Privacy Policy
Last updated: December 28, 2025
Our Commitment: ProlixoTech is designed with privacy at its core. We encourage hashing of sensitive data before logging, and we never require you to store personally identifiable information (PII) in evidence records.
1. Introduction
Prolixotech ("ProlixoTech", "we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Company name
- Password (hashed and salted)
- Billing information (processed by Stripe)
2.2 Evidence Data
When you use our SDK, you control what data is logged. We recommend:
- Hashing inputs/outputs: Hash sensitive data before logging (e.g., hashlib.sha256(data).hexdigest()) to store only cryptographic digests
- Avoiding PII: Do not include personal information in log metadata
- Policy Context: Log policy names and versions, not the actual policy content
2.3 Integration Data
When you connect third-party integrations (such as Microsoft 365 or AWS), we collect organization metadata, user directory information, and compliance-related configuration data through authorized OAuth connectors. OAuth tokens used for integrations are encrypted at rest using AWS KMS.
2.4 Technical Data
We automatically collect:
- IP addresses (for security and rate limiting)
- API usage metrics
- SDK version and platform information
- Timestamps and event counts
| Data Type | Purpose | Retention |
|---|---|---|
| Account Data | Service delivery, billing | Duration of account + 7 years |
| Evidence Records | Compliance evidence | Duration of subscription + 7 years |
| API Logs | Security, debugging | 90 days |
| Audit Logs | Regulatory compliance | 2 years (required for regulatory compliance) |
| Analytics | Service improvement | Aggregated indefinitely |
3. How We Use Your Information
We use your information to:
- Provide and maintain the ProlixoTech services
- Process transactions and send billing notifications
- Generate attestation documents and compliance reports (on applicable plans)
- Respond to your inquiries and support requests
- Detect, prevent, and address technical issues or fraud
- Comply with legal obligations
4. Data Sharing
We do not sell your data. We may share data with:
- Service Providers: AWS (infrastructure), Stripe (payments), for service delivery only
- Legal Compliance: When required by law, court order, or government request
- Business Transfers: In connection with merger, acquisition, or asset sale
- With Your Consent: For any purpose you explicitly authorize
5. Data Security
We implement robust security measures:
- Encryption in Transit: TLS 1.3 for all API communications
- Encryption at Rest: AES-256 for stored data
- HSM Protection: AWS KMS uses FIPS-validated HSMs; we use KMS for all ECDSA signing operations
- Access Controls: Role-based access, audit logging, MFA supported and recommended
- Security Assessments: Periodic internal security reviews; we may engage third-party assessors as the platform matures
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Portability: Receive your data in a structured format
- Objection: Object to certain processing activities
To exercise these rights, contact privacy@prolixotech.com.
7. International Transfers
We process data in the United States. For EU/EEA users, we rely on Standard Contractual Clauses for lawful data transfers. Our services are designed to support GDPR compliance requirements.
For Enterprise customers requiring a Data Processing Agreement (DPA), please contact legal@prolixotech.com.
8. Children's Privacy
ProlixoTech is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
9. Cookies and Tracking
We use the following browser storage mechanisms:
- Clerk Cookies: Used for authentication session management via our identity provider (Clerk)
- Browser sessionStorage: Stores your API key during the active browser session for authenticated API requests
- localStorage: Stores user preferences such as tenant ID and display settings
We do not use advertising or tracking cookies. Analytics capabilities (Mixpanel, Amplitude, Google Analytics) are integrated but currently disabled. If enabled in the future, we will update this policy and notify users accordingly. You can control cookies through your browser settings.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or through the Services. The "Last updated" date indicates when the policy was last revised.
11. Contact Us
For privacy-related inquiries:
Email: privacy@prolixotech.com
Data Protection Officer: dpo@prolixotech.com
Address: Prolixotech, Delaware, USA