Legal
Privacy Policy
Effective date: June 19, 2026 · Last reviewed: June 19, 2026
The short version: We collect only what we need to run Elea. We do not sell your data. We do not share it with third parties for any purpose other than delivering the Elea service to you. Your audit data, stack information, and account details are stored securely and deleted on the schedule described below.
1. Who We Are
Elea is a stack intelligence and compliance platform operated by Zeno Global LLC, a limited liability company registered in the State of Delaware, United States. References to "we," "us," or "our" mean Zeno Global LLC. References to "the Service" mean the Elea platform accessible at eleastack.io and related applications. For all privacy-related inquiries, contact us at legal@zenoglobal.io.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address, display name, and the timestamp of account creation. If you authenticate via a third-party provider (Google, GitHub), we receive only the information that provider shares under your authorization — typically your email address and name. We store a Stripe customer reference ID to manage billing. We do not store payment card numbers, bank account details, or any other financial data. All payment processing is handled exclusively by Stripe, Inc.
2.2 Organization and Stack Data
When you use Elea, you provide information about your organization (company name, industry, size, website) and your technology stack (tools you use, their costs, tiers, and contract details). This is business operational data — it does not include personal health information, government identification, or financial account numbers. You retain full control over this data and may delete it at any time.
2.3 Compliance Audit Data
When you run a compliance audit, we store your questionnaire responses, AI model registry entries, compliance framework selections, findings, and recovery recommendations. This data describes your organization's compliance posture. It may reference categories of data your organization handles (such as noting that your systems process health information) but does not contain the underlying personal records themselves. Audit data is retained per the schedule in Section 6.
2.4 Usage and Technical Data
We collect information about how you use the Service: pages visited, features used, AI insights generated, token usage counts, and event timestamps. This is used to deliver the Service, enforce plan limits, detect abuse, and improve Elea. This data is not shared with advertising networks or third-party analytics resellers.
2.5 AI Interaction Data
When you use AI-powered features — stack insights, audit analysis, compliance recommendations — your inputs are processed by Anthropic's Claude API under a Data Processing Agreement. We log token counts, the feature name, and timestamps for billing and limit enforcement. We do not log or retain the full content of AI prompts beyond what is saved as part of your audit reports within the Service.
2.6 Cookies
We use essential cookies required for authentication and session management. These cannot be disabled as the Service cannot function without them. With your consent, we may use analytics cookies (PostHog, EU-hosted) to understand aggregate feature usage. You control cookie preferences at signup and may update them in Settings at any time.
3. How We Use Your Information
We use the information we collect solely for the following purposes:
• To create and manage your account and authenticate your identity
• To deliver the Elea Service, including generating AI-powered audit reports and compliance recommendations
• To process payments and manage your subscription through Stripe
• To enforce plan usage limits and calculate AI token consumption
• To send transactional communications required to operate the Service (account confirmation, password reset, billing notifications)
• To respond to your support requests
• To detect, investigate, and prevent fraudulent or abusive activity
• To maintain the security and integrity of the Service
• To comply with applicable legal obligations
We do not use your data to train AI models. We do not use your data for advertising. We do not sell your data or share it with any party for their independent use.
4. How We Share Your Information
4.1 Service Infrastructure Partners
We share data with the following parties solely to operate the Service, each under a Data Processing Agreement:
• Supabase, Inc. — database hosting and authentication infrastructure
• Netlify, Inc. — application hosting and content delivery
• Anthropic, PBC — AI processing for insights and audit analysis
• Stripe, Inc. — payment processing (receives only transaction data; we receive only a customer reference ID)
These providers may only process your data as instructed by us and are contractually prohibited from using it for their own purposes.
4.2 No Other Third-Party Sharing
We do not share your personal data or organizational data with any other third parties. We do not sell data. We do not share data with marketing partners, analytics resellers, data brokers, or advertising networks.
4.3 Legal Disclosure
We may disclose information if required by law, court order, or lawful government request, or where we have a good-faith belief that disclosure is necessary to protect our legal rights, your safety, or the safety of others. We will notify you of any such disclosure where permitted by law.
4.4 Business Transfers
If Zeno Global LLC is involved in a merger, acquisition, or sale of substantially all assets, your data may transfer as part of that transaction. We will provide at least 30 days' prior notice by email and through a prominent notice on the Service before your data becomes subject to a different privacy policy.
5. Data Security
We implement the following technical and organizational measures to protect your data:
• All data is encrypted in transit using TLS 1.2 or higher
• Database data is encrypted at rest using AES-256 encryption
• Authentication is managed by Supabase Auth with industry-standard token security
• API keys and secrets are managed via Doppler secrets management — not stored in source code
• Production system access is restricted to authorized personnel with multi-factor authentication required
• Automated dependency vulnerability scanning is in place
No transmission or storage method is 100% secure. If we become aware of a security incident affecting your data, we will notify you promptly in accordance with applicable law.
6. Data Retention
6.1 Account Data
We retain your account information for as long as your account remains active. Upon account deletion, we will delete your personal data within 30 days, except where retention is required by applicable law (such as financial records required for tax compliance).
6.2 Audit Data Retention Schedule
Free, Silver, and Gold plans: Audit reports are retained for 12 months from the date created, or until you reach 20 stored audit reports, whichever limit is reached first. When a limit is reached, the oldest reports are automatically deleted.
Executive and Enterprise plans: Audit reports are retained for 24 months from the date created, or until you reach 150 stored audit reports, whichever limit is reached first.
You may manually archive or delete audit reports at any time. Archived reports do not count toward your active limit but remain subject to the same age-based retention period.
6.3 AI Usage Logs
Token usage logs (count, feature name, timestamp) are retained for 24 months for billing verification and service improvement.
6.4 Consent Records
Records of your consent to these terms (timestamp, version, preferences) are retained for the duration of your account plus 7 years for legal compliance purposes.
7. Your Privacy Rights
Depending on where you are located, you may have the following rights regarding your personal data:
• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate or incomplete data
• Deletion — request deletion of your personal data, subject to legal retention requirements
• Portability — receive your data in a structured, machine-readable format
• Objection — object to certain types of processing
• Restriction — request that we limit processing in certain circumstances
• Withdraw consent — withdraw previously given consent without affecting prior lawful processing
To exercise any of these rights, contact legal@zenoglobal.io. We will respond within 30 days. EU and UK users have the right to lodge a complaint with their local supervisory authority.
California residents: You have the right to know what personal information we collect, the right to delete it, the right to opt out of its sale (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights.
8. International Data Transfers
Zeno Global LLC is based in the United States. Users located outside the United States should be aware that their data will be transferred to and processed in the United States and, where our infrastructure providers operate, in other countries.
For users in the European Union, United Kingdom, or European Economic Area: We rely on Standard Contractual Clauses approved by the European Commission as our lawful transfer mechanism. Each of our infrastructure providers — Supabase, Netlify, and Anthropic — has executed a Data Processing Agreement with us incorporating appropriate transfer safeguards.
9. Children's Privacy
The Elea Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have done so, we will delete that data promptly. If you believe we have collected data from a child under 16, please contact legal@zenoglobal.io.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email to your registered address and via a notice on the Service at least 30 days before changes take effect. Your continued use of the Service after the effective date of an updated policy constitutes your acceptance. The current version of this policy is always available at eleastack.io/privacy.
11. Contact
For privacy questions, data requests, or concerns:
Email: legal@zenoglobal.io
Mailing address: Zeno Global LLC, Wilmington, Delaware, United States
We aim to respond to all privacy inquiries within 30 days.