# {{ORG_NAME}} — AI Usage Policy

**Effective date:** {{EFFECTIVE_DATE}}
**Owner:** {{POLICY_OWNER_NAME}}, {{POLICY_OWNER_TITLE}}
**Review cadence:** {{REVIEW_CADENCE}} (e.g., annually)

## Purpose

This policy describes how staff at {{ORG_NAME}} may and may not use AI tools and AI-enabled features. It exists to (1) protect the company's confidential and personal data, (2) comply with the EU AI Act and other applicable regulations, and (3) make AI adoption auditable.

## Scope

This policy applies to all employees, contractors, and other personnel who use AI tools in the course of their work at {{ORG_NAME}}. It covers:

- Generative AI tools (ChatGPT, Claude, Gemini, Copilot, Perplexity, etc.).
- AI features embedded in other software (e.g., Notion AI, Linear AI, Slack AI).
- AI APIs called from internal code or third-party integrations.

## Approved tool list

Only AI tools that appear in the approved list inside {{REGISTER_LOCATION}} (e.g., "AIRegistra → Tool Register, status = Approved") may be used for {{ORG_NAME}} work. The list is maintained by {{REGISTER_OWNER}} and updated as new tools are vetted.

If you need a tool that is not on the approved list, submit a request through {{REQUEST_PATH}} (e.g., "AIRegistra → Requests"). Do not use unapproved tools for company work.

## Data classification rules

When using an approved AI tool, respect the following data classification rules:

- **Public data** — fine to use with any approved tool.
- **Internal data** — fine to use with approved tools that have a signed DPA on file.
- **Confidential data** — only with approved tools marked as "confidential-cleared" in the register.
- **Restricted data** (PII, health data, payment data, regulated personal data) — never input into any AI tool unless the tool is explicitly approved for that data class and the use is documented.

If you are unsure of a data class, default to the higher restriction.

## Training requirement

All staff who use AI tools for company work must complete AI literacy training as required by Article 4 of the EU AI Act. Training is recorded in {{TRAINING_LOCATION}} (e.g., "AIRegistra → Training"). Initial training: within {{INITIAL_TRAINING_WINDOW}} of starting AI use. Refresher: every {{REFRESHER_CADENCE}}.

## Incident reporting

If you suspect an AI tool has been misused, has handled data inappropriately, or has produced output that may cause harm, report it to {{INCIDENT_CONTACT}} immediately. Reports are tracked in {{INCIDENT_LOCATION}} and investigated by {{INCIDENT_OWNER}}.

## Consequences

Violations of this policy may result in disciplinary action up to and including termination. Specific consequences depend on the severity of the violation and the data involved.

## Review and updates

This policy is reviewed every {{REVIEW_CADENCE}} by {{POLICY_OWNER_NAME}}. Material updates are communicated to all staff and recorded in the company's policy register.

---

**Acknowledgement.** Each employee should acknowledge receipt of this policy on hire and again after each material update. Acknowledgements are stored in {{ACKNOWLEDGEMENT_LOCATION}}.

*This template is provided by AIRegistra (Mindysm OÜ, Tallinn, Estonia) as a starting point. It is general guidance, not legal advice — review with your own counsel before adoption.*