Privacy Policy

Data controller: ITLOX Inc., a Delaware corporation ("RadMah AI," "we," "our," or "us"). This Privacy Policy governs all personal data processed by RadMah AI through: — our marketing website (www.radmah.ai) — our client application (app.radmah.ai) — our REST and WebSocket APIs (api.radmah.ai) — our CLI, SDK, and any other RadMah AI-operated digital services Privacy and data protection inquiries: privacy@radmah.ai EU/EEA representative inquiries: privacy@radmah.ai (subject line: "EU Representative") Data breach notification: security@radmah.ai We do not currently designate a full-time Data Protection Officer (DPO); however, our privacy team handles all data subject requests and regulatory communications. Enterprise customers operating in the EU may request a DPA that names an EU-based sub-processor contact.

This Privacy Policy applies to all personal data we process as a data controller. Where RadMah AI processes personal data on your behalf (for example, within Reference Datasets you upload), it does so as a data processor under a Data Processing Agreement (DPA) — our obligations as processor are set out in the DPA, not this policy. This policy was last updated on March 19, 2026. We will notify registered users of material changes via the email address on their Account at least 30 days before those changes take effect. The current version is always available at www.radmah.ai/legal/privacy.

We collect personal data in the following categories: A. Account and Registration Data — Organisation name, billing address, and business email addresses provided during sign-up — Names and email addresses of individual users within an organisation — Phone numbers (optional, for Enterprise and support escalations) B. Authentication and Security Data — Hashed passwords (bcrypt) and salted API key hashes (SHA-256 stored in the key lookup table; the raw key is never stored) — Session tokens (httpOnly, Secure, SameSite=Strict cookies) — MFA device identifiers (TOTP seeds, stored encrypted) — IP addresses and user-agent strings for authentication events C. Usage and Telemetry Data — API call logs: endpoint, HTTP method, status code, response time, timestamp, tenant ID, user ID, request ID — Job execution metadata: engine selected, credit consumption, job duration, queue name, output row count, error codes — Feature interaction data: which dashboard features are used, navigation patterns (aggregated and anonymised for analytics) — Credit balance, PAYG purchases, and subscription tier D. Billing and Financial Data — Stripe customer ID and payment method token (we never store full card numbers — Stripe handles card data under PCI-DSS Level 1) — Invoice history and subscription status — Tax identification numbers (VAT/GST IDs) where provided for invoicing purposes E. Reference Datasets (Processed as Processor) — Any data you upload for synthetic data generation. This data is processed solely to execute your generation jobs. We do not analyse, sell, or use it for any other purpose. If Reference Datasets contain personal data of third parties, you are the controller of that data and we are the processor. You must have a lawful basis to upload and process that personal data. F. Communications Data — Emails, support tickets, and chat messages you send to us — Responses to surveys, feedback requests, and customer success calls (with consent) G. Technical Infrastructure Data — AWS CloudWatch logs (retained 90 days): API request logs, worker logs, error traces — AWS VPC flow logs (retained 30 days): network traffic metadata for security monitoring — These logs are used solely for security, debugging, and capacity planning.

We use personal data only for the following purposes: 1. Service Delivery — To create and manage your Account, authenticate users, execute generation and training jobs, deliver evidence bundles, and maintain the platform. 2. Billing and Payments — To process subscriptions, PAYG top-ups, invoicing, and tax compliance via Stripe. 3. Security and Fraud Prevention — To detect, prevent, and investigate unauthorised access, fraud, AML violations, sanctions breaches, and abuse. This includes running IP addresses against abuse intelligence feeds and screening account details against sanctions lists. 4. Service Improvement and Reliability — Aggregated, anonymised usage telemetry to understand feature adoption, performance bottlenecks, and capacity requirements. We do not use individual user behaviour to make automated decisions about you. 5. Customer Communications — To send transactional emails (job completion, billing alerts, security notifications, policy updates) and, with your separate consent, product announcements and feature releases. 6. Legal and Compliance — To comply with applicable laws, respond to lawful government or regulatory requests, enforce our Terms of Service, and defend legal claims. 7. AML/CTF Screening — To screen account information against sanctions lists, PEP (Politically Exposed Person) databases, and adverse media as part of our AML/CTF programme. We do not use personal data to train AI models, sell to data brokers, target advertising, or any purpose beyond those listed above.

For customers in the European Economic Area (EEA), United Kingdom, and Switzerland, our lawful bases under GDPR Article 6 are: (a) Contract performance (Art. 6(1)(b)): Processing necessary to create your Account, deliver the Service, process billing, and respond to support requests. (b) Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, sanctions screening, AML/CTF compliance, debugging, aggregated analytics, and improving the platform. We have conducted legitimate interest assessments (LIAs) for these processing activities, available on request. (c) Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws (tax, AML, export control, data retention mandates). (d) Consent (Art. 6(1)(a)): Non-essential cookies and marketing communications. Consent may be withdrawn at any time without affecting the lawfulness of prior processing. For special category data (e.g., health data inadvertently present in Reference Datasets): we instruct customers not to upload special category data without explicit consent or legal basis. If you have a business reason to process special category data using the Service, contact us to discuss appropriate safeguards.

We use the following categories of cookies and similar technologies: Strictly Necessary (always active — no consent required): — Session authentication cookie (httpOnly, Secure, SameSite=Strict) — CSRF protection token — Load balancer stickiness cookie (session-scoped) Analytics and Performance (consent required in applicable jurisdictions): — First-party aggregated analytics using privacy-first tooling (no cross-site tracking, no fingerprinting, IP anonymised). We do not use Google Analytics. We do NOT use: — Third-party advertising or retargeting cookies — Social media tracking pixels — Persistent cross-site identification cookies Cookie consent management: A cookie consent banner is presented on first visit to our marketing site, compliant with the EU ePrivacy Directive (Cookie Law) and GDPR. You may change your cookie preferences at any time via the "Cookie Settings" link in the site footer. For customers enquiring about cookie consent management solutions compatible with React/Next.js applications (such as Cookiebot, CookieYes, or self-hosted solutions like react-cookie-consent), contact privacy@radmah.ai.

We retain personal data only as long as necessary for the purpose for which it was collected: Account Data: Retained for the duration of your subscription plus 12 months after Account deletion or termination (to allow for dispute resolution, chargebacks, and legal claims). Usage Logs and Audit Trails: 12 months for standard usage logs. 7 years for billing records, financial transaction logs, and AML/CTF screening records (legal retention obligation). Security Logs (AWS CloudWatch, VPC Flow): 90 days for application logs; 30 days for VPC flow logs. Reference Datasets and Generated Data: Retained for the duration of your subscription or your configured retention period (minimum 30 days, configurable up to 365 days or custom). Deleted within 30 days of subscription termination or customer request. Evidence Bundles: Retained with the same policy as Generated Data. Export before terminating your Account if you need long-term retention. Communications: Support tickets and emails retained for 3 years for quality assurance and legal compliance. Backups: Database backups are retained for 35 days (7 daily + 4 weekly). Deleted data may persist in backups for up to 35 days after deletion from the live database. Retention periods may be extended where required by applicable law or where data is needed to defend legal claims.

We implement a layered security programme: Encryption: All data at rest is AES-256 encrypted in AWS S3 and RDS via AWS-managed envelope encryption. All data in transit is encrypted via TLS 1.3 with HSTS enforced (minimum 1-year max-age). Access Control: Zero-trust, role-based access control. Multi-tenant isolation enforced at the database layer (row-level security) and object storage layer (tenant-scoped S3 key prefixes). No cross-tenant data access is architecturally possible. Secret Management: All production secrets (database credentials, API keys, OAuth tokens) are stored in AWS Secrets Manager and resolved at runtime. No secret is stored in environment variables, source code, or configuration files. A missing secret causes a hard failure — no silent fallback. Monitoring: AWS CloudWatch metrics and alarms, AWS GuardDuty threat detection, AWS WAF and CloudFront DDoS protection on all public endpoints. Personnel: Access to customer data systems is restricted to RadMah AI personnel with a legitimate operational need. Access requires MFA and is logged in an immutable audit trail. Penetration Testing: Annual third-party penetration test of all public API surfaces. CVE bug bounty programme active. Despite these measures, no system is completely impenetrable. We cannot guarantee absolute security. Please notify security@radmah.ai immediately if you discover a security vulnerability.

We do not sell your personal data. We share personal data only with: (a) Sub-processors who assist in delivering the Service, each subject to a data processing agreement: | Sub-processor | Purpose | Location | | Amazon Web Services (AWS) | Cloud hosting, compute, storage, logging, secret management | USA (multi-region) | | Stripe, Inc. | Payment processing, subscription billing | USA (PCI-DSS Level 1) | | Postmark / transactional email provider | Transactional email delivery | USA | | Sentry (if applicable) | Error tracking and performance monitoring | USA | | Redis / ElastiCache | Job queue broker | USA (within AWS VPC) | We will notify you of any material changes to our sub-processor list with 30 days' notice by updating this section and emailing registered users. (b) Law enforcement, courts, and regulatory authorities when required by applicable law, a court order, or to comply with legal process. We will notify you of such requests unless legally prohibited from doing so. (c) Successors in the event of a merger, acquisition, or sale of substantially all of RadMah AI's assets, provided the acquirer agrees to protect your personal data consistently with this Policy. (d) Professional advisers (lawyers, accountants, auditors) under confidentiality agreements. We require all third parties to maintain the security and confidentiality of your personal data and to use it only for the specified purpose.

RadMah AI is headquartered in the United States. Our primary infrastructure runs on AWS in US-East-1. If you are located in the EEA, UK, Switzerland, or another jurisdiction with data transfer restrictions, your personal data is transferred to the United States. We rely on the following safeguards for international transfers: EEA to USA: EU Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Module 1 (controller to controller) and Module 2 (controller to processor) as applicable. UK to USA: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs. Switzerland to USA: Swiss Federal Act on Data Protection (revFADP) SCCs. Copies of our SCCs and IDTA are available on request by emailing privacy@radmah.ai. Enterprise customers may select EU-West (Ireland) or AP-Southeast as their primary data region to minimise cross-border transfer of data. Contact your account manager to configure data residency.

Depending on your jurisdiction, you may have the following rights with respect to your personal data. We will respond to all verified requests within 30 days (or such shorter period as required by applicable law). Right of Access (GDPR Art. 15; CCPA; LGPD Art. 18): Request a copy of the personal data we hold about you and information about how we process it. Right to Rectification (GDPR Art. 16; LGPD Art. 18): Request correction of inaccurate or incomplete personal data. Right to Erasure (GDPR Art. 17; LGPD Art. 18): Request deletion of your personal data where we no longer have a lawful basis to retain it. Note: erasure requests do not extend to data we are legally required to retain (e.g., financial records, AML records, audit logs for the retention periods described in Section 7). Right to Restrict Processing (GDPR Art. 18): Request that we restrict processing of your data in certain circumstances (e.g., while you contest accuracy). Right to Data Portability (GDPR Art. 20): Receive your personal Account data in a structured, machine-readable format (JSON). Generation job metadata and evidence bundles are already available for export via the API. Right to Object (GDPR Art. 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds. Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. Right Not to be Subject to Automated Decision-Making (GDPR Art. 22): We do not make solely automated decisions with legal or similarly significant effects about you. Sanctions screening results are reviewed by a human before an Account is suspended. To exercise any of these rights, contact privacy@radmah.ai from the email address associated with your Account. We may require identity verification before processing requests. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

This section applies to California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Categories of personal information collected: identifiers (email, IP address), commercial information (subscription, billing), internet/electronic network activity (API logs, usage data), professional or employment-related information (organisation name, job role). Purposes for collection: as described in Section 4. We do NOT sell or share personal information for cross-context behavioural advertising. Your CCPA/CPRA rights: — Know: Request disclosure of what personal information we collect, use, disclose, and sell. — Delete: Request deletion of personal information (subject to exceptions for legal obligations, fraud prevention, and security). — Correct: Request correction of inaccurate personal information. — Opt out of sale/sharing: We do not sell or share personal information; no opt-out is required. — Limit use of sensitive personal information: We process sensitive personal information (financial account credentials via Stripe) solely to provide the Service; no further limitation is applicable. — Non-discrimination: We will not discriminate against you for exercising any CCPA/CPRA right. Authorised agents: You may designate an authorised agent to make CCPA/CPRA requests on your behalf. We require written authorisation and may verify the agent's identity. Contact for California privacy requests: privacy@radmah.ai

This section applies to individuals in Brazil under the Lei Geral de Proteção de Dados (LGPD). Legal bases for processing under LGPD: contract performance (Art. 7, II), legitimate interest (Art. 7, IX), compliance with legal obligation (Art. 7, II), and, where applicable, consent (Art. 7, I). Brazilian data subjects have the same rights as described in Section 11. Contact privacy@radmah.ai for any LGPD-related inquiry. RadMah AI will respond within 15 days of a verified request.

RadMah AI uses Large Language Model (LLM) AI systems as part of the AI Orchestrator and Agentic AI Data Scientist features. The following disclosures apply: Platform-Managed AI Key: When you use AI features without a BYO (bring-your-own) key, your prompts and intermediate outputs are sent to our platform-managed API key at the relevant AI provider (OpenAI, Anthropic, or Gemini, depending on your Account configuration). These requests are governed by the AI provider's data processing terms. RadMah AI operates these providers as sub-processors. BYO AI Key: If you configure your own AI provider API key, your prompts and AI outputs are transmitted directly to your provider under your own agreement. RadMah AI does not process, log, or store the content of BYO key AI requests beyond what appears in your job configuration. No Training on Your Prompts: RadMah AI does not use your AI Orchestrator prompts, Agentic Data Scientist session content, or Generated Data to train or fine-tune any RadMah AI model. EU AI Act: RadMah AI's synthetic data generation platform may constitute an "AI system" under Regulation (EU) 2024/1689 (EU AI Act). Our generation engines are not classified as high-risk AI systems under Annex III. Evidence bundles produced by the platform can serve as technical documentation supporting customers' own AI Act compliance requirements. Automated Decision-Making: We do not use AI systems to make solely automated decisions with legal or similarly significant effects about any natural person. Sanctions screening uses third-party lists reviewed by a human before action is taken.

The Service is not directed to and is not intended to be used by children under the age of 18. We do not knowingly collect personal data from children under 18. If you are under 18, do not register for or use the Service. If we become aware that we have inadvertently collected personal data from a child under 18, we will delete it promptly. If you believe we have collected personal data from a child, contact privacy@radmah.ai. For users under 18 who are EU residents: if you are between 16 and 18 years old, consent of a parent or legal guardian may be required under national implementing legislation of GDPR Article 8 in your member state.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, RadMah AI will: (a) Notify affected customers without undue delay and no later than 72 hours after we become aware, to the extent practicable; (b) Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR Article 33 or equivalent applicable law; (c) Provide in the notification: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed. Notifications will be sent to the primary email address on your Account and posted on our status page at status.radmah.ai. Please note that notification timelines may be extended where law enforcement requests a delay.

The Service integrates with third-party data sources and AI providers at your direction (for example, data connector imports from Snowflake, BigQuery, Postgres, or other systems; AI calls via BYO key). RadMah AI is not responsible for the privacy practices of these third parties. You should review the privacy policies of any third-party services you connect to the Service. Our marketing website may contain links to third-party websites. This Privacy Policy does not apply to those websites.

We may update this Privacy Policy to reflect changes in our data practices, applicable law, or platform features. We will: (a) Update the "last updated" date at the top of this page; (b) Notify registered users via email at least 30 days before any material change takes effect; (c) Where required by law (e.g., GDPR Article 13/14), obtain fresh consent if a change affects the lawful basis for processing. Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.

If you have a complaint about how we process your personal data, please contact us first at privacy@radmah.ai. We will investigate and respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority: EU / EEA: Your national data protection authority (e.g., CNIL in France, BfDI in Germany, ICO in Ireland, AEPD in Spain). UK: The Information Commissioner's Office (ICO) — ico.org.uk Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd USA (California): California Privacy Protection Agency (CPPA) — cppa.ca.gov

Privacy inquiries and data subject requests: privacy@radmah.ai Security vulnerabilities: security@radmah.ai Legal and compliance: legal@radmah.ai Response time: We aim to acknowledge all privacy requests within 5 business days and provide a substantive response within 30 days (or within the shorter deadline required by applicable law).