitments are listed in Section 6 of this policy.
3. Personal Data We Collect
We collect the minimum data necessary to deliver, secure, and improve the service.
3.1 Account data.
Name, email address, organisational affiliation, role/job title (optional), preferred language, and the password hash for credential-based logins. For SSO logins, we receive only the identity attributes the identity provider releases to us.
3.2 Conversation data.
The prompts you submit, the model responses returned, the model selected for each turn, language of the exchange, timestamps, and any user feedback (thumbs up/down, written comments).
3.3 Technical and platform telemetry.
IP address (truncated where feasible), device and browser type, operating system, approximate location derived from IP at country or city level, session identifiers, error logs, performance metrics, and feature-usage events.
3.4 Cookies and similar technologies.
Strictly-necessary cookies for authentication and session management, and (with your consent) analytics or preference cookies. See Section 11.
3.5 Communications.
Records of correspondence with our support, privacy, and security mailboxes.
3.6 Tenant-specific data.
Where a tenant configures additional fields (e.g., country of operation), the tenant determines what is collected and on what basis.
We do not intentionally collect special-category data within the meaning of Article 9 GDPR. You are asked not to submit such data through prompts. If we become aware that special-category data has been submitted, we will delete it unless retention is required by law.
4. How We Use Personal Data and Lawful Bases
| Purpose | Lawful basis (Article 6 GDPR) |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) |
| Delivering AI responses to your queries | Contract (Art. 6(1)(b)) |
| Routing queries to the chosen AI model and provider | Contract (Art. 6(1)(b)) |
| Securing the service, preventing abuse, fraud and rate-limit evasion | Legitimate interests (Art. 6(1)(f)) |
| Diagnosing errors and improving reliability | Legitimate interests (Art. 6(1)(f)) |
| Analytics and product improvement | Consent (Art. 6(1)(a)) where required, otherwise legitimate interests |
| Sending operational emails (service notices, breach notifications) | Contract / legal obligation |
| Sending marketing or product-update emails | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We carry out a Legitimate Interests Assessment (LIA) for each processing activity relying on Article 6(1)(f) and balance our interests against your rights and freedoms.
We do not sell personal data and do not use your prompts or outputs to train AI models. Our integrations with model providers are configured to exclude training use wherever the provider permits.
5. AI Model Routing and Data Flow
WASH AI routes each query to a third-party AI model. Different models offer different commitments:
- Data retention. Some models operate under zero-data-retention (ZDR) configurations, meaning prompt and response data is not stored by the provider beyond the time strictly needed to return the response. Others may temporarily retain data for abuse-prevention or operational purposes.
- Processing region. Some models are processed exclusively in the European Union; others in the United States, the United Kingdom, or other jurisdictions.
- Use for training. WASH AI configures provider integrations to exclude training-data use wherever supported.
Routing infrastructure.
Inference requests are routed in one of two ways depending on the model selected:
- EcoSmart (Mistral Magistral Medium) is called via a direct API connection to Mistral AI under WASH AI's commercial agreement with Mistral, with zero data retention. The Vercel AI Gateway is not used for this route.
- All other models (Fast, Medium, Medium Alt, Smart) are routed via the Vercel AI Gateway, which forwards the call to the underlying model provider selected in the user-facing model selector. The Gateway itself does not retain prompt or response content beyond the request lifecycle for WASH AI traffic; provider-side retention is governed by each model provider's terms.
EU-only routing — EcoSmart (Mistral Magistral Medium).
Users requiring EU-resident processing must select the EcoSmart option in the model selector, which is invoked through a direct API connection to Mistral AI (France). When EcoSmart is selected, inference is performed on EU infrastructure under a zero-data-retention configuration. No prompt or response personal data is transferred outside the EU/EEA in connection with the inference call itself, save for limited platform telemetry described in this policy.
Zero-data-retention preference.
For every model offered, WASH AI selects the zero-data-retention (ZDR) configuration where the underlying provider makes ZDR available. Where the provider does not offer ZDR, the provider's standard short-term retention applies (typically up to 30 days for abuse-prevention purposes). The current ZDR status of each model is shown in Section 6.2 and is reviewed when provider terms change.
For each query, the WASH AI interface displays which model produced the response. The current model-by-model breakdown — covering processing region, retention, training-exclusion, and the underlying provider — is set out in Section 6 below.
6. Sharing of Personal Data, Sub-processors, and AI Models
We share personal data only with:
- Sub-processors that operate components of the service (cloud hosting, AI model providers, email delivery, analytics, error monitoring), under Article 28 GDPR contracts.
- Tenant organisations that have provisioned your account, where that tenant is the controller for your access.
- Professional advisers (lawyers, auditors, accountants) under confidentiality obligations.
- Authorities and courts where required to comply with a legally binding request, after a proportionality review.
- Successors in the context of a merger, reorganisation, or sale of assets, under equivalent protections.
We do not sell personal data and do not share personal data for cross-context behavioural advertising. Material changes to the lists below are communicated at least 30 days in advance where reasonably practicable, with an opportunity to object.
6.1 Sub-processors
| Sub-processor | Function | Processing region | Transfer mechanism |
|---|---|---|---|
| Vercel (serverless functions) | Application deployment and serverless function execution | EU — Frankfurt | n/a (EU) for inference traffic; EU SCCs for any incidental US-based control-plane processing |
| Neon | Primary application database (account, conversation, configuration data) | EU — Frankfurt | n/a (EU) |
| Baobab Tech (in-house) | Authentication and account management; data stored in Neon (EU — Frankfurt) | EU — Frankfurt | n/a (EU) |
| Postmark | Transactional email (service notifications, security alerts) | United States | EU SCCs + supplementary measures (encryption in transit and at rest, minimised payload) |
| Vercel Analytics | Privacy-respecting product analytics | Multi-region | EU SCCs where applicable |
| Vercel (error monitoring) | Crash and error reporting | Multi-region | EU SCCs where applicable |
| Vercel AI Gateway | Routing and load-balancing of inference requests for the Fast, Medium, Medium Alt, and Smart models (does not route EcoSmart traffic) | Multi-region (no prompt/response retention beyond request lifecycle) | EU SCCs where applicable |
| Mistral AI (direct API) | Inference for EcoSmart (Mistral Magistral Medium); does not pass through the Vercel AI Gateway | European Union | n/a (EU); ZDR by contract |
| AI model providers (via Vercel AI Gateway) | Inference for non-EcoSmart models (see Section 6.2) | Varies by model | See Section 6.2 |
This list reflects Baobab Tech's current operational stack and is updated as suppliers change. The current list can be requested at any time by writing to privacy@washai.org.
6.2 AI models available in WASH AI
EcoSmart is invoked via a direct API integration with Mistral AI. All other models are accessed via the Vercel AI Gateway. Where a provider offers a zero-data-retention (ZDR) configuration, WASH AI uses it. The list below reflects the configuration in force at the effective date of this policy and is updated when provider terms or available models change.
| Model (display name) | Underlying model and provider | Routing | Processing region | Data retention | Training-data use |
|---|---|---|---|---|---|
| Fast | Open-source 120B Mixture-of-Experts model, served by an inference partner | Vercel AI Gateway | Provider-dependent (typically United States) | ZDR where supported by the serving partner; otherwise short-term (≤30 days) abuse-prevention logs | Excluded |
| Medium | Qwen 3.6 Plus (Alibaba Cloud) | Vercel AI Gateway | Operated by Alibaba Cloud; routing region as configured by the Gateway provider | Provider-standard short-term retention (typically ≤30 days) where ZDR is not offered | Excluded under the configured commercial terms |
| Medium Alt | MiniMax M2.7 (MiniMax) | Vercel AI Gateway | Operated by MiniMax; routing region as configured by the Gateway provider | Provider-standard short-term retention (typically ≤30 days) where ZDR is not offered | Excluded under the configured commercial terms |
| EcoSmart | Mistral Magistral Medium (Mistral AI) | Direct API integration with Mistral AI (does not pass through the Vercel AI Gateway) | European Union | Zero data retention | Excluded |
| Smart | Claude Haiku 4.5 (Anthropic) | Vercel AI Gateway | United States | Zero data retention under Anthropic's ZDR commitment for API customers | Excluded |
EU-only requirement. Select EcoSmart to keep inference within the EU under ZDR. Selecting any other model constitutes your instruction to route the query to that model's processing region under that provider's terms.
Provider terms. Each provider's data-handling terms are referenced through the Vercel AI Gateway provider catalogue. WASH AI configures the Gateway to use ZDR routes where they exist. Current provider terms can be requested from privacy@washai.org.
The in-product model selector reflects the live list of available models. When a fallback or routing decision changes the model mid-conversation, the interface flags the change.
7. International Data Transfers
Where personal data is transferred outside the European Economic Area, the United Kingdom or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards under Chapter V GDPR, including:
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK Addendum / Swiss-equivalent clauses where applicable;
- Transfer Impact Assessments consistent with EDPB Recommendations 01/2020 (Schrems II);
- Supplementary technical measures including encryption in transit (TLS 1.2+) and at rest (AES-256), pseudonymisation where feasible, strict access control, and short retention windows.
You can minimise international transfers for inference traffic by selecting an EU-resident model such as EcoSmart. A copy of the safeguards in place can be requested at privacy@washai.org.
8. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected.
| Category | Indicative retention period |
|---|---|
| Account data | Duration of the account, plus 12 months after closure |
| Conversation data (where retained) | Up to 12 months from the date of the conversation, unless you delete it earlier or a tenant has set a shorter period |
| Conversation data on ZDR model paths | Not retained by the model provider; minimal logs at the WASH AI layer for security/audit, retained up to 30 days |
| Security and audit logs | Up to 12 months |
| Support correspondence | Up to 24 months from last contact |
| Billing records (if any paid tier) | As required by tax and accounting law (typically 6–10 years) |
| Backups | Up to 35 days from creation, then overwritten |
Tenant-specific retention rules, where stricter, prevail.
9. Your Rights
Subject to the conditions in the GDPR, the UK GDPR, and equivalent regimes, you have the right to:
- Access the personal data we hold about you (Article 15);
- Rectify inaccurate or incomplete data (Article 16);
- Erase your data, subject to legal-retention requirements (Article 17);
- Restrict processing in certain circumstances (Article 18);
- Exercise data portability for data you have provided and that we process by automated means on the basis of consent or contract (Article 20);
- Object to processing based on legitimate interests, including profiling (Article 21);
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Article 7(3));
- Not be subject to solely automated decisions producing legal or similarly significant effects (Article 22). WASH AI is a decision-support tool; you remain in the loop.
- Lodge a complaint with a supervisory authority (Article 77), in particular the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, write to privacy@washai.org. We respond within one month, extendable by two further months for complex requests, in line with Article 12(3).
If you access WASH AI through a tenant deployment, you may also direct rights requests to that tenant; we will assist the tenant in fulfilling them.
10. Security
We apply technical and organisational measures appropriate to the risk in line with Article 32 GDPR. These include encryption in transit and at rest, role-based access control, MFA on administrative access, network segmentation, audit logging, vulnerability management, secure development practices, regular backups, and a documented incident-response plan.
Personal data breaches that present a risk to individuals will be notified to the relevant supervisory authority within 72 hours of our becoming aware of them, and to affected users without undue delay where the risk is high, in line with Articles 33 and 34 GDPR.
To report a suspected security issue, write to support@washai.org.
11. Cookies and Similar Technologies
WASH AI uses cookies and similar technologies. Categories used:
- Strictly necessary — authentication, session management, load balancing, security. These cannot be disabled and do not require consent under Article 5(3) of the ePrivacy Directive.
- Functional — remembering your model selection, language, and interface preferences.
- Analytics — measuring feature usage to improve the service.
- No advertising or cross-site tracking cookies are used.
A cookie banner is being built into the WASH AI interface to provide granular, GDPR- and ePrivacy-compliant consent management. Until the banner is fully deployed across all tenant deployments, only strictly-necessary cookies are set by default; non-essential cookies are activated only after explicit opt-in. You can change your cookie preferences at any time from the in-product settings, once available, or by clearing cookies in your browser.
12. Children
WASH AI is intended for adult professional and academic use. We do not knowingly collect personal data from children below the digital-consent age set by the applicable EU Member State under Article 8 GDPR (between 13 and 16 depending on the country). If we become aware that a child has provided personal data without verifiable parental consent, we will delete it.
13. EU AI Act Transparency
WASH AI is an AI system within the meaning of Regulation (EU) 2024/1689 (the EU AI Act). You are informed at the start of each session that you are interacting with an AI. AI-generated content is labelled as such, in line with Article 50 of the AI Act. WASH AI is not deployed for any of the high-risk uses listed in Annex III of the AI Act. If a tenant intends to integrate WASH AI into a high-risk workflow, additional governance arrangements must be agreed with us in advance.
14. Digital Services Act (DSA)
Where the WASH AI service or a tenant deployment falls within the scope of Regulation (EU) 2022/2065 (the Digital Services Act), Baobab Tech operates as an online platform within the meaning of Article 3(i) DSA, and not as a mere hosting service. As an online-platform provider we maintain:
- a single point of contact for authorities (Article 11) and for users (Article 12), reachable at support@washai.org;
- a notice-and-action mechanism for illegal content (Article 16) accessible via support@washai.org;
- internal complaint-handling procedures (Article 20);
- transparency reporting obligations (Article 15) where applicable;
- the necessary measures to protect minors (Article 28) by restricting use to adults and avoiding profiling-based recommendations to minors.
We are not a Very Large Online Platform (VLOP) and do not currently meet the thresholds in Article 33 DSA. If that changes, the additional obligations under Section 5 of Chapter III DSA will be implemented.
15. Automated Decision-Making and Profiling
WASH AI generates AI responses to user queries but does not make automated decisions producing legal effects or similarly significant effects on you within the meaning of Article 22 GDPR. The system is a decision-support tool, and human users remain responsible for the decisions they take based on the outputs.
We do not use your data for behavioural advertising or for profiling that targets vulnerable users.
16. Changes to This Policy
We may update this policy periodically. Material changes will be notified through the WASH AI interface or by email at least 30 days before they take effect, except where a shorter period is required by law. The "Effective Date" at the top of this policy reflects the latest version. Earlier versions are archived and available on request.
17. How to Contact Us
Baobab Tech (Mills IT Consulting Ltd.)
General queries, support, accessibility, copyright notices, and security reports: support@washai.org
Privacy and data-subject requests: privacy@washai.org
EU representative under Article 27 GDPR: to be appointed. Until an EU-established representative is formally appointed, EU data subjects can direct GDPR enquiries to privacy@washai.org.
You always have the right to lodge a complaint with your local data-protection supervisory authority.
© 2026 Baobab Tech (Mills IT Consulting Ltd.). All rights reserved.