Oxus AI Privacy Policy
Effective Date: November 2, 2025
This Privacy Policy explains how Oxus, Inc. ("Company", "we", "us") collects, uses, shares, and protects personal data when you visit our website or use our AI‑native platform for internal auditors (the "Services").
1) Scope & Roles
We act as a data controller for personal data relating to website visitors, prospects, and account administrators. We act as a data processor for Customer Content that we process on behalf of enterprise customers within the Services (e.g., uploaded evidence, transcripts, workpapers, and resulting outputs).
2) Personal Data We Collect
A) Information you provide to us (Controller):
- Contact & account data (name, email, employer, role, authentication identifiers).
- Profile & admin settings (preferences, organization settings).
- Commercial & support data (subscriptions, tickets, correspondence).
- Marketing preferences and communication choices.
- Survey responses, testimonials or reviews (with consent).
B) Information we process on behalf of customers (Processor):
- Customer Content: documents, evidence files, control matrices, meeting transcripts, and other audit artifacts that you or your organization upload to the platform.
- Outputs: AI‑generated analyses, flowcharts, workpapers, and related logs derived from Customer Content.
- Metadata and contextual information: file names, timestamps, control identifiers, entity names, user IDs, and relationships between uploaded materials.
C) Information collected automatically:
- Device & technical data (IP address, device/browser type, OS, language, time zone).
- Online activity & usage data (pages/features used, access times, navigation paths, session duration, email engagement).
- Diagnostic and performance data: application logs, error reports, and API performance metrics.
D) Information from third parties:
- Identity providers/SSO and your organization (for account provisioning).
- CRM enrichment, marketing partners, event co‑sponsors (business contact details).
- Public sources/business directories (business contact info only).
E) Aggregated/De‑identified data:
We may create aggregated or de-identified data for analytics and improvement. We do not attempt to re‑identify such data.
3) Cookies & Similar Technologies
We may use cookies, pixels, and local storage to operate, secure, and improve the Services, measure engagement, and remember preferences.
4) How We Use Personal Data
- Provide, operate, maintain, secure, and improve the Services.
- Authenticate users (including SSO), administer accounts, and provide support.
- Send transactional and security communications; administer service notifications.
- Research & development, including performance, reliability, and UX improvements using aggregated/de‑identified data.
- Marketing communications (you may opt out at any time).
- Compliance and protection: comply with laws, enforce terms, prevent fraud/abuse, protect rights and safety.
- AI transparency: We do not use Customer Content or personal data to train general‑purpose foundation models.
5) How We Share Personal Data
- Service providers/subprocessors (third parties that provide services on our behalf such as hosting, storage, authentication, email, and payment processing).
- Your organization (if access is provided by your employer).
- Authorities and others where required by law or to protect rights and safety.
- Other users within your tenant where collaboration features are enabled by your administrator.
We do not sell personal data or share it for cross‑context behavioral advertising.
6) International Data Transfers
We are headquartered in the United States, where personal data is stored and processed. We also engage trusted third-party service providers that may operate in the United States and other countries. As a result, your personal information may be transferred to, or accessed from, jurisdictions whose privacy laws may not provide the same level of protection as those in your state, province, or country.
7) Data Retention
We retain personal data for as long as necessary to fulfill the purposes described, comply with legal obligations, resolve disputes, and enforce agreements. Customer Content retention follows our customer agreements and admin settings.
8) Security
We implement administrative, technical, and physical safeguards (encryption in transit/at rest, access controls, logging/monitoring, least‑privilege, and security reviews). We are pursuing SOC 2 Type II (and/or ISO 27001). For more information, see our Trust Center at: trust.oxus-ai.com.
9) Your Choices
- Access/Update: Account admins can review and update profile data in the product.
- Marketing opt‑out: Use unsubscribe links or contact founders@oxus-ai.com.
- Cookie controls: Use browser settings.
- Do Not Track: Our Services currently do not respond to DNT browser signals.
- Third‑party linking: Manage what is shared via settings in your third‑party accounts.
10) Your Privacy Rights (U.S. & Global)
Depending on your location, you may have rights to access, correct, delete, or receive a copy of your data, to limit certain processing, or to opt out of targeted advertising. Submit requests at founders@oxus-ai.com. When acting as a processor, we will refer your request to the applicable customer (controller). We verify requests and may require reasonable information to confirm your identity or residency. We do not discriminate against you for exercising these rights.
GDPR‑style rights include: access, rectification, erasure, restriction, objection (including to direct marketing), portability, and withdrawal of consent (where processing is based on consent).
11) Other Sites, Services & Integrations
Our Services may link to or integrate with third‑party sites and applications (e.g., identity providers, document editors, or plug‑ins). Their privacy practices are governed by their own policies.
12) Children
Our Services are not directed to children and are intended for professional/business use. We do not knowingly collect personal data from children.
13) Changes to this Policy
This policy is reviewed at least annually and updated as needed. Material changes will be communicated via the Service or email where appropriate, and the "Effective Date" will be updated.
14) Contact Us