PRIVACY POLICY
Effective Date: May 2, 2026
Last Updated: May 2, 2026
SALESZ LLC ("Stratalize," "we," "us," or "our") operates the Stratalize platform available at stratalize.com. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our services.
This policy applies to all users of the Stratalize platform, including administrators, end users, and visitors to our marketing website.
1. WHO WE ARE
Stratalize is an AI governance and intelligence platform for regulated industries. We are operated by SALESZ LLC, a Florida limited liability company (EIN 93-2230413), with a registered address at 205 N Michigan Ave Suite 810, Chicago, IL 60601.
For privacy inquiries: privacy@stratalize.com
2. INFORMATION WE COLLECT
2.1 Account and Profile Information
When you register for Stratalize, we collect:
- Name, email address, and password (via Supabase Auth)
- Organization name, industry, and location
- Department, job title, and role within your organization
- Single sign-on identifiers (if your organization uses SSO/SCIM)
- Billing information processed by our payment processor, Stripe
2.2 Usage and Activity Data
We collect information about how you use the platform:
- Features accessed, reports generated, and queries submitted
- AI query counts and model context protocol (MCP) usage
- Integration connection events and sync activity
- Session timestamps, IP addresses, and browser/device metadata
- User actions logged in our governance audit trail
2.3 Integration Credentials
When you connect third-party systems (e.g., QuickBooks, HubSpot, Salesforce, Epic, Jack Henry, Fiserv, and others), we collect and store OAuth access tokens and refresh tokens in encrypted form using AES-256 encryption with a platform-managed key (INTEGRATION_TOKEN_KEY). Webhook secrets and related credentials are similarly encrypted. We do not store plaintext credentials.
2.4 Connected System Data — Ephemeral Staging Architecture
Stratalize operates a zero-persistence architecture for raw enterprise integration data:
(a) When you connect a third-party system, we temporarily stage a minimal data payload in an ephemeral buffer (integration_transactions) solely for the purpose of synthesizing an AI intelligence output.
(b) After successful synthesis, the raw staging payload is automatically and permanently deleted by our data sovereignty pipeline. Only the cryptographically signed synthesis output (not the source data) is retained.
(c) In the event synthesis fails, the staging payload is retained until the next successful synthesis run, after which it is deleted.
(d) Webhook event payloads and sync job metadata may be retained for operational and audit purposes for a limited period.
(e) User-uploaded documents (for document analysis features) and their extracted content are stored for as long as you retain them in the platform.
2.5 AI Synthesis Outputs
Stratalize retains the signed outputs of AI synthesis operations, including intelligence briefs, strategies, reports, and decision briefs. These outputs are cryptographically signed with an Ed25519 private key and stored with associated metadata including synthesis ID, timestamp, model identifier, and data lineage records. These outputs are retained for the duration of your subscription and for a post-termination period as described in Section 6.
2.6 Conversation History
When you use the "Ask Stratalize" conversational AI feature, messages and responses are stored in your account to provide conversation continuity. These messages, including any content you submit, are transmitted to Anthropic's API for processing.
2.7 Information Transmitted to AI Providers
To generate intelligence outputs, Stratalize transmits prompts to third-party AI model providers. These prompts may include:
- Your submitted queries
- Organizational context from your business memory
- Summarized or synthesized data from your connected systems
- Retrieved document content from your uploaded files
We do not transmit raw personal data of your end-users or patients to AI providers unless you explicitly include such content in your queries. Anthropic processes prompts under an enterprise API agreement that prohibits using API content to train Anthropic's models.
2.8 Analytics Data
We use PostHog for product analytics. We collect:
- A pseudonymous user identifier, your subscription tier, and your organization identifier
- Feature usage events (e.g., report_generated, integration_connected, ai_query_used, benchmark_loaded)
- Vendor marketplace events
In our vendor verification flow, a vendor's email address may be transmitted to PostHog as a distinct identifier for that event. We are working to replace this with a pseudonymous identifier in a future release.
2.9 Error and Performance Data
We use Sentry for error monitoring. Error reports may include stack traces, request metadata, and contextual information. We configure Sentry to scrub known credential patterns before transmission. Error data does not include full request/response bodies or integration payloads.
2.10 Information from Cookies and Similar Technologies
Our platform uses cookies and similar technologies for:
- Authentication session management (Supabase Auth)
- Security and fraud prevention (CSRF, rate limiting)
- Analytics (PostHog)
We do not use cookies for cross-site advertising or behavioral tracking outside the platform.
3. HOW WE USE YOUR INFORMATION
We use the information we collect to:
(a) Provide, operate, and improve the Stratalize platform
(b) Authenticate users and maintain session security
(c) Generate AI intelligence syntheses on your behalf
(d) Send transactional communications (via Resend), including account notifications, approval requests, and security alerts
(e) Process billing and subscription management (via Stripe)
(f) Maintain governance audit trails and cryptographic attestation
(g) Detect, investigate, and prevent security incidents and fraud
(h) Comply with applicable legal obligations
(i) Analyze platform usage to improve features and performance
(j) Respond to support and privacy requests
We do not sell your personal data. We do not use your data to train AI models. We do not use your data for advertising.
4. LEGAL BASIS FOR PROCESSING (GDPR)
For users located in the European Economic Area, United Kingdom, or Switzerland, our legal bases for processing personal data are:
(a) Contract performance — processing necessary to deliver the Stratalize service you have contracted for
(b) Legitimate interests — platform security, fraud prevention, product improvement, and audit trail maintenance, where such interests are not overridden by your rights
(c) Legal obligation — compliance with applicable laws and regulatory requirements
(d) Consent — where we have requested and obtained your consent for a specific processing activity (e.g., marketing communications)
5. HOW WE SHARE YOUR INFORMATION
5.1 Sub-processors
We engage the following sub-processors who may process personal data on our behalf:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication | All platform data including Personal Data | US / EU (configurable) |
| Anthropic | AI model inference | Prompts containing org-context and user queries | United States |
| OpenAI | Embedding generation (RAG pipeline) | Text content from uploaded documents and data | United States |
| OpenRouter | AI model gateway | Search queries and non-customer-data enrichment prompts only — no org data or PII routed through this service | United States |
| Vercel | Application hosting, serverless | HTTP traffic, logs, execution environment | United States |
| Stripe | Payment processing, billing | Billing identifiers and payment metadata | United States |
| Resend | Transactional email | Email addresses, message content | United States |
| PostHog | Product analytics | User ID, org ID, subscription tier, usage events | United States |
| Sentry | Error monitoring | Error contexts, request metadata (credentials scrubbed) | United States |
| Inngest | Background job orchestration | Job metadata including org_id and integration_id | United States |
| Upstash | Redis caching | Cached synthesis bundles and rate-limit data | United States |
| Plaid | Financial account linking | Financial account metadata (where Customer uses Plaid integration) | United States |
| Tavily | Web search enrichment | Search queries for market data enrichment | United States |
| xpay.sh (x402) | x402 protocol payment settlement (processes on-chain transaction metadata only — no customer personal data) | Transaction hashes and settlement metadata | United States |
We require all sub-processors to maintain appropriate technical and organizational security measures and to process data only as directed by us.
5.2 Your Organization
Stratalize is a B2B platform. Your organization administrator controls user access, data visibility, and integration configurations. We process data on behalf of your organization as a data processor under your organization's direction.
5.3 Legal Requirements
We may disclose information if required by law, regulation, legal process, or governmental request, to the extent permitted by applicable law.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
5.5 With Your Consent
We may share information with third parties when you have given us explicit consent to do so.
6. DATA RETENTION
We retain your data for the following periods:
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of subscription + 90 days |
| Role briefs and brief cache | Duration of subscription + 90 days |
| Signed AI synthesis artifacts (governance records) | 7 years (regulatory requirement) |
| Governance audit logs | 7 years (regulatory requirement) |
| Integration credentials | Until disconnected or account deletion |
| Raw staging payloads | Seconds to minutes (deleted post-synthesis) |
| Uploaded documents | Until deleted by user or account closure |
| Billing records | 7 years (tax and accounting requirements) |
| Error logs (Sentry) | 90 days |
| Analytics events (PostHog) | 12 months |
| Conversation history | Duration of subscription + 90 days |
Upon account termination, we will delete or anonymize your personal data within 90 days, except where retention is required by law or legitimate business necessity (e.g., fraud prevention, dispute resolution, regulatory compliance).
You may request deletion of your data at any time by contacting privacy@stratalize.com. We will process verified deletion requests within 30 days.
7. SECURITY
We implement technical and organizational measures to protect your data, including:
- TLS 1.3 for all data in transit
- AES-256-GCM encryption for data at rest (Supabase)
- Application-layer AES-256 encryption for integration credentials
- Ed25519 cryptographic signatures on all AI synthesis outputs
- Role-based and attribute-based access controls (RBAC/ABAC)
- Per-user OAuth credential isolation (no shared service accounts)
- Four-eyes approval requirements for AI-proposed write operations
- HMAC-signed approval chains for governance workflows
- Immutable, hash-chained audit logs
- Rate limiting, Content Security Policy, and HSTS headers
- SOC 2 certification planned
No security measure is perfect. If you believe your account security has been compromised, contact security@stratalize.com immediately.
8. INTERNATIONAL DATA TRANSFERS
Stratalize is operated from the United States. If you are located in the European Economic Area, United Kingdom, or Switzerland, your data will be transferred to and processed in the United States.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms, with relevant sub-processors. We conduct Transfer Impact Assessments where required.
Organizations in the EU/EEA may request a Data Processing Agreement (DPA) incorporating appropriate transfer safeguards by contacting privacy@stratalize.com.
9. YOUR PRIVACY RIGHTS
9.1 Rights for EEA, UK, and Swiss Residents (GDPR)
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Request deletion of your personal data
- Restrict or object to processing
- Request data portability in a machine-readable format
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local data protection authority
9.2 Rights for California Residents (CCPA/CPRA)
California residents have the right to:
- Know what personal information we collect, use, and share
- Delete personal information we have collected
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information (we do not sell personal information)
- Limit use of sensitive personal information
- Non-discrimination for exercising your rights
To exercise your rights, contact privacy@stratalize.com with your name, email address, and the right you wish to exercise. We will respond within 30 days (GDPR) or 45 days (CCPA/CPRA).
We will not discriminate against you for exercising any privacy right.
10. CHILDREN'S PRIVACY
Stratalize is a business-to-business platform not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will delete it promptly.
11. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice in the platform at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy reflects when it was most recently revised.
Your continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy.
12. CONTACT US
For privacy questions, data subject requests, or to request our Data Processing Agreement:
SALESZ LLC dba Stratalize
Attn: Privacy
205 N Michigan Ave Suite 810
Chicago, IL 60601
Email: privacy@stratalize.com
For security concerns: security@stratalize.com