Legal
Privacy Policy
Public legal text sourced from the repository documentation set. These documents remain subject to legal review where marked as draft.
Last updated March 29, 2026
Privacy Policy
APPROVED v1 — Approved by EXEC 2026-03-31.
Effective Date: [TO BE DETERMINED]
Last Updated: March 29, 2026
This Privacy Policy describes how Wizdom Networks ("Company", "we", "us", "our") collects, uses, stores, and shares your personal information when you use the EVC Platform ("Service"). Wizdom Networks is a corporation organized under the laws of Canada, operating from Ontario.
We are the data controller responsible for your personal information.
1. Information We Collect
1.1 Account Data
When you register for an account, we collect:
- Email address
- Display name
- Password (stored as an argon2id hash; we never store plaintext passwords)
- Organization name (if you create an organization)
1.2 Build Data
When you use the Service to create builds, we collect and process:
- Prompts you submit for build execution
- Build output (generated source code, assets, and artifacts)
- Evidence records (quality assessments, stage telemetry, verification results)
- Token usage metrics (input tokens, output tokens, model used, cost)
1.3 Usage Data
We collect information about how you interact with the Service:
- API calls and endpoint usage
- Page views and feature usage patterns
- Build initiation frequency and patterns
- Session duration and timestamps
1.4 Billing Data
Payment processing is handled by Stripe. We do not store your full payment card details. We store:
- Subscription tier and billing cycle
- Stripe customer and subscription identifiers
- Invoice and payment history metadata
- Credit usage and overage records
1.5 Technical Data
We automatically collect:
- IP address
- Browser type and version
- Operating system and device type
- Referring URL
- Cookies and similar identifiers (see Cookie Policy)
2. How We Use Your Information
We use your information for the following purposes:
2.1 Service Delivery
- Processing your prompts through LLM providers to execute builds
- Generating and delivering build output and evidence records
- Managing your account, organization, and team memberships
- Enforcing build credit quotas and subscription limits
2.2 Billing
- Processing subscription payments through Stripe
- Tracking credit usage and calculating overage charges
- Generating invoices and managing payment disputes
2.3 Service Improvement
- Analyzing usage patterns to improve platform performance and features
- Monitoring build pipeline reliability and success rates
- Identifying and fixing bugs and technical issues
2.4 Support
- Responding to your support requests
- Investigating reported issues with builds or account access
- Communicating about service changes, maintenance, and security incidents
2.5 Security and Compliance
- Detecting and preventing fraud, abuse, and security threats
- Enforcing our Terms of Service and Acceptable Use Policy
- Complying with legal obligations
3. Legal Basis for Processing
We process your personal information on the following legal bases:
| Basis | Data Types | Purpose |
|---|---|---|
| Contract performance | Account data, build data, billing data | Providing the Service you subscribed to |
| Legitimate interest | Usage data, technical data | Service improvement, security, fraud prevention |
| Consent | Analytics cookies (where applicable) | Understanding usage patterns via optional analytics |
| Legal obligation | Billing data, audit logs | Tax compliance, fraud reporting, legal proceedings |
Where we rely on legitimate interest, we have assessed that our interests do not override your rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 8).
4. Data Retention
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account data | While account is active + 30 days after deletion | Service delivery; grace period for reactivation |
| Build data (prompts, output) | Per subscription tier: Professional 30 days, Team 90 days, Enterprise custom | Tier-based value proposition; storage cost management |
| Evidence records | Same as build data retention | Tied to build lifecycle |
| Usage data | Aggregated after 12 months; deleted after 24 months | Long-term trend analysis in aggregate only |
| Billing data | 7 years from transaction date | Tax and legal compliance requirements |
| Technical data | 90 days | Security monitoring and debugging |
| Audit logs | 2 years minimum | Security investigation and compliance |
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymized. Build data retention timers begin when a build completes, not when the subscription ends.
5. Data Sharing
We share your information only in the following circumstances:
5.1 LLM Providers
Your prompts are transmitted to third-party LLM providers for build execution. Current providers include:
- Anthropic (Claude models) — San Francisco, CA, USA
- OpenAI (GPT models) — San Francisco, CA, USA
Prompts are sent to providers as needed for build execution. Providers process prompts under their data processing terms, which prohibit training on customer inputs via API. We select providers based on build requirements and cost optimization.
5.2 Payment Processor
Billing data is shared with Stripe for payment processing. Stripe processes your payment information under their own privacy policy and PCI DSS compliance framework.
5.3 Infrastructure Providers
We use cloud infrastructure providers to host and operate the Service. These providers process data under data processing agreements with appropriate safeguards. Infrastructure providers do not access your data except as necessary to provide hosting services.
5.4 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request. We will notify you of such disclosure unless prohibited by law.
5.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.
5.6 No Sale of Personal Data
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We have never sold personal data and have no plans to do so.
6. Security Measures
We implement technical and organizational measures to protect your data:
- Encryption at rest: PostgreSQL uses transparent data encryption. Object storage uses AES-256 server-side encryption. Secrets are managed through envelope encryption with a dedicated key management system.
- Encryption in transit: All connections use TLS 1.2 or higher. Client-facing connections use TLS 1.3 via Cloudflare. Internal service communications use TLS with certificate verification.
- Tenant isolation: PostgreSQL row-level security (RLS) policies enforce data isolation between organizations. Object storage paths are scoped by organization identifier.
- Access controls: Role-based access control (RBAC) limits data access to authorized users and roles. API authentication uses short-lived JWT tokens (15-minute expiry).
- Audit logging: All data access, modifications, and administrative actions are recorded in immutable audit logs.
- Build sandboxing: Build execution occurs in isolated containers with no network access by default, read-only filesystems, and resource limits.
For more details, see our Security Architecture documentation.
7. Cross-Border Data Transfers
Wizdom Networks is based in Ontario, Canada. Your data may be processed in Canada and the United States (where our LLM providers and infrastructure are located).
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for cross-border transfers.
- Canada has received an adequacy decision from the European Commission under PIPEDA (Personal Information Protection and Electronic Documents Act).
- Where data is transferred to US-based processors, we ensure appropriate safeguards through SCCs and supplementary measures.
You may request a copy of the applicable Standard Contractual Clauses by contacting us at [privacy@wizdom.dev].
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal data ("right to be forgotten") |
| Portability | Request your data in a structured, machine-readable format |
| Restriction | Request that we limit processing of your data |
| Objection | Object to processing based on legitimate interest |
| Withdraw consent | Withdraw consent for processing where consent is the legal basis |
To exercise any of these rights, contact our Data Protection Officer at [dpo@wizdom.dev]. We will respond within 30 days. If we need additional time, we will inform you within the initial 30-day period.
You also have the right to lodge a complaint with your local data protection supervisory authority.
Data Protection Officer
Wizdom Networks has designated a Data Protection Officer. Contact:
- Email: [dpo@wizdom.dev]
- Mail: Data Protection Officer, Wizdom Networks, [Address to be provided]
9. Your Rights Under CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
9.1 Right to Know
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
9.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions (legal obligations, security, completing transactions).
9.3 Right to Opt-Out of Sale
We do not sell personal information. Because we do not engage in the sale of personal information, there is no need to opt out. If our practices change, we will update this policy and provide an opt-out mechanism.
9.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, quality, or service levels for exercising your rights.
9.5 Exercising Your Rights
To exercise your CCPA rights, contact us at [privacy@wizdom.dev]. We will verify your identity before processing your request. You may also designate an authorized agent to make requests on your behalf.
10. Canadian Privacy Law
As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Under PIPEDA, you have the right to access and challenge the accuracy of your personal information held by us. Contact [privacy@wizdom.dev] to exercise these rights.
11. Children's Privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected data from a child under 18, we will delete that data promptly. If you believe a child has provided us with personal information, contact us at [privacy@wizdom.dev].
12. Cookies
We use cookies and similar technologies as described in our Cookie Policy. Please refer to the Cookie Policy for details about the types of cookies we use and how to manage your cookie preferences.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email. Non-material changes take effect upon posting. The "Last Updated" date at the top of this policy indicates the most recent revision.
14. Contact
For privacy-related inquiries:
- General: [privacy@wizdom.dev]
- Data Protection Officer: [dpo@wizdom.dev]
- Mail: Wizdom Networks, [Address to be provided], Ontario, Canada