AI Use & Data Policy
Document ID: WBL-POL-AI-v1.0
Effective Date: [DATE]
Last Revised: 2026-02-19
Applies To: All clients and engagements where Webility uses AI tools in service delivery or builds AI-powered systems for Clients.
1. Introduction
Webility ("Agency", "we", "us") uses artificial intelligence tools and platforms as part of our service delivery process. We also build AI-powered systems, automation workflows, and AI agents for our clients as a core service offering.
This AI Use & Data Policy ("Policy") does two things:
- Discloses how we use AI tools internally when delivering services to you
- Governs how we handle data when building AI-powered systems on your behalf
This Policy is incorporated by reference into all Statements of Work (SOW) and the Master Service Agreement (MSA). It complements our Privacy Policy and Intellectual Property Policy.
We believe in transparency around AI. This document tells you exactly what we do with AI and what you should know before working with us.
2. How Webility Uses AI in Service Delivery
2.1 AI-Assisted Work
We use AI tools to enhance the quality and efficiency of our work. AI assistance may be used in the following areas:
| Service Area | How AI Is Used |
|---|---|
| Web Development | Code generation and review, automated testing, bug detection, performance analysis |
| UI/UX Design | Concept ideation, layout suggestions, accessibility checks, copy refinement |
| Branding | Initial concept exploration, color and typography recommendations, moodboarding |
| Copywriting & Content | Drafting, editing, tone adjustment, SEO analysis — always reviewed and refined by human team members |
| AI & Automation Builds | Designing agent architectures, writing system prompts, testing AI workflows |
| Strategy & Research | Market research synthesis, competitor analysis, proposal drafting |
| Project Management | Documentation, meeting summaries, status reports |
2.2 AI Is a Tool, Not a Replacement
All AI-assisted output is reviewed, refined, and validated by qualified Webility team members before delivery. We do not deliver raw, unreviewed AI-generated content to clients. Final Deliverables reflect human judgment, professional expertise, and creative decision-making.
2.3 AI Tools We Use
We work with industry-standard, commercially available AI platforms. These may include, but are not limited to:
- Large Language Models: Claude (Anthropic), GPT-4 (OpenAI), Gemini (Google)
- Design Assistance: Adobe Firefly, Midjourney (for concept ideation only)
- Code Assistance: GitHub Copilot, Cursor, Claude Code
- Automation Platforms: n8n, Make (Integromat), Zapier with AI nodes
- SEO & Research: Perplexity, SEMrush AI features
This list may change as the AI landscape evolves. We use AI tools that offer enterprise-grade privacy controls and do not use Client data to train third-party models where avoidable.
3. What Data We Share With AI Tools
3.1 Our Internal Data Handling Principle
We follow a minimum exposure principle: we share only what is necessary with AI tools to complete a specific task, and we avoid sharing identifiable or sensitive Client data with AI platforms wherever possible.
3.2 What May Be Processed by AI Tools
When delivering services, the following types of information may be processed through AI tools:
| Data Type | May Be Used in AI Tools | Notes |
|---|---|---|
| Project briefs and requirements | Yes | General project context; sensitive specifics are redacted where possible |
| Draft copy and content | Yes | Before client review |
| Code and technical specifications | Yes | Via code assistants (see Section 3.3) |
| Design concepts and references | Yes | Moodboarding and ideation only |
| Personal data (names, emails, customer records) | No — by policy | Must not be entered into consumer AI tools |
| Financial records or sensitive business data | No — by policy | Must not be entered into consumer AI tools |
| Confidential strategic plans | Minimized | Anonymized or paraphrased before AI processing |
3.3 Code & Technical Data
Source code developed for Clients may be processed through AI coding assistants. We use tools with enterprise privacy settings that do not use submitted code to train AI models. If a Client requires that no source code be processed by AI tools, they must notify the Agency in writing at project outset — this may affect timeline and pricing.
3.4 No Training on Client Data
Webility does not use Client data to train AI models for use with other clients or for any purpose other than the services described in the applicable SOW.
4. Building AI Systems for Clients
This section applies when Webility is engaged to design, develop, or deploy AI-powered systems on behalf of a Client — including AI agents, chatbots, automation workflows, recommendation systems, or any other AI-integrated product.
4.1 Data Processing for AI Builds
When building an AI system for a Client, the Agency may process Client data including:
- Sample datasets, historical records, or knowledge bases used to configure or test the AI system
- Business process documentation used to design automation logic
- Customer interaction data used to train or fine-tune chatbot responses (if within scope)
All such data is used solely for the purpose of the contracted build and is handled in accordance with this Policy and the confidentiality obligations in the MSA.
4.2 Data Minimization for AI Builds
Where possible, we will:
- Use anonymized, synthetic, or sample data during development and testing phases
- Request only the minimum data necessary to configure the AI system
- Ensure production data is not used in development or staging environments without explicit Client consent
4.3 Third-Party AI Providers for Client Builds
AI systems built for Clients may rely on third-party AI APIs (e.g., OpenAI, Anthropic, Google Cloud AI). The Client must be aware that:
(a) Data sent to third-party AI APIs is processed by those providers under their own terms of service;
(b) The Agency will disclose all third-party AI providers used in the build at the time of the SOW;
(c) The Client is responsible for ensuring their use of the AI system complies with the applicable API provider's usage policies;
(d) The Agency will recommend API providers with enterprise data privacy agreements where sensitive data is involved.
4.4 Data Residency
If the Client has data residency requirements (e.g., data must remain in Canada or the EU), this must be specified in the SOW. Data residency constraints may affect the choice of AI provider and may impact pricing and feasibility.
4.5 AI Model Selection
Unless specified in the SOW, the Agency selects the AI models and providers best suited to the project's requirements. If the Client has a preference for a specific provider or has an existing API agreement, this should be stated at kickoff.
5. Data Security for AI Integrations
5.1 Credentials & API Keys
All API keys, credentials, and access tokens used in AI builds are:
- Stored securely using environment variables or secret management tools (not hardcoded)
- Shared with the Client securely at handover via an encrypted method
- Never stored in version control repositories
5.2 Access Controls
AI systems built for Clients will incorporate role-based access controls and authentication mechanisms appropriate to the sensitivity of the data processed, as agreed in the SOW.
5.3 Security Testing
For AI systems handling sensitive or personal data, the Agency will conduct basic security testing as part of the build. Penetration testing and formal security audits are out of scope unless explicitly included in the SOW.
6. Privacy & Data Protection Compliance
6.1 Agency Compliance
The Agency's use of AI tools in service delivery is conducted in compliance with applicable data protection laws, including GDPR, PIPEDA, and CCPA. We rely on legitimate interests or contractual necessity as our legal basis for processing project-related data through AI tools, where applicable.
6.2 Client Compliance Responsibility
The Client is solely responsible for ensuring that their use of any AI system built by the Agency complies with all applicable laws, including:
- Privacy laws: GDPR, PIPEDA, CCPA, and any other applicable data protection regulations
- Consumer protection laws: Disclosure obligations around AI-generated content or AI-driven decisions
- Industry-specific regulations: Healthcare (HIPAA), financial services, education, and other regulated sectors
- AI-specific regulations: The EU AI Act, emerging national AI governance frameworks
The Agency will flag known compliance considerations during the build, but does not provide legal compliance advice. Clients operating in regulated industries should engage legal counsel before deploying AI systems.
6.3 AI Disclosure to End Users
If an AI system built by Webility will interact with or make decisions affecting end users, the Client is responsible for:
- Disclosing to end users that they are interacting with an AI system, where required by law or good practice
- Providing end users with appropriate privacy notices covering the AI system's data processing
- Implementing required consent mechanisms
6.4 Data Subject Rights
If an AI system processes personal data of individuals who have rights under GDPR, CCPA, or similar laws (right to access, right to erasure, etc.), the Client is responsible for implementing processes to honor those rights. The Agency will assist in designing such mechanisms if included in the SOW.
7. AI Output Disclaimer
7.1 No Guarantee of Accuracy
AI-generated content and AI system outputs are probabilistic by nature. The Agency does not guarantee that:
- AI-generated content is factually accurate, current, or free from errors
- AI systems will perform consistently or without failure
- AI-generated outputs are free from bias, discrimination, or hallucination
- AI systems will achieve specific business performance metrics (conversion rates, accuracy rates, etc.)
7.2 Human Review Required
For any use case where AI outputs will be used in high-stakes decisions (medical, legal, financial, safety-related), the Client must implement appropriate human review processes. The Agency strongly advises against deploying AI systems in such contexts without robust human oversight.
7.3 Client Validation Responsibility
Before deploying any AI system built by Webility into production, the Client is responsible for:
- Validating the system's outputs against their own standards
- Testing the system with representative real-world inputs
- Establishing monitoring and feedback mechanisms post-launch
8. Intellectual Property in AI Builds
Ownership of AI-related Deliverables follows the Agency's Intellectual Property Policy (WBL-POL-IP-v1.0), with the following AI-specific clarifications:
| Component | Ownership |
|---|---|
| Custom system prompts written for Client's use case | Client (upon full payment) |
| Custom AI agent configurations and workflow logic | Client (upon full payment) |
| Fine-tuned model weights trained on Client data | Client (upon full payment, subject to provider terms) |
| Agency's prompt engineering methodology and frameworks | Agency (Pre-Existing IP) |
| Third-party AI model underlying the system | Third-party provider |
| Client's training data and knowledge base | Client |
9. Transparency Commitments
Webility commits to:
- Disclose which AI tools are used in your project if you ask
- Never represent AI-generated content as entirely human-created where material
- Inform you if a significant change in our AI tooling affects your project
- Not use your Confidential Information to train AI models for other clients
- Recommend privacy-preserving alternatives when sensitive data is involved
10. AI Ethics
We take the responsible use of AI seriously. We will not use AI tools or build AI systems for purposes that:
- Engage in deceptive, manipulative, or coercive practices
- Facilitate illegal discrimination based on protected characteristics
- Enable mass surveillance or tracking of individuals without consent
- Generate or distribute disinformation, deepfakes, or fraudulent content
- Violate applicable laws or the rights of individuals
We reserve the right to decline engagements that conflict with these principles.
11. Policy Updates
The AI landscape is evolving rapidly. This Policy will be reviewed and updated at least annually or whenever there is a material change in our AI tooling or applicable regulations. Updated versions will be published at [webility.local/ai-policy] and communicated to active clients with at least 30 days' notice before applying to ongoing engagements.
12. Contact
For questions about AI use, data handling, or privacy:
Webility
Email: privacy@webility.local
Website: webility.local/ai-policy
Disclaimer: This Policy is for informational purposes. It does not constitute legal advice. Clients deploying AI systems in regulated industries should consult qualified legal counsel.