Draft — pending counsel

Privacy policy

Last updated — pending counsel

1. What we collect

We collect the information you provide when creating an account (name, email, organization), the security-program data you add to Praxis, usage activity to operate the service, and technical signals (error data, performance traces) to keep the service reliable. Final wording is prepared with counsel.

2. How we use your data

Your data is used to provide and operate the Praxis service, respond to your requests, send transactional notifications, and improve reliability. We do not sell your data. Your security-program data is not used to train AI models — see Section 3.

3. Who we share with (sub-processors)

We share data with a small, named set of sub-processors to operate Praxis. Infrastructure and hosting: Vercel (application hosting and file storage, United States) and Neon (database, United States). Authentication: Clerk (sign-in, sessions, and account identity). AI processing: Anthropic (powers the Praxis advisor model under zero data retention and no training on API data terms — Anthropic does not retain prompts or completions beyond serving the response, and does not use API data for model training). Communication: Microsoft (optional SSO for organizations using Microsoft identity) and Resend (transactional and notification email). Observability: Sentry (application error tracking and performance data) and Langfuse (LLM call tracing for advisor quality and debugging). Analytics: PostHog EU (product analytics, hosted in the European Union — see Section 5). The full registry with roles and locations is named in the Trust Center.

4. Retention and deletion

Account and security-program data is soft-deleted when you delete it, then permanently purged within a 30-day window. Privileged and data-affecting actions are recorded in an immutable audit log. GDPR / CCPA deletion requests are handled within the timelines required by applicable law. Governance details are in the Data Processing Addendum.

5. Analytics — privacy-first and cookieless

Praxis uses PostHog EU for product analytics. PostHog EU is hosted in the European Union and is configured with cookieless operation (no browser cookies are set for analytics), memory-only persistence (no cross-session tracking), and identified-only person profiles (no anonymous profiling). Autocapture is disabled — only deliberate, named events are recorded. This posture minimizes PII collection and avoids tracking users across sessions or devices.

6. Your rights

Depending on where you are located, you may have rights to access, correct, delete, or restrict processing of your personal data, and to object to certain uses. To exercise these rights, contact us at the address in the Data Processing Addendum. Requests are handled under the timelines required by applicable law (GDPR / CCPA).