PolicyStrata

Privacy Policy

Legal-review draft. This page is published for transparency and must not be represented as counsel-approved or incorporated into a customer agreement until its status is updated.

Status: legal-review draft for PolicyStrata Clearance. Do not publish as final legal terms without counsel review.

Scope

This policy covers the hosted Clearance platform at app.policystrata.com and related product sites and documentation operated for PolicyStrata.

Data We Process

Clearance processes:

  • Account data: name, email, authentication identifiers, organization

membership, roles, invitations, and session metadata.

  • Workspace data: organization, project, environment, runner-token metadata,

review decisions, evidence-pack metadata, runtime decision metadata, and audit logs.

  • Billing data: Stripe customer, subscription, checkout, and portal metadata.
  • Operational data: request metadata, IP address, user agent, Vercel runtime

logs, web analytics, and speed insights.

Hosted ingestion is metadata-only by default. Clearance rejects raw prompts, traces, tool-call payloads, credentials, database rows, and inline witness objects.

Uses

We use data to provide the product, authenticate users, enforce tenant boundaries, generate evidence exports, maintain audit logs, process billing, secure the service, investigate incidents, and support customers.

Subprocessors

Current subprocessors are listed in docs/legal/subprocessors.md.

Retention

Default organization retention is 90 days unless otherwise configured or contracted. Audit, billing, and security records may be retained as required for legitimate business, legal, or security purposes.

Customer Controls

Workspace admins can manage members, roles, SSO metadata, SCIM directories, and runner tokens. Evidence exports are available to authorized roles. Deletion requests are handled through an audited support workflow until self-serve deletion is available.

Security

Security measures include TLS, RBAC, organization-scoped access checks, Postgres row-level security for tenant data, hashed runner and SCIM tokens, append-only audit logs, production secret management, and provider-managed backup controls.

Contact

Privacy and security requests should be sent to the contract-designated contact or the published PolicyStrata security contact.