Overlook Privacy Policy

Version 1.0 · Effective Date: May 1, 2026

Issued by Overlook AI, Inc., a Delaware corporation

1. Introduction and Scope

This Privacy Policy describes how Overlook AI, Inc., a Delaware corporation (“Overlook,” “we,” “us,” or “our”), collects, uses, discloses, stores, protects, and otherwise processes information relating to an identified or identifiable individual (“Personal Information”) in connection with our websites, hosted software-as-a-service offerings, downloadable software, packaged distributions, customer support channels, professional services, training, workshops, events, communications, and related business operations (collectively, the “Services”). This Privacy Policy is intended to provide clear public notice of our privacy practices and should be read together with the applicable Terms of Service, Subscription and Software License Agreement, Data Processing Addendum, Professional Services Addendum, Security Addendum, Order Form, and any other agreement governing use of the Services, as applicable.

Overlook provides business-oriented services for organizations and their personnel. The Services are not intended for personal, household, or consumer use. The Services are intended for users who are at least eighteen (18) years old. We do not knowingly collect Personal Information from children, and the Services are not directed to children.

This Privacy Policy applies to Personal Information for which Overlook determines the purposes and means of processing, including information collected through our websites, account administration, billing administration, marketing communications, support operations, security operations, and professional services administration. Where Overlook processes Personal Information contained in Customer Data solely on behalf of a customer and pursuant to the customer’s instructions, Overlook generally acts as a processor or service provider, and the customer’s agreement with Overlook, including any applicable Data Processing Addendum, governs that processing.

2. Roles: Customer Data, Controller Processing, and Processor Processing

Overlook’s relationship to Personal Information depends on the context in which the information is processed. When we process business contact information, account information, payment and billing metadata, website data, security logs, support communications, marketing information, and similar information for our own business purposes, we generally act as an independent controller or business under applicable privacy laws. When we process Personal Information that a customer or its authorized users submit to, configure in, or load into the Services for the customer’s business purposes, including Customer Data processed through the Overlook platform, Overlook generally acts as a processor, service provider, contractor, or similar role under applicable law.

Customer Data may include information entered into Overlook AI Profiles, Business-led AI Management Canvas entries, assessment responses, customer-specific scorecard inputs and results, operating-area records, customer ownership fields, notes, configuration settings, training-session inputs, continuation plans, and other customer-specific artifacts created through the Services or through professional services engagements. To the extent those materials contain Personal Information, the privacy and data processing terms applicable to Customer Data govern Overlook’s processing of such Personal Information. Customers are responsible for providing any legally required notices to their personnel and authorized users and for ensuring that they have a lawful basis to provide Customer Data to Overlook.

This Privacy Policy does not transfer ownership of any data, content, methodology, or intellectual property. Customer ownership of Customer Data and Overlook ownership of the Services, methodologies, assessment logic, scorecard structure, Business-led AI Management Canvas design, training materials, facilitation methods, and other Overlook intellectual property are governed by the applicable agreements. For clarity, Customer Data does not include Overlook’s proprietary methodologies, templates, scorecard logic, canvas structure, internal know-how, service-delivery methods, product workflows, or derivative improvements to Overlook materials, even if such materials are used to provide the Services or professional services.

3. Information We Collect

We may collect Personal Information directly from individuals, from customers and their administrators, from authorized users, from payment processors and other service providers, from identity providers, from integrations configured by customers, from communications with us, from public or commercially available sources where permitted by law, and automatically through interaction with the Services.

The Personal Information we collect may include business contact information such as name, title, employer, business email address, business telephone number, department, business role, and professional affiliation. We may collect account and authentication information, such as usernames, account identifiers, organization identifiers, role or permission information, authentication metadata, and security settings. We may collect billing and transaction metadata, such as subscription plan, invoice information, payment status, tax information, billing contact, and limited payment metadata received from payment processors. We do not store complete payment card numbers.

We may collect usage, device, and technical information, including IP address, browser type, device identifiers, operating system, referring pages, approximate location derived from IP address, log data, diagnostic information, pages or features accessed, date and time of activity, session activity, product telemetry, performance data, and security event information. We may collect support and communications information, including messages sent to support@overlookai.com or other Overlook contacts, support tickets, chat or email communications, call notes, meeting information, and related attachments supplied by a customer or user.

When customers purchase or participate in professional services, training, workshops, onboarding, assessments, canvas facilitation, implementation support, or enablement sessions, we may process information shared in those engagements. This may include names, business roles, stakeholder responsibilities, customer-provided AI descriptions, operating areas, business objectives, assessment responses, completed Business-led AI Management Scorecard information, Business-led AI Management Canvas entries, AI Profile content, ownership information, training-session participation, workshop notes, and customer-specific continuation plans. Overlook processes this information to deliver the engagement and support use of the platform, subject to the applicable agreements.

If a customer configures integrations, single sign-on, identity providers, data imports, or related product features, we may process information made available through those configurations. The customer is responsible for configuring integrations lawfully, limiting information shared with Overlook to information appropriate for the Services, and obtaining any required permissions or notices.

4. Payment Processing and Stripe

Overlook uses third-party payment processors, including Stripe, to process payments, manage self-service billing, issue invoices, support subscription changes, and administer payment methods. Stripe may collect and process payment information directly in accordance with its own terms and privacy practices. Overlook receives limited payment and billing metadata, such as customer identifier, subscription status, invoice details, payment status, last four digits of a payment card where made available, and similar transaction information. Overlook does not store complete payment card numbers, bank account numbers, card security codes, or other full payment credentials.

5. Cookies, Analytics, and Similar Technologies

We and our service providers may use cookies, local storage, pixels, software development kits, analytics tools, and similar technologies to operate the Services, maintain sessions, remember preferences, improve performance, understand use of our websites and products, secure accounts, prevent fraud, and support marketing communications where permitted. Some technologies are necessary to provide the Services, while others may be used for analytics, preferences, or marketing depending on the context and applicable consent requirements.

Where required by law, we will provide choices or obtain consent for non-essential cookies and similar technologies. Browser settings may allow users to block or delete certain cookies, but doing so may affect functionality. We do not currently respond to all “Do Not Track” browser signals because no uniform industry standard has been adopted; however, where legally required, we will recognize and process legally effective opt-out preference signals, including Global Privacy Control signals, in a manner consistent with applicable law.

6. How We Use Personal Information

Overlook uses Personal Information to provide, operate, maintain, secure, support, and improve the Services; to authenticate users; to create and administer accounts; to manage organizations, roles, entitlements, and permissions; to process subscriptions, payments, invoices, renewals, and plan changes; to provide customer support; to deliver professional services, onboarding, workshops, training, and implementation support; to communicate about the Services; and to respond to inquiries.

We may use Personal Information to monitor performance, troubleshoot errors, conduct analytics, develop and improve product features, understand product adoption, maintain and enhance security, detect and prevent fraud or abuse, enforce our agreements and policies, comply with legal obligations, protect rights and safety, and administer corporate transactions or business operations. Where legally required, we rely on appropriate lawful bases for such processing, as described in this Privacy Policy.

We may use aggregated, anonymized, or de-identified information to understand product usage, improve the Services, develop insights, improve training and guidance, enhance product workflows, and improve Business-led AI Management methodologies and materials. We do not use de-identified information to identify an individual except as permitted by law, such as to test de-identification methods or comply with legal obligations. Nothing in this Privacy Policy grants customers rights in Overlook proprietary methodologies, scorecard logic, canvas design, internal concepts, or derivative improvements.

We may send administrative communications, such as service notices, security notices, account messages, billing messages, and policy updates. We may send marketing communications where permitted by law. Recipients may opt out of marketing emails by using the unsubscribe mechanism in the message or contacting us, but we may continue to send non-marketing administrative communications.

7. Professional Services, Assessments, Scorecards, Canvas Data, and Customer Artifacts

Overlook’s professional services may involve guided completion of the Business-led AI Management Scorecard, facilitated use of the Business-led AI Management Canvas, translation of customer-provided information into Overlook AI Profiles and related product records, platform configuration assistance, training, enablement, and continuation planning. Personal Information processed in connection with those activities is processed for the purpose of delivering the Services and supporting the customer’s use of Overlook.

Customer owns the customer-specific information it supplies or causes to be supplied during a professional services engagement, including customer-provided AI descriptions, business information, operating-area information, customer-specific assessment responses, customer-specific scorecard results, completed customer-specific Canvas entries, customer priorities, customer ownership information, customer-specific AI Profile content, and customer-specific outputs loaded into the customer’s Overlook environment. To the extent such materials contain Personal Information, they are processed subject to the customer’s agreement with Overlook, including the applicable data processing terms.

Overlook retains ownership of the Business-led AI Management Assessment, the Business-led AI Management Scorecard, scoring logic, scorecard structure, interpretation methods, the Business-led AI Management Canvas design, canvas structure, facilitation methods, training materials, templates, internal playbooks, service-delivery methods, non-public concepts, product workflows, know-how, reusable tools, documentation, and derivative improvements to Overlook materials. Customer-specific content may be Customer Data without transferring ownership of the underlying Overlook methods used to collect, structure, interpret, or present that content.

Customers and authorized users should not provide sensitive regulated data, personal data unrelated to the engagement, or confidential third-party information during workshops, assessments, canvas sessions, training, or data loading unless expressly permitted by the applicable agreement and appropriate safeguards have been agreed in writing. Customers are responsible for the accuracy, completeness, legality, and authorization of information supplied during professional services engagements.

8. Restricted and Sensitive Data

The Services are designed for business operational data, AI management metadata, customer business context, ownership records, product configuration, and related enterprise management information. Unless expressly authorized in a written agreement, the Services are not intended to store or process protected health information subject to HIPAA, payment card data subject to PCI DSS requirements, classified government information, export-controlled technical data, precise geolocation data unrelated to the Services, biometric identifiers, children’s data, special-category personal data, or other highly sensitive regulated data requiring specialized safeguards.

If a customer believes its intended use requires processing of sensitive or regulated data, the customer must contact Overlook before submitting such data so the parties can determine whether appropriate contractual, technical, and operational safeguards are available. Overlook may reject, delete, restrict, or require removal of data that violates applicable agreements, the Acceptable Use Policy, or this Privacy Policy.

9. How We Disclose Personal Information

We may disclose Personal Information to service providers, contractors, subprocessors, and vendors that perform services for us or support delivery of the Services. These recipients may include cloud hosting and infrastructure providers, including Amazon Web Services, payment processors, including Stripe, identity and authentication providers, analytics providers, customer support platforms, communications providers, security vendors, professional advisors, auditors, and business operations vendors. We require such providers to process information in accordance with contractual obligations appropriate to their role and the nature of the information.

We may disclose Personal Information to customers and their administrators where the information relates to the customer’s account, organization, authorized users, product usage, professional services engagement, support matter, security matter, or Customer Data. We may disclose information to integration partners or third-party services when a customer or authorized user directs us to enable an integration or transmit information to that service.

We may disclose Personal Information where we believe disclosure is necessary or appropriate to comply with law, legal process, subpoenas, court orders, government requests, national security or law-enforcement requests, or regulatory obligations; to enforce our agreements and policies; to protect the rights, property, security, or safety of Overlook, customers, users, or third parties; to investigate fraud, abuse, or security incidents; or to defend legal claims.

We may disclose Personal Information in connection with a corporate transaction, such as a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, subject to appropriate confidentiality and legal protections. We may also disclose Personal Information with consent or at the direction of the relevant individual, customer, or authorized administrator.

Overlook does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising as those terms are defined under California privacy law. We do not knowingly sell or share Personal Information of individuals under sixteen (16) years of age.

10. Hosting, AWS, GovCloud, and International Processing

Overlook may host, store, and process information in the United States and other jurisdictions where Overlook or its service providers operate. Overlook uses Amazon Web Services for cloud hosting and infrastructure and may support AWS commercial regions, AWS GovCloud environments, dedicated environments, customer-managed environments, or other deployment models as stated in the applicable customer agreement. The location of processing may depend on the Services purchased, the deployment model, product configuration, customer instructions, and the applicable Order Form.

Where Personal Information is transferred from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction requiring transfer safeguards to a jurisdiction not deemed adequate, Overlook relies on lawful transfer mechanisms where required, which may include standard contractual clauses, the United Kingdom international data transfer addendum, customer-specific data processing terms, or other lawful mechanisms. Customers using the Services as controllers are responsible for determining whether their use of the Services complies with applicable data transfer requirements.

11. Security

Overlook maintains commercially reasonable administrative, technical, and organizational measures designed to protect Personal Information against unauthorized access, disclosure, alteration, and destruction, taking into account the nature of the information, the Services, and the risks presented by processing. These measures may include access controls, authentication controls, encryption in transit, encryption at rest where appropriate, logging, monitoring, vulnerability management, personnel confidentiality obligations, vendor management, and incident response processes.

No method of transmission, processing, or storage is completely secure. Overlook cannot guarantee absolute security, and customers and users are responsible for maintaining secure credentials, appropriate account permissions, endpoint security, customer-managed infrastructure security, and lawful use of the Services. If you believe your account or information has been compromised, contact support@overlookai.com promptly.

12. Retention

We retain Personal Information for as long as reasonably necessary to provide the Services, administer accounts, perform agreements, provide professional services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, prevent fraud, support business operations, and meet legitimate recordkeeping requirements. Retention periods vary depending on the type of information, the nature of the Services, customer instructions, legal requirements, backup cycles, security needs, tax and accounting rules, and dispute preservation obligations.

Customer Data processed on behalf of a customer is retained, returned, or deleted in accordance with the applicable agreement, product functionality, customer instructions, backup and deletion cycles, and legal requirements. We may retain limited records after account closure where necessary for legal, security, compliance, billing, dispute, or legitimate business purposes.

13. Customer Responsibilities and Authorized Users

Customers are responsible for administering authorized users, configuring access controls, determining what Customer Data is submitted to the Services, providing required privacy notices to personnel and other individuals, obtaining necessary consents or authorizations, responding to data subject requests where the customer is the controller, and ensuring that Customer Data is accurate, lawful, and appropriate for processing through the Services. If you are an authorized user of a customer account, you should direct privacy requests relating to Customer Data to the customer unless Overlook is the appropriate party to respond under applicable law.

Customers are responsible for ensuring that information shared during workshops, assessments, canvas sessions, support interactions, and professional services engagements does not include restricted or prohibited data unless expressly authorized in writing. Customers are also responsible for reviewing and validating any Customer Data entered into the Services, including AI Profile content, Canvas entries, scorecard responses, and customer-specific engagement outputs.

14. Privacy Rights and Requests

Depending on your location and the context in which we process your Personal Information, you may have rights to request access to Personal Information, correction of inaccurate Personal Information, deletion of Personal Information, restriction of processing, objection to processing, portability of Personal Information, withdrawal of consent where processing is based on consent, and appeal of certain decisions. Some rights are subject to limitations and exceptions under applicable law.

To exercise privacy rights, contact privacy@overlookai.com. We may need to verify your identity and authority before responding. If you are submitting a request on behalf of another person, we may require proof of authorization. If your request relates to Customer Data controlled by an Overlook customer, we may direct you to the relevant customer or notify the customer so it can respond as controller, unless applicable law requires Overlook to respond directly.

We will respond to privacy requests within the time required by applicable law. If we deny a request, in whole or in part, we will explain the basis for denial where required and provide any appeal process required by applicable law.

15. California Privacy Notice

This section provides additional information for California residents under the California Consumer Privacy Act, as amended, and its implementing regulations (“CCPA”). Terms used in this section have the meanings given under the CCPA unless otherwise stated.

During the preceding twelve (12) months, Overlook may have collected the following categories of Personal Information, depending on the individual’s interaction with us: identifiers, such as name, business email address, account identifiers, IP address, and similar identifiers; customer records information, such as business contact details and billing information; commercial information, such as subscription plan, transaction records, and service history; internet or other electronic network activity information, such as usage logs, device information, browser information, and interaction with the Services; approximate geolocation information derived from IP address; professional or employment-related information, such as employer, title, role, department, and business responsibilities; audio, electronic, or similar information if calls, meetings, or training sessions are recorded with notice or consent; and inferences or preferences derived from product usage or business interactions, such as feature preferences or account engagement patterns.

Overlook does not seek to collect sensitive Personal Information except limited information that may be necessary for account security, authentication, or compliance, such as account credentials or security information. Overlook does not use sensitive Personal Information to infer characteristics about California residents. Customers should not submit highly sensitive, regulated, or prohibited data to the Services unless expressly authorized in a written agreement.

We collect and use the categories of Personal Information described above for the business and commercial purposes described in this Privacy Policy, including providing the Services, administering accounts, processing transactions, securing the Services, providing support, delivering professional services, improving products, communicating with users, complying with law, and enforcing agreements. We disclose these categories of Personal Information to the categories of recipients described in Section 9, including service providers, contractors, subprocessors, professional advisors, legal authorities where required, transaction parties, customers and administrators, and integrations configured by customers.

Overlook does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising. Overlook does not knowingly sell or share Personal Information of individuals under sixteen (16). California residents may have rights to know, access, correct, delete, obtain, opt out of sale or sharing, limit use of sensitive Personal Information where applicable, and not be discriminated against for exercising privacy rights. Because Overlook does not sell or share Personal Information and does not use sensitive Personal Information to infer characteristics, opt-out and limitation rights may not apply in the same way they would apply to businesses that engage in those practices.

California residents may submit requests by contacting privacy@overlookai.com. Authorized agents may submit requests where permitted by law, but Overlook may require evidence of authority and may require the consumer to verify their identity directly. Overlook will not discriminate against California residents for exercising rights under the CCPA.

16. European Economic Area, United Kingdom, and Similar Jurisdictions

If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with similar data protection laws, this section provides additional information. For controller processing described in this Privacy Policy, Overlook AI, Inc., 8 The Green STE B, Dover, DE 19901, USA, is the controller unless another Overlook entity or customer is identified as controller in a specific context. For Customer Data processed on behalf of a customer, the customer is generally the controller and Overlook is generally the processor.

The legal bases for our controller processing may include performance of a contract, where processing is necessary to provide the Services, administer accounts, process transactions, and provide support; legitimate interests, where processing is necessary for security, fraud prevention, service improvement, business communications, analytics, professional services administration, and enforcement of agreements, provided those interests are not overridden by individual rights and interests; consent, where required for certain marketing communications, cookies, or optional processing; and legal obligations, where processing is necessary to comply with applicable law, legal process, tax rules, accounting rules, or regulatory obligations.

Individuals in these jurisdictions may have rights to access, rectify, erase, restrict, object to processing, receive portability of Personal Information, withdraw consent, and lodge a complaint with a supervisory authority. These rights are subject to legal conditions and exceptions. Requests may be submitted to privacy@overlookai.com. If a request relates to Customer Data, Overlook may refer the request to the relevant customer or assist the customer in accordance with the applicable Data Processing Addendum.

Overlook is based in the United States. Where required, transfers of Personal Information to the United States or other jurisdictions will be supported by appropriate safeguards, such as standard contractual clauses or other lawful mechanisms. If Overlook is required by applicable law to appoint a representative or data protection officer, Overlook will identify the relevant contact information in this Privacy Policy or through another appropriate notice.

17. Automated Decision-Making, AI Management Outputs, and Readiness Insights

Overlook provides business-led AI management tools, readiness insights, assessment results, scorecard outputs, guidance, and related platform or professional services outputs. These outputs are intended to support organizational management, product adoption, workflow configuration, and business-led AI management practices. They are not intended to be used as the sole basis for decisions about individuals that produce legal or similarly significant effects, such as decisions about employment, credit, healthcare, housing, insurance, education, or legal rights.

Overlook does not use Personal Information collected under this Privacy Policy to make automated decisions about individuals that produce legal or similarly significant effects unless expressly disclosed in a specific notice and permitted by applicable law. Customers remain responsible for how they use Overlook outputs, readiness insights, AI Profile content, assessment results, or professional services deliverables in their own organizations.

18. Marketing, Events, and Communications

We may process business contact information to communicate with current and prospective customers, respond to inquiries, provide product information, invite participation in events or webinars, send newsletters, and conduct business development activities. Where required by law, we will obtain consent before sending marketing communications. Recipients may opt out of marketing communications by following the unsubscribe instructions in the communication or contacting us. Opting out of marketing does not affect administrative, transactional, security, or service communications.

19. Third-Party Services and Integrations

The Services may include links to third-party websites, integrations with third-party services, or customer-configured connections to external systems. This Privacy Policy does not apply to third-party services that Overlook does not control. Customers and users should review the privacy practices of any third-party service before enabling integrations or providing information to that service. Overlook is not responsible for the privacy practices of third parties except as expressly stated in an agreement with Overlook.

20. Public Sector and Government Deployments

Where Services are provided to government customers or deployed in AWS GovCloud, dedicated, customer-managed, on-premises, or air-gapped environments, the processing of Personal Information may be governed by additional contractual terms, deployment documentation, security requirements, and customer instructions. Unless expressly agreed in writing, the Services are not intended for classified information, controlled unclassified information requiring specialized controls, export-controlled technical data, or other government-regulated data requiring safeguards beyond those expressly agreed by Overlook.

21. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, professional services, legal requirements, operational practices, or business needs. If we make material changes, we will provide notice as appropriate, which may include posting the updated Privacy Policy, updating the effective date, notifying account administrators, or providing other notice required by law. Continued use of the Services after an updated Privacy Policy becomes effective is subject to the updated Privacy Policy to the extent permitted by law.

22. Contact Information

Questions or requests regarding this Privacy Policy or Overlook’s privacy practices may be directed to privacy@overlookai.com. Legal notices may be directed to legal@overlookai.com. Billing inquiries may be directed to billing@overlookai.com, and support inquiries may be directed to support@overlookai.com. Written correspondence may be sent to Overlook AI, Inc., 8 The Green STE B, Dover, DE 19901, USA.

If you are an authorized user of a customer account and your request relates to information controlled by your employer or organization, you should also contact that organization’s account administrator or privacy contact.