Privacy policy

Information you provide. When you submit a form on our website — to request a demo, contact sales, subscribe to research updates, or apply for a role — we collect the information you choose to share, typically your name, work email, employer, role, and any free-text context. When you create an account in Wren, we additionally collect professional licensure where relevant and the building addresses you authorize Aedifice to work on.

Building and engagement data. When a client assigns a building to Wren, we ingest filings, inspections, permits, drawings, photos, correspondence, and operating records that are either furnished directly by the client or retrieved from a lawful public record on the client’s behalf.

Account and usage data. We record sign-in events, session metadata, feature usage, and audit-log entries describing privileged actions taken inside Wren.

Analytics and cookies. We use a small number of first-party and reputable third-party analytics tools to understand how the website and product are used. These tools set cookies or similar identifiers and collect IP address, approximate location, browser, device, and referring URL. Where required, we ask for your consent before non-essential cookies are set.

We do not purchase personal information from data brokers and do not ingest building records that have not been shared with us either by the client or by a lawful public record.

We use the information we collect to provide and operate the service, maintain the institutional memory of each building under active engagement, communicate with the professionals and clients responsible for that building, secure our systems, comply with legal obligations, and improve Wren’s drafting and review workflows.

We do not use client building records to train foundation models. Aggregated, de-identified signal about how Wren performs its drafting and review tasks is used to improve those workflows over time. A client may opt a given engagement out of this aggregated improvement program by request to privacy@aedificeai.com.

We share information with sub-processors that are necessary to run the service, including hosting and infrastructure providers, observability and analytics providers, identity providers, email and notification providers, and the foundation-model providers that operate the underlying language models. Each sub-processor is bound by a written contract with confidentiality and security commitments no less protective than those in this policy. A current sub-processor list is available on request.

We do not sell personal information, do not share personal information for cross-context behavioral advertising, and do not disclose client building records to third parties except on the client’s instruction, in response to a lawful legal process, or to protect against fraud or serious harm.

We retain records associated with an active engagement for as long as the engagement is active and for a reasonable period afterward, so that the institutional record of the building remains available to the professionals responsible for it. Retention windows vary by jurisdiction and record type; for example, filings associated with inspection cycles governed by local law are retained for at least the length of that cycle.

Marketing-form submissions are retained for up to 24 months from last activity. Analytics data is retained for up to 26 months. A client may request deletion of information associated with a closed engagement, subject to our obligations to retain records under applicable law and under the professional standards of the licensed practitioners involved.

Depending on where you live, you have rights regarding the personal information we hold about you. These may include the right to access a copy of your data, correct inaccuracies, delete information, port your data to another provider, object to or restrict certain uses, and withdraw consent. Residents of the European Economic Area, the United Kingdom, and Switzerland have rights under the GDPR. Residents of California, Colorado, Connecticut, Virginia, and other US states with comparable frameworks have analogous rights under those statutes, including under the CCPA as amended by the CPRA.

To exercise a right, write to privacy@aedificeai.com. We will respond within the period required by the applicable law and may request information sufficient to verify your identity. You will not be discriminated against for exercising a right.

We maintain administrative, physical, and technical safeguards designed to protect information against loss, misuse, and unauthorized access. These include TLS 1.2 or higher for data in transit, AES-256 encryption for data at rest, envelope encryption with managed keys, role-based access controls keyed to engagement, audit logging of privileged actions, third-party penetration testing, and regular review of our security posture. SOC 2 Type II and ISO 27001 audits are in progress.

No service is perfectly secure. We commit to notifying affected clients without undue delay in the event of a confirmed incident that compromises client building records or personal information, consistent with applicable law.

Aedifice operates primarily from the United States. For clients and building records originating in other jurisdictions, personal information may be transferred to and processed in the United States or in other countries where Aedifice or its sub-processors operate. Where required, these transfers are carried out under appropriate safeguards, including the European Commission’s Standard Contractual Clauses and the UK Addendum, and we make available, on request, a description of the technical and organizational measures that supplement them. Regional data residency is available for institutional clients on Enterprise contracts.

Aedifice is a business product. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, write to privacy@aedificeai.com and we will delete it.

Questions about this policy, or requests under it, can be directed to privacy@aedificeai.com. The data controller for personal information collected under this policy is Aedifice, Inc.

This policy is reviewed periodically. Material changes will be announced via email and on this page.