Privacy Policy

Who we are

This Privacy Policy applies to products and services operated by Alethinx, Inc., a Delaware C-Corporation headquartered in McKinney, Texas (EIN 41-5313469). In this policy, "Alethinx," "we," "us," and "our" refer to Alethinx, Inc. and its authorized subsidiaries.

Our products include Alethinx Deal Intelligence, SERAPH, JIREH, GABRIEL, SOPHYNX, JOSEYNX, AGORNYX, and related tools served on domains including app.alethinx.ai, www.alethinx.ai, sophynx.ai, and their subdomains.

Scope of this policy

This policy covers personal data we collect, process, and store when you:

• Create an account or sign in to any Alethinx product
• Connect a third-party service (such as Google) to your Alethinx account
• Submit data into our products (deal memos, financial documents, business profiles, waitlist forms)
• Communicate with us by email, chat, or form submission
• Visit our public websites including marketing and support pages

This policy does not cover third-party websites or services that you may access through links on our platforms. Those are governed by their own privacy policies.

Data we collect

3.1 Account data

When you create an account, we collect your email address, display name, and authentication credentials. If you sign in with Google, we collect the minimum profile fields necessary to establish your identity (see Section 5).

3.2 Product data

Our products work by analyzing data you provide — deal memos, financial statements, company research, acquisition criteria, and similar materials. This data is stored in your authenticated workspace, encrypted at rest, and scoped to your account through row-level security.

3.3 Usage and device data

We collect technical logs including IP address, browser type, device identifiers, pages visited, feature interactions, and timestamps. We use this data to debug errors, prevent abuse, and improve the product. We do not sell this data or share it with advertising networks.

3.4 Communications

If you contact us by email or a support form, we retain the message and our response to provide continuity of support.

3.5 Payment data

Payment processing is handled by Stripe. Alethinx does not store your full credit card details. We retain transaction metadata (amount, timestamp, last four digits, billing address) for accounting and compliance.

How we use your data

We process personal data strictly to operate, improve, and secure our products. Specifically:

• Deliver the service — authenticating sessions, saving your work, delivering outputs, and syncing connected accounts
• Support and billing — responding to inquiries, processing payments, issuing refunds, and resolving disputes
• Security and abuse prevention — detecting fraud, preventing unauthorized access, and enforcing our Terms of Service
• Product improvement — analyzing aggregate, de-identified usage patterns to fix bugs and prioritize features
• Legal compliance — responding to valid legal requests and complying with applicable tax, financial, and regulatory obligations

Google user data

If you sign in to an Alethinx product with Google or connect a Google service to your account, this section describes exactly what we access and how we use it.

5.1 Scopes we request

Alethinx requests the minimum scopes necessary to authenticate users. If in the future we introduce features that require additional Google scopes (such as Drive or Calendar access), we will update this policy and request your explicit consent at the point where the new scope is needed.

5.2 How Google user data is used

• Authentication only. We use your Google identity to confirm who you are when you sign in.
• Profile display. Your name and profile photo appear in your own Alethinx dashboard so you can confirm the correct account is active.
• Session continuity. Your Google identifier is bound to your Alethinx user record so that subsequent sign-ins resolve to the same workspace.

5.3 How Google user data is stored and shared

• Google tokens are stored encrypted at rest within our authentication provider (Supabase Auth), which is SOC 2 Type II certified.
• Google user data is not shared with any third party except as necessary to operate the authentication flow (for example, Google itself, Supabase as our authentication vendor, and hosting infrastructure).
• Google user data is not used to train AI or machine learning models. See Section 6.
• Google user data is not sold, rented, or made available to advertisers.
• Our use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5.4 Revoking Google access

You may revoke Alethinx's access to your Google account at any time:

1. Visit https://myaccount.google.com/permissions
2. Select "Alethinx" in the third-party apps list
3. Click "Remove Access"

Revoking access will sign you out of Alethinx if Google was your only sign-in method. You can also contact us at privacy@alethinx.ai to request complete deletion of your account and all associated data.

AI and model training

Alethinx products use AI models to deliver results (deal scoring, document analysis, agent outputs). These models are:

• Operated by third-party AI providers (including Anthropic and OpenAI) under Zero Data Retention or equivalent no-training agreements where available
• Queried on-demand with the data you submit for the purpose of generating the output you requested
• Not used as training signal by Alethinx, our vendors, or any downstream party

Your deal memos, financial documents, and Google user data are not added to any training dataset.

Sharing and disclosure

We share personal data only in limited circumstances:

• Service providers. We use vendors for infrastructure, authentication, payment processing, AI model inference, email delivery, and customer support. These vendors are bound by contractual data protection obligations and may only process data on our instructions.
• Legal obligations. If we receive a valid legal request (subpoena, court order, law enforcement request), we may disclose data as required by applicable law. We will notify you unless prohibited.
• Business transfers. If Alethinx is acquired, merged, or sells substantially all of its assets, your personal data may transfer to the acquiring entity under the same or stricter privacy commitments.
• With your consent. If you ask us to share data with a third party (such as an integration you set up), we will share only the data needed for that integration.

Data retention

We retain personal data for as long as your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce agreements.

• Account data — retained while your account is active; deleted within 30 days of account closure upon request.
• Product data (deal memos, documents) — retained per your account settings; permanently deleted within 30 days of account closure or on explicit deletion request.
• Logs and security data — retained up to 90 days for troubleshooting and abuse prevention, then purged.
• Payment records — retained for 7 years to satisfy tax and accounting requirements (US).
• Google user data — deleted within 30 days of you revoking access or closing your account.

Security

We take reasonable technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, and destruction. Measures include:

• AES-256 encryption at rest for all database-stored data
• TLS 1.3 for all data in transit
• Row-level security enforcing per-user data isolation in our database
• Role-based access control for employees and contractors who may access production systems
• Regular security reviews and third-party infrastructure (Supabase SOC 2 Type II, Vercel SOC 2 Type II)

No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify you in accordance with applicable law.

Your rights and choices

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your account and associated data
• Export your data in a machine-readable format
• Object to certain processing activities
• Withdraw consent you previously granted

To exercise any of these rights, email us at privacy@alethinx.ai. We will respond within 30 days.

Residents of California (CCPA/CPRA), the European Economic Area (GDPR), the United Kingdom (UK GDPR), and other jurisdictions with comparable frameworks have specific additional rights. We honor all valid requests under applicable law.

Children

Alethinx products are not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email privacy@alethinx.ai and we will delete it promptly.

International transfers

Alethinx is based in the United States. If you access our products from outside the US, your data may be transferred to, stored in, and processed in the United States. We rely on appropriate safeguards (such as Standard Contractual Clauses) for transfers from jurisdictions that require them.

Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the policy was last revised. If we make material changes, we will notify you by email or through an in-product notice before the changes take effect.

Historical versions of this policy are available on request.