
Privacy Policy

Last updated: April 10, 2026

MythologIQ Labs LLC operates the Qortara Cloud Governance platform at qortara.com. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

1. Who We Are

MythologIQ Labs LLC is the data controller for personal information collected through the Qortara Cloud Governance platform and website.

Contact: support@qortara.com

Entity: MythologIQ Labs LLC

2. What Information We Collect

Account information (collected at signup):

  • Email address
  • Service tier selection
  • Payment information (processed and stored by Stripe or Microsoft; we do not store card numbers)

Usage data (collected automatically during Service use):

  • API request metadata (endpoints called, timestamps, response codes)
  • Agent identifiers and policy evaluation contexts (as submitted by you via the API)
  • Metered usage counts (policy evaluations, audit events, compliance scans, sessions, trust lookups)
  • Active agent counts (for volume discount calculation)

Technical data (collected automatically):

  • IP addresses
  • Browser type and version (for website visits)
  • Device information

Data you submit through the Service:

  • Governance policies you define
  • Agent configurations and registrations
  • Policy evaluation contexts (which may contain personal data about your end users)
  • Compliance scan parameters

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Qortara Cloud Governance service
  • Process payments and manage your account
  • Enforce governance policies and generate audit events as you direct
  • Generate compliance evidence reports
  • Calculate metered billing and apply volume discounts
  • Monitor budget cap thresholds and send alerts
  • Communicate with you about your account, security incidents, and service changes
  • Comply with legal obligations

We do NOT use your information to:

  • Train AI models
  • Sell or share your data with third parties for advertising
  • Build user profiles for marketing purposes
  • Track your browsing behavior (we do not use cookies or analytics)

4. Legal Bases for Processing (GDPR)

For customers in the European Economic Area and United Kingdom, we process personal data under the following legal bases:

Purpose | Legal Basis
Providing the Service | Performance of a contract (Article 6(1)(b))
Processing payments | Performance of a contract
Security and fraud prevention | Legitimate interest (Article 6(1)(f))
Compliance with law | Legal obligation (Article 6(1)(c))
Service communications | Legitimate interest

5. How We Store and Protect Your Information

Data residency: Your Service data is stored in the Azure region you select at signup:

  • Developer plan: US (Central US region)
  • Professional, Team, Business plans: US or EU (your choice)
  • Enterprise plan: US, EU, or custom region

Security measures:

  • Encryption in transit (TLS 1.2+)
  • Row-level security for tenant data isolation
  • Ed25519 cryptographic signatures on audit trails
  • Access controls on all infrastructure components
  • Regular security assessments

Tenant isolation: Each customer's data is logically isolated. Your governance data, policies, and audit events are not accessible to other customers.

6. Data Retention

Data Type | Retention Period
Account information | Duration of your account + 30 days
Audit trail data | Per your plan (30 days to 7 years)
Billing records | As required by tax law (typically 7 years)
Microsoft-sourced data (Azure Marketplace customers) | 30 days per MAICPP terms, unless you consent to longer retention

After account cancellation, your data is retained for 30 days to allow export or reactivation. After 30 days, all data is permanently deleted.

7. Who We Share Your Information With

We share personal data only with the following categories of recipients:

Service providers (sub-processors):

  • Microsoft Azure: cloud infrastructure (compute, storage, database, networking)
  • Stripe, Inc.: payment processing for direct-signup customers
  • Microsoft Commercial Marketplace: payment processing for Azure Marketplace customers
  • Twilio SendGrid: transactional email delivery (signup confirmations, billing alerts, security notifications)

We do not sell, rent, or share your personal data with any other third parties.

Legal requirements: We may disclose personal data if required by law, regulation, legal process, or government request.

Data breach notification: In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify affected individuals without undue delay and no later than 72 hours after becoming aware of the breach, consistent with GDPR Article 34 and our Data Processing Agreement.

8. International Data Transfers

If your data is transferred outside the European Economic Area or United Kingdom, appropriate safeguards are in place:

  • Microsoft Azure operates under Standard Contractual Clauses (SCCs) for international transfers
  • Stripe operates under SCCs for international transfers
  • For UK transfers, the UK International Data Transfer Addendum applies

9. Your Rights

If you are located in the European Economic Area or United Kingdom, you have the following rights under GDPR/UK GDPR:

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate personal data
  • Erasure: request deletion of your personal data (subject to legal retention requirements)
  • Restriction: request restriction of processing
  • Portability: request your data in a machine-readable format
  • Objection: object to processing based on legitimate interest
  • Complaint: lodge a complaint with your local supervisory authority

To exercise these rights, contact support@qortara.com. We will respond within 30 days.

California residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of sale (we do not sell personal information). Contact support@qortara.com.

10. Cookies and Tracking

qortara.com does not use cookies, third-party analytics services, or tracking technologies. We do not track your browsing behavior on our website.

The Qortara Cloud Governance API uses session tokens (JWT) for authentication. These are not cookies -- they are sent via HTTP headers by your application code, not stored in your browser's cookie jar.

11. Children

The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact support@qortara.com.

12. Microsoft AI Cloud Partner Program (MAICPP)

MythologIQ Labs LLC is enrolled in the Microsoft AI Cloud Partner Program. For customers who sign up via Azure Marketplace:

  • Certain customer data sourced from Microsoft is subject to a 30-day retention limit per MAICPP terms
  • This data is automatically purged after 30 days unless you provide explicit consent for extended retention
  • This applies only to Microsoft-sourced data; data you submit directly through the API is not subject to this limit

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

14. Contact

For questions about this Privacy Policy or to exercise your data rights:

Email: support@qortara.com

MythologIQ Labs LLC

If you are in the EU, you also have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.