Privacy Policy
Effective Date: March 24, 2026
Last Updated: March 24, 2026
Previous Version: January 17, 2026
This Privacy Policy explains how Sigma5C Corp ("Sigma5C," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with our websites, applications, APIs, and services (collectively, the "Services"), including the Sigma5C platform, the Sigma5C Model Observatory, and related APIs.
If you use the Services on behalf of an organization (for example, as an employee or contractor), your organization may be the "Customer" and may control the information processed through the Services.
1. Scope
This Privacy Policy applies to personal information we process:
- Through our Services (including our web application, APIs, and AI features)
- When you visit our websites, request demos, or communicate with us
- In connection with marketing and events
This Privacy Policy does not apply to third-party websites, products, or services that may be linked from our Services.
2. Definitions
- "Personal Information" means information that identifies, relates to, or could reasonably be linked to an individual.
- "Customer Content" means content, data, prompts, queries, files, or other information submitted to the Services by or on behalf of a Customer or end user.
- "Usage Data" means telemetry and analytics data about how the Services are accessed and used.
- "Observation Data" means data about AI model behavior produced by the Sigma5C Model Observatory. Observation Data is generated by Sigma5C's own research processes and does not contain Personal Information.
- "Observatory API Data" means records of API requests made by customers to access Observation Data, including query parameters, timestamps, and response metadata.
3. Information We Collect
3.1 Information You Provide
Account and profile information:
- Name, email address, organization name
- Username, password (or SSO identifiers)
- Billing contact details
Customer Content and inputs:
- Prompts, queries, and messages you provide to AI features
- Data you upload to the platform
- API requests and their contents
Payment information:
- Subscription tier and plan selection
- Payment method details are processed by Stripe; we receive limited metadata (last 4 digits, billing address)
Communications:
- Support tickets, emails, and feedback
- Newsletter signup information
3.2 Information Collected Automatically
Device and network data:
- IP address, browser type, operating system, time zone
- Approximate location derived from IP
Session data:
- Login timestamps and session identifiers
- Device fingerprint (combination of IP address and browser type) for security
- We limit concurrent sessions to 5 per account for security purposes
- Sessions are automatically terminated after 24 hours of inactivity
Usage Data:
- Pages viewed, features used, API endpoints accessed
- Error logs and performance metrics
3.3 Observatory and API Usage Data
Free Observatory browsing:
- Standard web analytics (page views, time on page) collected only with your cookie consent
- No account or Personal Information required to browse the public Observatory
Paid Observatory API access:
- API key identifiers (hashed; we do not store plaintext API keys)
- API request logs: endpoint accessed, query parameters, timestamp, response status, and response time
- Daily and monthly usage aggregates per API key
- IP address of API requests (for rate limiting and security)
What the Observatory does NOT collect:
- Observation Data is generated by Sigma5C's own research infrastructure and does not derive from your Personal Information or Customer Content
- The Observatory does not process, store, or transmit your proprietary data, prompts, or AI model outputs
3.4 Information From Third Parties
- Authentication providers (SSO) for identity verification
- Payment processors for billing confirmation
4. How We Use Information
4.1 Provide and Secure the Services
- Create accounts, authenticate users, provide features
- Process transactions and manage subscriptions
- Monitor reliability and provide support
- Detect and prevent fraud, abuse, and security incidents
4.2 Improve the Services
- Understand feature usage and performance
- Test and deploy updates
- Develop new capabilities
We do not use Customer Content to train or improve AI models. Your prompts, queries, and data remain private and are not used for machine learning training purposes. We may use aggregated, de-identified Usage Data for analytics and service improvement.
4.3 Communicate With You
- Send service-related messages (security alerts, billing notices)
- Respond to inquiries and support requests
- Send marketing messages (where permitted); you can opt out anytime
4.4 Legal and Compliance
- Comply with applicable laws and regulations
- Enforce our terms and policies
- Protect rights, privacy, and safety
5. How We Disclose Information
5.1 Service Providers
We share information with vendors who help us operate the Services, including:
- Cloud infrastructure providers
- Payment processors (Stripe)
- Email service providers (for transactional emails)
- Analytics providers
These providers are contractually required to protect information and only process it on our instructions. For a complete list of our sub-processors, see our Third-Party Providers page.
5.2 AI Infrastructure Providers
When you use AI features, we may transmit your prompts to third-party AI providers to generate responses. Our AI infrastructure includes:
- OpenRouter: Multi-provider routing service that connects to 100+ AI models (including Groq, Gemini, Mistral, DeepSeek, Cohere, and others)
- OpenAI: GPT-series language models
- Anthropic: Claude-series language models
- On-premises inference: Optional local AI processing for enterprise customers (data never leaves your infrastructure)
We select providers with appropriate privacy practices and limit data sharing to what is necessary for generating responses. Your prompts and AI responses are not used for model training. If you enable conversation memory features, prompts and responses may be retained for up to 7 days to provide context continuity; otherwise, they are processed transiently.
5.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction.
5.4 Legal Requirements
We may disclose information to comply with law, legal process, or lawful requests, or to protect security and safety.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | While account is active; deleted within 90 days after closure |
| Session data | 24 hours of inactivity (standard); up to 30 days with "remember me" enabled |
| Authentication tokens | Access tokens: 30 minutes; Refresh tokens: 7 days (standard) or 30 days ("remember me") |
| Customer Content | Per your plan settings; deleted upon request or account closure |
| AI prompts and responses | Transient by default; up to 7 days if conversation memory features are enabled |
| Usage logs | 90 days for security and troubleshooting |
| Observatory API request logs | 90 days (detailed); aggregated usage statistics retained for the duration of the subscription |
| Observatory API keys (hashed) | While subscription is active; revoked keys purged within 30 days |
| Backups | 30 days on a rolling basis |
7. Security
We implement administrative, technical, and organizational safeguards to protect personal information, including:
- Encryption in transit (TLS/HTTPS for all communications)
- Password hashing using Argon2id (industry-leading memory-hard algorithm)
- Two-factor authentication (2FA) with backup codes
- Automatic session rotation and token refresh
- Cross-site request forgery (CSRF) protection
- Secrets management using enterprise-grade vault systems
- Security monitoring and incident response
- Automatic log redaction of sensitive data
- Regular security assessments
No system is 100% secure, and we cannot guarantee absolute security. For more details about our security practices, see our Security page.
8. International Data Transfers
We may process and store information in the United States. When we transfer personal information internationally, we use appropriate safeguards (such as Standard Contractual Clauses) where required by law.
9. Your Privacy Rights
Depending on where you live, you may have rights regarding your personal information:
- Access, correction, or deletion of your data
- Data portability
- Objection or restriction of processing
- Withdrawal of consent
To exercise these rights, contact us at privacy@sigma5c.com. We will respond to verified requests within 30 days (or sooner where required by law).
10. Cookies and Local Storage
We use cookies and similar technologies for:
- Essential: Authentication, security, session management
- Preferences: Theme settings (light/dark mode)
- Analytics: Understanding usage and performance
Specific Technologies Used
| Name | Type | Purpose | Duration |
|---|---|---|---|
| access_token | HttpOnly Cookie | Short-lived authentication token (cannot be accessed by JavaScript) | 30 minutes |
| refresh_token | HttpOnly Cookie | Long-lived authentication token for session renewal | 7 days (standard); 30 days ("remember me") |
| csrf_token | HttpOnly Cookie | Protection against cross-site request forgery attacks | 1 hour |
| sigma5c-theme | localStorage | Remember your light/dark mode preference | Persistent |
You can control cookies through your browser settings. We do not use advertising cookies or third-party tracking cookies.
11. Marketing Preferences
You can opt out of marketing emails by using the "unsubscribe" link or contacting us. You will still receive essential service communications.
12. Children's Privacy
The Services are not directed to children under 16, and we do not knowingly collect personal information from children.
13. U.S. State Privacy Rights
Residents of California, Virginia, Colorado, and other states with privacy laws may have additional rights including:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of "sale" or "sharing" of personal information
We do not sell personal information.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice via the Services or email.
15. Contact Us
Sigma5C Corp
Delaware C Corp
Email: info@sigma5c.com
Privacy: privacy@sigma5c.com
Website: https://sigma5c.com