Privacy Policy

Constrix operates a constitutional AI governance runtime platform that enables organizations to enforce deterministic, cryptographically-sealed governance policies on AI system interactions. This Privacy Policy applies to data processed through the Constrix website (constrix.ai), the Constrix API, the Admin Portal, and all related services (collectively, the "Service").

Constrix acts as a data controller for account and usage data, and as a data processor for evaluation inputs and CAPL audit logs that contain content submitted by you.

Account Information

• Name and email address (required for account creation and communication).
• Organization name and billing address.
• Payment information (processed by our payment provider — we do not store card numbers).
• API keys and authentication credentials (hashed; not stored in plaintext).

Usage and Technical Data

• Evaluation request metadata: timestamps, policy IDs, decision outcomes (allow/restrict/deny/kill), latency metrics.
• CAPL audit entries produced by your evaluations (sealed with Ed25519, encoded in CBOR).
• API access logs: IP addresses, user agent strings, request timestamps, HTTP status codes.
• Admin Portal activity: pages viewed, actions taken, session duration.
• Error reports and diagnostic data to help us identify and fix issues.

Communications

• Emails you send to support@constrix.ai and our responses.
• Feedback, bug reports, or feature requests you submit.

What We Do Not Collect

• We do not inspect the content of evaluation inputs unless you explicitly share them with us for support purposes.
• We do not collect biometric data, health information, or government identification numbers.
• We do not sell your data to third parties.

• Service delivery: provisioning your account, processing evaluations, storing CAPL audit logs per your plan's retention period.
• Billing: processing subscription payments and overage charges.
• Security: detecting and preventing unauthorized access, abuse, or attacks.
• Product improvement: analyzing aggregated, anonymized usage patterns to improve the Service.
• Communication: sending service notices, security alerts, billing receipts, and (with your consent) product updates.
• Legal compliance: meeting our obligations under applicable law, including responding to valid legal process.

We process your data on the following legal bases: performance of our contract with you (delivering the Service and billing); legitimate interests (security, fraud prevention, product improvement); legal obligation (compliance with applicable law); and your consent where we request it explicitly.

We retain your data for as long as your account is active and for a reasonable period afterward to comply with legal obligations and resolve disputes.

• CAPL audit logs: retained for the period defined by your subscription plan — Free (30 days), Starter (90 days), Pro (365 days), Enterprise (custom). After this period, CAPL entries are permanently and irreversibly deleted.
• Account information: retained for the duration of your account and for up to 3 years after account deletion for legal and billing purposes.
• API access logs: retained for up to 90 days for security and diagnostic purposes.
• Payment records: retained as required by applicable tax and financial regulations (typically 7 years).
• Support communications: retained for up to 3 years to maintain service history.

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

• Service providers: We use trusted third-party providers for payment processing, cloud infrastructure, and email delivery. These providers process data only on our behalf and under our instructions.
• Legal requirements: We may disclose data when required by law, court order, or government authority, or when we believe disclosure is necessary to protect our rights or the safety of others.
• Business transfers: If Constrix is acquired or merges with another entity, your data may be transferred as part of that transaction. We will notify you in advance and provide opt-out options where required by law.
• With your consent: We may share data in other ways if you give us explicit permission.

Security is fundamental to the Constrix platform. We implement the following technical measures to protect your data:

• TLS 1.3 for all data in transit — no plaintext communication is permitted.
• Ed25519 cryptographic seals on all CAPL audit entries — ensuring tamper-evidence.
• API keys are stored as cryptographic hashes and never in plaintext.
• Database encryption at rest.
• Role-based access controls limiting data access to authorized personnel.
• Regular security reviews and penetration testing.

Despite these measures, no system can guarantee absolute security. You are responsible for protecting your API keys and account credentials. Notify us immediately at support@constrix.ai if you suspect unauthorized account access.

The Constrix website (constrix.ai) uses a minimal set of cookies:

• Strictly necessary cookies: Required for session management and authentication in the Admin Portal. These cannot be disabled without breaking the Service.
• Preference cookies: Store your language preference (English/Arabic). No personal data is linked to these.
• Analytics cookies: We use privacy-respecting, cookieless analytics to understand aggregate page traffic. No personal identifiers are collected.

We do not use advertising cookies, cross-site tracking pixels, or third-party behavioral profiling. You can manage cookie preferences through your browser settings.

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data, subject to our legal retention obligations.
• Portability: Request your data in a structured, machine-readable format.
• Objection / Restriction: Object to or request restriction of certain processing activities.
• Withdraw consent: Where processing is based on your consent, withdraw it at any time without affecting prior processing.
• Complaint: Lodge a complaint with your relevant data protection authority.

To exercise any of these rights, contact us at support@constrix.ai with the subject line "Privacy Request — [Right you wish to exercise]". We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.

Constrix operates infrastructure in multiple regions. Your data may be processed in countries other than your own. Where data is transferred internationally, we apply appropriate safeguards including standard contractual clauses, adequacy decisions, or other legally recognized mechanisms to protect your data.

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. Contact us at support@constrix.ai if you believe we have collected data from a child.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) or through a notice in the Admin Portal at least 14 days before the changes take effect.

The "Last updated" date at the top of this policy reflects the most recent revision. We encourage you to review this policy periodically.

For privacy-related inquiries, requests, or complaints, please contact us:

• Email: support@constrix.ai
• Subject line: Privacy — [Your inquiry]
• Website: constrix.ai/privacy

We are committed to resolving privacy concerns promptly and transparently.