Privacy Policy
How Cytra collects, uses, and protects personal information across the AI-governance platform and the managed MCP gateway. Aligned and audit-ready, not certified.
Last updated May 28, 2026
1. Scope of this policy
This policy explains what personal information Cytra ("Cytra", "we") collects when you use the cytra.io website, request early access, or operate the AI-governance platform and managed MCP gateway, and how we use, share, and protect it.
It does not change the data-processing terms in any signed order form or data processing addendum (DPA). Where a customer agreement and this policy conflict, the agreement controls for that customer’s data.
2. Information we collect
We collect information you provide directly — such as your name, work email, company, and role when you request early access or contact us — and a limited set of technical information (IP address, browser, and pages viewed) needed to operate and secure the site.
When you operate the platform, we process the configuration, policy, and governance data you submit, together with the runtime records the gateway produces. Those governed-action records are written to a per-tenant, SHA-256 hash-chained, tamper-evident log so that an outside party can verify them.
- Account & contact data — name, work email, company, role.
- Platform data — policies, control mappings, evidence artifacts, and governed-action records you generate.
- Technical data — IP address, device/browser, and product telemetry used for security and reliability.
3. How we use information
We use the information we collect to provide, secure, and improve the platform; to map your controls to the EU AI Act, NIST AI RMF, and ISO/IEC 42001; to produce audit-ready evidence; to respond to your requests; and to send service and, where permitted, relevant product communications.
We do not use the contents of your governed-action records or evidence artifacts to train shared or third-party models.
5. Data security
We apply administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction, including encryption in transit, tenant isolation, and least-privilege access.
Cytra’s SOC 2 Type II audit and a HIPAA Business Associate Agreement are in process. We describe our posture as aligned and audit-ready — not certified — and we will update this page as those attestations complete.
6. Data retention
We retain personal information for as long as your account is active or as needed to provide the service, then for the period required to meet legal, audit-evidence, and dispute-resolution obligations. Tamper-evident audit records are retained for the term agreed in your order form.
7. Your rights
Depending on where you live, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing (for example, under the GDPR or CCPA). To exercise a right, contact us using the details below; we will verify your request before acting on it.
8. Contact us
Questions about this Privacy Policy, or requests about your personal information, can be sent to our team. We aim to respond within the timeframe required by applicable law.
Email privacy@cytra.io or reach us through the contact page.