PRIVACY POSTURE · BY DESIGN, NOT BY EXCEPTION

What we collect. And what we don’t.

A privacy posture engineered for buyers who actually read privacy policies. No dark patterns. No buried data sales. No third-party analytics on logged-in surfaces. No user data collected from your end-users’ devices, ever.

Effective 2026-05-26 · Last reviewed at release v0.0.1-gate7 · Maintained alongside the product, audited at every major release. See change history below.

THE FIVE PROMISES · PRIVACY-BY-CONSTRUCTION

The short version. Five lines we will not cross.

Most policies say “we take privacy seriously” and then list ten exceptions. Ours says the opposite. Here are the five concrete refusals that the rest of this page only fills in.

PROMISE 01 · YOUR USERS’ DATA

We never collect end-user data from your app.

The Ejenix runtime sees patch lifecycle events. Nothing else. Not your user’s session, not their inputs, not their analytics, not their location. Your app’s data stays in your app — we engineered the runtime so it physically cannot reach it.

PROMISE 02 · YOUR COMPANY’S DATA

We never sell, rent, or share customer data.

No advertising graphs. No data brokers. No “trusted partners.” The list of third parties who can see your data is published in Subprocessors below, and it is short by design — not by accident.

PROMISE 03 · YOUR DATA AND AI

We never train models on your data.

Your patches, audit logs, console activity, and device telemetry are not training data for any model — ours, OpenAI’s, Anthropic’s, or anyone’s. AI crawlers are blocked at robots.txt and the policy is contractual, not aspirational.

PROMISE 04 · COOKIES & TRACKING

We never set optional cookies.

Strictly-necessary cookies for session and CSRF protection. That’s the entire list. No advertising, no fingerprinting, no third-party analytics. The EU disclosure banner exists for regulatory clarity, not because we have something to hide.

PROMISE 05 · THE META PROMISE · TRUST, MADE VERIFIABLE

Every access we make to your data is in your audit chain.

Including our own on-call engineers. If an Ejenix employee ever reads your console state, it is logged — visible to you at all times, signed with Ed25519, hash-chained, and exportable. The other four promises are commitments. This one makes them verifiable without trusting us.

1. What we collect from the marketing site

Server access logs (IP address, user-agent, page path, timestamp) are retained for 30 days for security investigation. No third-party analytics scripts run on these pages. The cookie banner records consent state in a first-party cookie only.

2. What we collect from the product (signed-in console)

Account details you provide: email, name, organization. Operational events you generate: patches authored, rollouts started, signing-key fingerprints, audit entries, approval flows. Billing details when you upgrade to a paid plan, processed through Stripe and never stored in our database in their original form (we store the Stripe customer ID only).

All operational events are written to the audit chain (Ed25519-signed, hash-chained, tamper-evident) and are visible to you at all times via Console → Audit.

3. What we collect from devices running your patched app

Only what is required to operate the patch lifecycle, and that you opt your fleet into per app:

  • Patch install / launch / failure outcomes (binary signals, no user data)
  • Device platform (iOS/Android), OS version, app version, app build identifier
  • Patch ID, patch version, rollout cohort
  • Boot-loop guard signals (binary success/fail flags from the reviewer-safe runtime)
  • Approximate region (country-level, derived from request IP, never stored verbatim)

4. What we never collect

From your end-users’ devices, we never collect:

  • User data inside your app (form inputs, session state, business data of any kind)
  • Advertising identifiers (IDFA, GAID) or any cross-app/cross-site identifiers
  • Fingerprinting signals (canvas, font enumeration, hardware fingerprints)
  • Location data beyond country-level region inference at request time
  • Contact data (address book, calendar, photos, microphone, camera)
  • Anything outside the patch lifecycle, period

The disclosure packet sent to platform reviewers (App Store, Play Store) lists every single signal we collect, by name, with retention and purpose. If a signal isn’t in the packet, the runtime doesn’t emit it.

5. Where data is stored

EU, US, and India regions today. Any region on request for Enterprise customers. Self-hosted deployments keep all data inside your network — we see nothing, and the audit chain still works because cryptographic verification doesn’t require our servers.

Region selection is per-organization and locked at provisioning. Cross-region replication for disaster recovery stays within the same legal jurisdiction (e.g. EU data replicates only within the EU).

6. Who can see your data

You, the people you authorize in your organization (role-based, audit-trailed), and a small Ejenix on-call rotation under signed access requests. Every access — ours or yours — is recorded in the audit chain.

We never share, sell, or rent customer data to any third party. We never use customer data to train any model. We do not respond to bulk law-enforcement requests; we respond only to lawful, narrow, jurisdiction-appropriate orders, and we notify the affected customer unless prohibited by court order.

7. Cookies & tracking

Strictly-necessary cookies only on the marketing site: session, CSRF, and cookie-consent state. No advertising cookies. No third-party trackers. No fingerprinting. The cookie banner you saw on first visit is for EU disclosure compliance; there’s nothing optional to disable because we don’t set any optional cookies.

AI training crawlers (GPTBot, ClaudeBot, Google-Extended, CCBot) are blocked at robots.txt. Our content is intellectual property and is not consent-given training data.

8. Your rights

Access, export, correction, and deletion of your data at any time:

  • Access & export: Console → Settings → Export — produces a signed bundle of your full organization state.
  • Correction: in-product editing, or email support@ejenix.com.
  • Deletion: Console → Settings → Delete organization. 30-day soft-delete window for recovery, then cryptographic erasure. Audit chain entries are tombstoned (hash preserved, payload destroyed) to maintain integrity.
  • Object to processing / restrict processing: email support@ejenix.com.

EU residents have rights under GDPR Articles 15–22. California residents have rights under CCPA / CPRA. We honor these rights globally because it’s the right default, not because every jurisdiction requires it.

9. Subprocessors

Third parties who can process customer data on our behalf. The live list with effective dates is in Console → Trust → Subprocessors for signed-in customers. Today’s short list:

Subprocessor | Purpose | Region
Microsoft Azure | Compute, storage, CDN | EU / US / India
Stripe | Billing & payments | US (PCI DSS)
Postmark / Resend | Transactional email (receipts, security alerts) | US
Cloudflare | DDoS protection & DNS | Global edge

We notify customers at least 30 days before adding a new subprocessor with material access to customer data. Enterprise customers may opt out of specific subprocessors as part of their contract.

10. Breach notification

If we determine that a security incident has affected customer data, we will notify affected customers without undue delay and in any case within 72 hours of confirmation, regardless of jurisdiction. The notification will include the nature of the incident, the data affected, the steps we’ve taken, and what we recommend you do.

11. Children

Ejenix is a B2B developer tool. It is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we have, please contact support@ejenix.com and we will delete it.

12. Compliance posture

Ejenix is engineered for compliance from the ground up rather than retrofitted. Attestations follow our enterprise tier rollout; today we publish honest status, not aspirational claims.

  • GDPR / UK GDPR: Compliant by design. DPA available for Business and Enterprise customers.
  • CCPA / CPRA: Compliant. We do not sell personal information under any definition.
  • SOC 2 Type II: In-flight. Targeted at general-availability launch.
  • ISO 27001: Planned post-SOC-2.
  • HIPAA: Not in scope today. Healthcare customers should self-host.
  • App Store / Play Store guidelines: The runtime ships a reviewer disclosure packet with every release. See Trust for details.

13. Change history

This policy is versioned alongside the product. Material changes are emailed to account owners at least 14 days before they take effect.

Date | Version | Change
2026-05-26 | v0.0.1-gate7 | Initial publication ahead of public launch. Establishes the five promises, subprocessor list, breach notification timeline, compliance posture.

14. Contact

Privacy questions, requests, and rights exercises: support@ejenix.com

A Data Protection Officer (DPO) is available to Business and Enterprise customers under contract. An EU representative will be appointed at general-availability launch and published here.

If something in this policy looks wrong, contradictory, or harder to act on than it should be — tell us. We’d rather rewrite a paragraph than ship a privacy posture you don’t trust.