Subatix Privacy Policy
Subatix, Inc.
A Delaware Corporation
Effective Date: January 12, 2026
Last Updated: January 12, 2026
TABLE OF CONTENTS
- Introduction
- Information We Collect
- How We Use Your Information
- Legal Bases for Processing (GDPR)
- Data Sharing and Disclosure
- AI Processing and Logging
- Product and Service Improvement
- Data Retention
- Data Security
- International Data Transfers
- Your Privacy Rights
- GDPR Rights (EU/EEA Residents)
- CCPA Rights (California Residents)
- Children's Privacy
- Cookies and Tracking
- Subprocessors
- Changes to This Policy
- Contact Information
1. INTRODUCTION
This Privacy Policy describes how Subatix, Inc. ("Subatix," "we," "us," or "our"), a Delaware corporation, collects, uses, stores, shares, and protects your information when you use the Subatix AI-native operations improvement workspace (the "Service").
Subatix is an AI-native operations improvement workspace designed to assist businesses and individuals with various productivity, analysis, and operational tasks through the use of artificial intelligence. The Service functions as an AI-powered business improvement tool.
The Service is hosted on Amazon Web Services (AWS) in the US-East-1 (Northern Virginia) region.
By accessing or using the Service, you consent to the collection, use, and processing of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use the Service.
This Privacy Policy is incorporated into and subject to the Subatix Terms of Use (available at www.subatix.com/terms).
Key Definitions (consistent with the Terms of Use):
| Term | Definition |
|---|---|
| Local Data | Files, documents, data, code, or other materials stored locally on your device outside your designated Workspace folder. Local Data is never accessed by the Service unless you explicitly enable extended file access permissions. |
| Workspace | The designated folder or environment on your device that interfaces with the Service. |
| User Content | Any data, text, prompts, files, or other materials that you submit, upload, or transmit through the Service, including files within the designated Workspace folder that are accessed or processed by the Service during task execution. |
| Recommendations | Any content, analysis, deliverables, reports, insights, code, or other materials generated by the Service in response to your inputs. This term reflects that AI-generated content is advisory in nature and requires independent verification. |
| Request Logs | Detailed records of AI requests and responses stored in a separate database for debugging, support, analytics, abuse detection, and product improvement. Request Logs include full prompts, full responses, and associated metadata, with user identifiers pseudonymized via cryptographic hashing. |
| Usage Data | Technical logs, metadata, and information about your use of and interactions with the Service, including token counts, cost calculations, request timing, model selection, and similar operational data. Usage Data excludes User Content and the substantive content of Recommendations. |
2. INFORMATION WE COLLECT
2.1 Account and Authentication Data
When you create an account, we collect and store:
| Data Type | Description | Purpose |
|---|---|---|
| Email address | Your email used for registration | Account identification, communication |
| First and last name | Your full legal name | Account identification, personalization |
| Authentication identifier | Secure identifier for login | Secure authentication |
| Subscription tier | Your current plan level | Service access control |
| Account timestamps | Creation and update dates | Account management |
| Session refresh tokens | Encrypted tokens for login persistence | Authentication continuity |
| Last login timestamp | Date/time of last login | Security monitoring |
2.2 Billing and Subscription Data
When you subscribe to the Service or make purchases, we collect and store:
| Data Type | Description | Retention |
|---|---|---|
| Token balances | Subscription and Top-up token pools | Active while account exists |
| Payment transactions | Payment amounts, methods, status, timestamps | 7 years (legal requirement) |
| Subscription records | Plan ID, status, period start/end, cancellation status | 7 years (legal requirement) |
| Stripe identifiers | Customer ID, subscription ID, invoice IDs | 7 years (legal requirement) |
| Trial information | Trial start/end dates, tokens used | Duration of trial + 7 years |
| Lifetime usage metrics | Total tokens purchased and used | Active while account exists |
Note: Payment card details are processed by Stripe and are not directly stored by Subatix.
2.3 Usage Transaction Data
When you use AI features, we record:
| Data Type | Description | Retention |
|---|---|---|
| Model used | The AI model requested | 24 months |
| Provider | The AI provider (e.g., Anthropic, OpenAI) | 24 months |
| Prompt/response token counts | Number of tokens in request and response | 24 months |
| Duration | Request processing time in milliseconds | 24 months |
| Cost | Token cost of the request | 24 months |
| Status | Success, error, or pending | 24 months |
2.4 Request Logs (Stored in Separate Database)
For debugging, analytics, product improvement, abuse detection, and support purposes, we log detailed request information in a separate, privacy-focused database:
| Data Type | Description | Retention |
|---|---|---|
| Full user prompts | Complete request messages (JSON format) | 24 months |
| Full AI responses | Complete response content (TEXT format) | 24 months |
| Hashed user ID | SHA-256 hash with salt (pseudonymized) | 24 months |
| IP address | Your IP address at time of request | 24 months |
| User agent | Your browser/client identifier | 24 months |
| Session identifier | Groups multi-turn conversations | 24 months |
| Request parameters | Temperature, max_tokens, etc. | 24 months |
| Request/completion timestamps | When request started and completed | 24 months |
| Generation ID | Unique identifier for the AI generation | 24 months |
Important: We log full prompts and full responses. This data is used for debugging, abuse prevention, analytics, and product improvement—never for output caching or to serve future responses.
2.5 Technical and Security Data
We automatically collect:
| Data Type | Description | Retention |
|---|---|---|
| IP address | Network identifier | 30 days (security logs) |
| User agent | Browser/device information | 30 days (security logs) |
| Request headers | HTTP headers including custom headers | 30 days (security logs) |
| Error logs | System errors and debugging info | 30 days |
2.6 Local Data vs. Workspace Data
Understanding the Distinction:
| Data Category | Definition | Collection Status |
|---|---|---|
| Local Data | Files stored on your device outside your designated Workspace folder | Never accessed by the Service |
| Workspace Data | Files within your designated Workspace folder | May be accessed during task execution (see below) |
Local Data (NOT Collected):
Subatix does NOT collect or access:
- Files stored on your local device outside your designated Workspace;
- Your operating system, applications, or other folders (under default settings);
- Raw local datasets that you have not uploaded or pasted;
- Operating system information beyond user agent;
- Keystroke logging or screen captures;
- Location data beyond IP-derived geolocation.
Workspace Data (Accessed During Service Use):
When you use the Service, files within your designated Workspace may be accessed:
- By default, the Service can read and edit project files (files within your Workspace) with auto-approval enabled;
- File contents read by the AI agent are transmitted to third-party AI Providers as part of the conversation context;
- You may disable auto-approval or adjust these settings at any time through the Service settings interface;
- The Service does NOT scan, index, or read files outside your Workspace unless you explicitly enable expanded permissions.
Expanded Permissions (Opt-In Only):
External file access (outside your Workspace) requires explicit opt-in through the Service settings interface. Options such as "Read all files" or "Edit all files" are disabled by default and grant broader access only when you choose to enable them.
2.7 Auto-Execution Features and Privacy Implications
The Service includes features that automatically perform operations on your behalf ("Auto-Execution Features"). Understanding the privacy implications of these features is important:
Default Behavior:
| Feature | Default Setting | Privacy Implication |
|---|---|---|
| Read project files | Auto-approved | File contents transmitted to AI Providers |
| Edit project files | Auto-approved | Modified files remain local; edit requests transmitted |
| External file access | Disabled | Files outside Workspace not accessed |
| Browser automation | Disabled | No browser activity unless enabled |
| Unrestricted commands | Disabled | Commands require approval unless enabled |
Data Transmission During Auto-Execution:
When the AI agent reads files from your Workspace:
- File contents are transmitted to third-party AI Providers as part of the conversation context;
- Data minimization approach: For structured data files (CSV, Excel, JSON, Parquet, etc.), the Service is designed to process data locally via Python scripts, transmitting only computed results (summaries, metrics, preview data) rather than complete raw datasets;
- Transparency: Analysis scripts and documentation are saved locally to your Workspace for your review and audit trail;
- Automated data processing: When your Workspace contains data files (CSV, Excel, JSON, Parquet, etc.), the Service may automatically analyze your data structure using autonomous background processes. This analysis helps the Service better understand your context and provide more relevant Recommendations. A visual indicator appears during processing.
Optional Expanded Permissions:
Optional expanded permissions (such as external file access, browser automation, and unrestricted command execution) are disabled by default and require explicit opt-in. Enabling these permissions significantly increases the data that may be accessed and transmitted to AI Providers. See the Terms of Use (Section 4.6) for full details on Auto-Execution Features and associated risks.
Important Notice: Auto-approved file read operations result in content transmission to AI Providers. The data minimization approach is enforced through system instructions to the AI, but is not a technical guarantee.
3. HOW WE USE YOUR INFORMATION
3.1 Primary Purposes
We use your information to:
| Purpose | Description |
|---|---|
| Provide the Service | Operate, maintain, and deliver the Service functionality |
| Process payments | Manage subscriptions, process transactions, calculate token costs |
| Authenticate users | Secure account access and session management |
| Route AI requests | Direct your prompts to appropriate AI providers |
| Provide support | Respond to inquiries and resolve issues |
| Send communications | Service-related updates and notifications |
3.2 Product Improvement
We use logged data (prompts, responses, metadata) to:
| Purpose | Description |
|---|---|
| Debug issues | Identify and resolve technical problems |
| Analyze usage | Understand usage patterns and trends |
| Improve AI routing | Enhance model selection and performance |
| Enhance features | Develop and improve platform capabilities |
| Optimize service | Improve reliability and user experience |
Before using logs for product improvement, we apply:
- Pseudonymization: User IDs are hashed with SHA-256 + secret salt;
- Secret scrubbing: Sensitive credentials are automatically redacted;
- Aggregation: When applicable, data is aggregated to prevent individual identification.
3.3 Security and Abuse Prevention
We use your information to:
- Detect and prevent fraud and abuse;
- Monitor for policy violations;
- Protect against security threats;
- Investigate suspicious activity;
- Comply with legal obligations.
3.4 What We Do NOT Do
- We do NOT use customer data to train internal machine learning models unless you explicitly opt in.
- We do NOT sell your data to third parties.
- We do NOT share your data for advertising purposes.
- We do NOT cache AI responses for reuse across different requests.
- Logged data is never used to serve future AI responses to you or other users.
4. LEGAL BASES FOR PROCESSING (GDPR)
For users in the European Union or European Economic Area, we process personal data based on the following legal bases:
4.1 Summary of Legal Bases
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Account management, service provision, billing, payment processing |
| Legitimate Interests | Security, fraud prevention, analytics, product improvement, debugging, customer support |
| Legal Obligation | Tax compliance, responding to legal requests, regulatory requirements |
| Consent | Marketing communications (where applicable) |
4.2 Jurisdiction-Specific Disclosure Table
| Purpose | Type of Data | Legal Basis |
|---|---|---|
| To provide and maintain the Service | Identity and contact data, User Content, Recommendations | Contract |
| To create and administer your account | Identity and contact data, payment information | Contract |
| To facilitate payments | Identity and contact data, payment information | Contract |
| To provide optional features that enhance the Service | Identity and contact data, User Content, Recommendations | Legitimate interests: to improve the Service and expand functionality |
| To communicate with you | Identity and contact data, communication information | Contract (service-related); Consent (marketing) |
| To prevent and investigate fraud, abuse, and security incidents | Identity and contact data, technical information, User Content | Legitimate interests: to protect Subatix and users |
| To investigate and resolve disputes | Identity and contact data, User Content, Recommendations | Legitimate interests; Legal obligation |
| To debug and repair errors | Identity and contact data, technical information | Legitimate interests: to ensure stable operation |
| To improve the Service and conduct research | Technical information, aggregated usage data | Legitimate interests: to evaluate and improve the Service |
| To enforce our Terms of Use | Identity and contact data, technical information | Contract; Legitimate interests |
4.3 No Automated Decision-Making
Subatix does not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you (e.g., decisions affecting your healthcare, financial circumstances, or legal rights).
While the Service uses AI to generate Recommendations, these Recommendations:
- Are provided as suggestions only and do not constitute decisions made about you;
- Do not have legal or similarly significant effects on you;
- Require your independent review and action before implementation.
4.4 Objection Rights
You may object to processing based on legitimate interests by contacting support@subatix.com. We will assess your request and respond within 30 days.
5. DATA SHARING AND DISCLOSURE
5.1 Third-Party AI Providers
Your User Content is transmitted to third-party AI providers for processing. By using the Service, you acknowledge and consent that your prompts and data will be processed by these providers according to their own privacy policies and terms.
The current list of AI providers is maintained at: www.subatix.com/subprocessors
5.2 Data Transmitted to AI Providers
When you make an AI request, we transmit the following to third-party AI Providers:
| Data Category | Description |
|---|---|
| Typed prompts and messages | Your text inputs and instructions |
| Images | Images you paste or attach to the conversation |
| Workspace files | Contents of files within your designated Workspace folder that are read by the AI agent during task execution (auto-approved by default) |
| Workspace context metadata | File and folder names (not contents unless read), open editor tabs, terminal command output, current timestamp |
| Conversation history | Previous messages in the current conversation |
| Request parameters | Temperature, max_tokens, model selection, and other technical parameters |
Data Minimization for Structured Data:
When analyzing structured data files (CSV, Excel, JSON, etc.), the Service instructs the AI to:
- Process data locally via Python scripts rather than loading raw data into the conversation;
- Share only computed results (summaries, calculated metrics, limited preview data);
- Save analysis scripts locally to your Workspace for transparency.
This approach minimizes raw data exposure, though some data preview and analysis results are necessarily transmitted for meaningful responses.
We do NOT transmit to AI Providers:
- Your email address or personal identifiers;
- Your IP address;
- Your payment information;
- Your Subatix account credentials.
5.3 Third-Party AI Provider Data Policies
Each AI Provider has its own policies regarding data retention and model training. You should understand the following:
Subatix's Position:
- Subatix does NOT use your User Content to train internal AI models unless you explicitly opt in to such use;
- Where available, Subatix configures API calls to request that providers do not use your data for training;
- However, enforcement depends on each provider's implementation and policies.
Important Limitations:
| Limitation | Explanation |
|---|---|
| Third-party control | Subatix cannot control third-party AI Provider policies regarding data retention or model training |
| Varying practices | AI Providers may have different data handling practices than Subatix |
| Policy changes | Provider policies may change over time |
| Training opt-out | Some providers may use content for training unless explicitly opted out; opt-out availability varies by provider |
Provider Information:
Details on each AI provider's data usage policies are maintained at: www.subatix.com/subprocessors
We encourage you to review the privacy policies and terms of service of our AI Providers to understand how they handle your data.
5.4 Service Providers
We share data with service providers who assist in operating the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Hosting infrastructure | All Service data |
| Stripe, Inc. | Payment processing | Billing information |
| Authentication provider | Identity management | Account credentials |
| Analytics providers | Usage analytics | Aggregated usage data |
5.5 Legal Requirements
We may disclose information when required by:
- Law, regulation, or legal process;
- Court orders or subpoenas;
- Government or regulatory requests;
- Protection of rights, safety, or property.
5.6 Business Transfers
In the event of a merger, acquisition, bankruptcy, or asset sale, your information may be transferred to the successor entity.
5.7 No Sale of Personal Information
Subatix does NOT sell your personal information to third parties for monetary consideration.
Subatix does NOT share your data for advertising purposes.
6. AI PROCESSING AND LOGGING
6.1 Logging Behavior
Subatix logs full prompts and full responses for each AI request. This logging is essential for:
- Debugging: Identifying and resolving technical issues
- Abuse Prevention: Detecting misuse and policy violations
- Analytics: Understanding usage patterns
- Product Improvement: Enhancing Service quality
- Support: Assisting with customer inquiries
6.2 Pseudonymization
All logged data is pseudonymized before storage:
- Algorithm: SHA-256 cryptographic hash
- Salt: Secret salt stored separately from logs
- Result: 64-character hex string that cannot be reversed without the salt
This means that if the logs database alone were compromised, user identities could not be determined without access to the main database and the secret salt.
6.3 Automatic Secret Scrubbing
Before storing any prompt or response, we automatically scan for and redact sensitive secrets:
| Secret Type | Examples |
|---|---|
| API keys | OpenAI (sk-...), Anthropic (sk-ant-...), AWS (AKIA...), Stripe keys |
| Passwords | Password fields and patterns |
| Authentication tokens | Bearer tokens, JWT tokens |
| Access tokens | GitHub tokens (ghp_..., gho_...), OAuth tokens |
| Secret keys | AWS secret keys, API secrets |
Detected secrets are replaced with [REDACTED] before storage.
6.4 No Output Caching for Reuse
- Logs are never used for output caching
- Logs are never used to serve future responses
- Every user request triggers a fresh API call to the AI provider
Temporary Data Caching (Separate from Logging):
| Data Type | Cache Duration | Purpose |
|---|---|---|
| Billing metadata (token counts, cost calculations) | Up to 15 minutes | Billing accuracy |
| Authentication state | 5 minutes to 1 hour | Security |
| Rate limiting data | 5 minutes to 1 hour | Security |
This temporary caching is for operational purposes only and is never used to serve future AI responses.
6.5 Logging Opt-Out
Users may request to opt out of request logging by submitting a written request to support@subatix.com.
Important: Opting out may limit our ability to provide support or investigate issues related to your requests. Specifically, without request logs we may be unable to:
- Provide technical support for issues with your AI requests;
- Investigate and resolve problems you report;
- Detect and respond to potential abuse on your account;
- Assist with billing inquiries related to specific requests.
7. PRODUCT AND SERVICE IMPROVEMENT
7.1 Use of Logged Data
Subatix may use logged prompts, responses, and metadata to develop, debug, improve, and enhance Subatix products and services.
7.2 Safeguards Applied
Before using data for improvement purposes, Subatix applies:
- Pseudonymization: User identifiers are hashed with SHA-256 + secret salt
- Secret Scrubbing: Credentials and sensitive data are removed
- Aggregation: Data is aggregated when applicable to prevent individual identification
- De-identification: Personal identifiers are removed or replaced
7.3 No AI Model Training (Default)
Subatix does NOT use customer data to train internal machine learning models unless the user explicitly opts in to such use.
7.4 No Advertising Use
Logged data is never sold, shared, or used for advertising purposes.
7.5 Permitted Improvement Uses
Anonymized and aggregated data may only be used for:
- Security monitoring and incident response
- Abuse detection and prevention
- Analytics and usage measurement
- Product development and feature improvement
- Debugging and technical troubleshooting
- Service reliability and performance optimization
- Internal research and analysis
- Developing new Service capabilities
8. DATA RETENTION
8.1 Retention Schedule
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion | Service provision |
| Request logs (prompts/responses) | 24 months (730 days) | Debugging, analytics, product improvement |
| Billing and payment data | 7 years | Legal and tax compliance |
| Security logs | 30 days | Security monitoring |
| Usage metadata | 30–90 days | Analytics and monitoring |
8.2 Automatic Deletion
- Request logs are automatically deleted after 24 months
- Security logs are automatically purged after 30 days
- No manual intervention required for scheduled deletions
8.3 Account Deletion
Upon account deletion:
| Data Type | Action |
|---|---|
| Account-level data | Immediately deleted |
| Request logs | Deleted via normal retention cycle (24 months) |
| Billing data | Cannot be deleted (7-year legal retention) |
| Local data on your device | You must delete it yourself (Subatix cannot access) |
8.4 Local Data Deletion
Subatix cannot delete files stored locally on your device. You are responsible for managing and deleting your own local data.
9. DATA SECURITY
9.1 Security Measures
We implement commercially reasonable security measures, including:
- Encryption in transit: All data is transmitted over TLS/HTTPS
- Encryption at rest: Database encryption for stored data
- Access controls: Role-based access for internal staff
- Pseudonymization: User IDs hashed in logs
- Secret scrubbing: Automatic credential redaction
- Separate databases: Request logs stored in isolation from main database
- Infrastructure security: AWS security best practices
- Monitoring: Security logging and anomaly detection
9.2 Administrative Access
Only limited Subatix internal staff have administrative access to backend systems. This access is used exclusively for:
- Billing issue resolution
- Customer support
- Fraud detection and prevention
- Technical debugging and maintenance
- Analytics and usage monitoring
Administrators cannot access files stored locally on your device. Local Data remains entirely under your control.
9.3 Limitations
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9.4 Incident Response
In the event of a data breach, we will:
- Investigate and contain the breach
- Notify affected users as required by applicable law
- Report to supervisory authorities as required by GDPR (within 72 hours) or other applicable laws
10. INTERNATIONAL DATA TRANSFERS
10.1 Data Location
Your data is processed and stored on servers located in the United States (AWS US-East-1 region, Northern Virginia).
10.2 Transfers from EEA/UK
If you are located in the European Economic Area (EEA) or United Kingdom (UK), your data will be transferred to the United States. We rely on the following mechanisms for lawful data transfers:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) where applicable
- Data Processing Agreements with our subprocessors
10.3 User Consent
By using the Service, you consent to the transfer, processing, and storage of your information in the United States and other jurisdictions where our service providers operate.
11. YOUR PRIVACY RIGHTS
11.1 Access and Portability
You can:
- Access your account data through your account settings
- Access Local Data and Recommendations directly from your Workspace
- Request a copy of your personal data by contacting support@subatix.com
11.2 Correction
You can update your account information through your account settings or by contacting support@subatix.com.
11.3 Deletion
You may request deletion of your account and personal data by contacting support@subatix.com.
Deletion Limitations:
| Data Type | Can Be Deleted? |
|---|---|
| Account data | Yes - Immediately deleted |
| Request logs | Yes - Deleted via retention cycle (24 months) |
| Billing data | No - Cannot be deleted (7-year legal retention) |
| Local data | No - You must delete it yourself (Subatix cannot access) |
11.4 Objection
You may object to processing based on legitimate interests by contacting support@subatix.com. We will assess your request and respond within 30 days.
11.5 Withdrawal of Consent
Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
12. GDPR RIGHTS (EU/EEA RESIDENTS)
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):
| Right | Description |
|---|---|
| Right to Access | Obtain confirmation of processing and access to your data |
| Right to Rectification | Request correction of inaccurate data |
| Right to Erasure | Request deletion ("right to be forgotten") |
| Right to Restrict Processing | Request limitation of processing |
| Right to Data Portability | Receive data in structured, machine-readable format |
| Right to Object | Object to processing based on legitimate interests |
| Right to Withdraw Consent | Withdraw consent at any time |
| Right to Lodge Complaint | File complaint with supervisory authority |
To Exercise Rights: Contact support@subatix.com
Response Time: Within 30 days (extendable by 60 days for complex requests)
Supervisory Authority: You may file complaints with your local data protection authority.
13. CCPA RIGHTS (CALIFORNIA RESIDENTS)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
13.1 Right to Know
You have the right to request information about:
- Categories of personal information collected
- Specific pieces of personal information collected
- Categories of sources
- Purposes for collection
- Categories of third parties with whom data is shared
13.2 Right to Delete
You have the right to request deletion of your personal information, subject to legal exceptions.
13.3 Right to Correct
You have the right to request correction of inaccurate personal information.
13.4 Right to Opt-Out
You have the right to opt out of the "sale" or "sharing" of personal information.
Subatix does NOT sell personal information.
13.5 Right to Non-Discrimination
Subatix will not discriminate against you for exercising your CCPA rights.
13.6 Exercising Rights
To Exercise Rights: Contact support@subatix.com or send a written request to:
Subatix, Inc.
3723 Greenville Ave STE 41033
Dallas, TX 75206
Verification: We may need to verify your identity before processing requests.
Response Time: Within 45 days (extendable by an additional 45 days)
13.7 Categories of Personal Information Collected
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Email, name, IP address | Yes |
| Commercial Information | Subscription, purchases | Yes |
| Internet Activity | Service usage logs (API requests, tool usage) | Yes |
| Geolocation | IP-derived location | Yes |
| Professional Information | N/A | No |
| Education Information | N/A | No |
| Biometric Information | N/A | No |
| Sensitive Personal Information | N/A | No |
14. CHILDREN'S PRIVACY
14.1 Age Restriction
The Service is not directed to, and not intended for, individuals under 18 years of age. You must be at least 18 years old to use the Service.
We do not knowingly collect or solicit personal information from individuals under 18. If you are under 18, please do not use the Service or provide any personal information to us.
14.2 COPPA Compliance
Subatix is not designed to collect data from children under 13 and does not knowingly collect such data in compliance with the Children's Online Privacy Protection Act (COPPA).
The Service is not directed at children under 13 and should not be used by anyone under 13 under any circumstances.
14.3 Discovery and Deletion
If we learn or have reason to suspect that a user is under the age of 18, we will investigate and, if appropriate:
- Promptly delete the personal information associated with that account;
- Terminate the user's account;
- Take any other appropriate action.
14.4 Reporting
If you believe we have collected information from an individual under 18, please contact support@subatix.com immediately with the following information:
- The username or email address associated with the account (if known);
- Any relevant details about how you became aware of the situation.
We take such reports seriously and will investigate promptly.
15. COOKIES AND TRACKING
Scope: This section applies to the Subatix website (www.subatix.com) and web-based Service interfaces. The Subatix desktop agent application does not use cookies.
This section should be read together with our Cookie Policy (available at www.subatix.com/cookies).
15.1 What Cookies Are
Cookies are small text files stored on your device when you visit a website. They help recognize your device, remember preferences, improve performance, and sometimes deliver personalized content or advertising. Some cookies are essential for operation; others are optional and used for analytics, marketing, or personalization.
Similar technologies such as pixels, local storage, or scripts may serve the same purpose.
15.2 Types of Cookies We Use
a. Essential Cookies (Always Active)
These cookies are necessary for the website and Service to function securely and correctly. They enable page navigation, consent management, and basic functionality. You cannot disable them through our cookie banner.
Examples include:
- Session identifiers used by the hosting provider;
- Cookies that store your consent preferences;
- Authentication and security cookies.
b. Analytics and Performance Cookies (Optional)
These cookies help us understand how visitors use the website and Service, measure traffic, and improve speed and reliability. Collected data is aggregated and not used to identify you personally.
We currently use:
| Service | Purpose |
|---|---|
| Google Analytics 4 (GA4) | Tracks engagement, session counts, and approximate geography with IP anonymization |
| Vercel Analytics and Web Vitals | Measures anonymous performance metrics (load time, responsiveness) |
| Sentry | Monitors frontend and backend errors, crashes, and performance data |
You can reject these cookies via the cookie banner or your browser settings.
c. Marketing and Personalization Cookies (Optional)
We may use these cookies in the future to provide personalized experiences, measure campaign performance, and display relevant ads. They may come from our advertising and analytics partners such as:
- Google Ads / Google Marketing Platform — remarketing, conversion tracking, ad personalization;
- Meta (Facebook/Instagram) Pixel — cross-platform advertising and performance measurement;
- Other advertising or social media platforms we may integrate later.
These cookies track interactions across websites to help us deliver more relevant advertising and content. They are only set after you give explicit consent through the cookie banner.
15.3 How to Manage or Delete Cookies
You can manage your cookie preferences using:
- Cookie banner: Shown on your first visit to the website. You can click "Cookie Settings" to manage your preferences at any time;
- Browser settings: Most browsers allow you to block or delete cookies. Disabling essential cookies may affect functionality;
- Preference retention: Your consent preferences are stored for 12 months, after which you may be asked to renew your choices.
For more information about cookies:
Disabling optional cookies may affect certain Service features but will not prevent core functionality.
15.4 Legal Basis for Cookies (GDPR)
For visitors from the EEA, UK, and Switzerland:
| Cookie Type | Legal Basis |
|---|---|
| Essential cookies | Legitimate interest to operate and secure the website and Service |
| Analytics cookies | Consent only |
| Marketing and personalization cookies | Consent only |
You can withdraw consent at any time through the cookie banner or your browser settings.
15.5 Cookie Retention
Cookies have varying lifespans:
| Cookie Type | Retention Period |
|---|---|
| Session cookies | Expire when your browser closes |
| Persistent cookies | Remain for a defined period (typically no longer than 13 months) |
| Analytics and marketing data | May be retained by providers according to their own privacy policies |
15.6 Do Not Track
We do not currently respond to "Do Not Track" browser signals. This is because there is no industry standard for how to respond to such signals, and the impact on Service functionality varies.
16. SUBPROCESSORS
16.1 Subprocessor List
A current list of our subprocessors (third parties who process data on our behalf) is maintained at:
16.2 Categories of Subprocessors
| Category | Purpose | Examples |
|---|---|---|
| Cloud Infrastructure | Hosting, storage | AWS |
| AI Providers | AI model processing | Listed on subprocessors page |
| Payment Processing | Billing, transactions | Stripe |
| Authentication | Identity management | Authentication provider |
| Analytics | Usage analytics | Various |
16.3 Updates
We update the subprocessors list as providers are added or changed. Material changes will be communicated per our Terms of Use.
17. CHANGES TO THIS POLICY
17.1 Right to Modify
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
17.2 Notification
We will provide at least fourteen (14) days' notice of material changes by:
- Sending email to your registered address
- Posting notice within the Service
- Updating the "Last Updated" date
17.3 Emergency Changes
We may make changes immediately and without advance notice if required by law or necessary to address security, fraud, or illegal activity.
17.4 Review
We encourage you to periodically review this Privacy Policy to stay informed about our data practices.
17.5 Continued Use
Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
18. CONTACT INFORMATION
For questions, concerns, or requests related to this Privacy Policy or your personal data:
Subatix, Inc.
A Delaware Corporation
3723 Greenville Ave STE 41033
Dallas, TX 75206
General Support & Privacy Inquiries: support@subatix.com
Website: www.subatix.com
Cookie Policy: www.subatix.com/cookies
Subprocessors: www.subatix.com/subprocessors
Terms of Use: www.subatix.com/terms
Response Time: We aim to respond to privacy inquiries within 30 days.
SUMMARY OF DATA PRACTICES
What We Collect and How Long We Keep It
| What We Collect | What We Use It For | How Long We Keep It |
|---|---|---|
| Account data (email, first/last name, etc.) | Authentication, personalization | Until account deletion |
| Billing data | Payment processing, compliance | 7 years |
| Usage transactions | Billing, analytics | 24 months |
| Full prompts & responses | Debugging, analytics, product improvement, abuse detection | 24 months |
| IP address / user agent | Security, abuse prevention | 30 days |
What We Do NOT Do
| What We Do NOT Do | Details |
|---|---|
| Sell your data | Never |
| Use data for advertising | Never |
| Train ML models on your data | Not without explicit opt-in |
| Cache responses for other users | Never |
| Access your local files | Cannot access local storage |
| Share data with third parties for marketing | Never |
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.
Subatix, Inc.
A Delaware Corporation
Effective as of January 12, 2026
END OF PRIVACY POLICY