Privacy Policy

Should you have any questions pertaining to this legal document, you can contact us at legal@sedna.sh and we will get back to you as soon as possible.

Last updated December 3, 2025

SednaOS Inc. ("Sedna," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our AI governance and security platform and related services (the "Service").

This Privacy Policy applies to information collected through our website at https://sedna.sh/ and the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

If you do not agree with this Privacy Policy, please do not access or use the Service.

1. Information We Collect

We collect several types of information from and about users of our Service.

1.1 Information You Provide to Us

Account Information: When you register for an account, we collect:

  • Authentication credentials (email address)
  • An organization name
  • Billing and payment information (processed by our third-party payment processor, Stripe)

Communications: When you contact us, we collect:

  • The content of your communications with us
  • Support tickets and related correspondence
  • Feedback and survey responses

Configuration and Settings: When you configure the Service, we collect:

  • Policy configurations and rules
  • Integration settings
  • User permissions and access controls
  • Deployment preferences (data region selection)

1.2 Information Collected Automatically

If you use an enterprise or self-hosted version of our product, our cloud service collects no data and the following section may not apply. When you use the Service, we automatically collect certain information for the purpose of providing the primary functionality of the Service:

Cloud Service Usage Data:

  • AI platform interactions monitored through the Service
  • Prompts and responses processed through the Service
  • Policy enforcement actions (blocks, redactions, alerts)
  • Compliance events and audit logs
  • Shadow AI discovery data
  • Platform and tool usage patterns

Technical Information:

  • IP addresses
  • Device information (device type, operating system)
  • Browser type and version
  • Log data (access times, pages viewed, time spent)
  • Cookies and similar tracking technologies

1.2.1 Information Collected Automatically for the Purpose of the Landing Page Website

Analytics Information: We use analytics services (Vercel Analytics and self-hosted PostHog) to collect:

  • Usage patterns and feature adoption
  • Performance metrics
  • Error reports and diagnostics

1.3 Customer Data

When you use the Service, we process data on your behalf ("Customer Data"), which may include:

  • Employee AI interactions and prompts
  • Content processed through monitored AI platforms
  • Data detected and redacted by our security controls
  • Organizational data about AI tool usage

Important: For Customer Data, you are the data controller and we are the data processor. You are responsible for ensuring you have lawful bases to process this data and for complying with applicable data protection laws. We process Customer Data solely in accordance with your instructions and as necessary to provide the Service.

Data Usage Commitment: We do not use conversation history, message content, AI prompts, or AI responses for any purpose other than to provide the core functionality of the Service.

  • We do not use your data to train AI models or machine learning systems
  • We do not share your data with third-party AI providers for training purposes
  • We do not analyze your data for purposes unrelated to Service delivery
  • We do not use your data for marketing, advertising, or profiling

All Customer Data is processed exclusively to deliver the monitoring, governance, and security features you have configured.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery and Operations

  • Provide, maintain, and improve the Service
  • Process transactions and send related information
  • Authenticate users and maintain account security
  • Monitor and enforce policies as configured by you
  • Generate compliance reports and audit trails
  • Detect and prevent security threats
  • Provide customer support and respond to inquiries

2.2 Analytics and Improvement

  • Analyze usage patterns to improve the Service
  • Develop new features and functionality
  • Conduct research and development
  • Perform internal testing and quality assurance

2.3 Communications

  • Send administrative information (service updates, security alerts)
  • Respond to your comments and questions
  • Send marketing communications (with your consent, where required)
  • Request feedback and conduct surveys

2.4 Legal and Compliance

  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service
  • Protect our rights, property, and safety
  • Detect, prevent, and address fraud or security issues
  • Resolve disputes

3. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data under the following legal bases:

  • Performance of Contract: Processing necessary to provide the Service under our Terms of Service
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, provided these interests do not override your fundamental rights
  • Consent: Where you have provided explicit consent (e.g., for marketing communications)
  • Legal Obligation: Processing necessary to comply with applicable laws and regulations

You have the right to withdraw consent at any time where we rely on consent as the legal basis for processing.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers

We may share information with third-party vendors who perform services on our behalf:

  • Vercel: Cloud hosting and infrastructure
  • Stripe: Payment processing
  • PostHog: Analytics (self-hosted instance)

These service providers are contractually obligated to protect your information and may only use it for the purposes we specify.

4.2 Business Transfers

If Sedna is involved in a merger, acquisition, sale of assets, bankruptcy, or reorganization, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

4.3 Legal Requirements

We may disclose information if required to do so by law or in response to:

  • Valid legal process (subpoena, court order, warrant)
  • Government or regulatory requests
  • Requests from law enforcement
  • National security or public safety requirements

We will notify you of such requests unless prohibited by law.

4.4 Protection of Rights

We may disclose information to:

  • Enforce our Terms of Service and other agreements
  • Protect the security and integrity of the Service
  • Protect our rights, property, and safety, or that of others
  • Detect, prevent, or address fraud or security issues

4.5 With Your Consent

We may share information with third parties when you give us explicit permission to do so.

4.6 Aggregated or De-identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you.

5. Data Storage and International Transfers

5.1 Data Storage Locations

Sedna offers multiple deployment options with data storage in the following regions:

  • United States (US East, US West, US Central)
  • Canada (Canada East)
  • European Union (EU Frankfurt)

You select your preferred data region during setup. We store your data in your chosen region and do not transfer it to other regions without your consent, except as necessary for service operation or legal compliance.

5.2 Self-Hosted Deployments

For self-hosted deployments, data is stored in your own infrastructure under your control. We do not have access to or store Customer Data from self-hosted deployments, except for limited diagnostic information necessary to provide support.

5.3 International Data Transfers

SednaOS Inc. is based in Canada. If you are located outside Canada and choose a data region outside your country, your information will be transferred to and processed in that region.

For EEA, UK, and Swiss Users: When we transfer personal data outside the EEA, UK, or Switzerland, we rely on:

  • European Commission adequacy decisions (e.g., for transfers to Canada)
  • Standard Contractual Clauses approved by the European Commission
  • Your explicit consent

We implement appropriate safeguards to ensure your data remains protected in accordance with this Privacy Policy and applicable law.

6. Data Retention

6.1 Retention Periods

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Information: Retained for the duration of your account plus thirty (30) days after account closure or as required for legal, tax, or accounting purposes.

Customer Data:

  • Active accounts: Retained as long as you use the Service
  • After termination: Retained for thirty (30) days to allow data retrieval, then deleted unless you request earlier deletion or we are required to retain it for legal reasons

Audit Logs and Compliance Data: Retained for the periods required by applicable regulations (typically 3-7 years).

Analytics Data: Aggregated analytics data may be retained indefinitely in de-identified form.

6.2 Deletion Requests

You may request deletion of your personal information at any time by contacting us at legal@sedna.sh. We will comply with deletion requests within thirty (30) days, subject to legal retention requirements.

7. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

7.1 Rights for All Users

  • Access: Request access to the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information
  • Data Portability: Request a copy of your data in a machine-readable format
  • Opt-out of Marketing: Unsubscribe from marketing communications

7.2 Additional Rights for EEA, UK, and Swiss Users (GDPR)

  • Restriction of Processing: Request that we limit how we use your information
  • Object to Processing: Object to our processing of your information based on legitimate interests
  • Withdraw Consent: Withdraw consent where processing is based on consent
  • Lodge a Complaint: File a complaint with your local data protection authority

7.3 Additional Rights for California Residents (CCPA/CPRA)

California residents have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of personal information
  • Opt-out of the "sale" or "sharing" of personal information (we do not sell or share personal information)
  • Non-discrimination for exercising privacy rights
  • Limit use of sensitive personal information

7.4 Additional Rights for Canadian Users (PIPEDA)

Canadian users have the right to:

  • Access personal information held by us
  • Challenge the accuracy and completeness of information
  • File a complaint with the Privacy Commissioner of Canada

7.5 Exercising Your Rights

To exercise any of these rights, please contact us at legal@sedna.sh. We will respond to your request within thirty (30) days (or as required by applicable law). We may need to verify your identity before processing your request.

For EEA/UK users: If we deny your request, you have the right to appeal and to lodge a complaint with your supervisory authority.

8. Data Security

8.1 Security Measures

We implement reasonable technical and organizational measures to protect your information, including:

  • Encryption in transit (TLS/SSL) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and audits
  • Employee training on data protection
  • Incident response procedures
  • Network security and monitoring

8.2 Limitations

While we strive to protect your information, no system is completely secure. We cannot guarantee the absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials.

8.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law, typically within 72 hours of discovery.

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

  • Essential Cookies: Necessary for the Service to function (authentication, security)
  • Analytics Cookies: Help us understand how users interact with the Service
  • Preference Cookies: Remember your settings and preferences

9.2 Third-Party Cookies

We use analytics services that may set cookies:

  • Vercel Analytics: For performance monitoring
  • PostHog (self-hosted): For usage analytics

9.3 Your Cookie Choices

Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, disabling cookies may affect the functionality of the Service. You can manage your cookie preferences in your browser settings.

9.4 Do Not Track

Some browsers have a "Do Not Track" feature. We do not currently respond to Do Not Track signals. We will continue to monitor industry developments regarding Do Not Track.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

If you believe we have collected information from a child under 18, please contact us at legal@sedna.sh.

11. Marketing Communications

11.1 Opt-In

We may send you marketing communications about our products, services, and events. Where required by law, we will obtain your consent before sending marketing communications.

11.2 Opt-Out

You may opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your communication preferences in your account settings
  • Emailing us at legal@sedna.sh

Please note that opting out of marketing communications does not affect transactional or administrative communications related to your use of the Service.

12. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Service.

12.1 Integrations

The Service integrates with various third-party AI platforms and business tools. Data shared with these platforms is governed by their respective privacy policies. You are responsible for configuring integrations and understanding how third-party platforms handle your data.

13. Business Accounts and Employee Data

If you use the Service on behalf of an organization:

13.1 Employer Access

Your employer (the organization that purchased the Service) may access and control your account and the data associated with it, including monitoring data and communications processed through the Service.

13.2 Employee Notice

If you are an employee whose AI interactions are monitored through the Service, your employer is responsible for providing you with notice of such monitoring in accordance with applicable employment and privacy laws.

13.3 Data Controller Responsibilities

The organization using the Service is the data controller for employee data and is responsible for complying with applicable privacy laws, including providing required notices to employees.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will post the updated Privacy Policy on this page and update the "Last Updated" date.

Material Changes: For material changes, we will provide at least thirty (30) days' advance notice by:

  • Posting a notice on our website
  • Sending an email to the address associated with your account
  • Providing notice through the Service

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the changes. If you do not agree to the changes, you must stop using the Service.

15. Data Protection Officer and EU Representative

15.1 Data Protection Inquiries

For questions about our data protection practices, please contact:

Email: legal@sedna.sh
Subject Line: Data Protection Inquiry

15.2 EU Representative

We are in the process of designating an EU representative as required under GDPR Article 27. Once appointed, their contact information will be provided here. In the meantime, please direct all GDPR-related inquiries to legal@sedna.sh.

15.3 Supervisory Authorities

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

SednaOS Inc.
Email: legal@sedna.sh
Website: https://sedna.sh/

For GDPR-related inquiries, please include "GDPR Request" in the subject line.

For CCPA/CPRA-related inquiries, please include "California Privacy Request" in the subject line.

For PIPEDA-related inquiries, please include "PIPEDA Request" in the subject line.

We will respond to your inquiry within thirty (30) days or as required by applicable law.

17. Jurisdiction-Specific Disclosures

17.1 California Privacy Rights

California "Shine the Light" Law: California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

CCPA/CPRA Disclosures:

Categories of Personal Information Collected (in the past 12 months):

  • Identifiers (name, email, IP address)
  • Commercial information (purchase history, account details)
  • Internet or network activity (usage data, log data)
  • Professional or employment-related information (job title, company)
  • Inferences (usage patterns, preferences)

Sources: Directly from you, automatically through your use of the Service, from third-party service providers.

Business Purposes: As described in Section 2 (How We Use Your Information).

Categories of Third Parties: Service providers (hosting, payment processing, analytics).

Sale or Sharing: We do not sell or share personal information as defined by the CCPA/CPRA.

Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA/CPRA.

17.2 Nevada Privacy Rights

Nevada residents have the right to opt out of the "sale" of personal information. We do not sell personal information as defined by Nevada law.

17.3 European Economic Area, UK, and Switzerland

Legal Bases: See Section 3.

Data Transfers: See Section 5.3.

Data Protection Officer: See Section 15.1.

EU Representative: See Section 15.2.

Rights: See Section 7.2.

17.4 Canada (PIPEDA)

Consent: By using the Service, you consent to our collection, use, and disclosure of your personal information as described in this Privacy Policy. You may withdraw consent at any time, subject to legal or contractual restrictions.

Accountability: SednaOS Inc. is responsible for personal information under our control, including information transferred to service providers.

Access Requests: Canadian users may request access to their personal information by contacting legal@sedna.sh. We will respond within thirty (30) days.

Complaints: You may file a complaint with the Privacy Commissioner of Canada if you believe we have not complied with PIPEDA.

By using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.