Privacy Policy

1. Scope of Policy

This Policy applies to personal data collected through:

• Web properties, applications, and hosted platforms
• Subscription-based SaaS offerings and multi-tenant environments
• APIs, SDKs, and system integrations
• AI and agent-based systems, including orchestration and inference services
• Account registration and authentication systems
• Customer support, communications, and enterprise engagements

This Policy does not apply to third-party systems not owned or controlled by Noir Stack LLC.

2. Categories of Information Collected

A. Information Provided by Users

• Name and contact details
• Email address and account identifiers
• Business or organizational information
• Billing and transaction data
• Authentication credentials
• Communications, submissions, and support inquiries

B. Information Collected Automatically

• IP address and approximate geolocation
• Device identifiers and operating system
• Browser type and configuration
• Usage patterns, telemetry, and interaction logs
• API request metadata and system diagnostics

C. Customer and Platform Data

Users and enterprise customers may submit, upload, or transmit data into the Services (“Customer Data”). This may include structured, unstructured, operational, or analytical data.

The Company processes Customer Data solely to provide and maintain the Services.

The Company does not claim ownership of Customer Data.

D. AI and Model Interaction Data

Use of AI-enabled features may involve processing of:

• Prompts, queries, and instructions
• Inputs and contextual data provided to models
• Generated outputs and system responses
• Performance and evaluation metrics

Such data is processed strictly to deliver requested functionality, maintain system integrity, and improve internal performance. Unless explicitly stated, such data is not used to train external or third-party public models.

3. Purposes of Processing

Personal information is processed for the following purposes:

• Provision, operation, and maintenance of Services
• Identity verification and authentication
• Billing, subscription management, and financial processing
• Security enforcement, monitoring, and incident detection
• System performance optimization and reliability
• Fraud prevention and misuse detection
• Compliance with legal and regulatory obligations
• Customer support and communications

4. Legal Basis for Processing

Where applicable under law, processing is based on:

• Performance of a contract
• Legitimate business interests
• Compliance with legal obligations
• User consent, where required

5. Data Sharing and Disclosure

The Company does not sell personal data.

Information may be disclosed:

• To infrastructure, hosting, analytics, security, and billing providers
• To enterprise customers in accordance with contractual obligations
• To comply with legal process, subpoenas, or governmental requests
• To protect rights, safety, or property of the Company or others
• In connection with corporate transactions (e.g., merger, acquisition, asset transfer)

All service providers are contractually obligated to maintain confidentiality and implement appropriate safeguards.

6. Controller and Processor Roles

Depending on context:

• Noir Stack LLC acts as a data controller for account, billing, and operational data
• Noir Stack LLC acts as a data processor/service provider for Customer Data processed on behalf of enterprise clients

Processing activities are governed by applicable agreements, including Data Processing Addenda (DPA), where required.

7. Multi-Tenant Architecture and Data Segregation

The Services operate within logically segregated environments designed to:

• Isolate tenant and workspace data
• Enforce role-based access controls
• Apply least-privilege principles
• Maintain system-level audit logs and traceability

Customers are responsible for configuring internal access permissions and governance controls.

8. Security Measures

The Company implements administrative, technical, and physical safeguards consistent with industry standards, including:

• Encryption in transit (TLS)
• Encryption at rest where applicable
• Access control and identity management
• Logging, monitoring, and anomaly detection
• Change management and deployment controls
• Incident response and containment procedures

Security practices are aligned with principles consistent with SOC 2 Trust Services Criteria. No system can guarantee absolute security.

9. Data Retention

Personal data is retained only as necessary to:

• Provide Services and fulfill contractual obligations
• Comply with legal and regulatory requirements
• Resolve disputes and enforce agreements

Customer Data is retained in accordance with customer instructions and may be deleted upon termination, subject to legal obligations.

10. Virginia Privacy Rights

Pursuant to the Virginia Consumer Data Protection Act, eligible Virginia residents may have the right to:

• Confirm whether personal data is being processed
• Access personal data
• Correct inaccuracies
• Delete personal data
• Obtain a portable copy of personal data
• Opt out of targeted advertising, profiling, or sale of personal data (if applicable)

Requests may be submitted to: privacy@noirstack.com

The Company may require verification of identity prior to fulfilling requests.

Users have the right to appeal a denied request in accordance with applicable law.

11. Other U.S. State Privacy Laws

Where applicable, the Company will comply with similar rights under other U.S. state privacy frameworks. Rights and obligations may vary by jurisdiction.

12. Cookies and Tracking Technologies

The Services may use:

• Essential and functional cookies
• Security-related cookies
• Analytics and performance monitoring tools

The Company does not deploy cross-site behavioral advertising trackers without appropriate consent where required by law.

Users may manage cookie preferences through browser settings.

13. International Data Transfers

Where data is transferred outside the United States, appropriate safeguards will be implemented consistent with applicable law and contractual requirements.

14. Children's Privacy

The Services are not directed to individuals under the age of 13. The Company does not knowingly collect personal data from children.

15. Data Breach and Incident Notification

In the event of a confirmed breach involving personal data, the Company will:

• Investigate and contain the incident
• Assess scope and impact
• Notify affected individuals and authorities as required under applicable Virginia law and other regulations

16. Enterprise Processing and Data Governance

For enterprise customers:

• The customer acts as the data controller
• Noir Stack acts as a processor/service provider
• Processing is limited to documented instructions

Additional contractual terms, including Data Processing Addenda, may apply.

17. Export Control and Sanctions Compliance

The Services are subject to U.S. export control and sanctions laws. Access may be restricted in prohibited jurisdictions or to restricted parties.

18. Changes to This Policy

The Company reserves the right to update this Privacy Policy at any time.

Material changes will be reflected by updating the “Last Updated” date. Continued use of the Services constitutes acceptance of the revised Policy.

19. Contact Information

Privacy requests or inquiries:

privacy@noirstack.com

Noir Stack LLC
Commonwealth of Virginia