# App Privacy Policy

### YouDesign Transformation Suite — for ServiceNow Store Applications

#### 1. Introduction

This App Privacy Policy ("Policy") describes how ins-pi Inc. (Miami, FL, USA) and ins-pi GmbH (Cologne, Germany) handle data in connection with the YouDesign Transformation Suite applications ("Applications" or "Apps") available through the ServiceNow Store. ins-pi Inc. and ins-pi GmbH are referred to collectively as "ins-pi," "Supplier," "we," "our," or "us" throughout this Policy. Each Application is offered by a specific ins-pi entity as identified in Section 2.

This Policy applies specifically to the Applications as installed and operated on the Customer's ServiceNow Platform instance. It is separate from and supplementary to the [ins-pi corporate Privacy Policy](https://www.ins-pi.com/privacy), which governs data collected through the ins-pi website and marketing activities.

This Policy should be read in conjunction with the applicable ins-pi Software License Agreement (Terms & Conditions) governing the Customer's use of the Applications.

***

#### 2. Applications Covered

This Policy covers the following Applications within the YouDesign Transformation Suite:

| Application                                                 | Supplier    | License | AI Features | Data Masking | Privacy Tier |
| ----------------------------------------------------------- | ----------- | ------- | ----------- | ------------ | ------------ |
| [YouDesign Freelucy](https://docs.ins-pi.com/freelucy/)     | ins-pi GmbH | Free    | None        | None         | Tier 1       |
| [YouDesign Blueprints](https://docs.ins-pi.com/blueprints/) | ins-pi Inc. | Paid    | None        | None         | Tier 1       |
| [YouDesign Models](https://docs.ins-pi.com/models/)         | ins-pi Inc. | Paid    | Optional    | Yes          | Tier 2       |
| [YouDesign Processes](https://docs.ins-pi.com/processes/)   | ins-pi Inc. | Paid    | None        | None         | Tier 1       |
| [YouDesign Command](https://docs.ins-pi.com/command/)       | ins-pi GmbH | Paid    | Optional    | Yes          | Tier 2       |

The Applications are classified into two privacy tiers based on their data handling characteristics. Tier 1 applications operate entirely within the Customer's ServiceNow instance with no external data transmission. Tier 2 applications include optional AI features that, when enabled and configured by the Customer, may transmit data to an external AI provider as described in Section 6.

YouDesign Freelucy and YouDesign Command are developed and offered by ins-pi GmbH (Cologne, Germany). YouDesign Blueprints, YouDesign Models, and YouDesign Processes are developed and offered by ins-pi Inc. (Miami, FL, USA). The Supplier entity identified for each Application is the contracting party under the applicable Software License Agreement. Regardless of which entity is the Supplier, the data handling principles and commitments in this Policy apply uniformly to all Applications.

YouDesign Blueprints is a Tier 1 application. It operates with a zero external data footprint — no data is transmitted outside your ServiceNow instance.

***

#### 3. Fundamental Data Handling Principles

The following principles apply to all Applications in the YouDesign Transformation Suite:

* **No Data Collection by ins-pi.** The Applications do not collect, transmit, store, or send any data to ins-pi. ins-pi does not operate any servers, endpoints, or infrastructure that receive data from the Applications.
* **No Telemetry or Analytics.** The Applications do not contain telemetry, usage analytics, tracking pixels, or any mechanism that reports information back to ins-pi or any third party. Note: The ServiceNow Platform and ServiceNow Store may independently collect platform-level usage or installation data in accordance with the Customer's agreement with ServiceNow. Such collection, if any, is performed by ServiceNow and is outside ins-pi's control.
* **No Access to Customer Instances.** ins-pi personnel do not have access to the Customer's ServiceNow instance or any data therein, unless the Customer explicitly grants such access for consulting or technical support purposes.
* **ServiceNow Platform Security Inheritance.** The Applications are certified by ServiceNow and run entirely within the ServiceNow Platform's security perimeter. All platform security controls, access management, encryption, and audit capabilities apply to data managed by the Applications.
* **No Standalone Operation.** The Applications are installed as certified plugins from the ServiceNow Store and cannot operate outside of the ServiceNow Platform.
* **No Personal Data Processing by ins-pi.** ins-pi does not host, store, manage, or process any personal data as part of the Applications. All data remains within the Customer's ServiceNow instance under the Customer's control.

***

#### 4. Data Within the Customer's Instance

**4.1 Data Created and Managed by the Applications**

The Applications enable Customers to create, manage, and visualize enterprise architecture and transformation data within their ServiceNow instance. This may include, depending on the Application, information about applications, business capabilities, business services, processes, relationships between enterprise objects, diagrams, models, and associated metadata.

All such data is stored exclusively within the Customer's ServiceNow instance, governed by the Customer's own data management policies, and subject to the ServiceNow Platform's security and access controls.

**4.2 Personal Data Considerations**

The Applications are designed for enterprise architecture and transformation management. They are not designed to collect or process personal data. However, if a Customer chooses to store personal data within fields managed by the Applications (for example, naming individuals as application owners or business capability contacts), such data remains entirely within the Customer's ServiceNow instance and is subject to the Customer's own data protection policies and procedures.

Given that ins-pi does not access, receive, or process any data within the Customer's ServiceNow instance under normal operating conditions, ins-pi does not act as a data controller or data processor with respect to such data. The Customer retains sole control over the data within its instance, including any personal data that may be stored in fields managed by the Applications.

***

#### 5. Tier 1 Applications (No AI Features)

The following Applications are classified as Tier 1: YouDesign Freelucy (offered by ins-pi GmbH), YouDesign Blueprints (offered by ins-pi Inc.), and YouDesign Processes (offered by ins-pi Inc.).

Tier 1 Applications operate with a zero external data footprint:

* No data is transmitted outside the Customer's ServiceNow instance.
* No external APIs, services, or endpoints are called by the Application.
* No AI, machine learning, or generative AI features are included.
* All processing occurs entirely within the ServiceNow Platform's security perimeter.
* The Applications inherit all ServiceNow Platform security, encryption, and access control mechanisms.

For Tier 1 Applications, ins-pi's data handling obligation is limited to ensuring the Application code itself does not introduce vulnerabilities or unauthorized data transmission pathways, which is verified through the ServiceNow certification process for each release.

***

#### 6. Tier 2 Applications (Optional AI Features)

The following Applications are classified as Tier 2: YouDesign Models (offered by ins-pi Inc.) and YouDesign Command (offered by ins-pi GmbH).

Tier 2 Applications include all the data handling characteristics of Tier 1 Applications as their baseline. In addition, they offer optional AI-assisted features that, when enabled and configured by the Customer, involve communication with an external AI provider API. These AI features are entirely optional. When AI features are not enabled, Tier 2 Applications operate identically to Tier 1 Applications.

**6.1 AI Feature Data Flow**

When AI features are enabled, the following data flow applies:

<table><thead><tr><th width="186.76953125">Step</th><th>Description</th></tr></thead><tbody><tr><td>API Configuration</td><td>The Customer configures the AI provider API connection (e.g., endpoint URL, API key) directly within their ServiceNow instance. ins-pi does not provide, manage, or have access to these credentials.</td></tr><tr><td>Data Selection</td><td>The Application identifies data within the Customer's instance that is relevant to the AI-assisted operation requested by the end user.</td></tr><tr><td>Data Masking</td><td>Before any data is transmitted, the Application's built-in masking engine processes the selected data within the Customer's instance. The Customer may configure masking rules. An option is available to not share real data; data content is masked before any external API call.</td></tr><tr><td>API Transmission</td><td>The masked (or unmasked, per Customer configuration) data is transmitted directly from the Customer's ServiceNow instance to the Customer's configured AI provider. No data passes through any ins-pi infrastructure.</td></tr><tr><td>Response Handling</td><td>The AI provider's response is received directly by the Customer's ServiceNow instance and processed by the Application within that instance.</td></tr></tbody></table>

**6.2 Data Masking**

The Applications provide a built-in data masking capability that operates within the Customer's ServiceNow instance. When enabled, this feature replaces sensitive data content with masked values before any data is transmitted to the AI provider API. The masking is performed locally within the Customer's instance; no unmasked data leaves the instance when masking is active.

The Customer has the option to configure whether data masking is applied and may customize masking rules according to their data protection requirements. ins-pi provides the masking capability as a tool; the Customer is solely responsible for enabling, configuring, testing, and validating masking rules in accordance with their own data governance and compliance requirements. ins-pi does not warrant that the masking capability will satisfy any particular regulatory, contractual, or organizational requirement of the Customer. The Customer should independently verify that the masking configuration meets their needs before enabling AI features with production data.

**6.3 Customer Responsibility for AI Provider Relationships**

The Customer is solely responsible for:

* Selecting and contracting with their chosen AI provider.
* Configuring the API connection within their ServiceNow instance.
* Managing API credentials and access controls.
* Evaluating the AI provider's privacy and data handling practices.
* Determining whether the data transmitted (masked or unmasked) meets their compliance and data protection requirements.
* Ensuring compliance with any applicable regulations regarding the use of AI services and the transfer of data to the AI provider.

ins-pi does not recommend, endorse, certify, or assume any responsibility for any third-party AI provider. The Customer's agreement with their AI provider governs the AI provider's handling of any data received.

**6.4 ins-pi's Role in the AI Data Flow**

ins-pi's role is strictly limited to providing the Application code that enables the AI feature functionality. ins-pi does not:

* Act as an intermediary, proxy, or relay for any data transmitted to AI providers.
* Have access to, intercept, log, or store any data transmitted between the Customer's instance and the AI provider.
* Provide, host, or operate the AI provider service.
* Process any data as a data processor or sub-processor in connection with the AI features.
* Have access to the Customer's API credentials or AI provider account.

***

#### 7. Support and Consulting Access

When the Customer grants ins-pi personnel access to their ServiceNow instance for technical support or consulting purposes, ins-pi will handle any data encountered in accordance with the confidentiality provisions of the applicable ins-pi Software License Agreement (Terms & Conditions).

Such access is granted solely at the Customer's discretion, is limited to the scope and duration required for the support or consulting engagement, and is subject to the Customer's own access management controls within their ServiceNow instance. ins-pi personnel will not extract, copy, or retain Customer data beyond what is strictly necessary to perform the support or consulting task.

***

#### 8. Sub-Processors

ins-pi does not engage any sub-processors in connection with the Applications. As stated in this Policy, ins-pi does not receive, process, or store any Customer data through the Applications.

For Tier 2 Applications with AI features enabled, the Customer's chosen AI provider is not a sub-processor of ins-pi. The AI provider relationship is directly between the Customer and the AI provider, and is governed by the Customer's own agreement with that provider.

***

#### 9. International Data Transfers

The Applications themselves do not transfer data internationally. All Application data resides within the Customer's ServiceNow instance, hosted in the data center region selected by the Customer under their agreement with ServiceNow.

For Tier 2 Applications, if the Customer configures an AI provider API endpoint located in a different jurisdiction, the Customer is responsible for ensuring that any resulting data transfer complies with applicable data protection regulations, including GDPR, the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other applicable transfer mechanisms.

***

#### 10. Data Retention and Deletion

All data created or managed by the Applications is stored within the Customer's ServiceNow instance and is subject to the Customer's own data retention and deletion policies.

Upon termination or expiration of the Application subscription, the Customer is responsible for removing the Application from their ServiceNow instance in accordance with the applicable Terms & Conditions. Any data created by the Application remains within the Customer's instance and under the Customer's control. ins-pi does not retain any copy of Customer data, as ins-pi never receives such data in the first instance.

***

#### 11. Security

The Applications are certified by ServiceNow for each release, including hot fixes and patches. This certification process includes security review. The Applications inherit all security capabilities of the ServiceNow Platform, including but not limited to:

* Role-based access control (RBAC) and access control lists (ACLs).
* Platform-level encryption for data at rest and in transit.
* Audit logging and monitoring.
* Multi-factor authentication support.
* Session management and timeout controls.

ins-pi warrants that the Applications do not contain malicious code, backdoors, or unauthorized data transmission mechanisms, as stated in the applicable Terms & Conditions.

***

#### 12. Open-Source Components

The Applications incorporate certain open-source software components as described in the applicable Terms & Conditions. These components operate entirely within the Customer's ServiceNow instance and do not independently collect, transmit, or process data outside of the instance. A list of open-source components is available upon request.

***

#### 13. Children's Privacy

The Applications are enterprise software tools intended for business use. They are not directed at or intended for use by individuals under the age of 16. ins-pi does not knowingly collect or process personal data of children through the Applications.

***

#### 14. Data Protection and Regulatory Compliance

**14.1 ins-pi's Role Under Data Protection Law**

The Applications are software tools that run entirely within the Customer's ServiceNow instance. ins-pi provides the Application code; it does not access, receive, store, or process any data within the Customer's instance under normal operating conditions. On this basis, ins-pi does not act as a data controller or data processor with respect to data within the Customer's instance for purposes of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or other applicable data protection legislation.

For Tier 2 Applications with AI features enabled, ins-pi's role remains limited to providing the Application code. ins-pi does not determine the purposes or means of any data processing that occurs when data is transmitted to the Customer's configured AI provider. The Customer determines whether to enable AI features, which data to transmit, whether to apply masking, and which AI provider to use.

For Applications offered by ins-pi GmbH (YouDesign Freelucy, YouDesign Command), the governing law and venue provisions of the ins-pi GmbH Software License Agreement apply, with jurisdiction in Cologne, Germany. For Applications offered by ins-pi Inc. (YouDesign Blueprints, YouDesign Models, YouDesign Processes), the governing law and venue provisions of the ins-pi Inc. Software License Agreement apply, with jurisdiction in Florida, USA. Regardless of the governing jurisdiction, the data handling commitments in this Policy apply uniformly.

In the limited circumstance where the Customer grants ins-pi personnel access to the Customer's instance for support or consulting purposes, and such access involves exposure to personal data, ins-pi acknowledges that it may be considered a data processor for the duration and scope of that access. In such cases, the applicable data processing arrangements are governed by the Terms & Conditions and any supplementary data processing agreement between the parties.

**14.2 Customer Responsibilities**

The Customer is the data controller for all data within their ServiceNow instance, including any data managed through the Applications. The Customer is responsible for:

* Determining the lawful basis for processing any personal data stored within the Applications.
* Implementing appropriate technical and organizational measures for data protection.
* Responding to data subject access requests related to data managed by the Applications.
* Conducting Data Protection Impact Assessments (DPIAs) where required, including for the use of AI features in Tier 2 Applications.
* Ensuring compliance with applicable data protection regulations for any data transmitted to AI providers through Tier 2 Application features.

**14.3 Data Subject Rights**

As ins-pi does not have access to or control over data within the Customer's ServiceNow instance, data subject requests (including access, rectification, erasure, restriction, portability, and objection requests) must be directed to the Customer. ins-pi will cooperate with the Customer as reasonably necessary to fulfill such requests, to the extent ins-pi is involved (e.g., during a support engagement).

***

#### 15. Incident Notification

If ins-pi becomes aware of any security vulnerability in the Application code that could affect the privacy or security of data within Customer instances, ins-pi will notify affected Customers without undue delay (and in any event within 72 hours of becoming aware of the vulnerability, where such vulnerability may involve personal data) and will provide a remediation plan, including expedited patches through the ServiceNow certification process where applicable. Notification timelines are subject to the constraints of the ServiceNow certification process, which may affect the availability of a certified fix.

Any security incidents related to the Customer's ServiceNow Platform instance, the Customer's AI provider, or the Customer's own systems are outside the scope of ins-pi's incident notification obligations under this Policy.

***

#### 16. Changes to This Policy

ins-pi may update this Policy from time to time to reflect changes in the Applications, legal requirements, or best practices. Material changes will be communicated to Customers through the ServiceNow Store listing and/or the ins-pi website. The effective date at the top of this Policy indicates when the most recent revision took effect.

***

#### 17. Scope and Limitations

**17.1 Relationship to Terms & Conditions**

This Policy is informational and describes ins-pi's data handling practices in connection with the Applications. It does not create contractual obligations beyond those set forth in the applicable ins-pi Software License Agreement (Terms & Conditions). In the event of any conflict between this Policy and the Terms & Conditions, the Terms & Conditions shall prevail. All limitations of liability, warranty disclaimers, and indemnification provisions in the Terms & Conditions apply to the subject matter of this Policy.

**17.2 No Third-Party Beneficiary Rights**

This Policy is intended solely for the benefit of ins-pi and the Customer as defined in the applicable Terms & Conditions. Nothing in this Policy confers any rights, remedies, or claims upon any third party, including end users of the Customer's ServiceNow instance, data subjects, or any other individual or entity.

**17.3 Disclaimer**

This Policy does not constitute legal advice. Customers are responsible for conducting their own legal and compliance assessments with respect to their use of the Applications, including any use of AI features and the transmission of data to third-party AI providers. ins-pi recommends that Customers consult with their own legal counsel regarding their obligations under applicable data protection laws.

***

#### 18. Contact Information

For questions, concerns, or requests regarding this App Privacy Policy, please contact:

<table><thead><tr><th width="134.44140625">Company</th><th>ins-pi Inc.</th><th>ins-pi GmbH</th></tr></thead><tbody><tr><td><strong>Address</strong></td><td><p>444 Brickell Avenue </p><p>Suite 700 Miami</p><p>FL 33131, USA</p></td><td><p>Im Zollhafen 18 </p><p>50678 Köln</p><p>Germany</p></td></tr><tr><td><strong>Supplier for</strong></td><td><ul><li>YouDesign Blueprints</li><li>YouDesign Models</li><li>YouDesign Processes</li></ul></td><td><ul><li>YouDesign Freelucy</li><li>YouDesign Command</li></ul></td></tr></tbody></table>

**Email:** <legal@ins-pi.com>&#x20;

**Support:** <https://www.ins-pi.com/support>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.ins-pi.com/legal/app-privacy-policy.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.