Privacy Policy

Last Updated: November 12, 2025

Your Privacy Matters

This Privacy Policy explains how CyberEthix collects, uses, and protects your personal information when you use SecureNDA Linker.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Username and encrypted password
  • Company/organization name (if provided)
  • IP address and login timestamps

1.2 NDA Content and Party Information

When you create NDAs through the wizard, we collect and store:

  • Party names, addresses, and entity types
  • Confidentiality terms and agreement scope
  • Selected legal clauses and customizations
  • Generated NDA text in full
  • Attached files and supporting documents

1.3 Signature and Tracking Data

When recipients sign NDAs via magic links, we collect:

  • IP address and user agent
  • Scroll depth percentage (forensic tracking)
  • Time spent viewing document
  • Signature timestamp
  • Geographic location (from IP)

1.4 Usage and Analytics Data

We automatically collect:

  • Pages visited and features used
  • Browser type and operating system
  • Referring URLs and search queries
  • Session duration and interaction patterns

2. How We Use Your Information

We use collected information to:

  • Provide Services: Create, store, and distribute NDAs as requested
  • Authentication: Verify your identity and prevent unauthorized access
  • Communication: Send NDA magic links, notifications, and service updates
  • Analytics: Improve platform features and user experience
  • Compliance: Maintain audit logs for security and legal purposes
  • Support: Respond to inquiries and troubleshoot issues

3. Third-Party Data Sharing

3.1 OpenAI (AI Review Feature)

Important: AI Review Data Transmission

When you opt in to AI-powered NDA review, the complete text of your NDA (including all party details and confidential terms) is transmitted to OpenAI's API for analysis using GPT-4.1.

This means:

  • OpenAI will process your NDA content on their servers
  • Data may be subject to OpenAI's own privacy policy and data retention
  • Confidentiality protections may be waived when using this feature
  • You must obtain explicit consent before using AI review on third-party NDAs

We require explicit checkbox consent before transmitting any data to OpenAI. You can skip AI review entirely to keep your data within our platform only.

3.2 Email Service (Resend)

We use Resend to deliver magic link emails. Resend receives:

  • Recipient email addresses
  • NDA sender name
  • Secure magic link URLs (not full NDA content)

3.3 Authentication (Replit OAuth)

For paid-tier users authenticating via Replit, we receive:

  • Replit username and email
  • OAuth tokens for session management

3.4 We Do NOT Sell Your Data

CyberEthix does not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Retention

We retain your data as follows:

  • Active Accounts: Indefinitely while account is active
  • Deleted Accounts: Soft-deleted for 90 days, then permanently purged
  • Audit Logs: Retained for 7 years for compliance purposes
  • AI Review Logs: Cached for 30 days to prevent duplicate API calls, then deleted
  • Signed NDAs: Retained per user settings (default: 7 years)

5. Your Privacy Rights

5.1 GDPR Rights (EU Users)

If you are located in the European Union, you have the right to:

  • Access: Request a copy of all personal data we hold
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data (subject to legal retention requirements)
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing for specific purposes
  • Restriction: Request limitation of processing

5.2 CCPA Rights (California Users)

If you are a California resident, you have the right to:

  • Know: What personal information we collect and how it's used
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the sale of personal information (we do not sell data)
  • Non-Discrimination: Receive equal service regardless of whether you exercise your privacy rights

5.3 How to Exercise Your Rights

To exercise any privacy rights, contact us at: privacy@cyberethix.com

We will respond within 30 days of receiving a verified request.

6. Data Security

We implement industry-standard security measures:

  • Encryption: TLS/SSL for data in transit, encrypted storage for sensitive data
  • Access Controls: Role-based permissions and authentication
  • Password Security: Bcrypt hashing with secure salts
  • Audit Logging: Comprehensive activity tracking
  • Rate Limiting: Protection against brute-force attacks

However, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

7. Cookies and Tracking Technologies

We use cookies for:

  • Session Management: Keep you logged in securely
  • CSRF Protection: Prevent cross-site request forgery attacks
  • Preferences: Remember your theme (light/dark mode) settings

You can disable cookies in your browser, but this may affect platform functionality.

8. Children's Privacy

SecureNDA Linker is not intended for users under 18 years of age. We do not knowingly collect information from minors. If we discover underage use, we will delete the account immediately.

9. International Data Transfers

Your data may be processed and stored in the United States or other countries where CyberEthix or its service providers operate. By using the Platform, you consent to cross-border data transfers.

For EU users: We implement appropriate safeguards (Standard Contractual Clauses) for international transfers.

10. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Material changes will be communicated via:

  • Email notification to account holders
  • Prominent notice on the Platform
  • Updated "Last Updated" date at the top of this page

Continued use after changes constitutes acceptance of the updated policy.

11. Contact Information

For privacy-related questions or concerns, contact:

CyberEthix Privacy Team
Email: privacy@cyberethix.com
Address: [To be provided upon enterprise licensing]

12. Data Processing Agreement (Enterprise Licensees)

Organizations licensing SecureNDA Linker for deployment are responsible for implementing their own data processing agreements with end users. CyberEthix provides this Privacy Policy as a template reference only.

GDPR & CCPA Compliant

This Privacy Policy is designed to comply with GDPR (EU General Data Protection Regulation) and CCPA (California Consumer Privacy Act) requirements. We are committed to transparent, lawful data processing.