Published 2026-05-22 · Reviewed quarterly
AI Usage Policy.
How Conversion System uses AI tools. What data goes in, what does not, who reviews outputs, what gets logged. One page. We told prospects to write one (it is recommendation #8 in our AI Marketing Maturity Benchmark). We owed it to them to ship one ourselves.
Section 1 of 5
What data is allowed in AI tools.
- Public marketing copy, blog drafts, headline variants, and any text already published on conversionsystem.com or its public surfaces.
- Internal documentation, methodology notes, brand voice guidelines, and any content explicitly tagged as internal-only or public.
- Aggregated, de-identified analytics: traffic by source, conversion rates, lead scoring outputs, performance by post.
- Code in this repository (public via GitHub) and our own engineering artifacts: tests, schemas, configuration, deployment scripts.
- Client work product the client has authorized in writing to be processed by AI tools, scoped to the engagement and revoked when the engagement ends.
Section 2 of 5
What data is not.
- Customer or prospect personal identifying information: names, emails, phone numbers, addresses, anything that resolves to a real human outside our team.
- Financial data: credit card numbers, bank account information, internal financials, client billing data, payment processor tokens.
- Anything covered by NDA, mutual confidentiality agreement, or client-specific data handling clauses. When in doubt, the answer is no.
- Credentials: API keys, passwords, tokens, webhook secrets, JWT secrets. Even in development. Even "just for testing." The `logger` utility redacts these from logs; AI tool prompts do not get the same protection by default.
- Regulatory data: anything covered by HIPAA, PCI, GDPR, CCPA, or industry-specific compliance regimes that govern our clients.
Section 3 of 5
Who reviews AI outputs.
- The named owner of the workflow reviews every output before it ships externally. Not a committee. Not a queue. One person whose name is on the deliverable.
- Public-facing copy (blog posts, landing pages, emails, social posts) is reviewed by the named author for voice, accuracy, brand compliance, and the v3.0 voice rules (no em-dashes, no banned words, named numbers).
- Code is reviewed under the same quality bar as human-written code: TypeScript strict, tests required, brand and security anti-patterns enforced. The CLAUDE.md anti-pattern list is the floor.
- Client deliverables (audits, blueprints, sprint reports) are reviewed by the engagement owner before they leave our system. Every claim has a name, a number, and a date.
Section 4 of 5
What gets logged.
- Which AI tool ran, what kind of task, who ran it, when. Logged as part of normal session telemetry under `~/.gstack/analytics/` for internal sessions.
- Prompt text is not logged verbatim because it can include client snippets covered by confidentiality. Hashes and categories are logged instead.
- Server-side logs use the redacting `logger` in `src/utils`, which strips any field whose key matches `/api[_-]?key|secret|token|password|authorization|webhook[_-]?secret|bearer/i` before writing. The match is on field names, not values: a secret pasted into a free-text field such as a message body is not caught by this rule.
- Lead capture events (audits, benchmark submissions, contact forms) log only the data that crosses the form boundary, processed through `processLeadSafely` and tagged with consented attribution.
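The two gaps named above (a key-matching redactor covers structured logs but not free-text prompts, and prompt text is hashed rather than stored) can be closed with one small pre-flight step in front of every AI call. The TypeScript below is an added example, not code from the Conversion System repository: `redactByKey` applies the key pattern quoted on this page to a nested record, `redactFreeText` is an assumed extra pass that reuses the same key names inside prose and adds a bare "Bearer <token>" rule, and `prepareAiPrompt` produces the telemetry record (tool, task, user, time, SHA-256 of the sanitized prompt) without the prompt itself. Function names, the inline-text rules and the sample input are constructed for this example.

```typescript
// Added example (not the Conversion System code base): a key-based redactor of the
// kind this page describes, applied to a log record and to an AI prompt payload.
import { createHash } from "node:crypto";

// Key pattern quoted on this page.
export const SECRET_KEY_PATTERN =
  /api[_-]?key|secret|token|password|authorization|webhook[_-]?secret|bearer/i;
export const REDACTED = "[REDACTED]";

export type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

// Walk a structured value and replace the value of every field whose KEY matches
// the pattern. Nested objects and arrays are descended, so depth does not matter.
export function redactByKey(value: Json, pattern: RegExp = SECRET_KEY_PATTERN): Json {
  if (Array.isArray(value)) return value.map((v) => redactByKey(v, pattern));
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(value as { [k: string]: Json })) {
      out[k] = pattern.test(k) ? REDACTED : redactByKey(v, pattern);
    }
    return out;
  }
  return value;
}

// Key-based redaction only sees keys. A prompt is free text, so a secret pasted as
// "api_key=abc" or "Authorization: Bearer eyJ..." has no key to match. This pass
// (an assumption of this example, not a rule from the page) reuses the same key
// names inside prose and adds a bare "Bearer <token>" rule.
const INLINE_SECRET = new RegExp(
  `\\b(${SECRET_KEY_PATTERN.source})(\\s*[:=]\\s*["']?)(Bearer\\s+)?([^\\s"',;]+)`,
  "gi",
);
const BARE_BEARER = /\bBearer\s+[A-Za-z0-9._~+\/=-]+/gi;

export function redactFreeText(text: string): { text: string; count: number } {
  let count = 0;
  // Run the key=value rule first so "Authorization: Bearer x" keeps its shape and
  // the bare-Bearer rule then has nothing left to match in that span.
  let out = text.replace(
    INLINE_SECRET,
    (_m: string, key: string, sep: string, bearer: string | undefined) => {
      count += 1;
      return `${key}${sep}${bearer ?? ""}${REDACTED}`;
    },
  );
  out = out.replace(BARE_BEARER, () => {
    count += 1;
    return `Bearer ${REDACTED}`;
  });
  return { text: out, count };
}

// What gets logged: tool, task category, user, time, a hash of the prompt, and how
// many redactions fired. Never the prompt text. (Record shape is an assumption.)
export interface PromptLogRecord {
  tool: string;
  task: string;
  user: string;
  at: string;
  promptSha256: string;
  redactions: number;
}

export function prepareAiPrompt(
  tool: string,
  task: string,
  user: string,
  prompt: string,
  context: Json,
): { prompt: string; context: Json; record: PromptLogRecord } {
  const { text, count } = redactFreeText(prompt);
  const safeContext = redactByKey(context);
  const record: PromptLogRecord = {
    tool,
    task,
    user,
    at: new Date().toISOString(),
    promptSha256: createHash("sha256").update(text).digest("hex"),
    redactions: count,
  };
  return { prompt: text, context: safeContext, record };
}

// Constructed sample input: a pasted header and an API key in the prompt, a webhook
// secret in the structured context.
const sample = prepareAiPrompt(
  "llm-vendor-x",
  "blog-draft",
  "alice",
  "Summarize the docs. Auth uses Authorization: Bearer eyJhbGci.abc.def and api_key=sk_live_123",
  { page: "/pricing", webhook_secret: "whsec_constructed" },
);
console.log(sample.prompt);
console.log(JSON.stringify(sample.context));
console.log(JSON.stringify(sample.record));
```

The ordering inside `redactFreeText` matters: if the bare-Bearer rule ran first it would consume the word "Bearer", and the key rule would then redact the literal "Bearer" and leave the token behind. The hash is taken over the sanitized prompt, so a leaked log cannot be used to confirm a guessed secret by re-hashing.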
Section 5 of 5
How this policy stays alive.
- Reviewed quarterly in the same meeting where security policy is reviewed. The review either confirms no changes or amends this page; either way the date at the top moves.
- Embedded in tool selection. No new AI tool is purchased without a written check against this policy. The check names the data the tool will see, the workflow owner, and the 90-day kill criteria.
- Named in onboarding. Every new hire reads this page on day one and signs that they have read it. If a sentence does not make sense, that is a defect in the policy and we fix it.
- Reachable by URL. This page lives at `/ai-policy` for as long as Conversion System operates. The git history of `src/routes/pages/ai-policy.ts` is the public revision log.
Next step
Want to write your own?
Take the benchmark. If you score below 7 on the governance dimension, the one-page policy is in your top three moves. You can copy the structure of this page; you cannot copy the answers, because the answers depend on your data and your clients.