Effective Date: March 1, 2026 | Last Updated: March 24, 2026
Praelyx is built on a foundational principle: we cannot read your email. This is enforced by technical architecture, not policy. Client-side tokenization, ephemeral processing, and cryptographic attestation ensure that email content is never stored, logged, or accessible to Praelyx or any third party.
1. Who We Are
Praelyx ("we," "us," "our") is a pre-send communication risk analysis service operated by Seraphim Group. Our service analyzes outbound email content for legal, regulatory, and reputational risk before messages are sent.
Contact: privacy@praelyx.com
2. What We Do Not Collect or Store
This section is the most important part of this policy.
- Email content: We do not store, log, cache, or persist any email body text, subject lines, or message content at rest. All content analysis occurs in ephemeral memory and is wiped immediately after risk scoring.
- Email addresses of recipients: Our extensions transmit only the domain portion of recipient email addresses (e.g., "company.com" not "jane@company.com"). Full email addresses of recipients are never transmitted to our servers.
- Attachments: We do not process, scan, or receive email attachments of any kind.
- Training data: Email content is never used to train, fine-tune, or improve any machine learning model. Analysis is performed by a third-party LLM (Anthropic Claude) under their zero-retention API terms.
2.1 Cryptographic Verification
Every analysis returns a signed HMAC-SHA256 attestation that certifies:
- Analysis was performed
- No content was stored
- No content was logged
- No content was transmitted to third parties beyond the analysis provider
- Content was deleted, with exact deletion timestamp
You can verify these attestations independently using the verification endpoint or offline verification tools.
2.2 Client-Side Tokenization
Before email content reaches our servers, the Praelyx extension replaces sensitive entities (names, email addresses, phone numbers, account numbers, financial amounts, dates, and addresses) with typed tokens (e.g., [PERSON_1], [AMOUNT_1]). The API analyzes tokenized text only. Original values remain on your device and are never transmitted.
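A sketch of this kind of client-side tokenization, combined with the domain-only recipient rule from section 2. This is an added example, not Praelyx's extension code. The regex patterns, function names and payload fields are assumptions, and it covers only pattern-detectable entities (email addresses, amounts, phone numbers); personal names would need an entity-recognition step that is omitted here.

```javascript
// Added illustration, not Praelyx's code. Patterns, function names and payload
// fields are assumptions; sample data below is constructed.
const PATTERNS = [ // order matters: amounts before phones so digits are not re-matched
  ["EMAIL", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  ["AMOUNT", /[$€£]\s?\d[\d,]*(?:\.\d+)?/g],
  ["PHONE", /\+?\d[\d\s().-]{7,}\d/g],
];

// Replace each sensitive value with a typed token; the vault never leaves the device.
function tokenize(text) {
  const vault = new Map();  // token -> original value
  const seen = new Map();   // original value -> token (repeats reuse one token)
  const counters = {};
  let tokenized = text;
  for (const [type, re] of PATTERNS) {
    tokenized = tokenized.replace(re, (match) => {
      if (!seen.has(match)) {
        counters[type] = (counters[type] || 0) + 1;
        const token = `[${type}_${counters[type]}]`;
        seen.set(match, token);
        vault.set(token, match);
      }
      return seen.get(match);
    });
  }
  return { tokenized, vault };
}

// Restore originals locally, e.g. to show flagged passages to the user.
function detokenize(text, vault) {
  return text.replace(/\[[A-Z]+_\d+\]/g, (t) => (vault.has(t) ? vault.get(t) : t));
}

// Keep only the domain of each recipient address, de-duplicated.
function recipientDomains(addresses) {
  return [...new Set(addresses.map((a) => a.slice(a.lastIndexOf("@") + 1).toLowerCase()))];
}

// Hypothetical request body: tokenized text and domains only, no vault.
function buildRequest(body, recipients) {
  const { tokenized, vault } = tokenize(body);
  return { payload: { text: tokenized, recipient_domains: recipientDomains(recipients) }, vault };
}

const SAMPLE = "The settlement of $1,250,000.00 is confidential; reply to " +
  "jane.doe@example.com or call +1 (415) 555-0100. Copy jane.doe@example.com.";
const { payload, vault } = buildRequest(SAMPLE, ["jane@company.com", "Bob@Company.com"]);
console.log(JSON.stringify(payload, null, 2));
```

Anything the patterns fail to match is transmitted in the clear, so the payload is only as private as the detection step is complete.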
3. What We Do Collect
We collect a limited set of non-content metadata necessary to operate and improve the service:
3.1 Analysis Metadata (No Content)
- Analysis ID (unique identifier)
- Organization ID (if applicable)
- Timestamp of analysis
- Risk score and risk level
- Risk categories detected (e.g., "contractual_exposure")
- Number of risks flagged
- Processing time
- Character count of input (not the content itself)
- Whether content was truncated
This metadata contains zero email content. It is used for service quality monitoring, organizational baselines, and anomaly detection.
3.2 Account and Contact Data
- Email address, name, company, and role (provided during signup or contact)
- API key and configuration preferences
- Billing information (processed by our payment provider; we do not store card numbers)
3.3 Technical Data
- IP address (for rate limiting; not logged long-term)
- Browser extension version
- Error logs (containing no email content)
4. How We Use Collected Data
- Analysis metadata: To compute organizational baselines, detect anomalies, reduce false positives, and improve risk pattern detection.
- Account data: To provide the service, communicate with you, process billing, and provide support.
- Technical data: To maintain service availability, prevent abuse, and diagnose issues.
5. Third-Party Processors
- Anthropic (Claude API): Processes tokenized email content for risk analysis. Anthropic's API is configured for zero data retention. Content is not stored or used for training. See Anthropic's privacy policy.
- Google Cloud Platform: Infrastructure hosting. Processes analysis metadata only. No email content is stored on GCP.
- Cloudflare: CDN and DDoS protection for our website and API endpoints.
6. Data Retention
- Email content: Zero retention. Deleted from ephemeral memory immediately after analysis. Cryptographic attestation provided.
- Analysis metadata: Retained for 90 days for baseline computation, then automatically purged.
- Pattern memory (dismissals): Retained while the organization is an active customer. Purged 30 days after account closure.
- Account data: Retained while you are an active customer. Deleted within 30 days of account closure upon request.
- Contact form submissions: Retained for 12 months to process your inquiry, then deleted.
7. Security Measures
- Quantum-resistant encryption (ML-KEM-768 / AES-256-GCM) for all API communication
- Client-side content tokenization before transmission
- Split-key encryption (dual custody) for any encrypted context
- Canary hash chain for tamper-evident audit trail
- Cryptographic attestation of zero retention
- SOC 2 Type II certification in progress
- GDPR-ready architecture
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the data we hold about you
- Deletion: Request deletion of your account and associated data
- Portability: Request your data in a portable format
- Rectification: Request correction of inaccurate data
- Objection: Object to processing of your data for specific purposes
- Restriction: Request restriction of processing in certain circumstances
To exercise any of these rights, contact privacy@praelyx.com. We will respond within 30 days.
8.1 Note on Email Content
Because we do not store email content, we cannot provide access to, delete, or modify email content that was processed. It does not exist in our systems. The cryptographic attestation serves as independent proof of this.
9. International Data Transfers
Our infrastructure is hosted in the United States (Google Cloud Platform). If you are located outside the United States, your analysis metadata (which contains no email content) may be processed in the US. We rely on standard contractual clauses and the zero-content-storage architecture to ensure adequate protection.
10. Children
Praelyx is a business-to-business service. We do not knowingly collect data from individuals under the age of 18.
11. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated to active customers via email. The "Last Updated" date at the top of this page reflects the most recent revision.
12. Contact
For privacy inquiries, data requests, or questions about this policy: