auto_awesomeAI mode
Security & privacy

Built for organisations that answer to regulators.

Contexto serves health, research and government organisations. Data handling isn't a feature we added — it's the architecture. Here's exactly how visitor data is collected, stored, used, and deleted.

Eight things that are true of every deployment.

Not options, not upgrades — the default posture for every Contexto concierge, on every plan.

Regional data residency

Visitor conversations are stored in-region: Australian data in Australia, EU data in Frankfurt. Changing a client's region never silently moves existing data.

GDPR compliance

EU visitors choose whether to be remembered. A 12-month retention purge runs automatically, and export or erasure is available on request.

EU AI Act transparency

Contexto always identifies as AI, carries an accuracy disclaimer and a privacy link, and behaves as the transparency rules for a limited-risk assistant expect.

No training on your data

Visitor conversations are never used to train AI models — ours or anyone else's. They exist to answer the question in front of them, nothing more.

Grounded answers only

The concierge cannot introduce content from outside your published site. That means it cannot leak, invent, or contradict what you have approved.

Minimal data by design

No names, emails or accounts are required to use the concierge. Visitors are anonymous by default.

Tenant-scoped access

Client dashboards are strictly tenant-scoped: your team sees your data only, never another organisation's, enforced on every request.

Hardened by default

Origin and CORS validation, request rate-limiting, outbound-request (SSRF) protection, and URL-scheme screening on every link the concierge can surface.

Your visitors' data stays in your region.

Every tenant has a data region. Australian organisations' conversation data — sessions, messages and the analysis built from them — is stored in Australia; European organisations' data is stored in the EU (Frankfurt). Requests are routed to the correct region automatically, and changing a tenant's region does not silently migrate existing data. There is no single global pool your visitors' conversations flow into.

Consent, retention and erasure, handled by design.

Contexto collects as little as possible: visitors are anonymous by default, and no name, email or account is required to get an answer. EU visitors are asked whether they would like to be remembered before any returning-visitor memory is kept. Conversation data is automatically purged after 12 months by a scheduled job that runs across both regional databases.

When a visitor — or a client on their behalf — exercises the right to access or erasure, we look the visitor up by ID and either return a full export of their sessions and messages, or hard-delete them from the regional database. See the privacy policy for the full detail.

Transparent by default, because that's what the rules expect.

Contexto is a limited-risk AI assistant, and it behaves like one. It always identifies itself as AI, it carries a visible accuracy disclaimer and a link to the relevant privacy policy, and — because it answers only from your published content and cites its sources — a visitor can always trace an answer back to where it came from. The AI providers behind it operate under data-processing agreements. If a visitor asks about its compliance, it can state its posture plainly rather than dodging.

Retrieval on our infrastructure, generation under agreement.

Finding the right passages from your content — retrieval — runs on our own infrastructure. Generating the answer uses enterprise AI providers under agreements that exclude training on submitted data. The full list of providers, and what each one does, is maintained at our subprocessors page.

Hardened at the edges, not just in policy.

The commitments above are backed by how the system is built: strict origin and CORS validation on the widget API, rate-limiting on sensitive endpoints, outbound-request (SSRF) protection on anything Contexto fetches, URL-scheme screening on every link the concierge can surface, and tenant-scoped authorisation on every dashboard and API request so one client can never reach another's data. The anti-hallucination guardrails are part of the security story too: an assistant that can't invent a URL can't be steered into leaking one.

Security & privacy, in detail

Is Contexto GDPR compliant?expand_more

Yes. Contexto uses regional hosting, consent-based memory for EU visitors, automated 12-month retention limits, and export and erasure on request. Visitors are anonymous by default and no personal data is required to use the concierge.

How does consent work for EU visitors?expand_more

EU visitors are asked, after a few messages, whether they would like to be remembered on their next visit — and the concierge does not persist a returning-visitor memory until they choose. Australian visitors are handled under local expectations. Logged-in users on your own platform follow your existing consent.

Where is Australian data stored? And EU data?expand_more

Australian visitor data is stored in Australia. EU visitor data is stored in the EU (Frankfurt). Data does not move between regions, and changing a client's configured region does not migrate existing data.

How long do you keep conversation data?expand_more

Conversation data is automatically purged after 12 months by a scheduled job that runs across both regional databases. You can also request earlier erasure for any individual visitor at any time.

Do you use our visitors' conversations to train AI?expand_more

No. Visitor conversations are never used to train AI models. Generation runs on enterprise AI providers under agreements that exclude training on submitted data. Retrieval runs on our own infrastructure.

How does Contexto address the EU AI Act?expand_more

Contexto operates as a transparency-first, limited-risk assistant. It clearly identifies itself as AI, carries an accuracy disclaimer and a link to the relevant privacy policy, and runs on providers covered by data-processing agreements. If a visitor asks, it can state its own compliance posture plainly.

How does right to erasure and export work?expand_more

A visitor — or a client acting on their behalf — can request an export or deletion by visitor ID. We either return a full JSON export of that visitor's sessions and messages, or hard-delete them from the regional database. Nothing is retained in a shadow copy.

Can we get security documentation for procurement?expand_more

Yes. Book a call and we'll provide the documentation your procurement and information-security teams need, including our subprocessor list and data-handling detail.

Need it in writing for procurement?

Book a call and we'll walk your information-security and procurement teams through exactly how Contexto handles data.

30 minutes, no obligation