Skip to main content

Privacy Policy

Effective Date: May 30, 2026 · Last Updated: June 10, 2026

1. Introduction

STROKIX, Inc. (“STROKIX,” “we,” “us,” or “our”) operates the STROKIX platform, accessible at https://strokix.com, https://app.strokix.com, and related services (collectively, the “Service”). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you access or use our Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must not access or use the Service.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or destruction.
  • “Data Controller” means the entity that determines the purposes and means of Processing Personal Data.
  • “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.
  • “Workspace” means a tenant environment within the Service associated with an organization.
  • “Connector” means an integration between the Service and a third-party application (e.g., Salesforce, Jira, Slack, Stripe, Gmail).

3. Data Controller and Processor Roles

When you use the Service on behalf of an organization, that organization is the Data Controller for any business data processed through Connectors. STROKIX acts as the Data Processor, processing such data solely on the organization’s instructions as configured through the Service.

For account-level data (your email, password, login activity), STROKIX is the Data Controller.

4. Information We Collect

4.1 Information You Provide Directly

  • Account Information (email address, hashed password, company name)
  • Workspace Configuration (workspace name, team invitations, role assignments)
  • Connector Credentials (OAuth tokens, API keys — encrypted at rest with AES-256-GCM)
  • Chat Queries (natural language questions submitted to the Service)
  • Feedback (thumbs up/down on responses)

4.2 Information Collected Automatically

  • Log Data (IP address, browser type, timestamps)
  • Device Information (device type, screen resolution)
  • Usage Data (features used, query frequency)
  • Session identifiers (sessionStorage for authentication)

4.3 Information from Third-Party Connectors

When you authorize a Connector, we access data from that third-party service to respond to your queries and perform approved actions. We do not store bulk copies of your third-party systems. Data retrieved through Connectors is generally fetched in real time; however, chat history may store the questions you ask and the responses you receive, which can include limited excerpts or summaries from connected systems when those excerpts are part of the answer shown to you.

5. How We Use Your Information

  1. Service Delivery — Authenticating users, processing queries, connecting to third-party services, generating AI-powered responses.
  2. Security — Detecting and preventing unauthorized access, fraud, and abuse. Maintaining audit logs.
  3. Service Improvement — Analyzing usage patterns, improving AI model accuracy, optimizing performance.
  4. Communication — Sending transactional emails (password resets, invitations, security alerts). We do not send marketing emails without explicit opt-in consent.
  5. Legal Compliance — Complying with applicable laws, regulations, or governmental requests.

6. Legal Bases for Processing (GDPR)

If you are located in the EEA, UK, or Switzerland, we process your Personal Data under the following legal bases:

  • Service delivery — Performance of a contract (Art. 6(1)(b) GDPR)
  • Security and fraud prevention — Legitimate interest (Art. 6(1)(f) GDPR)
  • Legal compliance — Legal obligation (Art. 6(1)(c) GDPR)
  • Service improvement — Legitimate interest (Art. 6(1)(f) GDPR)
  • Marketing communications — Consent (Art. 6(1)(a) GDPR)

7. Data Sharing and Disclosure

We do not sell, rent, or trade your Personal Data. We share information only in the following circumstances:

7.1 Sub-processors

  • Fly.io — Application hosting
  • Supabase — Database hosting (PostgreSQL)
  • Upstash — Redis caching
  • OpenAI / Groq — AI model inference
  • Resend — Transactional email delivery

7.2 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or governmental request, or to protect the rights, property, or safety of STROKIX, our users, or the public.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your Personal Data may be transferred. We will notify you prior to any such transfer.

8. Data Security

  • Encryption in Transit: TLS 1.2+ for all communications
  • Encryption at Rest: AES-256-GCM with per-tenant derived keys for connector credentials
  • Password Security: bcrypt (cost factor 12) with SHA-256 prehash
  • Access Control: Role-based access control (RBAC) with row-level security (RLS)
  • Audit Logging: Immutable, HMAC-signed audit trail
  • Rate Limiting: Per-IP rate limiting on authentication endpoints
  • Infrastructure: Non-root containers, SSRF protection, prompt injection defense

9. Data Retention

  • Account information: Duration of account + 30 days after deletion
  • Workspace configuration: Duration of account unless deleted by the workspace
  • Chat history: Duration of account unless deleted by the user or workspace
  • Audit and security logs: retained as needed for security, abuse prevention, legal compliance, and dispute resolution
  • Server logs: 90 days
  • Connector credentials: removed when an integration is disconnected or when a workspace deletion request is completed
  • Transient connector lookups: not stored as bulk source-system replicas

10. Your Rights

All Users

  • Access: Request a copy of your Personal Data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your Personal Data
  • Data Portability: Request your data in a machine-readable format
  • Withdraw Consent: Where processing is based on consent

EEA/UK/Swiss Residents (GDPR)

  • Restriction of processing
  • Object to processing based on legitimate interests
  • Right regarding automated decision-making
  • Lodge a complaint with your local data protection authority

California Residents (CCPA/CPRA)

  • Right to Know: Categories and specific pieces of Personal Data collected
  • Right to Delete
  • We do not sell Personal Data
  • Non-Discrimination for exercising your rights

To exercise any rights, contact us at: [email protected]. We currently process export and deletion requests manually. We will verify the requester, confirm workspace ownership or authorization, export eligible data in a reasonable format, and delete eligible workspace data unless retention is required for security, fraud prevention, legal compliance, or dispute resolution. We respond within 30 days.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. Where required, we will use appropriate safeguards with service providers and business customers, such as data processing terms or Standard Contractual Clauses.

12. Cookies and Tracking

We use minimal, strictly necessary technologies:

  • Authentication tokens and strictly necessary session storage
  • OAuth state values and security headers used to protect login and connector authorization flows

We do not use third-party advertising cookies, cross-site tracking pixels, social media widgets, or analytics cookies that identify individuals.

13. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect Personal Data from children. If we become aware of such collection, we will delete that information promptly.

14. AI and Automated Processing

  • Queries are sent to AI model providers (OpenAI or Groq) for inference with minimized PII
  • PII-redacted conversation summaries are maintained for contextual responses
  • We do not use AI for automated decisions with legal or significant effects on individuals
  • Your data is not used to train third-party AI models

15. Data Breach Notification

In the event of a data breach likely to result in risk to your rights, we will notify the relevant supervisory authority within 72 hours (where required by GDPR) and notify affected individuals without undue delay where the breach poses high risk.

16. Google API Limited Use Disclosure

STROKIX’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only use Google user data (Gmail, Google Drive, Google Calendar) to provide and improve user-facing features within the STROKIX platform.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read Google user data unless: (a) we have your affirmative consent, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, with user consent, or as required by law.

17. Canadian Residents (PIPEDA)

If you are a resident of Canada, you have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

  • Access: You may request access to the personal information we hold about you.
  • Correction: You may request correction of inaccurate or incomplete personal information.
  • Withdrawal of Consent: You may withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual obligations.
  • Complaints: You may file a complaint with the Office of the Privacy Commissioner of Canada.

We will respond to requests within 30 days. Contact us at [email protected].

18. Email Communications (CAN-SPAM)

In compliance with the CAN-SPAM Act of 2003, we will:

  • Not use false or misleading subjects or email addresses;
  • Identify promotional messages as advertisements where applicable;
  • Honor opt-out and unsubscribe requests within 10 business days;
  • Allow users to unsubscribe from promotional communications at any time.

Transactional emails (security alerts, password resets, account notifications) are not subject to opt-out as they are necessary for the operation of the Service.

19. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new date and sending an email notification for material changes. Continued use after changes constitutes acceptance.

20. Contact Information

STROKIX, Inc.

Email: [email protected]

Support: [email protected]

Data Protection Officer: [email protected]

21. Governing Law

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict of law provisions, except where overridden by mandatory local data protection laws (e.g., GDPR for EEA residents).

© 2026 STROKIX, Inc. All rights reserved.