Cipher Privacy Policy
Effective date: October 30, 2025
Cipher Technologies Inc. (“Cipher”, “we”, “us”, “our”)
This Privacy Policy explains how Cipher collects, uses, stores, and shares information when you use our software-as-a-service platform, websites, and related services (the “Services”). If you do not agree with this policy, please do not use the Services.
1) Scope
This policy applies to information processed through the Services and our website. A separate agreement (e.g., Order Form / MSA, and if applicable a DPA or BAA) governs our processing of Customer-provided data within a paid account (“Customer Data”). In those cases, Cipher acts as a data subprocessor under Customer direction.
2) Information We Collect
- Account & Contact Information. Name, email, company/organization, role, billing contact details, and similar information you or your organization provide.
- Authentication & Identity Data. We use Stack Auth as our authentication service provider. Depending on how you sign in, Stack Auth may receive and share with us identifiers (e.g., email, OpenID/subject identifiers), profile name, avatar URL, and enterprise domain information made available by your identity provider (such as Google, GitHub, or other OAuth providers).
- Usage & Technical Data. Device/browser type, IP address, timestamps, pages/features used, system logs, diagnostics, and telemetry to secure and improve the Services.
- Payment & Billing Data. Limited billing details (processed by PCI-compliant payment providers).
- Support Content. Information you submit in support tickets or during troubleshooting.
- Cookies & Similar Technologies. Used for session management and analytics (you can control cookies through your browser settings).
Third-party integrations. If you connect third-party services (e.g., identity providers, telephony, speech, CRM/EHR), we may receive data that those services disclose to us subject to your permissions and your organization’s configuration.
3) How We Use Information
- Provide and Secure the Services. Account creation, authentication, authorization/role-based access, service delivery, fraud/abuse prevention, and troubleshooting.
- Improve the Services. Analytics, quality, reliability, and feature development using aggregated or de-identified data where possible.
- Customer Support. Respond to requests, diagnose issues, and provide onboarding or training.
- Administrative & Billing. Invoicing, account notifications, and transactional communications.
- Legal & Compliance. Comply with law, enforce agreements, and protect rights and safety.
We do not use Customer personal data for model training or fine-tuning without explicit written consent from the Customer.
4) Data from Google Accounts (If You Use Google Sign-In or Google Integrations)
When you choose to authenticate with Google or enable Google-connected features, Cipher may access limited Google user data only as necessary to provide the requested functionality. We use Stack Auth as our authentication service provider to facilitate the OAuth flow on our behalf.
Accessed data (typical for sign-in): Name, email address, OpenID identifier, and (where provided) Google Workspace domain.
Use: Authenticate users, associate accounts to an organization/tenant, enforce access controls, and secure sessions.
Stack Auth’s Role: Stack Auth receives your Google user data during the OAuth authentication flow and securely passes necessary information to us to create and manage your account. Stack Auth acts as our service provider and subprocessor bound by confidentiality and data protection obligations.
Storage & Retention: Profile identifiers may be stored to operate your account. Access tokens are stored ephemerally; refresh tokens (if required) are encrypted at rest and restricted by least-privilege access. Data is retained while your account is active or as needed to provide the Services, then deleted or de-identified within commercially reasonable timelines, subject to legal/backup requirements.
Sharing: We do not sell Google user data. We share only with essential subprocessors (e.g., Stack Auth for authentication, cloud hosting) or as required by law.
Human access: Limited to (a) your explicit request (support), (b) security/abuse investigations, or (c) legal requirements.
Your control: You can revoke Cipher’s access in your Google Account security settings.
5) Customer Data (Processor Role)
For paid accounts, Customer determines what Customer Data is submitted and how long it is retained. Cipher processes Customer Data strictly under Customer’s instructions and configurations (including optional ephemeral/no-retention modes where enabled). By default, processing occurs in Google Cloud Platform (GCP) U.S. regions, unless otherwise agreed in writing.
6) Legal Bases (where applicable)
Where required by law (e.g., GDPR/UK GDPR), we rely on one or more of the following legal bases: performance of a contract, legitimate interests (e.g., securing and improving Services), compliance with legal obligations, and consent (where obtained).
7) How We Share Information
We may share information with:
- Service Providers/Subprocessors. We use trusted third-party service providers bound by confidentiality and data-protection obligations, including:
- Stack Auth - Authentication and identity management
- Google Cloud Platform (GCP) - Hosting, storage, and infrastructure
- Legal & Safety. To comply with law, enforce agreements, or protect rights, safety, and security.
- Business Transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to continued protections or notice.
We do not sell personal information.
8) Security
We employ industry-standard administrative, technical, and organizational measures appropriate for a hosted SaaS provider, including encryption in transit (TLS 1.2+), encryption at rest (AES-256), least-privilege access controls, and audit logging. Production infrastructure is hosted on Google Cloud Platform. No method of transmission or storage is 100% secure.
9) Data Retention
We retain information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Customer-controlled retention applies to Customer Data; otherwise, we delete or de-identify data within commercially reasonable timelines.
10) International Transfers
If information is transferred across borders, we apply appropriate safeguards (e.g., contractual measures). Regional processing can be arranged under contract.
11) Your Choices and Rights
- Access/Correction/Deletion. Contact your organization’s admin or us using the details below. Where we act as processor, we will route requests to the Customer.
- Cookies/Analytics. Manage through browser settings and, where applicable, in-product controls.
- Revoke Third-Party Access. For any identity provider (e.g., Google), you may revoke Cipher’s access in that provider’s account settings.
12) Children
The Services are not directed to children under 16, and we do not knowingly collect personal information from them.
13) Changes to This Policy
We may update this policy from time to time. We will post updates here and revise the “Effective date” above. Material changes may also be communicated in-product or by email.
14) Contact Us
For questions or requests regarding this Privacy Policy or our data practices:
privacy@getcipher.ai
Cipher Technologies Inc.
132 Scholes Street, Brooklyn, NY 11206
Controller/Processor Note: For paid Customer accounts, the Customer is generally the controller of Customer Data, and Cipher is the processor. Cipher is the controller of account, website, and operational data it collects directly.