Privacy Policy

Neptrix is a Constitutional AI Governance Platform operated by QuantumPivot Limited ("we", "us", or "our"). Our platform evaluates AI agent tool calls against constitutional rules before execution, ensuring that autonomous AI systems operate within defined safety boundaries.

This Privacy Policy explains how we collect, use, store, and protect your information when you use Neptrix at neptrixai.com and our associated APIs and services. We are committed to protecting your privacy and handling your data with transparency.

By creating an account or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use our services.

We use the information we collect for the following purposes:

• Providing governance services: Evaluating AI agent tool calls against your constitutional rules and returning allow, block, escalate, or modify decisions.
• Maintaining audit trails: Recording every governance decision in a hash-chained, tamper-evident log for your organisation's compliance and oversight needs.
• Account management: Authenticating your identity, managing your subscription, and communicating important service updates.
• Human escalation: Routing flagged actions to designated human reviewers within your organisation for approval or rejection.
• Platform improvement: Using pseudonymised, aggregated data to enhance threat detection capabilities, improve rule effectiveness, and strengthen the overall safety of the platform.
• Security and abuse prevention: Detecting and preventing unauthorised access, abuse, or malicious activity against the platform.
• Legal compliance: Meeting applicable legal obligations and responding to lawful requests from authorities where required.

We take the security of your data seriously and implement multiple layers of protection:

• Infrastructure: Our database is hosted on Supabase with encryption at rest and in transit (TLS 1.2+). Our frontend is deployed on Vercel with edge caching, and our backend API runs on Railway with isolated container environments.
• Hash-chain integrity: Every audit record is cryptographically linked to the previous record using hash chaining. This means that any tampering with historical records is detectable, providing a tamper-evident audit trail.
• Authentication security: User authentication is handled by Supabase Auth with secure password hashing, session management, and token-based API authentication.
• Organisation isolation: Governance data is strictly isolated per organisation. Row-level security policies ensure that users can only access data belonging to their own organisation.
• API key security: API keys are transmitted securely over HTTPS and can be revoked at any time from your dashboard.

While we implement industry-standard security measures, no system is completely immune to all threats. We continuously monitor and improve our security posture.

We are committed to protecting your data and limiting how it is shared:

• We do not sell your data. Your organisation's governance data, audit records, and personal information are never sold to third parties.
• Payment processing: We share necessary billing information with Stripe solely for the purpose of processing payments and managing subscriptions.
• Pseudonymised aggregates: We may use pseudonymised, aggregated data (as described in Section 2.3) internally to improve platform-wide threat detection and rule effectiveness. This data cannot be linked back to any individual or organisation.
• Legal requirements: We may disclose information if required by law, regulation, legal process, or enforceable governmental request.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

We do not share your organisation's governance decisions, audit trail data, or constitutional rules with other customers or any third parties beyond what is described above.

Neptrix operates as a governance engine that evaluates AI agent tool calls against constitutional rules before execution. It is important to understand the following regarding data processed through the platform:

• No responsibility for AI agent data: QuantumPivot Limited is not responsible for any data processed by AI agents that pass through the Neptrix governance engine. The data contained within AI agent tool calls, including arguments, payloads, and contextual information, is generated and controlled by the AI agents and their operators, not by QuantumPivot Limited. We evaluate this data solely for the purpose of making governance decisions and do not assume any liability for its content, accuracy, legality, or consequences.
• Audit record content: Audit records maintained by Neptrix may contain information about AI agent actions, including details of proposed tool calls, governance decisions, and associated metadata. While QuantumPivot Limited maintains the integrity and availability of these audit records, we do not control or take responsibility for the content of the AI agent actions recorded within them. The actions described in audit records are initiated by AI agents operating under the control of their respective operators, and QuantumPivot Limited bears no liability for those actions or their outcomes.
• Governance decisions are advisory: Neptrix's governance decisions (ALLOW, BLOCK, ESCALATE, or MODIFY) are based on the constitutional rules configured by your organisation. QuantumPivot Limited provides the governance evaluation infrastructure but does not guarantee that all harmful or undesirable AI agent actions will be detected or prevented. Responsibility for the configuration of constitutional rules and the overall behaviour of AI agents remains with the organisation operating those agents.

You have the following rights regarding your personal data:

• Right of access: You can view all data associated with your account through the Neptrix dashboard at any time, including your full audit trail and governance history.
• Right to export: Your audit records and governance data are exportable directly from the dashboard. You can download your complete audit trail in standard formats for your own records or compliance needs.
• Right to rectification: You can update your account information (name, email, organisation name) through your account settings.
• Right to deletion: You can request deletion of your account and all associated data by contacting us at hello@neptrixai.com. Upon receiving a verified deletion request, we will delete your personal data and organisation data within 30 days, except where retention is required by law.
• Right to restriction: You can request that we restrict processing of your personal data in certain circumstances.
• Right to object: You can object to our processing of your personal data for platform improvement purposes (pseudonymised aggregate data collection).

To exercise any of these rights, contact us at hello@neptrixai.com. We will respond to your request within 30 days.

We retain your data according to the following policies:

• Account data: Retained for as long as your account is active. If you close your account, personal data is deleted within 30 days of a verified deletion request.
• Audit trail records: Retained for the duration of your active account. Audit records are a core feature of the platform and are maintained to preserve the integrity of your governance history. They are deleted upon account deletion request.
• Governance decision data: Retained alongside audit records for the duration of your active account.
• Pseudonymised aggregate data: Because this data is stripped of all PII and cannot be linked back to individuals or organisations, it may be retained indefinitely for platform improvement purposes.
• Payment records: Billing records maintained by Stripe are subject to Stripe's retention policies. We retain subscription status information for as long as your account is active.

Neptrix's infrastructure is distributed across multiple regions to ensure performance and reliability. Our services are hosted on Supabase, Vercel, and Railway, which may process and store data in various locations including the United States and the European Union.

If you are accessing Neptrix from outside the region where your data is stored, your information may be transferred across international borders. Where such transfers occur, we rely on appropriate safeguards to ensure your data remains protected, including:

• Standard contractual clauses approved by applicable regulatory authorities
• Adequacy decisions where applicable
• The data protection commitments of our infrastructure providers

By using Neptrix, you acknowledge that your data may be transferred to and processed in jurisdictions outside your country of residence.

Neptrix is a professional AI governance platform designed for use by software developers, engineering teams, and organisations. Our services are not intended for, directed at, or designed to attract individuals under the age of 16.

We do not knowingly collect personal information from anyone under 16 years of age. If we become aware that we have inadvertently collected data from a person under 16, we will take immediate steps to delete that information. If you believe that a child under 16 has provided us with personal data, please contact us at hello@neptrixai.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• The "Last updated" date at the top of this page will be revised
• For material changes, we will notify you via the email address associated with your account
• We encourage you to review this page periodically to stay informed about how we protect your data

Your continued use of Neptrix after any changes to this Privacy Policy constitutes your acceptance of the updated terms.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related enquiries within 30 days.