1 Introduction
Encryptix ("Encryptix," "we," "us," or "our") operates an IoT fleet management platform that enables organizations to monitor, manage, and maintain connected devices at scale. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website (www.encryptix.io), dashboard (dashboard.encryptix.io), device agent software, backend services, and any related APIs or services (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of our Services immediately.
This Privacy Policy applies to all users of our Services, including website visitors, dashboard users, organization administrators, and operators of devices running the Encryptix agent.
2 Information We Collect
We collect information in several categories depending on how you interact with our Services.
2.1 Account and Organization Information
When you create an account or join an organization on Encryptix, we collect:
- Identity information: Name and email address, as provided through our authentication provider (Auth0).
- Organization information: Organization name and membership details necessary for multi-tenant access control.
- Authentication data: We use Auth0 as our identity provider. We do not store your password directly. Auth0 manages authentication credentials on our behalf, subject to their own privacy policy.
2.2 Device and Agent Data
When you install the Encryptix agent on your devices, the agent collects and transmits the following data to our platform:
- System metrics: CPU usage, memory utilization, and disk usage statistics, collected at configurable intervals (minimum 10 seconds, default 60 seconds).
- Network metrics: Network traffic volume (bytes in/out) and packet counts per network interface.
- Device metadata: Hostname, operating system type and version, hardware specifications (make, model, architecture), and network interface details (interface names, MAC addresses, IP addresses).
- Device identifiers: A stable machine identifier derived from system information (hostname, machine-id, MAC address) used to uniquely identify each device.
- Geolocation data: Approximate device location derived from IP address.
- Package inventory: Installed software packages (name, version, architecture, package manager) for vulnerability scanning purposes.
Important: The Encryptix agent is designed to collect only infrastructure-level telemetry. It does not access, read, or transmit file contents, user data stored on the device, application-level data, keystrokes, screen content, or personal files of device end users.
2.3 SSH Session Data
When you initiate an SSH session to a device through our dashboard, we collect:
- Session metadata: Session start time, end time, duration, initiating user, and target device.
- Session events: Connection and disconnection events for audit purposes.
SSH sessions are ephemeral. We act as a secure relay between your browser and the device. We do not log, store, or inspect terminal input/output or command history transmitted during SSH sessions.
2.4 Billing and Payment Information
We use Stripe as our payment processor. When you subscribe to a paid plan:
- Stripe processes: Credit card numbers, billing addresses, and other payment details directly. This information is handled entirely by Stripe and is subject to Stripe's Privacy Policy.
- We store: Subscription plan, billing cycle, entitlement information, and Stripe customer/subscription identifiers. We do not store full credit card numbers or payment credentials on our servers.
2.5 Website and Marketing Data
When you visit our website or request beta access, we collect:
- Contact information: Email address and estimated fleet size submitted through our beta access request form.
- Technical data: IP address, browser type and version, operating system, referring URL, pages visited, and access timestamps.
2.6 Enrollment Token Data
When you create enrollment tokens for onboarding new devices, we store the token metadata, creation date, associated organization, and usage status. Enrollment tokens are used solely to authenticate new devices joining your fleet.
3 How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To provide, operate, and maintain the Encryptix platform, including device monitoring, metrics collection, fleet management, SSH relay, alerting, deployment orchestration, vulnerability scanning, and fleet service management features.
- Account management: To create and manage your account, authenticate your identity, and enforce multi-tenant access controls.
- Billing and payments: To process subscriptions, generate invoices, manage entitlements, and enforce plan limits (e.g., device count, data retention periods).
- Security and abuse prevention: To detect, investigate, and prevent unauthorized access, fraud, and abuse of our Services.
- Service improvement: To analyze usage patterns, diagnose technical issues, and improve the performance and reliability of our platform.
- Communications: To send service-related notifications, incident alerts, security advisories, and respond to your support requests. We do not send marketing emails without your explicit consent.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
4 Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Performance of a contract: Processing necessary to provide the Services you have requested, including account creation, device monitoring, and SSH access (Article 6(1)(b)).
- Legitimate interests: Processing necessary for our legitimate business interests, such as improving our Services, ensuring security, and preventing fraud, where these interests are not overridden by your rights (Article 6(1)(f)).
- Consent: Where you have given explicit consent, such as opting into marketing communications or submitting the beta access form (Article 6(1)(a)). You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation: Processing necessary to comply with applicable laws and regulations (Article 6(1)(c)).
5 Data Sharing and Third Parties
We do not sell your personal information. We do not rent, trade, or otherwise monetize your data. We share information only in the following limited circumstances:
5.1 Service Providers (Sub-processors)
We engage trusted third-party service providers who process data on our behalf to deliver and support our Services:
| Provider |
Purpose |
Data Processed |
| Amazon Web Services (AWS) |
Cloud infrastructure, hosting, data storage, and CDN |
All service data (encrypted at rest and in transit) |
| Auth0 (Okta) |
Identity and authentication |
Email, name, authentication credentials |
| Stripe |
Payment processing and billing |
Payment details, billing address, subscription data |
Each sub-processor is contractually bound to process data only as instructed by us and to maintain appropriate security measures.
5.2 Legal Requirements
We may disclose your information if required to do so by law or in good faith belief that such action is necessary to:
- Comply with a legal obligation, subpoena, court order, or governmental request.
- Protect and defend the rights or property of Encryptix.
- Prevent or investigate possible wrongdoing in connection with the Services.
- Protect the personal safety of users of the Services or the public.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or use of your personal information, as well as any choices you may have.
5.4 With Your Consent
We may share your information for purposes not described in this Privacy Policy with your explicit consent.
6 Data Retention
We retain your information only as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Account data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days, except where retention is required for legal or compliance purposes.
- Device metrics and telemetry: Retained according to your subscription plan's data retention period (30 days, 1 year, or 2 years). Upon expiration, metrics data is permanently deleted.
- SSH session metadata: Retained for audit purposes for up to 90 days after the session ends.
- Billing records: Retained for up to 7 years as required by tax and financial regulations.
- Website visitor data: Beta access requests are retained for the duration of the beta program. Technical logs are retained for up to 90 days.
- Security logs: Retained for up to 90 days for incident investigation purposes.
- Inactive accounts: Accounts with no activity for 24 months may be flagged for deletion. We will notify you by email before deleting an inactive account.
7 Data Security
We implement and maintain industry-standard technical and organizational security measures to protect your data, including:
- Encryption in transit: All data transmitted between devices, the agent, our APIs, and the dashboard is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in our databases and object storage is encrypted using AES-256 encryption.
- Authentication and access controls: JWT-based authentication with Auth0, role-based access controls, and multi-tenant data isolation ensuring organizations can only access their own data.
- Infrastructure security: Our Services are hosted on AWS with network segmentation, security groups, and regular patching.
- Device authentication: Devices authenticate using enrollment tokens on first connection and stable machine identifiers for subsequent communications.
- Audit trails: All data modifications are tracked with audit fields (created by, updated by, timestamps) and history tables.
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly notifying affected users and relevant authorities in the event of a data breach, as required by applicable law.
8 Your Rights
8.1 Rights for All Users
Regardless of your location, you may:
- Access your data: Request a copy of the personal information we hold about you.
- Correct your data: Request correction of inaccurate or incomplete personal information.
- Delete your data: Request deletion of your personal information, subject to legal retention requirements.
- Export your data: Request a portable copy of your data in a structured, machine-readable format.
- Opt out of communications: Unsubscribe from marketing communications at any time using the unsubscribe link in our emails or by contacting us.
8.2 Additional Rights for EEA/UK Residents (GDPR)
If you are in the European Economic Area or United Kingdom, you additionally have the right to:
- Restrict processing: Request that we limit how we use your personal data.
- Object to processing: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: File a complaint with your local data protection authority (e.g., the ICO in the UK, or your EU Member State supervisory authority).
8.3 Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to know: You may request the categories and specific pieces of personal information we have collected, the sources of collection, the business purpose, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
In the preceding 12 months, the categories of personal information we have collected include: identifiers (name, email, IP address), commercial information (subscription data), internet or other electronic network activity (usage data, device metrics), and geolocation data (approximate location from IP address).
8.4 Exercising Your Rights
To exercise any of these rights, please contact us at support@encryptix.io. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
9 Encryptix as a Data Processor
When you use our platform to monitor your devices, Encryptix acts as a data processor on your behalf. You (or your organization) are the data controller and determine the purposes and means of processing device data.
In this capacity:
- We process device data solely according to your instructions and for the purposes of providing the Services.
- You are responsible for ensuring that your use of our Services complies with applicable data protection laws, including obtaining any necessary consents from individuals whose personal data may be included in device telemetry.
- We will assist you in responding to data subject requests related to device data processed through our platform.
- Enterprise customers may request a Data Processing Agreement (DPA) by contacting support@encryptix.io.
10 International Data Transfers
Encryptix is based in the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs): EU-approved contractual safeguards for data transfers.
- Adequacy decisions: Where the European Commission has determined that a country provides an adequate level of data protection.
- Your consent: Where applicable, as a supplementary transfer mechanism.
11 Cookies and Tracking Technologies
Our website and dashboard use limited cookies and similar technologies:
- Essential cookies: Required for authentication, session management, and core functionality of the dashboard. These cannot be disabled.
- Authentication tokens: JWT tokens stored in your browser to maintain your authenticated session with the dashboard.
We do not use third-party advertising cookies or cross-site tracking technologies. We do not participate in ad networks or sell data to advertisers.
12 Children's Privacy
Our Services are not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at support@encryptix.io, and we will take steps to delete such information promptly.
13 Third-Party Links and Services
Our Services may contain links to third-party websites or services (e.g., Auth0 login, Stripe payment portal). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you interact with through our platform.
14 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you via email (for registered users) or through a prominent notice on our website.
- Where required by law, obtain your consent before applying material changes to previously collected data.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.