Privacy Policy

Effective April 20, 2026

1. Introduction

Kronisys Inc. ("Kronisys," "we," "us," or "our") operates Strata, an AI-powered enterprise intelligence platform that serves as a general AI assistant with optional enterprise extensions. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you access or use the Strata platform, our website, and related services (collectively, the "Services").

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.

Enterprise customers: If your organization has provisioned your Strata account, your organization's data processing agreement governs the handling of data submitted through your account. This Privacy Policy applies to data Kronisys controls directly.

2. Data We Collect

Data you provide directly

  • Account Information: Name, email address, organization name, and role when you create a Strata account, including identifiers generated by Microsoft SSO authentication.
  • Inputs and Outputs: Natural language prompts ("Inputs") you submit to Strata and the responses, SQL queries, charts, exports, and other content generated by Strata ("Outputs").
  • Database Connection Credentials: SQL Server connection strings, server addresses, and authentication credentials you provide to connect your databases. These are encrypted at rest and in transit.
  • Memory: Facts and preferences you choose to save (or that the AI saves with your permission) for cross-conversation context. Memory entries are scoped to your individual user account, are user-controlled (enable or disable in Settings), and are individually viewable and deletable.
  • Feedback: Ratings, comments, bug reports, and suggestions you submit about the Services.
  • Communications: Information you provide when contacting our support team.

Data collected automatically

  • Device & Connection Data: Device type, operating system, browser type, IP address, timezone, and general location derived from your IP address.
  • Usage Data: Dates and times of access, features used, prompts submitted, models selected, integrations activated, and interaction patterns with the Services.
  • Log Data: Server logs, error reports, performance data, and diagnostic information generated during your use of the Services.
  • Audit Logs: Administrative actions taken in your organization (user invitations, role changes, permission updates, session revocations) are logged with actor identity, timestamp, target, and action details. Visible only to organization administrators.
  • Activity Logs: Per-conversation metadata including model selected, token counts, response time, and SQL queries executed (when the database extension is connected) is logged for cost tracking, rate limiting, and quality monitoring.
  • Cookies: Strata sets only the cookies required to operate the Services. We do not set tracking, advertising, or analytics cookies.
    • strata_session — HTTP-only, SameSite=Lax authentication session token. Required for sign-in. Lifetime: 7 days.
    • strata_csrf — Non-HTTP-only CSRF token (double-submit pattern) used to protect state-changing requests. Lifetime: 24 hours.

Data from third-party integrations

  • Microsoft SSO: When you sign in with Microsoft, we receive your name, email, and organization identifier from Microsoft Entra ID.
  • OneDrive: File metadata and content you choose to access or save through the OneDrive integration.
  • Outlook: Email addresses, subjects, and message content you interact with through the Outlook integration.
  • Microsoft Teams: Channel information, message content, and user identifiers when you interact with the Strata Teams bot.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the Services: To operate Strata, process your prompts, generate outputs, execute SQL against your databases, and deliver exports and reports.
  • Account Management: To create, maintain, and secure your Strata account.
  • Integration Functionality: To facilitate connections between Strata and your Microsoft services (SQL Server, OneDrive, Outlook, Teams).
  • AI Model Routing: To route your prompts to the appropriate AI model (GPT-5.4, GPT-5.4 Mini, Claude Opus 4.8 (1M context), Claude Sonnet 4.6, Grok 4, or Grok 4.1 Fast) based on your selection.
  • Memory Storage: To remember user preferences, project context, and facts across separate conversations when memory is enabled. Memory is scoped to your individual user account and is never shared across users or organizations.
  • Service Improvement: To analyze usage patterns, debug errors, and improve the quality, performance, and reliability of the Services.
  • Safety & Compliance: To prevent fraud, abuse, and violations of our Usage Policy, and to comply with legal obligations.
  • Communications: To send you service announcements, security alerts, and administrative messages.

4. AI Model Training & Third-Party Models

Strata routes your prompts to third-party AI models provided by OpenAI, Anthropic, and xAI via Microsoft Foundry. When processing your prompts:

  • We do not use your Inputs or Outputs to train any AI models. Your prompts and their results are not used for model training by Kronisys or, pursuant to our Microsoft Foundry agreements, by our AI providers.
  • Your Inputs are transmitted to the selected AI provider via Microsoft Foundry to generate Outputs. This transmission is governed by our Foundry agreements with Microsoft, which prohibit the use of customer data for model training.
  • Inference-time processing: AI providers may temporarily log Inputs and Outputs for abuse detection, safety monitoring, billing reconciliation, and operational reasons. This processing occurs on the provider's inference infrastructure (OpenAI, Anthropic, or xAI) accessed via Microsoft Foundry. Logs retained for these purposes are subject to the providers' enterprise retention policies and are not used for training.
  • Third-party content awareness: Inputs you submit may contain personal data of third parties (such as recipients, names, addresses, or contract terms in emails or documents). By submitting such content, you confirm under our Usage Policy that you have the legal right to share it with our AI providers for processing.
  • We may use aggregated, de-identified usage analytics to improve Strata's prompt routing, schema matching, and semantic embedding systems. This data cannot be used to identify individual users or reconstruct specific prompts.

Your data is never used for AI training. Strata accesses AI models through Microsoft Foundry, which prohibits the use of your data for training models.

5. Data Sharing & Disclosure

We disclose personal data only in the following circumstances:

  • AI Model Providers: Your Inputs are transmitted to OpenAI, Anthropic, or xAI (depending on the model you select) via Microsoft Foundry to generate Outputs. These providers process data under Microsoft Foundry agreements that restrict their use of your data.
  • Microsoft Services: When you use Microsoft integrations, data is exchanged between Strata and Microsoft's APIs in accordance with Microsoft's privacy practices and your organization's Microsoft agreements.
  • Transactional Email: User invitations, security alerts, and administrative notifications are sent via Azure Communication Services. Recipient email addresses, subject lines, and message bodies are processed by Microsoft Azure Communication Services under Microsoft's enterprise data processing terms.
  • Geographic Location: When you sign in, your IP address is sent to a third-party geolocation service (ipapi.co) to display approximate session location (city, region, country) on the Sessions page in your account settings. Only the IP address is shared with this service; no other personal data is sent. Geographic data is stored only with the session record and is not used for any other purpose.
  • Payment Processing: Billing details for enterprise customers (such as billing contact name, email, organization name, and tokenized payment credentials) are processed by Stripe, Inc. to handle invoicing, payment collection, and tax calculation. Strata does not store full payment card numbers; Stripe holds payment credentials in tokenized form under its own security and compliance controls.
  • Service Providers: We engage third-party service providers for hosting (Microsoft Azure), analytics, and customer support. These providers are contractually bound to protect your data.
  • Legal Requirements: We may disclose data to comply with applicable law, legal process, or governmental requests, or to protect the rights, property, or safety of Kronisys, our users, or the public.
  • Corporate Transactions: In connection with a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction.

Kronisys does not sell your personal data. We do not share your personal data for targeted advertising purposes.

6. Microsoft Integrations

Strata integrates with four Microsoft services. Each integration handles data as follows:

Integration | Data Accessed | How Data is Used
SQL Server | Database schemas, table structures, query results | Schema discovery, SQL generation and execution, result display and export
OneDrive | File names, metadata, file contents | Searching files, reading documents, saving generated exports and reports
Outlook | Email addresses, subjects, message body, attachments | Searching inbox, drafting and sending emails with report attachments
Teams | Channel info, message content, user identifiers | Processing prompts via the Teams bot, sharing results in channels

All Microsoft integration data is transmitted via encrypted connections using OAuth 2.0 authentication. Strata accesses only the data necessary to fulfill your specific requests and does not persistently store Microsoft integration data beyond the active session unless explicitly saving exports to OneDrive at your direction.

7. Subprocessors

Strata uses the following subprocessors to deliver the Services. Each is bound by data processing agreements that restrict use of customer data.

Subprocessor | Purpose | Data Processed | Location
Microsoft Azure (App Service, SQL Database, Blob Storage, Communication Services) | Hosting, database, file storage, transactional email | All customer data | United States (Azure region varies by deployment)
Microsoft Foundry | AI model routing | Prompts and responses | United States
OpenAI | AI model provider (GPT-5.4, GPT-5.4 Mini) | Prompts and responses | United States
Anthropic | AI model provider (Claude Sonnet 4.6, Claude Opus 4.8) | Prompts and responses | United States
xAI | AI model provider (Grok models via Foundry) | Prompts and responses | United States
Stripe, Inc. | Payment processing & invoicing for enterprise subscriptions | Billing contact details, tokenized payment credentials, invoice line items | United States
ipapi.co | IP geolocation lookup | IP addresses only | United States

Kronisys will give enterprise customers 30 days' notice before adding new subprocessors, via email to designated administrators.

Objection right. Enterprise customers may object in writing to a new subprocessor within 30 days of notice by emailing legal@kronisys.com. If we cannot reasonably accommodate the objection, the affected enterprise customer may terminate the affected portion of the Services without penalty by giving written notice within 30 days of our response.

8. Data Retention

  • Account Data: Retained for the duration of your account plus 30 days after deletion.
  • Inputs & Outputs: Conversation history is retained for your convenience and can be deleted by you at any time. Deleted conversations are purged from our systems within 30 days.
  • Database Credentials: Encrypted connection strings are retained while your database connection is active. You may disconnect and delete credentials at any time.
  • Memory Entries: Retained until you delete them individually or disable the memory feature, after which they are purged within 30 days.
  • Audit Logs: Retained per organization configuration, default 365 days, then automatically deleted by a nightly cleanup job.
  • Activity Logs: Retained for the lifetime of the associated conversation. When a conversation is deleted, its activity logs are deleted within 30 days.
  • Usage Analytics: Aggregated, de-identified analytics may be retained indefinitely for service improvement.
  • Safety & Compliance: Data flagged for safety review or required by law may be retained for up to 3 years.

9. Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Database Credential Storage: AES-256-GCM application-layer encryption with a key stored as an Azure App Service environment variable, separate from the database itself.
  • Authentication: Microsoft Entra ID (Azure AD) Single Sign-On exclusively. No passwords are stored or managed by Strata. Multi-factor authentication, conditional access, and session timeout policies are inherited from your organization's Microsoft tenant.
  • Network: Hosted in Azure App Service with HTTPS-only enforced (TLS 1.2 minimum). The platform database is restricted to the App Service via Azure firewall rules and is not exposed to the public internet.
  • Threat Detection: Microsoft Defender for SQL is enabled on the platform database with vulnerability assessments and anomalous activity alerts.
  • Multi-Tenant Isolation: Strata is a multi-tenant SaaS platform. Customer data is logically isolated by organization identifier. Conversation history, audit logs, files, database connections, and user settings from one organization are never accessible to users of another organization. Tenant isolation is enforced at every API endpoint via authenticated session checks against the organization identifier derived from the user's Microsoft SSO domain.
  • Access Controls: Employee access to production systems follows the principle of least privilege. All access is logged and audited.
  • Incident Response: We maintain an incident response plan and will notify affected customers within 72 hours of confirming a personal data breach, in accordance with GDPR Article 33 and other applicable laws.

10. Your Rights & Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data, subject to legal retention obligations. You may also delete individual conversations directly within Strata.
  • Memory Control: You can view, edit, or delete individual memory entries from your account Settings at any time, and you can disable the memory feature entirely. Disabling memory does not delete previously saved entries; you may delete them individually.
  • Data Portability: Request a copy of your data in a structured, machine-readable format.
  • Objection: Object to processing of your personal data for certain purposes.
  • Restriction: Request restriction of processing in certain circumstances.
  • Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@kronisys.com. We will respond within 30 days of receiving your request.

11. International Data Transfers

Your data may be processed in the United States and other countries where Kronisys, its affiliates, or service providers operate. When transferring data outside the European Economic Area (EEA) or the United Kingdom, we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses approved by the European Commission
  • Other legally recognized transfer mechanisms

12. Children

Strata is an enterprise product not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has provided personal data to us, please contact us at privacy@kronisys.com and we will take steps to delete such information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Effective" date at the top of this page and, where required, by providing additional notice (such as via email or an in-product notification). We encourage you to review this page periodically.

14. Contact Information

If you have questions about this Privacy Policy, or wish to exercise your privacy rights, you can reach us at: