Overview

This policy safeguards the handling of personal data during AI interactions, ensuring that AI-generated content, prompts, and logs do not violate data protection obligations under GDPR. The policy applies to all AI use cases where user data, customer information, or regulated personal data might be present. It works by monitoring interactions and enforcing restrictions that keep personal identifiers and sensitive data from being ingested, processed, or exposed by LLMs.


What the Policy Does

Purpose

The Data Privacy Policy ensures that sensitive and personally identifiable information (PII) is neither inadvertently shared with nor generated by the AI system. By integrating this policy, organisations can:

  • Ensure compliance with global data protection regulations.
  • Prevent data leaks by restricting access to confidential information.
  • Monitor and control AI-generated responses to prevent unauthorized data exposure.

Scope

Prompt Configuration

Before user inputs are processed by the LLM, the Data Privacy Policy scans and manages data transmission according to the following settings:

  • Regulation Selection
    Users can select predefined regulatory frameworks (e.g., GDPR, HIPAA, PCI-DSS) that automatically apply protective rules.

  • Operational Modes

    • Monitor Only – Detects sensitive data in user inputs without blocking the request.
    • Monitor & Override – Prevents the transmission of prompts containing sensitive data, ensuring compliance and security.
  • Purpose
    Ensures that confidential data is never inadvertently shared with the AI system.

Response Configuration

This configuration governs how LLM-generated responses are managed before being presented to users:

  • Regulation Selection
    Users can apply regulations to govern how the system detects and controls sensitive content in LLM-generated responses.

  • Operational Modes

    • Monitor Only – Flags AI responses that may contain sensitive information without restricting visibility.
    • Monitor & Override – Blocks AI-generated responses containing sensitive information, ensuring secure communication.
  • Purpose
    Protects end-users and organisations from receiving or distributing non-compliant or confidential information.

Key Features

  • Predefined Regulatory Frameworks – Seamless compliance with industry standards.
  • Real-time Monitoring & Enforcement – Detects and prevents unauthorized data exposure dynamically.

Why Use This Policy?

Benefits

  • Enhances Data Security – Prevents data breaches and unauthorized access.
  • Ensures Regulatory Compliance – Aligns AI interactions with global data protection laws.
  • Mitigates Risk – Reduces legal and reputational risks associated with data mishandling.

Use Case: Law Firm Compliance

Scenario

A law firm uses AI to assist with contract drafting, legal research, and case summarisation. Given the sensitive nature of legal data, ensuring compliance with GDPR and attorney-client privilege is critical.

Challenge

The firm must prevent confidential client information (e.g., case numbers, legal arguments, settlement amounts) from being exposed during AI interactions.

Solution: Implementing the Data Privacy Policy

  1. Prompt Configuration
    GDPR and CPRA compliance rules are activated.
    Monitor & Override mode is enabled to block unauthorized input transmissions.

  2. Response Configuration
    AI-generated responses are reviewed under Monitor Only mode.
    After initial evaluation, the setting is switched to Monitor & Override to restrict confidential disclosures.


How to Use the Policy

Note: The steps below guide you through configuring the Data Privacy Policy using the policy workflow interface.

Step 1: Navigate to the Policy Workflow

  1. From the Dashboard, open the Project Overview by selecting your project from the Project Table.
  2. In the Policy section of the Project Overview, click Edit Policy to launch the policy configuration workflow.

Step 2: Select and Enable the Data Privacy Policy

  1. In the Configure Policies tab, a list of available policies will be displayed.
  2. Click on Data Privacy to view its configuration options on the right-hand side.
  3. Toggle the Enable Policy switch to ON at the top of the panel to begin editing.

Step 3: Select Compliance Framework(s)

  1. Under the Compliance section, check the boxes for any applicable standards you wish to enforce (for example, GDPR, PCI-DSS, HIPAA).
  2. You may select one or multiple frameworks based on your organisational requirements.

Step 4: Set Application Scope

  1. Under the Apply Policy To section, choose one of the following options:
    • Prompt – Apply the policy to user input only.
    • Response – Apply the policy to AI-generated responses only.
    • Both – Enforce the policy on both user inputs and model outputs.

Step 5: Configure Enforcement Behaviour

  1. Under Behaviour, choose how you want the policy to respond to violations:
    • Log Only – Log violations for visibility without blocking interactions.
    • Log and Override – Block the interaction and return a smart response, based on your response configuration.

Step 6: Save, Test, and Apply the Policy

  1. Click Save Changes to store your current configuration.
  2. (Optional) Navigate to the Test Policies tab to validate your setup in a sandbox environment with a live chatbot.
  3. When ready, navigate back to the project dashboard to see and enforce your configuration.
  4. A success message will confirm the policy has been successfully applied to the project.

With the Data Privacy Policy, AltrumAI empowers your organisation to enforce strong data protection controls that align with leading compliance frameworks—ensuring responsible and secure AI usage.

Entity Types and Regulatory Compliance

| Entity Type | Entity Label | Entity Description | Regulatory Compliance |
|---|---|---|---|
| PII | Gender | Terms indicating gender identity or sexual orientation, including slang terms: male; female; males; females; bisexual; trans | CPRA, GDPR, APPI |
| PII | Physical Attribute | Distinctive bodily attributes, including terms indicating race: I’m 190cm tall; He belongs to the Black students’ association. | CPRA, GDPR, APPI |
| PII | Country | Country names: Canada; Namibia | GDPR, APPI |
| PII | Language | Names of natural languages: Korean; French; English; German | GDPR, APPI |
| PII | State | State, province, territory, or prefecture names: Ontario; Arkansas; Ich lebe in NRW | GDPR, APPI |
| PII | Place of Origin | Terms indicating nationality, ethnicity, or provenance: Canadian; Sri Lankan | CPRA, GDPR, Quebec Privacy Act, APPI |
| PII | Political Affiliation | Terms referring to a political party, movement, or ideology: liberal; Republican | CPRA, GDPR, Quebec Privacy Act, APPI |
| PII | Religion | Terms indicating religious affiliation: Hindu; Presbyterian | CPRA, GDPR, Quebec Privacy Act, APPI |
| PII | Username | Usernames, login names | CPRA, GDPR, APPI |
| PII | Age | Numbers associated with an individual’s age: 27 years old; 18 months old | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Date of Birth | Dates of birth: Born: March 7, 1961 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Driving License Number | Driver’s permit numbers: DL# 134711-320 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | E-mail | Email addresses: email@example.com | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | NHS Number | Healthcare numbers and health plan beneficiary numbers: Policy No.: 5584-486-674-YM | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | IP Address | Internet IP address, including IPv4 and IPv6 formats: 192.168.0.1; 2001:db8:0:0:0:8a2e::7334 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Location | Meta-class for any named location reference; see sub-classes below: Eritrea; Lake Victoria | GDPR, HIPAA, APPI |
| PII | Address | Full or partial physical mailing addresses, which can include building name or number, street, city, county, state, country, zip code: 25/300 Adelaide T., Perth WA 6000, Aus.; 145 Windsor St.; Mail to: Kollwitzstr 13, 10405, Berlin | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Street Name | A subclass of “Address”, covering a building number and street name, plus information like unit numbers, office numbers, floor numbers and building names, where applicable: 25/300 Adelaide T., Perth WA 6000, Aus.; 145 Windsor St.; Mail to: Kollwitzstr 13, 10405, Berlin | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | City | Municipality names, including villages, towns, and cities: Toronto; Berlin; Denpasar | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Geographical Coordinates | Geographic positions referred to using latitude, longitude, and/or elevation coordinates: We’re at 40.748440 and -73.984559 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Post Code | Zip codes (including Zip+4), postcodes, or postal codes: 90210; B2N 3E3 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Name | Names of individuals, not including personal titles such as ‘Mrs.’ or ‘Mr.’: Dwayne Johnson; Mr. Khanna | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Family Name | Names indicating a person’s family or community; often a last name in Western cultures and first name in Eastern cultures: François Truffaut; Ozu Yasujirō | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | First Name | Names given to an individual, usually at birth; often first / middle names in Western cultures and middle / last names in Eastern cultures: François Truffaut; Ozu Yasujirō | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Professional Medical Name | Full names, including professional titles and certifications, of medical professionals, such as doctors and nurses: Attending physician: Dr. Kay Martinez, MD | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Numerical PII | Numerical PII (including alphanumeric strings) that doesn’t fall under other categories. See also a section below on international variants as some of them are mapped to this category, for example, Belgian BTW nummer or European VAT number. | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Passport Number | Passport numbers, issued by any country: PA4568332; NU3C6L86S12 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Contact Number | Telephone or fax numbers: +4917643476050 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Social Security Number | Social Security Numbers or international equivalent government identification numbers: 078-05-1120; --3256 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | URL | Internet addresses: Unlock Your Business Potential with Aligne Consulting | CPRA, GDPR, Quebec Privacy Act, HIPAA |
| PII | Vehicle ID Number | Vehicle identification numbers (VINs), vehicle serial numbers, and license plate numbers: 5FNRL38918B111818; BIF7547 | CPRA, GDPR, APPI, HIPAA |
| PHI | Blood Group | Blood types: She’s type AB positive | CPRA, GDPR, Quebec Privacy Act, HIPAA |
| PHI | Medical Condition | Names of medical conditions, diseases, syndromes, deficits, disorders: chronic fatigue syndrome; arrhythmia; depression | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PHI | Medication | Medications, vitamins, and supplements: advil; Acetaminophen; Panadol | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PHI | Injury | Bodily injuries, including mutations, miscarriages, and dislocations: broke my arm; I have a sprained wrist | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PHI | Medical Procedure | Medical processes, including treatments, procedures, and tests: heart surgery; CT scan | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PCI | Bank Account Number | Bank account numbers and international equivalents, such as IBAN: Acct. No.: 012345-67 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA, PCI DSS |
| PCI | Credit Card Number | Credit card numbers: 0123 0123 0123 0123; **** **** ****4252 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA, PCI DSS |
| PCI | Credit Card Expiry Date | Expiration date of a credit card: Expires: July 2023; Exp: 02/28 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA, PCI DSS |
| PCI | CVV | 3- or 4-digit card verification codes and equivalents: CVV: 080 | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA, PCI DSS |
| PHI | Medical Code | Codes belonging to medical classification systems such as SNOMED, ICD-10, NDC, etc.: 1981-03-11T04:11:32-03:00 Forearm sprain SNOMED-CT 70704007; Abnormal levels of other serum enzymes | CPRA, GDPR, Quebec Privacy Act, APPI, HIPAA |
| PII | Date | Specific calendar dates, which can include days of the week, dates, months, or years: Friday, Dec. 18, 2002; Dated: 02/03/97 | HIPAA, Quebec Privacy Act |
| PHI | Statistics | Medical statistics: 18% of patients | HIPAA, Quebec Privacy Act |
| PII | Date Range | Broader time periods, including date ranges, months, seasons, years, and decades: 2020-2021; 5-9 May; January 1984 | HIPAA |
| Custom | Account Number | Customer account or membership identification number: Policy No. 10042992; Member ID: HZ-5235-001 | None |
| PII | Password | Account passwords, PINs, access keys, or verification answers: 27%alfalfa; temp1234; My mother’s maiden name is Smith | CPRA, APPI |
| Custom | Money | Names and/or amounts of currency: 15 pesos; $94.50 | None |
| Custom | Filename | Names of computer files, including the extension or filepath: Taxes/2012/brad-tax-returns.pdf | None |
| PII | Marital Status | Terms indicating marital status: single; common-law; ex-wife; married | APPI |
| PII | Organisation | Names of organisations or departments within an organisation: BHP; McDonald’s; LAPD | Quebec Privacy Act, APPI |
| Custom | Dosage | Medically prescribed quantity of a medication: limit intake to 700 mg/day | None |
| PCI | Cardholder Name | A cardholder name is the name on the front (or sometimes the back) of your credit card or debit card. It is a very important security feature for both in-person and online transactions. With in-person transactions, the name on the card lets the merchant know who is authorised to use the card. | PCI DSS |
| PCI | Card PIN | A PIN is a four- or six-digit number that the cardholder sets up when opening their account. It’s a unique and personal identification number that only the cardholder knows. The primary purpose of a PIN is to authenticate the cardholder when making a transaction. | PCI DSS |
| PCI | One-time PIN | One-time Password or OTP is a numerical code sent to your Registered Mobile Number (RMN) while you make online Credit Card transactions. The code comprises a four to six digit pass-code randomly generated through automated software when your bank or Credit Card company receives the transaction request. e.g. One Time Password | PCI DSS |
| PCI | Swift code | Routing number associated with a bank or financial institution, like institution number or branch number. Swift code stands for Society for Worldwide Interbank Financial Telecommunication. It is a systematic code, used to identify financial institutions internationally. e.g. IFSC Code | PCI DSS |
| PHI | Healthcare Facility | Names of medical facilities, such as hospitals, clinics, pharmacies, etc. For example, Northwest General Hospital; Union Family Health Clinic. Certain aspects related to medical facilities can involve PII when they are linked with identifiable information about individuals. Here’s how this works. Location and Contact Information: facility addresses and contact details. Payment and Insurance Information: billing records (information related to payments for medical services, including insurance claims and coverage details, often include personal identifiers such as names, addresses, and insurance policy numbers) and financial transactions (details of financial transactions related to medical services, when combined with personal identifiers, constitute PII). Electronic Health Records (EHR): patient IDs (unique identifiers assigned to patients within medical facilities are considered PII because they are used to track and manage individual health records) and health information (any data related to an individual’s health condition, treatments, medications, and test results is considered highly sensitive PII). | Quebec Privacy Act, APPI |
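
The prompt and response modes described on this page, combined with the per-regulation entity scoping from the table above, can be illustrated as follows; this is an added example and not AltrumAI's implementation. The regex detectors, the `BLOCKED` text, the mode strings and all function names are assumptions, and only the entity-to-regulation sets are copied from the table.

```python
import re

# Entity label -> regulations, copied from three rows of the page's table.
ENTITY_REGS = {
    "E-mail": {"CPRA", "GDPR", "Quebec Privacy Act", "APPI", "HIPAA"},
    "Credit Card Number": {"CPRA", "GDPR", "Quebec Privacy Act", "APPI", "HIPAA", "PCI DSS"},
    "Date": {"HIPAA", "Quebec Privacy Act"},
}
# Assumed detectors: simple regexes standing in for a real entity recogniser.
PATTERNS = {
    "E-mail": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "Credit Card Number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "Date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}
BLOCKED = "[blocked by data privacy policy]"  # hypothetical override text

def luhn_ok(number: str) -> bool:
    """Checksum test that drops digit runs which cannot be card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    for i in range(len(digits) - 2, -1, -2):  # every second digit from the right
        digits[i] = digits[i] * 2 - 9 if digits[i] > 4 else digits[i] * 2
    return sum(digits) % 10 == 0

def scan(text, regulations):
    """Return (label, value) for entities covered by any selected regulation."""
    hits = []
    for label, pattern in PATTERNS.items():
        if not ENTITY_REGS[label] & set(regulations):
            continue  # entity is out of scope for the selected frameworks
        for m in pattern.finditer(text):
            if label == "Credit Card Number" and not luhn_ok(m.group()):
                continue
            hits.append((label, m.group()))
    return hits

def enforce(text, regulations, mode):
    """'monitor_only' reports findings; 'monitor_and_override' also blocks."""
    hits = scan(text, regulations)
    if hits and mode == "monitor_and_override":
        return BLOCKED, hits
    return text, hits

def guarded_call(prompt, llm, regulations, prompt_mode, response_mode):
    """Apply the policy to the prompt, then to the model's response."""
    checked, prompt_hits = enforce(prompt, regulations, prompt_mode)
    if prompt_hits and prompt_mode == "monitor_and_override":
        return BLOCKED, prompt_hits, []  # the prompt never reaches the model
    reply, response_hits = enforce(llm(checked), regulations, response_mode)
    return reply, prompt_hits, response_hits
```

Because "Date" maps only to HIPAA and the Quebec Privacy Act in the table, the same prompt can pass under a GDPR-only selection and be flagged once HIPAA is added, which is worth checking in Monitor Only mode before switching to override.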