Praxa

Legal

Privacy Policy

This policy explains what data Praxa handles, why, where it lives, and how long we keep it. It is consistent with the controls described on our Security page.

Last updated · May 1, 2026

Plain-language note. This is a pre-launch template, not yet executed against a paying customer. The binding agreement for any contract is the signed MSA and order form. We publish these so your legal team can review the shape of the relationship before a call.

1. Scope

This policy covers the Praxa platform operated by Praxa Labs, Inc. It describes how we handle three categories of data: information you give us directly (account and billing details), artifacts Praxa observes in systems you connect, and operational data the platform generates (run records and audit logs). Where you are an Enterprise customer, the Data Processing Addendum governs our role as a processor of personal data.

2. Data we handle

Account and billing

  • Name, work email, company, and workspace role for each user.
  • Billing contact and subscription records. Card data is handled by our payment processor (Stripe); Praxa does not store full card numbers.

Observed artifacts

  • Commits, pull requests, issues, tickets, messages, calendar events, and similar artifacts from the systems you connect, scoped to the role you ask Praxa to observe.
  • Derived material: the distilled job specification, generated Skill manifest, and evaluation suite for your workspace.

Model provider keys (BYOK)

  • Your Anthropic, AWS Bedrock, or Google Vertex credentials, stored encrypted and used only to execute your Skills.

Operational data

  • Run records and the audit log for each Skill action: input, reasoning, alternatives considered, confidence, and output.
  • Standard service logs and metrics needed to operate and secure the platform.

3. How we use data

  • To generate, evaluate, run, and audit your Skills.
  • To provide the dashboard, including per-Skill transparency metrics.
  • To bill the per-Skill subscription, secure the platform, and provide support.

We do not sell your data. We do not use your observed artifacts, prompts, or outputs to train foundation models. With BYOK, prompts and completions are processed by your own model provider account, not stored by Praxa beyond the audit-log fields you choose to retain.

4. Language-model data flow

Because the platform is BYOK, every model call runs against your provider credentials. The content of prompts and completions lands in your provider account under your provider's terms. Praxa retains only the structured audit-log fields described above so you can replay a decision. We never act as a token reseller and do not retain a separate copy of raw model traffic.

5. Where data lives

  • Skill plan. Shared multi-tenant Postgres with workspace-isolated rows, and shared object storage with workspace-isolated keys, in our Cloudflare and AWS us-east-1 deployment. Encrypted at rest.
  • Enterprise plan. A dedicated tenant in your region of choice, with infrastructure-level isolation (separate database, KMS key, and object store). Optional self-host in your own AWS account.

Tenant isolation is enforced in code: every row, object key, and memory fact carries a workspace_id, and cross-tenant reads are blocked at the query layer. BYOK keys are encrypted with a workspace-scoped key (AES-256-GCM), itself wrapped by a tenant-scoped KMS data key.

6. Retention and deletion

  • Audit and run logs are retained for 90 days by default on the Skill plan, and for a contracted window on Enterprise.
  • Customer-initiated erasure runs a hard delete within 7 days.
  • On termination we stop processing and delete workspace data on the same timelines, except where retention is required by law.

7. Sub-processors and sharing

We share data only with infrastructure sub-processors needed to run the platform — for example our cloud and database providers and our payment processor — under contracts that require appropriate safeguards. We maintain a current sub-processor list available on request and, for Enterprise customers, provide advance notice of material changes as set out in the DPA. We disclose data to authorities only where legally required.

8. Your rights

Depending on your jurisdiction you may have rights to access, correct, export, or delete personal data. Workspace administrators can export and erase data from the platform; for anything else, email privacy@praxa.dev. Where Praxa acts as a processor on behalf of a customer, we route individual requests to that customer as controller.

9. Security

Security controls — bot-user authentication, encryption, tenant isolation, append-only audit logging, and runtime scope enforcement — are described on the Security page. Our SOC 2 Type II program is on the roadmap for Q4 2026; we will update this policy as that status changes rather than claim it early.

10. Changes

We may update this policy. Material changes are announced to workspace administrators with reasonable notice and reflected in the "last updated" date above.

11. Contact

Privacy questions go to privacy@praxa.dev. Security questions and questionnaires go to security@praxa.dev.