Privacy Policy

Effective Date: March 1, 2026

1. Introduction

Elydora Inc. (“Elydora,” “we,” “us,” or “our”) is committed to protecting the privacy of our users, customers, and their end users. This Privacy Policy describes how we collect, use, store, and protect information when you use the Elydora platform, APIs, SDKs, and related services (the “Service”). By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

Account Information. When you register for the Service, we collect your name, email address, organization name, and billing information as necessary to provision and maintain your account.

Operation Metadata. The Service records operation metadata including agent identifiers, operation types, timestamps, chain hashes, and attestation receipts. By default, raw payloads are not stored unless you explicitly opt in to payload retention.

Usage Data. We collect information about how you interact with the Service, including API call volumes, error rates, latency metrics, and feature usage patterns. This data is used for service improvement and capacity planning.

Support Communications. When you contact our support team, we retain records of your communications, including any information you provide in connection with your support request.

3. How We Use Information

We use the information we collect to: (a) provide, maintain, and improve the Service; (b) process and verify operation records; (c) monitor for security threats, fraud, and abuse; (d) comply with legal obligations and respond to lawful requests; (e) communicate with you about your account, service updates, and security alerts; and (f) analyze usage patterns to improve performance and develop new features.

4. Data Storage and Retention

Evidence data is stored using Cloudflare R2 object storage with configurable jurisdiction controls for enterprise customers. Our storage architecture uses a tiered approach: Cloudflare D1 maintains a 30-day hot index for fast queries, while R2 provides canonical full-retention evidence storage with bucket locks for tamper prevention.

Retention periods are governed by your service agreement. Default retention for evidence artifacts is aligned with the requirements of your contract. Account metadata is retained for the duration of your account plus any legally required retention periods.

5. Data Minimization

Elydora is designed around the principle of data minimization. By default, the Service records operation metadata and payload hashes (SHA-256), not raw payload content. This means we can verify the integrity of operations without storing sensitive business data. Field-level redaction is available for customers who need to submit partial payloads while maintaining verifiability of the complete operation.

6. Security

We implement comprehensive security measures to protect your data, including: Ed25519 cryptographic signing (RFC 8032) for all operation records; SHA-256 hashing (FIPS 180-4) for payload integrity verification; encryption at rest for all stored evidence; Zero Trust access controls with role-based permissions; Web Application Firewall (WAF) protection on all API endpoints; regular security audits and penetration testing; and secure key management practices following NIST SP 800-57 guidelines.

7. Third-Party Services

The Service operates on Cloudflare infrastructure, including Workers (compute), D1 (database), R2 (object storage), Durable Objects (chain state), and Queues (async processing). For customers who enable trusted timestamping, the Service interacts with RFC 3161-compliant Timestamping Authority (TSA) providers. We evaluate all third-party service providers for their security and privacy practices.

8. Data Subject Rights

You have the right to: (a) access your personal data and operation records; (b) request correction of inaccurate account information; (c) request deletion of your account data, subject to evidence retention obligations required for chain integrity and legal compliance. For evidence data that cannot be deleted due to integrity requirements, we support crypto-shredding via SSE-C key destruction, which renders the evidence content unreadable while preserving chain structure.

To exercise your rights, contact us at privacy@elydora.com.

9. International Data Transfers

By default, data is processed and stored in Cloudflare's global network. For enterprise customers with jurisdictional requirements, Elydora offers jurisdiction-locked R2 storage buckets that confine evidence data to specific geographic regions (e.g., EU, US, APAC). International data transfers are conducted in compliance with applicable data protection laws, including Standard Contractual Clauses where required.

10. Children's Privacy

The Service is designed for business and enterprise use only. We do not knowingly collect personal information from children under the age of 16. If you become aware that a child has provided us with personal information, please contact us immediately at privacy@elydora.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated through the Service dashboard, email notification, or publication on our website with at least thirty (30) days' prior notice. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

12. Contact

For questions about this Privacy Policy or our data practices, please contact us at privacy@elydora.com.