Privacy Policy
Effective Date: May 30, 2026 · Last Updated: May 30, 2026
1. Introduction
STROKIX, Inc. (“STROKIX,” “we,” “us,” or “our”) operates the STROKIX platform, accessible at https://strokix.com, https://app.strokix.com, and related services (collectively, the “Service”). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you access or use our Service.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must not access or use the Service.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or destruction.
- “Data Controller” means the entity that determines the purposes and means of Processing Personal Data.
- “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.
- “Workspace” means a tenant environment within the Service associated with an organization.
- “Connector” means an integration between the Service and a third-party application (e.g., Salesforce, Jira, Slack, Stripe, Gmail).
3. Data Controller and Processor Roles
When you use the Service on behalf of an organization, that organization is the Data Controller for any business data processed through Connectors. STROKIX acts as the Data Processor, processing such data solely on the organization’s instructions as configured through the Service.
For account-level data (your email, password, login activity), STROKIX is the Data Controller.
4. Information We Collect
4.1 Information You Provide Directly
- Account Information (email address, hashed password, company name)
- Workspace Configuration (workspace name, team invitations, role assignments)
- Connector Credentials (OAuth tokens, API keys — encrypted at rest with AES-256-GCM)
- Chat Queries (natural language questions submitted to the Service)
- Feedback (thumbs up/down on responses)
4.2 Information Collected Automatically
- Log Data (IP address, browser type, timestamps)
- Device Information (device type, screen resolution)
- Usage Data (features used, query frequency)
- Session identifiers (sessionStorage for authentication)
4.3 Information from Third-Party Connectors
When you authorize a Connector, we access data from that third-party service solely to respond to your queries. We do not store bulk copies of your third-party data. Data retrieved through Connectors is fetched in real time, used to generate a response, and not persisted beyond transient processing (except for PII-redacted conversation summaries stored for context continuity).
5. How We Use Your Information
- Service Delivery — Authenticating users, processing queries, connecting to third-party services, generating AI-powered responses.
- Security — Detecting and preventing unauthorized access, fraud, and abuse. Maintaining audit logs.
- Service Improvement — Analyzing usage patterns, improving AI model accuracy, optimizing performance.
- Communication — Sending transactional emails (password resets, invitations, security alerts). We do not send marketing emails without explicit opt-in consent.
- Legal Compliance — Complying with applicable laws, regulations, or governmental requests.
6. Legal Bases for Processing (GDPR)
If you are located in the EEA, UK, or Switzerland, we process your Personal Data under the following legal bases:
- Service delivery — Performance of a contract (Art. 6(1)(b) GDPR)
- Security and fraud prevention — Legitimate interest (Art. 6(1)(f) GDPR)
- Legal compliance — Legal obligation (Art. 6(1)(c) GDPR)
- Service improvement — Legitimate interest (Art. 6(1)(f) GDPR)
- Marketing communications — Consent (Art. 6(1)(a) GDPR)
7. Data Sharing and Disclosure
We do not sell, rent, or trade your Personal Data. We share information only in the following circumstances:
7.1 Sub-processors
- Fly.io — Application hosting
- Supabase — Database hosting (PostgreSQL)
- Upstash — Redis caching
- OpenAI / Groq — AI model inference
- Resend — Transactional email delivery
7.2 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or governmental request, or to protect the rights, property, or safety of STROKIX, our users, or the public.
7.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your Personal Data may be transferred. We will notify you prior to any such transfer.
8. Data Security
- Encryption in Transit: TLS 1.2+ for all communications
- Encryption at Rest: AES-256-GCM with per-tenant derived keys for connector credentials
- Password Security: bcrypt (cost factor 12) with SHA-256 prehash
- Access Control: Role-based access control (RBAC) with row-level security (RLS)
- Audit Logging: Immutable, HMAC-signed audit trail
- Rate Limiting: Per-IP rate limiting on authentication endpoints
- Infrastructure: Non-root containers, SSRF protection, prompt injection defense
9. Data Retention
- Account information: Duration of account + 30 days after deletion
- Connector credentials: Until disconnected or account deletion
- Chat history: Duration of account (user can delete conversations)
- Audit logs: 7 years (legal compliance)
- Server logs: 90 days
- Transient connector data: Not persisted (real-time only)
10. Your Rights
All Users
- Access: Request a copy of your Personal Data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your Personal Data
- Data Portability: Request your data in a machine-readable format
- Withdraw Consent: Where processing is based on consent
EEA/UK/Swiss Residents (GDPR)
- Restriction of processing
- Object to processing based on legitimate interests
- Right regarding automated decision-making
- Lodge a complaint with your local data protection authority
California Residents (CCPA/CPRA)
- Right to Know: Categories and specific pieces of Personal Data collected
- Right to Delete
- We do not sell Personal Data
- Non-Discrimination for exercising your rights
To exercise any rights, contact us at: privacy@strokix.ai. We respond within 30 days.
11. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence, including the United States. We ensure appropriate safeguards, including Standard Contractual Clauses (SCCs) and Data Processing Agreements with all Sub-processors.
12. Cookies and Tracking
We use minimal, strictly necessary technologies:
- Session token (sessionStorage) — authentication, browser session only
- CSRF token — security, per-request
We do not use third-party advertising cookies, cross-site tracking pixels, social media widgets, or analytics cookies that identify individuals.
13. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect Personal Data from children. If we become aware of such collection, we will delete that information promptly.
14. AI and Automated Processing
- Queries are sent to AI model providers (OpenAI or Groq) for inference with minimized PII
- PII-redacted conversation summaries are maintained for contextual responses
- We do not use AI for automated decisions with legal or significant effects on individuals
- Your data is not used to train third-party AI models
15. Data Breach Notification
In the event of a data breach likely to result in risk to your rights, we will notify the relevant supervisory authority within 72 hours (where required by GDPR) and notify affected individuals without undue delay where the breach poses high risk.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new date and by sending an email notification. Continued use after changes constitutes acceptance.
17. Contact Information
STROKIX, Inc.
Email: privacy@strokix.ai
Support: support@strokix.ai
Data Protection Officer: dpo@strokix.ai
18. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict of law provisions, except where overridden by mandatory local data protection laws (e.g., GDPR for EEA residents).
© 2026 STROKIX, Inc. All rights reserved.