Privacy policy

Last updated: 2026-05-19
Effective date: 2026-05-19
Operator: MythologIQ Labs LLC ("MythologIQ", "we", "us", "our")
Service: Qortara (qortara.com, Azure Marketplace)
Customer-facing URL: https://qortara.com/legal/privacy

This Privacy policy describes how MythologIQ Labs LLC collects, uses, stores, and shares personal information when you use Qortara through the qortara.com website, the Qortara API, the Azure Marketplace, or any related interface. It applies in addition to the Terms of service at https://qortara.com/legal/terms.

1. Who we are

MythologIQ Labs LLC is a United States limited liability company. We operate Qortara, a hosted governance platform for AI agents. Our principal contact for privacy matters is privacy@qortara.com. Postal and registered-entity details are published in the Imprint at https://qortara.com/legal/imprint.

2. Information we collect

2.1 Information you provide

  • Account identifiers: name (optional), email address, organization name, billing contact information.
  • Authentication identifiers: identity-provider linkage for SSO tiers (Microsoft Entra, Google Workspace, Okta, Auth0, and other OIDC-compliant providers).
  • Payment information: handled exclusively by our payment processors (Stripe for direct signups; Microsoft for Azure Marketplace subscriptions). We do not see or store full payment-card numbers, CVV, or billing addresses.
  • Support communications: the content of emails, screenshots, and other materials you send when contacting support@qortara.com, privacy@qortara.com, security@qortara.com, or accessibility@qortara.com.

2.2 Information we receive from Microsoft (Marketplace customers)

When you subscribe through Azure Marketplace, Microsoft transmits subscription metadata, including Azure subscription ID, tenant ID, plan identifier, purchaser email and name, subscription status, term, and pricing model. This data is required to provision and service your account.

2.3 Information generated by your use of the Service

  • Policy evaluation records: which agent, which tool, which decision (allow / deny / require-approval / exempt), and the policy identifier that produced the decision.
  • Audit events: cryptographic attestations of policy decisions (Ed25519-signed, RFC 8785 JCS-canonicalized, SHA-256-hashed).
  • Tool-call arguments and metadata: when relevant to a policy decision, the arguments your agent passed to a tool may be recorded as part of the decision evidence.
  • Trust attestations: signed records used for cross-organization verification when Trust Federation features are in use.
  • Usage telemetry: counts of metered events (active agents, policy evaluations, audit events, compliance scans, sessions, trust lookups) for billing and operational purposes.

2.4 Information collected automatically

  • Request metadata: IP address, user-agent string, timestamp, requested endpoint, response status.
  • Session cookies: first-party, HTTPS-only session identifiers used for authenticated dashboard access. See the Cookie policy at https://qortara.com/legal/cookies.

We do not use third-party advertising, cross-site tracking, or behavioral-analytics cookies on qortara.com.

3. Legal bases for processing (UK / EEA)

Where the UK GDPR or EU GDPR applies, we rely on the following Article 6 legal bases:

Processing activity | Legal basis
Provisioning, operating, and billing for the Service | Contract (Art. 6(1)(b)) — necessary to perform the Service contract you entered into
Authenticating users and enforcing access controls | Contract (Art. 6(1)(b))
Detecting, preventing, and responding to abuse, fraud, and security incidents | Legitimate interests (Art. 6(1)(f)) — protecting the Service, our customers, and third parties
Operating Trust Federation and cross-organization attestation | Contract (Art. 6(1)(b)) where you have enabled the feature
Marketing communications (if any) | Consent (Art. 6(1)(a)) — you may withdraw at any time
Complying with legal obligations (tax, regulatory requests) | Legal obligation (Art. 6(1)(c))
Defending or pursuing legal claims | Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, you may object at any time by contacting privacy@qortara.com. We will weigh your objection against our continuing legitimate interests in line with applicable law.

4. How we use information

We use the information described in §2 to:

  • provide, operate, and maintain the Service;
  • authenticate your identity and authorize access to your tenant;
  • bill you for usage and process payments through Stripe or Microsoft;
  • generate audit evidence and compliance reports for your account;
  • operate Trust Federation features when you enable them;
  • detect, prevent, and respond to security incidents, abuse, and fraud;
  • communicate with you about your account, security, and material Service changes;
  • comply with legal obligations and respond to lawful requests from authorities.

We do not sell personal information to third parties. We do not use Customer Content or personal information to train AI models.

5. Subprocessors and data sharing

We share personal information with the subprocessors listed at https://qortara.com/legal/subprocessors, each bound by a written data-processing agreement with us. The current list includes:

  • Microsoft Azure — hosting, compute, storage, identity, networking;
  • Stripe, Inc. — payment processing for direct signups (PCI-DSS Level 1);
  • Twilio SendGrid — transactional email delivery;
  • GitHub Inc. — source-code and container-registry hosting;
  • Microsoft (Azure Marketplace) — subscription fulfilment for Marketplace customers under the Microsoft AI Cloud Partner Program.

We may also share personal information with: (a) professional advisors (accountants, auditors, attorneys) under confidentiality obligations; (b) competent authorities where required by law or to defend against legal claims; (c) an acquirer or successor entity in connection with a merger, acquisition, financing, or sale of assets, in which case the recipient will be bound by privacy obligations no less protective than this policy.

New subprocessors are announced at https://qortara.com/legal/subprocessors at least 30 days before they begin processing personal data, with email notification to controllers under a Data processing agreement. Controllers may object as described in the Data processing agreement at https://qortara.com/legal/dpa.

6. International transfers

The Service is hosted on Microsoft Azure regions selected by you at signup (US Central by default; US or EU options available; Enterprise customers may request additional regions). Operating the Service, providing support, and processing billing may involve transfers of personal data to the United States and to other jurisdictions where our subprocessors operate.

For transfers from the United Kingdom or European Economic Area, we rely on:

  • the European Commission's adequacy decisions where applicable;
  • the European Commission's Standard Contractual Clauses (2021/914) for transfers to controllers or processors in third countries; and
  • the UK International Data Transfer Addendum, where the data exporter is in the United Kingdom.

The Standard Contractual Clauses are incorporated by reference into our Data processing agreement at https://qortara.com/legal/dpa. A copy is available on request to privacy@qortara.com.

7. Retention

Retention periods reflect operational, billing, security, and legal needs. The audit-log retention table below tracks the subscription-tier ladder published at https://qortara.com/pricing.

Data type | Retention | Notes
Audit log — Developer tier | 30 days | Rolling window from event time
Audit log — Pro tier | 90 days | Rolling window from event time
Audit log — Team tier | 365 days | Rolling window from event time
Audit log — Business tier | Multi-year per order form (default 3 years) | Order form may specify a longer period
Audit log — Enterprise tier | 7 years | Suitable for regulated workloads
Trust attestations | Same retention as the audit events that produced them |
Account and billing metadata | While the account is active, plus 90 days after closure | Billing reconciliation, dispute response
Tax records and invoices | 7 years post-closure | US and EU tax-law minimums
Usage telemetry | While the account is active, plus 90 days after closure |
Support communications | 3 years from last contact | For customer-relationship continuity
Request metadata (IP, user-agent, access logs) | 90 days | Security and abuse detection
Session cookies | Browser session (cleared on logout or session timeout) |
Backups | Up to 35 days | Best-effort; see the disaster-recovery note in §7.1

7.1 Microsoft AI Cloud Partner Program (MAICPP) retention TTL

For subscriptions fulfilled through Azure Marketplace, on subscription expiration we retain account-linked data for 30 days and then delete it, in accordance with Microsoft AI Cloud Partner Program terms. You may export your data during that 30-day window through the dashboard or by request to support@qortara.com. Tenant CA private keys deleted as part of this TTL cannot be regenerated; this limitation is described in our internal disaster-recovery procedures and is inherent to the cryptographic design.

7.2 Deletion on cancellation (non-Marketplace)

For direct-signup subscriptions, account and tenant data are deleted within 30 days of cancellation, except for records that we are legally required to retain (notably tax records and minimum-statutory log retention).

8. Your rights

Subject to your jurisdiction and applicable law, you have the following rights with respect to your personal information. You may exercise any of them by contacting privacy@qortara.com. We will respond within 30 days (or shorter where required by law) and will not discriminate against you for exercising a right.

8.1 Rights under GDPR (UK and EEA residents)

  • Access — obtain confirmation of processing and a copy of your personal data.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion, subject to legal-retention exceptions.
  • Restriction — restrict processing in specified circumstances.
  • Portability — receive your data in a structured, machine-readable format (JSON), or have it transmitted to another controller where technically feasible.
  • Objection — object to processing based on legitimate interests, including profiling.
  • Withdraw consent — for processing based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint — with your local supervisory authority. A list is maintained by the European Data Protection Board at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may complain to the Information Commissioner's Office at https://ico.org.uk.

8.2 Rights under CCPA/CPRA (California residents)

  • Know — what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share.
  • Access — request a copy of the specific pieces of personal information we hold about you.
  • Delete — request deletion of personal information, subject to legal exceptions.
  • Correct — request correction of inaccurate personal information.
  • Opt out of sale/sharing — we do not sell personal information and do not share it for cross-context behavioral advertising; no opt-out is required.
  • Limit use of sensitive personal information — we do not use sensitive personal information for purposes that would trigger the right to limit under CPRA.
  • Non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a right.

You may designate an authorized agent to make a request on your behalf. We will verify the agent's authority and your identity before responding.

8.3 Other US state privacy laws

We extend the access, correction, deletion, and opt-out rights described above to residents of states with comparable privacy laws, including Virginia, Colorado, Connecticut, Utah, Texas, and Oregon.

9. Security

We apply administrative, technical, and physical safeguards designed to protect personal information. Highlights:

  • Secrets are stored in Azure Key Vault.
  • Audit events are signed with Ed25519 keys.
  • Access controls and policy decisions are enforced through Cedar policies in a deny-closed fail mode.
  • Network traffic is encrypted in transit (TLS 1.2 or higher).
  • Data at rest is encrypted using Azure-managed encryption.

A more detailed overview is published at https://qortara.com/legal/security. No system is perfectly secure; we encourage you to report suspected vulnerabilities to security@qortara.com under the responsible-disclosure policy.

10. Data breach notification

If we become aware of a personal-data breach affecting your data, we will notify you without undue delay and, where required, within 72 hours of becoming aware, in accordance with GDPR Articles 33 and 34 and applicable state breach-notification laws. The notice will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take. For controller customers, additional commitments are set out in the Data processing agreement at https://qortara.com/legal/dpa.

11. Cookies

Cookie usage is described at https://qortara.com/legal/cookies. In summary: we use first-party session cookies strictly necessary for authentication. We do not use third-party advertising, tracking, or cross-site analytics cookies, and we do not require a consent banner under the GDPR ePrivacy regime for the cookies we use.

12. Children

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, contact privacy@qortara.com and we will delete it. The Service is intended for use by adults acting on behalf of organizations.

13. Changes to this policy

We may update this Privacy policy from time to time. For material changes, we will provide at least 30 days' advance notice by email to the address on file and by updating the "Last updated" date at the top of this page. Continued use of the Service after the effective date constitutes acceptance. Non-material changes (typographical fixes, broken-link updates) take effect on posting.

14. Contact

  • Privacy inquiries: privacy@qortara.com
  • Data subject requests: privacy@qortara.com (subject line: "Data subject request")
  • Security: security@qortara.com
  • General support: support@qortara.com
  • Postal: see the Imprint at https://qortara.com/legal/imprint

If you are in the European Economic Area or the United Kingdom and prefer to communicate in a language other than English, please write to us in any official EU language; we will use commercially reasonable efforts to respond in that language.