Privacy Policy
Effective date: December 1, 2025
Overview
This Privacy Policy explains how Ephapsys, Inc. (“Ephapsys,” “we,” “our,” or “us”) collects, uses, discloses, and safeguards information when you use our website, SDK, CLI, APIs, Agent Operation Center (Ops Center), documentation, and related services (collectively, the “Service”).
By using the Service, you agree to this Policy. If you do not agree, do not use the Service. Where required by law, we will obtain your consent separately.
Scope & Roles
For account, billing, marketing, and website analytics data, Ephapsys acts as an independent “controller.” For Customer Data and Agent Artifacts that organizations submit to the Service (e.g., models, agent packages, logs), we act as a “processor” (or “service provider”) and process such data only on your documented instructions and applicable agreements (e.g., DPA, Order Form, Terms).
Key Definitions
“Customer Data” means data you or your users provide to the Service (including personal data). “Agent Artifacts” include models, weights, agent packages, certificates, policies, metadata, logs, and configuration files you upload or generate. “Usage Data” means operational data about how the Service is accessed and used (e.g., features, performance, telemetry). “dPKI Materials” include certificate metadata such as public keys, fingerprints, signatures, revocation status, and host bindings used for secure inference enforcement.
Information We Collect
Account & Organization Data: name, email, password hashes, role, organization name, seat assignments, SSO identifiers, and contact preferences.
Billing Data: billing contact, payment method tokens, invoicing details, and transaction history (payment processors collect and store card data; we receive tokens and limited metadata).
Service & Device Data: IP address, approximate location (derived from IP), user-agent, device/OS/browser info, timestamps, pages viewed, referrer, session identifiers, SDK/CLI versions, API usage, and error logs.
Ops Center & Operational Telemetry: event logs, admin actions, policy changes, agent lifecycle events, modulation step counts, performance counters, and security signals used for auditing and troubleshooting.
dPKI Materials: agent IDs, certificate/public-key metadata, signatures, certificate chains, revocation status, and optional host attestation fingerprints as configured by your organization.
Customer Data & Agent Artifacts: content you submit or generate through the Service (e.g., models, agent packages, configuration, and related metadata), including optional attachments you choose to upload for support.
Cookies & Similar Technologies: we use essential cookies to enable sign-in and security, and optional analytics cookies to understand site usage. You can manage cookie choices via browser settings or banners where applicable.
How We Use Information
To provide and operate the Service, including account creation, authentication, secure inference enforcement via dPKI, agent provisioning and revocation, and usage metering for billing.
To secure the Service, including fraud and abuse monitoring, incident detection, integrity checks, certificate validation, and policy enforcement.
To support you, including responding to tickets, troubleshooting, and improving reliability and performance.
To improve the Service, including analytics on aggregated or de-identified data, feature development, and product research that does not identify you.
To communicate with you, including transactional emails (e.g., critical updates, billing notices) and, where permitted, product announcements or marketing (you can opt out of non-transactional communications).
To comply with law and enforce our agreements, including preventing prohibited conduct and protecting the rights, safety, and property of users and Ephapsys.
Legal Bases
Contract: we process data to provide the Service you requested (e.g., account management, model modulation, agent governance, secure inference, billing).
Legitimate Interests: we process for security, fraud prevention, service improvement, and analytics in ways that do not override your rights and freedoms.
Consent: where required (e.g., certain cookies/marketing), we rely on your consent, which you may withdraw at any time.
Legal Obligation: we process data to comply with applicable laws, regulations, and lawful requests.
How We Share Information
Service Providers & Sub-processors: cloud hosting, storage, security monitoring, analytics, email delivery, and payment processing vendors who are bound by confidentiality and data protection terms and process data solely on our behalf.
Your Organization & Admins: if you use the Service under an organization account, administrators may access information related to your use (e.g., audit logs, policy changes, seat and agent usage).
Legal & Safety: we may disclose information to comply with law, enforce our Terms, or protect users, the public, or Ephapsys against harm or illegal activity.
Business Transfers: if we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction subject to this Policy.
We do not sell personal information, and we do not use Customer Data or Agent Artifacts to train generic foundation models without your written agreement.
Cookies & Analytics
We use necessary cookies for authentication and security, and optional analytics cookies to understand how the website and documentation are used. You can control cookies via your browser or our cookie banner where available; essential cookies cannot be disabled as they are required for the Service to function.
Some analytics providers receive pseudonymous identifiers and usage information; we configure analytics to avoid collecting sensitive content and to respect regional settings where applicable.
Data Retention
We retain personal data for as long as necessary to provide the Service and for the purposes described in this Policy, including security, auditing, and legal compliance. Account, billing, and audit logs are retained consistent with our records schedules and legal obligations.
Upon contract termination, we may preserve limited records for compliance and accounting. By request within thirty (30) days of termination and subject to your account being in good standing, we will provide a commercially reasonable export of your administrative data and logs; backups may persist for a limited period before being overwritten.
Security
We implement technical and organizational measures designed to protect information, including encryption in transit, access controls, network segmentation, logging and monitoring, rate limiting, and key/certificate management for dPKI features. No system is completely secure; your configurations, endpoint posture, key hygiene, and user access controls are critical to overall security.
International Transfers
If we transfer personal data outside its country of origin, we do so pursuant to appropriate safeguards such as Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms. You may contact us for more information about such safeguards.
Your Rights
Depending on your location, you may have rights to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent where processing is based on consent. To exercise these rights, contact us using the details below; we may need to verify your identity and coordinate with your organization administrator where applicable.
California & U.S. State Privacy: where applicable, you may have rights to know/access, correct, delete, and opt out of “sale” or “sharing” of personal information and targeted advertising. Ephapsys does not sell personal information. We will honor authorized agent requests consistent with law and will not discriminate against you for exercising your rights.
Children’s Privacy
The Service is intended for business use and is not directed to children. We do not knowingly collect personal information from individuals under 16 (or the age defined by local law). If you believe a child has provided personal information to us, contact us and we will take appropriate action.
Third-Party Links & Integrations
The Service may link to or integrate with third-party websites, services, identity providers (SSO), payment processors, hardware attestation providers, or open-source components. Their privacy practices are governed by their own policies, and we are not responsible for their content or practices.
Marketing Preferences
You can opt out of non-transactional marketing emails by using the unsubscribe link in the message or contacting us. We may still send you transactional or service-related communications (e.g., critical security notices, billing emails).
Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices or applicable laws. We will post the updated Policy with a new effective date and, where changes are material, provide additional notice. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
Contact Us
For questions, requests, or complaints regarding this Policy or our data practices, contact: support@ephapsys.com. If you are in the EEA/UK and believe we have not resolved your concern, you may lodge a complaint with your local supervisory authority.
Additional Disclosures for Enterprise Customers
If you have executed a Data Processing Addendum (DPA) with Ephapsys, the DPA governs our processing of personal data on your behalf. In the event of a conflict between this Policy and your DPA, the DPA controls to the extent of the conflict.
