Privacy Policy

Effective Date: January 1, 2026

Immut Inc. (“Immut,” “we,” “us,” or “our”) is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our website (the “Website”) and our SaaS platform for intellectual property (IP) protection using XRPL blockchain technology (the “Platform” or “Services”). Our Services are designed for business-to-business (B2B) use, enabling companies to upload, encrypt, hash, and timestamp IP assets on the XRPL blockchain for immutable proof-of-creation.

This Privacy Policy applies to personal data we process as a data controller (e.g., for account creation and website analytics) and as a data processor (e.g., when handling data on behalf of your organization through the Platform). We comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other US state privacy laws (e.g., Virginia Consumer Data Protection Act, Colorado Privacy Act).

If you are using the Services on behalf of your organization (e.g., as an employee or admin), your organization's privacy practices may also apply to your data. We encourage you to review those as well. Our Services are not intended for individuals under 16 years of age, and we do not knowingly collect data from them.

By accessing or using our Website or Services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use our Services.

1. Information We Collect

We collect the following types of personal data:

a. Information You Provide Directly

  • Account and Profile Information: When you create an account or sign up for our Services, we collect your name, email address, company name, and any other details you provide (e.g., role, billing information for subscriptions).
  • Uploaded Content: Through the Platform, your organization may upload files containing IP assets (e.g., PDFs, documents, images). While these files may include personal data (e.g., names or contact details within documents), we treat them as your organization's data. Files are encrypted and stored on AWS servers.
  • Communications: Information you provide when contacting us, such as via email to privacy@immut.io or support requests.

b. Information Collected Automatically

  • Usage and Device Data: When you interact with our Website or Services, we automatically collect data such as IP addresses, browser type, device identifiers, operating system, pages viewed, time spent, and referral sources. This helps us with timestamping IP uploads, analytics, and security.
  • Cookies and Tracking Technologies: We use cookies, pixels, and similar technologies for functionality, analytics, and marketing. See our embedded Cookie Policy below for details.
  • Audit Logs: For security and compliance, we log actions like logins, file uploads, views, and access attempts, including timestamps, user IDs, and IP addresses.

c. Information from Third Parties

  • Payment Processors: Billing information (e.g., credit card details) from Stripe for subscription payments.
  • Analytics Providers: Aggregated usage data from Google Analytics for website visitors.

We do not collect sensitive personal data (e.g., health, racial, or biometric data) unless incidentally included in uploaded IP files by your organization.

Note on Blockchain Data: When you upload IP assets, we generate a hash of the file and log it to the XRPL blockchain for timestamping. Hashes are pseudonymized and do not reveal the original file content, but blockchain entries are immutable and publicly viewable on the XRPL ledger.

2. How We Use Your Information

We use personal data for the following purposes:

  • Providing and Improving Services: To create accounts, process uploads, encrypt and store files, timestamp IP on XRPL, manage user roles (e.g., admins, viewers), and enable features like sharing with external viewers via email.
  • Billing and Subscriptions: To manage subscriptions, process payments, and handle billing inquiries (subscription-only model; no refunds).
  • Security and Compliance: To maintain audit logs, detect fraud, prevent unauthorized access, and comply with legal obligations (e.g., breach notifications within 24 hours of awareness).
  • Analytics and Marketing: To analyze usage patterns, improve our Platform, and send service-related communications. We use Google tracking for website visitors.
  • Support and Communications: To respond to inquiries and provide updates.

We process data based on the following legal bases under GDPR/UK GDPR:

  • Contract performance (e.g., providing Services).
  • Legitimate interests (e.g., security, analytics).
  • Consent (e.g., for cookies where required).

For CCPA purposes, we do not “sell” or “share” personal information as defined under the law.

3. Sharing and Disclosure of Information

We share personal data in limited circumstances:

  • Service Providers: With third-party vendors who help us operate the Services, such as AWS (for encrypted file storage on EU or customer-owned servers), Google (for analytics and tracking), and Stripe (for payments). These providers are bound by contracts ensuring data protection.
  • Within Your Organization: Data is shared based on user roles (e.g., admins can grant access to viewers or external viewers via email links).
  • Legal Requirements: If required by law, subpoena, or to protect rights, property, or safety (e.g., responding to government requests).
  • Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred (we'll notify you).
  • Blockchain: Hashes are publicly logged on XRPL, but they do not contain personal data.

We do not share data for advertising purposes beyond our own services.

4. Data Retention

We retain personal data for as long as your organization's account is active and the subscription is paid. After the last payment, we retain data for an additional 12 months for compliance and dispute resolution, unless a shorter period is required by law. Uploaded files and associated metadata are deleted upon account closure or request, except for immutable blockchain hashes on XRPL, which cannot be altered or removed.

Audit logs are retained for security purposes as required by law (e.g., up to 7 years for financial records).

5. Security Measures

We prioritize data security:

  • Files are encrypted at rest using AES-256 and in transit using TLS 1.3.
  • Access controls include mandatory 2FA, role-based permissions, and audit logging.
  • Storage on secure AWS servers (EU regions where applicable) or customer-owned servers for hybrid setups.
  • We conduct regular security audits and comply with ISO 27001 standards.

In case of a data breach, we notify affected users and authorities within 24 hours of becoming aware, as required by law.

No system is 100% secure, so we cannot guarantee absolute security, but we implement measures to protect against unauthorized access.

6. International Data Transfers

Your data may be transferred to and stored in the United States (e.g., for AWS processing). For EU/UK users, we use Standard Contractual Clauses (SCCs) or other approved mechanisms to ensure adequate protection under GDPR/UK GDPR. We participate in the EU-US Data Privacy Framework where applicable.

7. Your Rights and Choices

You have rights regarding your personal data:

  • Access, Correction, Deletion: Request access to, correction of, or deletion of your data.
  • Portability: Receive your data in a portable format (as per GDPR/CCPA data portability).
  • Objection/Restriction: Object to processing or request restrictions.
  • Withdraw Consent: Withdraw your consent at any time where processing is based on consent (e.g., cookies).
  • Opt-Outs: For CCPA, opt out of any potential “sale” (though we do not sell data). Use “Do Not Sell/Share My Personal Information” requests.

To exercise rights, email privacy@immut.io. We respond within 30 days (extendable under law). For B2B users, we may direct you to your organization's admin.

We use consent banners for non-essential cookies. You can manage preferences via browser settings.

8. Embedded Cookie Policy

We use cookies and similar technologies (e.g., pixels, web beacons) to enhance your experience:

  • Essential Cookies: Necessary for functionality (e.g., session management).
  • Analytics Cookies: Google Analytics tracks website usage (e.g., pages visited, IP addresses anonymized).
  • Marketing Cookies: For targeted communications (with consent).

You can manage cookies via our consent banner or browser settings. Disabling cookies may limit functionality. We respect Global Privacy Control (GPC) signals.

For more details, see our vendors: Google.

9. Children's Privacy

Our Services are for B2B use and not directed at individuals under 16. If we learn we have collected data from someone under 16, we will delete it.

10. Changes to This Privacy Policy

We may update this Policy to reflect changes in our practices or legal requirements. We'll post the updated version on our Website with the new effective date and notify you via email or in-app notice for material changes.

11. Contact Us

For questions or requests, contact our Data Protection Officer at:

Immut Inc.
56 Portland Street
London, UK
Email: privacy@immut.io

Governing Law: This Policy is governed by Delaware law, without regard to conflict of laws principles.