1. Roles
When you use this website or our hosted services, we act as the controller of personal data we collect about you (a website visitor, prospect, or hosted-service customer). When a customer organization uses the EP Cloud service to authorize actions involving end-user data, we act as a processor and the customer organization is the controller. The customer's DPA governs that processing.
2. What we collect
For website visitors and prospects:
- Standard request metadata (IP address, user agent, referrer, requested URL, timestamp). Held by Vercel as our hosting provider; rotated on Vercel's standard schedule.
- Information you submit voluntarily (contact form, partner inquiry, investor inquiry, pilot request) — name, organization, role, email, free-text describing your interest.
- If you sign up for the hosted service: account email, organization name, billing details (handled by our payment processor; we do not store full card numbers).
For hosted-service customer data we process on the customer's behalf:
- Trust receipts (cryptographically signed records of authorized actions). Receipts contain action context and signatures — not raw PII unless the customer's policy explicitly includes it.
- Policy data (the rules a customer organization authors and ships to EP Cloud).
- Entity authority records (which principal authorities exist within the customer's tenant).
We do not run advertising trackers, third-party analytics that fingerprint users, or session replay. The site uses no third-party cookies.
3. How we use it
- Operate, secure, and improve the websites and hosted services.
- Respond to inquiries, fulfill pilot or partnership requests, send transactional service notices.
- Comply with legal obligations and respond to lawful requests.
- For hosted-service customer data: only as instructed by the customer through the documented service interfaces.
We do not sell or rent personal information. We do not use customer trust-receipt data, policy data, or entity authority data to train models or to improve services for other customers.
4. Sub-processors
We use a small number of vetted sub-processors to run the websites and hosted services. The current list is published at /legal/sub-processors and is updated whenever a data flow changes. Customers can subscribe to change notifications by emailing privacy@emiliaprotocol.ai.
5. International transfers
Our primary processing region is the United States. For customers in the EU/EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses (SCCs) and equivalent UK addendum where required. Customer-data residency is configurable on EP Cloud Enterprise tiers.
6. Retention
- Inquiry / contact form submissions — retained while the relationship is active and for 24 months thereafter unless deletion is requested.
- Server access logs — 30 days at the edge, 90 days in cold storage.
- Hosted-service customer trust receipts and policy data — for the duration of the customer relationship plus the period required to comply with legal obligations or as specified in the customer's contract.
7. Your rights
Depending on jurisdiction (including under GDPR, UK GDPR, and CCPA), you may have the right to access, correct, port, delete, or restrict processing of your personal data, object to certain processing, and lodge a complaint with a supervisory authority. Exercise these rights by emailing privacy@emiliaprotocol.ai. We respond within the timeline required by the applicable law and at most within 30 days.
8. Security
We take reasonable technical and organizational measures to protect personal data against unauthorized access, loss, and misuse. The current security posture is documented at /security. No system is perfectly secure; if we become aware of a breach affecting your personal information we notify affected parties as required by applicable law and at most within 72 hours of confirmation.
9. Children
The website and services are not directed at children under 16 and we do not knowingly collect their personal information.
10. Changes
We may update this policy. The "Effective" date above changes when we do. Material changes are announced by email to active customers and via a notice on this page for at least 30 days.
11. Contact
EMILIA Protocol Foundation
Mailing address available on request — contact team@emiliaprotocol.ai
Privacy: privacy@emiliaprotocol.ai
Legal: legal@emiliaprotocol.ai
This policy is reviewed and updated as our practices change. For DPA negotiation, customer-specific clauses, or jurisdiction-specific addenda, contact legal@emiliaprotocol.ai.