Privacy Policy

Last updated: January 2026

1. Information We Collect

We collect: account information (email, name, business details), incident metadata (type, amount, date, status), HMAC-hashed identifiers for matching, and usage logs. We do NOT collect or store: raw customer identifiers (these are hashed server-side), evidence file contents (encrypted client-side), decrypted descriptions, or raw IP addresses (hashed before storage).

2. How We Use Information

We use your information to: operate the platform, generate risk assessments, facilitate dispute resolution, maintain audit trails, and enforce our terms of service. We do not sell your data to third parties.

3. Encryption

Evidence and sensitive data are encrypted client-side using AES-256-GCM before transmission to our servers. Encryption keys are managed by users via passkeys and the WebAuthn PRF extension. MRX operators cannot decrypt evidence files.

4. Data Retention

Incident records are retained indefinitely as part of the risk assessment system. Status changes are recorded; records are never deleted. Account data is retained for the lifetime of the account. Audit logs are retained indefinitely and are tamper-evident.

5. Data Sharing

Risk assessments (containing no PII) are shared with merchants via the POS lookup API. Evidence is shared between organizations only when access is explicitly granted, using client-side encryption key wrapping. We may disclose information when required by law.

6. Your Rights

You may: access your account data, dispute incident records, export your data, and delete your account. Deleting your account removes your login but incident records remain (with identifiers hashed) as part of the shared intelligence system.
