Privacy Policy
Effective Date: June 18, 2026
This Privacy Policy explains how Oxus AI, Inc. ("Company", "we", "us") collects, uses, shares, and protects personal data when you visit our website or use our AI-native platform for internal auditors (the "Services").
1. Scope & Roles
We act as a data controller for personal data relating to website visitors, prospects, and account administrators. We act as a data processor for Customer Content that we process on behalf of enterprise customers within the Services (e.g., uploaded evidence, transcripts, workpapers, and resulting outputs).
2. Personal Data We Collect
A. Information you provide to us (Controller)
- Contact & account data (name, email, employer, role, authentication identifiers).
- Profile & admin settings (preferences, organization settings).
- Commercial & support data (subscriptions, tickets, correspondence).
- Marketing preferences and communication choices.
- Survey responses, testimonials or reviews (with consent).
B. Information we process on behalf of customers (Processor)
- Customer Content: documents, evidence files, control matrices, meeting transcripts, and other audit artifacts that you or your organization upload to the platform.
- Outputs: AI-generated analyses, flowcharts, workpapers, and related logs derived from Customer Content.
- Metadata and contextual information: file names, timestamps, control identifiers, entity names, user IDs, and relationships between uploaded materials.
C. Information collected automatically
- Device & technical data (IP address, device/browser type, OS, language, time zone).
- Online activity & usage data (pages/features used, access times, navigation paths, session duration, email engagement).
- Diagnostic and performance data: application logs, error reports, and API performance metrics.
D. Information from third parties
- Identity providers/SSO and your organization (for account provisioning).
- CRM enrichment, marketing partners, event co-sponsors (business contact details).
- Public sources/business directories (business contact info only).
3. Cookies & Similar Technologies
We may use cookies, pixels, and local storage to operate, secure, and improve the Services, measure engagement, and remember preferences.
4. How We Use Personal Data
- Provide, operate, maintain, secure, and improve the Services.
- Authenticate users (including SSO), administer accounts, and provide support.
- Send transactional and security communications; administer service notifications.
- Research & development, including performance, reliability, and UX improvements using aggregated/de-identified data.
- Marketing communications (you may opt out at any time).
- Compliance and protection: comply with laws, enforce terms, prevent fraud/abuse, protect rights and safety.
- AI transparency: We do not use Customer Content or personal data to train or improve AI models. This restriction applies to Oxus and all AI subprocessors, and is enforced through data processing agreements.
5. How We Share Personal Data
- Service providers/subprocessors: third parties that provide services on our behalf (hosting, storage, authentication, email, and payment processing). AI subprocessors are engaged under data processing agreements covering confidentiality, security, and data-use restrictions.
- Your organization (if access is provided by your employer).
- Authorities and others where required by law or to protect rights and safety.
- Other users within your tenant where collaboration features are enabled by your administrator.
We do not sell personal data or share it for cross-context behavioral advertising.
6. Data Residency
Customer data is stored exclusively in the United States. We do not transfer Customer Content across borders. For Oxus-hosted deployments, data resides in U.S.-based cloud infrastructure. For Private Cloud/VPC and Customer-Hosted/On-Premises deployments, data stays within your controlled environment. Each customer is provisioned a dedicated database and dedicated object storage bucket — there are no shared data stores between tenants.
7. Data Retention
We retain personal data for as long as necessary to fulfill the purposes described, comply with legal obligations, resolve disputes, and enforce agreements. Customer Content retention follows our customer agreements and admin settings.
8. Security
Technical safeguards
- AES-256 encryption at rest across all databases and object storage.
- TLS 1.2 or higher for all data in transit.
- Role-based access control with separate roles for admins, members, viewers, and auditees.
- SSO integration and MFA available for all accounts.
- Least-privilege access and internal access controls with logging and monitoring.
Vulnerability management
- Continuous dependency scanning and dynamic application security testing (DAST).
- Quarterly scans of public-facing systems.
- Annual third-party penetration test.
Compliance
- SOC 2 Type II certified. Report and supporting documentation available at trust.oxus-ai.com.
9. Your Choices
- Access/Update: Account admins can review and update profile data in the product.
- Marketing opt-out: Use unsubscribe links or contact founders@oxus-ai.com.
- Cookie controls: Use browser settings.
- Do Not Track: Our Services currently do not respond to DNT browser signals.
- Third-party linking: Manage what is shared via settings in your third-party accounts.
10. Your Privacy Rights (U.S. & Global)
Depending on your location, you may have rights to access, correct, delete, receive a copy of your data, limit certain processing, or opt out of targeted advertising. Submit requests at founders@oxus-ai.com. When acting as a processor, we will refer your request to the applicable customer (controller). We verify requests and may require reasonable information to confirm your identity or residency. We do not discriminate for exercising rights. GDPR-style rights include: access, rectification, erasure, restriction, objection (including to direct marketing), portability, and withdrawal of consent (where processing is based on consent).
11. Other Sites, Services & Integrations
Our Services may link to or integrate with third-party sites and applications (e.g., identity providers, document editors, or plug-ins). Their privacy practices are governed by their own policies.
12. Children
Our Services are not directed to children and are intended for professional/business use. We do not knowingly collect personal data from children.
13. Changes to this Policy
This policy is reviewed at least annually and updated as needed. Material changes will be communicated via the Service or email where appropriate, and the effective date will be updated.