Compliance

Any California resident who signs up for JCIL.AI is protected by the California Consumer Privacy Act as amended by the California Privacy Rights Act. We honor:

• Right to know — you can request a copy of all data we hold about you via the account settings page.
• Right to delete — you can delete your account and all associated data, either scheduled (30-day window, recoverable) or immediate hard delete.
• Right to correct — inaccurate profile fields can be corrected in account settings.
• Right to opt out of "sale" and "sharing" — we don't sell or share personal information for cross-context behavioral advertising, so there's nothing to opt out of by default. A formal opt-out toggle is available on the privacy settings page.
• Right to non-discrimination — we don't degrade service for customers who exercise their rights.

The Family Educational Rights and Privacy Act protects student education records at institutions receiving federal funding. If your university deploys JCIL Cloud in a context where educational records flow through the widget (e.g., embedded inside a student portal):

• JCIL.AI operates as a "school official" under FERPA's §99.31(a)(1) outsourcing provision, with a legitimate educational interest limited to providing the contracted service.
• We do not redisclose education records to any party outside our subprocessor list.
• We support the direct control requirement — you can terminate our access at any time by revoking your API keys; we immediately stop processing.
• Your institution remains the FERPA covered party. We recommend adding JCIL.AI to your official subprocessor directory and notifying parents/students per your existing policy.

For a signed FERPA addendum, submit the contact form with topic: DPA / legal addendum.

The Children's Online Privacy Protection Act regulates the collection of personal information from children under 13. Our default posture is that JCIL.AI is not directed at children under 13. If your K-12 school or ministry deploys the widget in a context where under-13 children may use it:

• Your school or organization serves as the school-official "operator" under the COPPA school-authorization framework (FTC 2014 guidance) — parental consent is obtained by your institution, not by JCIL.AI directly.
• We process data only for the educational purpose you configure in the widget's custom prompt. No ad targeting, no profile building, no third-party sharing.
• We retain children's conversational data for the minimum necessary period and honor deletion requests from the parent or school of record within 30 days.
• If you deploy to students without clear school-official status, you must obtain verifiable parental consent before deployment.

JCIL.AI is not currently a HIPAA Business Associate and does not sign BAAs. If you operate a faith-based counseling practice:

• Do not submit Protected Health Information (PHI) to JCIL.AI — full names combined with diagnoses, treatment notes, prescription details, or insurance identifiers.
• JCIL.AI is a good fit for: intake triage, scheduling flows, resource referrals, FAQ automation, prayer support, and de-identified pastoral care conversations.
• Our safety-webhook system routes crisis signals to your on-call staff — we do not provide medical advice or clinical triage.
• If you need a HIPAA-eligible deployment, wait for our upcoming HIPAA tier, or ask about a dedicated single-tenant setup through compliance contact.

Multiple US states require disclosure that a user is interacting with an AI system. We comply by default:

• Every public chat interface clearly labels the assistant as AI.
• The embed widget shows a "Powered by JCIL Cloud" footer on every deployment.
• When asked "are you an AI," the model is instructed to answer truthfully and identify itself.
• Utah's AI Consumer Protection Act and Colorado SB205 obligations are met without operator configuration.

SOC 2 is on the roadmap as we scale. We are not SOC 2 certified today. The controls a Type 1 audit expects — least-privilege access, segregation of environments, encryption, change management, vulnerability scanning, incident response — are in place as practice; the third-party audit comes next.

If SOC 2 is a procurement blocker for your organization, submit the contact form with topic SOC 2 statusand we'll share our controls matrix and projected audit window.

JCIL.AI carries cyber liability insurance. Policy limits and carrier details are shared under NDA on request via the compliance contact form.

• We respond to valid legal process — subpoenas, court orders, warrants — within the timeframes required by law.
• We notify the account owner of requests concerning their account unless legally prohibited from doing so.
• We report Child Sexual Abuse Material (CSAM) to NCMEC (National Center for Missing & Exploited Children) as required by 18 U.S.C. §2258A.
• Legal process requests may be submitted via the compliance contact form with topic law enforcement.