Privacy Policy

Introduction

At entropy forge ("Company," "we," "us," or "our"), we understand that privacy is fundamental to enterprise trust — especially when integrating AI systems into mission-critical business operations. This Privacy Policy explains how we collect, use, protect, and handle your personal data in compliance with the latest 2026 global privacy standards.

This policy applies to all services provided by entropy forge, including custom software development, agentic workflow implementation, systems integration, and AI automation consultancy.

Our Core Privacy Commitment: Your data is never used to train public AI models. We maintain strict data siloing to ensure complete operational and competitive confidentiality.

1. Information We Collect

1.1 Information You Provide Directly

We collect information you voluntarily provide when engaging our services:

• Contact Information: Name, email address, phone number, company name, job title
• Business Information: Company details, project requirements, technical specifications, system architecture details
• Account Credentials: Login information for client portals or project management systems
• Payment Information: Billing address, payment method details (processed securely through third-party payment processors)
• Communications: Content of emails, support tickets, consultation notes, and other correspondence

1.2 Information Collected Automatically

When you visit our website or use our services, we automatically collect certain information:

Data Type	What We Collect	Purpose
Website Analytics	IP address, browser type, device information, pages visited, time spent	Improve user experience and website performance
Cookies	Session cookies, preference cookies, analytics cookies	Maintain sessions, remember preferences, analyze usage patterns
System Logs	Access logs, error logs, API request logs, authentication events	Security monitoring, troubleshooting, performance optimization
Integration Logs	API calls, data transformations, workflow executions, system interactions	Service delivery, debugging, optimization, audit trail

1.3 Information from Third-Party Sources

We may receive information from:

• Business Partners: Referral partners or technology integration partners
• Public Sources: Publicly available business information for B2B prospecting
• Service Providers: Payment processors, email service providers, cloud infrastructure providers

1.4 Client Project Data

During service delivery, we may process:

• Business Logic Data: Workflow specifications, process documentation, operational requirements
• Technical Data: System credentials, API keys, database schemas, integration endpoints
• Operational Data: Transaction logs, user behavior patterns, performance metrics
• Sensitive Data: Any data classified as sensitive by the client (handled under specific contractual provisions)

2. AI Data Silo Guarantee

2.1 How We Protect Your Data in AI Systems

entropy forge implements strict technical and organizational measures to ensure complete data isolation:

• Project-Specific Environments: Each client engagement operates in isolated computing environments with dedicated infrastructure
• Zero Cross-Contamination: Data from one client project never flows to another client's systems or workflows
• No Model Training: Your data is not used to fine-tune, train, or improve any machine learning models that serve other clients
• API Isolation: When using third-party AI APIs (OpenAI, Anthropic, Google Cloud), we configure zero-retention policies where supported
• Memory Partitioning: Agentic systems maintain separate memory contexts per client with cryptographic isolation
• Audit Trails: Complete logging of data access and processing for compliance verification

2.2 Third-Party AI Provider Data Handling

When we integrate third-party AI services, we ensure maximum data protection:

Provider	Our Configuration	Data Retention
OpenAI API	Zero-retention mode enabled where available; API calls do not train models	30 days for abuse monitoring only (per OpenAI policy), then permanent deletion
Anthropic Claude	Enterprise API with contractual data isolation guarantees	Not used for model training; retained per our deletion schedule
Google Cloud AI	Private deployment in client-specific projects with data residency controls	Governed by Google Cloud Platform DPA and our retention policies

2.3 Competitive Confidentiality

We understand that your business logic, operational processes, and data represent competitive advantages. Our data silo architecture ensures:

• Your proprietary workflows remain completely confidential
• No insights from your systems inform solutions for other clients
• Your data architecture and integration patterns are never replicated
• Industry competitors receiving our services operate in completely isolated environments

3. How We Use Your Information

3.1 Service Delivery

• Designing, developing, and deploying custom software and agentic workflows
• Integrating systems and automating business processes
• Providing technical support and troubleshooting
• Monitoring system performance and optimizing operations
• Conducting security assessments and implementing protective measures

3.2 Business Operations

• Processing payments and managing invoices
• Communicating about projects, updates, and service changes
• Responding to inquiries and support requests
• Managing client relationships and project timelines

3.3 Legal and Compliance

• Complying with legal obligations and regulatory requirements
• Enforcing our Terms of Use and other agreements
• Protecting against fraud, security threats, and illegal activity
• Maintaining audit trails for compliance verification

3.4 What We Do NOT Do With Your Data

4. Third-Party Integrations and Service Providers

4.1 AI and Cloud Infrastructure Providers

We utilize industry-leading AI and cloud platforms to deliver our services. Each provider maintains its own privacy policy and security standards:

• OpenAI: Privacy Policy at openai.com/privacy
• Anthropic: Privacy Policy at anthropic.com/privacy
• Google Cloud Platform: Privacy Policy at cloud.google.com/privacy
• Amazon Web Services: Privacy Policy at aws.amazon.com/privacy
• Microsoft Azure: Privacy Policy at privacy.microsoft.com

4.2 Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all third-party providers who process client data. These agreements ensure:

• Providers act only on our documented instructions
• Appropriate technical and organizational security measures are implemented
• Sub-processors are authorized and compliant
• Data subject rights can be exercised
• Data breaches are reported promptly

4.3 Other Service Providers

We work with carefully vetted service providers for:

• Payment Processing: Stripe, PayPal (PCI-DSS compliant)
• Email Communications: SendGrid, Postmark (GDPR compliant)
• Analytics: Plausible Analytics (privacy-focused, GDPR compliant)
• Customer Support: Intercom, Zendesk (EU data residency options)
• Scheduling: Google Calendar — subject to Google's Privacy Policy

5. Data Security Measures

5.1 Technical Safeguards

• Encryption: AES-256 encryption at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), principle of least privilege
• Network Security: Firewall protection, intrusion detection systems, DDoS mitigation
• Secure Development: Code reviews, security testing, vulnerability scanning, penetration testing
• Backup and Recovery: Automated encrypted backups, disaster recovery procedures, business continuity planning

5.2 Organizational Safeguards

• Employee Training: Regular security and privacy training for all staff
• Background Checks: Screening for personnel with data access
• Confidentiality Agreements: All employees sign comprehensive NDAs
• Incident Response: Documented procedures for security incidents and data breaches
• Third-Party Audits: Regular security assessments by independent auditors

5.3 Data Breach Notification

In the event of a data breach affecting personal data, we will:

• Notify affected individuals within 72 hours of discovery (as required by GDPR)
• Provide clear information about the nature of the breach and data affected
• Outline steps taken to mitigate harm and prevent recurrence
• Notify relevant supervisory authorities as required by law
• Offer support services (credit monitoring, identity protection) where appropriate

6. Data Retention and Deletion

6.1 Retention Periods

Data Category	Retention Period	Rationale
Contact Information	Duration of relationship + 3 years	Business continuity, legal requirements
Project Data	As specified in contract, default 2 years post-completion	Support obligations, dispute resolution
Financial Records	7 years	Tax and accounting regulations
System Logs	90 days (security logs retained 1 year)	Troubleshooting, security monitoring
Integration Logs	As specified in contract, default 90 days	Debugging, audit trail
Marketing Data	Until consent withdrawn	Ongoing business relationship

6.2 Secure Deletion Procedures

When data reaches the end of its retention period or upon deletion request, we:

• Cryptographic Erasure: Delete encryption keys, rendering data unrecoverable
• Secure Overwriting: Overwrite storage media using DOD 5220.22-M or equivalent standards
• Backup Purging: Remove data from all backup systems within 90 days
• Third-Party Deletion: Request deletion from all third-party processors
• Verification: Confirm deletion through audit logs and certificate of destruction

6.3 Legal Hold Exception

Data may be retained beyond standard periods when required for:

• Active litigation or regulatory investigation
• Ongoing contract disputes
• Legal preservation requests
• Government or law enforcement requirements

7. Your Privacy Rights

7.1 Right to Access

You have the right to:

• Request confirmation of whether we process your personal data
• Obtain a copy of your personal data in a structured, commonly used format
• Receive information about how we use your data, who we share it with, and how long we retain it

How to Exercise: Submit a request to privacy@entropy-forge.io. We will respond within 30 days with a comprehensive data export.

7.2 Right to Rectification

You have the right to:

• Correct inaccurate personal data
• Complete incomplete personal data

How to Exercise: Contact privacy@entropy-forge.io with the corrections needed. We will update your data within 10 business days.

7.3 Right to Deletion ("Right to be Forgotten")

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent (where consent was the legal basis)
• You object to processing and there are no overriding legitimate grounds
• The data was unlawfully processed
• Deletion is required for legal compliance

Special Considerations for AI/LLM Integration Contexts:

• Active Integration Data: For data in live agentic workflows, we will delete within 30 days, coordinating with you to prevent service disruption
• Historical Logs: Integration logs containing your data will be purged from all systems within 90 days
• Third-Party APIs: We will request deletion from OpenAI, Anthropic, Google Cloud, and other processors
• Backup Systems: Data in encrypted backups will be deleted within the next backup rotation cycle (maximum 90 days)
• Derived Insights: Any aggregated or anonymized data derived from your data will be reviewed; if re-identification is possible, it will be deleted

How to Exercise: Submit a deletion request to privacy@entropy-forge.io with subject line "Data Deletion Request — [Your Name/Company]". We will:

1. Acknowledge your request within 48 hours
2. Verify your identity to prevent unauthorized deletions
3. Coordinate with you on timing (for active integrations)
4. Execute deletion across all systems
5. Provide confirmation of deletion within 45 days

7.4 Right to Restriction of Processing

You have the right to request we limit processing of your data when:

• You contest the accuracy of the data (during verification)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data but you need it for legal claims
• You object to processing (pending verification of legitimate grounds)

7.5 Right to Data Portability

You have the right to:

• Receive your personal data in a structured, machine-readable format (JSON, CSV, XML)
• Transmit your data to another service provider where technically feasible

7.6 Right to Object

You have the right to object to:

• Processing based on legitimate interests (unless we demonstrate compelling grounds)
• Direct marketing activities (unconditional right)
• Profiling and automated decision-making

7.7 California-Specific Rights (CCPA/CPRA)

If you are a California resident, you also have the right to:

• Know: What categories of personal information we collect and how we use them
• Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights
• Limit Sensitive Data Use: Restrict use of sensitive personal information
• Opt-Out of Sales/Sharing: We do not sell personal information, but you can opt out of any future changes

7.8 Virginia-Specific Rights (VCDPA)

If you are a Virginia resident, you have all the rights above plus:

• Right to appeal our decisions regarding rights requests
• Right to opt-out of targeted advertising (we do not engage in targeted advertising)

8. International Data Transfers

8.1 Data Residency and Transfer Mechanisms

entropy forge primarily operates in the United States. When we transfer data internationally, we use approved mechanisms:

• Standard Contractual Clauses (SCCs): EU-approved model contracts for data transfers
• Adequacy Decisions: Transfers to jurisdictions deemed adequate by the EU Commission
• Binding Corporate Rules: For intra-organization transfers
• Explicit Consent: Where required and appropriate

8.2 EU-U.S. Data Privacy Framework

For transfers from the European Economic Area to the United States, we comply with the EU-U.S. Data Privacy Framework, including:

• Self-certification to framework principles
• Annual recertification
• Independent dispute resolution mechanisms
• Commitment to arbitration for unresolved complaints

8.3 Data Localization Options

For enterprise clients with specific data residency requirements, we offer:

• EU-exclusive hosting (data never leaves EU jurisdiction)
• U.S.-exclusive hosting
• Region-specific cloud deployment
• On-premises deployment options

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

Cookie Type	Purpose	Duration	Can Be Disabled?
Essential Cookies	Enable core website functionality, security, session management	Session or 30 days	No (required for service)
Preference Cookies	Remember your settings and preferences	1 year	Yes
Analytics Cookies	Understand how visitors use our site (privacy-focused analytics only)	1 year	Yes

9.2 What We Don't Use

• No Advertising Cookies: We do not use cookies for targeted advertising
• No Cross-Site Tracking: We do not track you across other websites
• No Third-Party Advertising Networks: No data shared with ad networks

9.3 Managing Your Cookie Preferences

You can control cookies through:

• Our cookie consent banner (appears on first visit)
• Browser settings to block or delete cookies
• Privacy-focused browser extensions

10. Children's Privacy

entropy forge services are designed for business and enterprise use. We do not knowingly collect personal information from individuals under 18 years of age. If we discover we have collected data from a minor, we will delete it immediately.

If you believe we have inadvertently collected information from a minor, please contact privacy@entropy-forge.io immediately.

11. Changes to This Privacy Policy

11.1 Updates and Notifications

We may update this Privacy Policy to reflect:

• Changes in data protection laws and regulations, particularly evolving AI governance frameworks
• Updates to our service offerings, AI integrations, or data processing practices
• New guidance from regulatory authorities (FTC, EDPB, ICO, and others)
• Industry best practices for AI privacy and security

11.2 Notice of Changes

We will communicate material changes by:

• Posting the updated policy on our website (entropy-forge.io/privacy)
• Updating the "Last Updated" date at the top of this document
• Sending email notification to active clients at least thirty (30) days before changes take effect

11.3 Continued Use

Your continued use of entropy forge services after the effective date of a revised Privacy Policy constitutes acceptance of those changes. If you do not agree to the updated policy, you must discontinue use of our services and notify us in writing.