01Overview
We collect what we need to run the platform, route experts to tasks, pay people, and prove compliance. We do not sell personal information. We do not use customer or expert work product to train general-purpose foundation models. China-bound engagements stay on China-region infrastructure with no cross-border egress. You can ask what we hold, ask us to delete it, or opt out of analytics — see §11 Your Rights.
Teehoo AI ("we", "our", "Teehoo AI") builds infrastructure for human-in-the-loop AI evaluation. This Privacy Policy describes what information we collect when you use our platform, website, and services, how we use it, and the choices you have.
Data Controller. Teehoo AI is operated by Fullhouse Asset Management LLC, a California limited liability company headquartered in Los Angeles, California, USA ("Teehoo AI", "we", "our"). A Delaware C-corporation may be established as a successor contracting entity in the future, in which case this page will be updated and the change communicated per §15 Changes to This Policy. For China-region engagements operated under our PRC affiliate, the controller / personal-information-handler is disclosed in the China-region engagement contract.
We take the position that compliance-native operations are not optional for the AI era. The practices below describe what we do today; certifications that are in progress are explicitly disclosed as such — we will never claim certifications we have not earned.
02Scope & Applicability
This policy applies to:
- Customers — frontier AI labs, model companies, and enterprises engaging Teehoo AI for evaluation, RLHF, or embodied AI data services.
- Experts — subject-matter experts applying to or operating within the Teehoo AI Expert Network.
- Website visitors — anyone browsing teehooai.com or applying through our forms.
Specific engagements may carry additional contractual privacy terms; in case of conflict, the engagement contract prevails.
03Information We Collect
Information you provide
- Account information (name, email, professional credentials, domain expertise).
- Identity verification materials when required for tier-gated workflows.
- Payment and tax information for expert compensation or enterprise billing.
- Communications you send to us (support inquiries, applications, partnership outreach).
Information we collect automatically
- Standard log data (IP address, browser type, referring URL, timestamps) for security and audit purposes.
- Usage analytics scoped to product improvement.
Engagement-scoped data
Evaluation tasks, expert outputs, audit trails, and customer-uploaded data are processed strictly within the scope of the engagement contract. We do not use customer or expert work product to train general-purpose models.
Sensitive Personal Information (CPRA / PIPL "sensitive PI")
For certain workflows we collect categories defined as sensitive personal information under the California Privacy Rights Act and equivalent definitions under PIPL Art. 28 / GDPR Art. 9:
- Government-issued ID (driver's license, passport) — for identity verification of experts in tier-gated cohorts. Retained only as required by tax/AML law; otherwise hashed and discarded after verification.
- Tax identifiers (SSN / ITIN / EIN / TIN equivalents) — for IRS / tax authority reporting (US: 1099-NEC).
- Biometric template — used only if a customer engagement contractually requires liveness check; never used for general identification, never sold, never shared outside the engagement scope.
- Precise geolocation — not collected. We use coarse country/region-level location only.
- Account credentials — hashed at rest; not retrievable in plaintext.
Sensitive PI is used only for the disclosed purpose, retained per §08 Retention, and never used for cross-context behavioral advertising. California residents may limit use of sensitive PI — see §12 Do Not Sell / Share.
04How We Use Information
- To operate, maintain, and improve the platform.
- To route experts to tasks matching their domain, tier, and language.
- To process compensation, taxes, and reporting obligations.
- To verify identity, prevent fraud, and maintain audit trails.
- To comply with legal, regulatory, and contractual obligations.
- To communicate operational updates, security advisories, and product changes.
05Sharing & Disclosure
We share information only in the following circumstances:
- With customers and partners, scoped to the specific engagement and governed by contract.
- With service providers (cloud, payments, identity verification, communications) operating under data-processing agreements — full list in §06 Sub-processors.
- For legal compliance when required by valid legal process in the applicable jurisdiction.
- In business transactions (acquisition, merger), with privacy commitments transferred to the successor.
06Sub-processors
The categories and named entities below are material sub-processors that process personal information on Teehoo AI's behalf. All operate under written data-processing agreements with confidentiality, security, and compliance flow-down obligations. Customers receive notice of material changes at least 30 days in advance per the engagement DPA.
An always-current machine-readable list is maintained at teehooai.com/sub-processors (publishing on or before public launch). Enterprise customers may subscribe to email notifications of changes.
07Data Residency & Transfers
Engagements requiring jurisdictional data residency are bound to in-region infrastructure per the contract:
- China-bound engagements — processed and stored on Tencent Cloud China region; no cross-border egress.
- Global engagements — routed through infrastructure scoped to the contract's geographic posture (AWS / GCP regions disclosed at contracting).
- Cross-border transfers from the EEA / UK / Switzerland to the US or other third countries rely on the EU Commission's Standard Contractual Clauses (Module 2 / 3 as applicable) with supplementary measures (encryption in transit and at rest, tenant isolation). Where the EU Commission ban or invalidates a transfer mechanism, we will adopt alternative mechanisms (Binding Corporate Rules, regional hosting, or transfer suspension) within the timeline required by the supervisory authority.
- PIPL outbound transfer from PRC residents is restricted to the mechanisms permitted by the CAC (security assessment, standard contract, or certification, as applicable).
08Retention
We retain information only as long as necessary for the disclosed purpose, legal/contractual obligations, and dispute resolution. Specific windows by data category:
On account deletion: account profile is anonymized within 90 days; data categories with longer regulatory windows (tax, audit, payment) are retained per the schedule above and then deleted.
09Security
Architectural practices in place:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Tiered access control with permission routing.
- Network segregation by tenant.
- Full audit logs for sensitive operations.
Certification status: SOC 2 and ISO 27001 alignment in progress; not yet certified. We disclose certification status accurately and do not claim certifications we have not earned. See our Security & Compliance page for full architectural disclosure.
10Automated Decision-Making
We use automated and semi-automated processing in the following areas:
- Expert-to-task routing — algorithmic matching of experts to engagement tasks based on disclosed domain, tier, language, and cohort. Routing recommendations are reviewed by a human operator before any task is dispatched; no expert is routed to a task solely by algorithm.
- Tier assignment — initial tier is suggested by structured signal (credentials, verification, sample-task quality) and confirmed by a human reviewer. Tier changes are not made solely by automated means.
- Fraud / abuse detection — automated signals (rate, geo anomaly, pattern) flag accounts for human review. Account restrictions are applied only after human investigation except for time-critical lockouts (which are reversible on appeal).
- Customer-side application AI — when a customer engagement uses AI for downstream decisions (e.g. model evaluation grading), that processing is governed by the customer's own privacy notice and our DPA with that customer.
Under GDPR Art. 22 / CPRA / PIPL, you have the right to: (i) request human review of any decision that materially affects you, (ii) contest the outcome, and (iii) receive an explanation of the logic involved. To exercise these rights contact privacy@teehooai.com.
11Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you.
- Request correction or deletion.
- Withdraw consent where processing is based on consent.
- Object to or restrict certain processing.
- Data portability.
- Non-discrimination for exercising your rights.
- Lodge a complaint with your local data protection authority.
To exercise these rights, contact privacy@teehooai.com. We respond within 30 days or the period required by applicable law. We will verify your identity before fulfilling sensitive requests.
12Do Not Sell / Share (CCPA / CPRA)
Teehoo AI does not sell personal information for money and does not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act.
California residents nonetheless have an absolute right to direct that we not sell or share their personal information, and to limit the use of sensitive personal information to those purposes necessary to provide the service. To exercise these rights:
- Email privacy@teehooai.com with the subject line "Do Not Sell / Share — California".
- Use the "Do Not Sell or Share My Personal Information" link in the site footer.
- Configure the Global Privacy Control (GPC) signal in your browser — we honor GPC as a valid opt-out request.
We will not discriminate against you (in service, price, or quality) for exercising any privacy right.
13Cookies & Tracking
We use a minimal set of cookies for session management, security, and analytics. We do not deploy third-party advertising trackers. Cookies set on first visit:
You can withdraw consent at any time via the cookie banner footer link. Strictly necessary cookies (session, CSRF, consent record) operate without consent as permitted by ePrivacy Directive Art. 5(3).
14Children's Privacy
The Teehoo AI platform is not directed at children under 16. We do not knowingly collect information from minors. If you believe a minor has provided us information, contact privacy@teehooai.com for prompt removal.
15Changes to This Policy
We update this policy as the service and applicable law evolve. Material changes will be communicated by email to active users or via prominent notice on the site at least 14 days before taking effect. Continued use after the effective date constitutes acceptance. A change log will be maintained at teehooai.com/privacy/changelog.
16Contact & Controller
Data Controller
- Fullhouse Asset Management LLC · California limited liability company · operating Teehoo AI · Los Angeles, California, USA · postal address available on request to privacy@teehooai.com. A Delaware C-corporation may be established as a successor contracting entity in the future.
- PRC affiliate · for engagements operated under our China-region entity. Affiliate name disclosed in the China-region engagement contract.
EU / UK Representative
Teehoo AI does not currently target the EU or UK markets as a primary commercial cohort. Where an engagement nonetheless brings us within the scope of GDPR Art. 27 / UK GDPR Art. 27, we will appoint a representative before processing begins and disclose the representative's contact details to affected data subjects in the engagement notice. Until such an engagement is in place we do not maintain a standing EU / UK representative. EU / UK residents who wish to contact us in the interim may write directly to privacy@teehooai.com.
Privacy team & supervisory authority
- Privacy team: privacy@teehooai.com
- Security disclosures: security@teehooai.com
- General: hello@teehooai.com
California residents may also contact the California Privacy Protection Agency (cppa.ca.gov). EU / EEA residents may contact their local data protection authority. PRC residents may contact the Cyberspace Administration of China through the channels published at cac.gov.cn.