Privacy Policy

Phrona, Inc. ("Phrona," "we," "us," "our") operates the phrona.io website (the "Site") and the Phrona platform (the "Service"). This Privacy Policy explains what personal information we collect, how we use and share it, how long we keep it, and the rights you have.

Phrona is designed for companies handling sensitive strategic information. Our approach to personal data reflects the trust our customers place in us.

Our privacy commitments:

• We collect the minimum personal information needed to deliver the Service.
• We do not sell personal information.
• We do not train AI models on Customer Content.
• Each customer's strategic graph is single-tenant — we do not pool customer data across tenants.

Phrona, Inc.

6209 Hewetson Dr, Austin, TX 78738

Email: hello@phrona.io

Website: https://phrona.io

Phrona is the controller of your personal information for purposes of GDPR and applicable US state privacy laws.

3.1 Information You Provide

• Account information: name, work email, company name, role, authentication credentials
• Billing information: billing contact, billing address, and payment details (payment-card data is processed by our payment processor and we do not store full card numbers)
• Communications: content of inquiries, support requests, and survey responses you submit
• Content you submit to the Service: documents you upload, data you enter, and any content you or an Authorized User creates in the Service (collectively, "Customer Content")

3.2 Information We Collect Automatically

• Log data: IP address, device and browser type, operating system, referring URL, pages viewed, and timestamps
• Cookies and similar technologies: session cookies, authentication tokens, and limited analytics (see §8)
• Performance data: application error reports, feature-usage metrics, and latency measurements used to improve the Service

3.3 Information From Third Parties

• Enrichment sources: when you use the Service, we gather information from public or third-party sources about the companies, markets, and people in your strategic ecosystem. This data is stored in your Client Graph. Public-source data may include names, titles, and professional information of individuals that is lawfully available through news, press releases, regulatory filings, and similar sources.
• Referral or partner information: if you reach us through a referral or partner, we may receive the referrer's name or partner identifier.

3.4 Information We Do Not Collect

• We do not collect special categories of personal data (GDPR Art. 9: health, biometric, genetic, racial, political, religious, or sexual-orientation data) in the ordinary course of the Service
• We do not use the Service to collect information about children under 16
• We do not sell personal information (for purposes of CCPA/CPRA and applicable state laws)

We use personal information for the following purposes:

4.1 Service Delivery

• Providing, operating, maintaining, and securing the Service
• Authenticating you and managing your account
• Processing payments and billing

4.2 Communications

• Responding to inquiries and support requests
• Sending transactional messages (account notifications, service updates, billing notices)
• Sending marketing communications where you have opted in (see §10)

4.3 Product Improvement

• Diagnosing technical issues and improving reliability
• Analyzing aggregated and de-identified usage to improve the Service
• Conducting internal research and product development

4.4 Legal and Compliance

• Complying with legal obligations
• Enforcing our agreements
• Protecting the rights, property, or safety of Phrona, our customers, or others
• Responding to lawful requests from public authorities

4.5 Customer Content

We process Customer Content only to provide and improve the Service for the customer who submitted it, in accordance with the contract executed with that customer. We do not train our AI models on Customer Content except where we have the customer's prior written agreement. We do not share Customer Content with other customers except as described in §5.2 (Central Intelligence Layer — public-source data only).

We do not sell personal information. We share personal information in the following circumstances:

5.1 Sub-processors

We use third-party sub-processors to operate the Service. Sub-processors may process personal data only to the extent necessary to provide their service to us and under written obligations consistent with this Privacy Policy.

5.2 Central Intelligence Layer (Future)

When we activate our central intelligence layer, only public-source data (news, regulatory filings, press releases, and similar) will be aggregated across customers. Customer Content — documents you upload, proprietary data, or confidential information — never enters this layer.

5.3 Business Transfers

If Phrona is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your personal information may be transferred as part of that transaction, subject to the receiving party's agreement to maintain privacy protections substantially equivalent to those in this Privacy Policy.

5.4 Legal Reasons

We may disclose personal information if required by law, court order, or government request, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Phrona, our customers, or others. Where legally permitted, we will notify the affected user.

5.5 With Your Consent

We may share personal information with your consent or at your direction.

• Account information: for as long as you maintain an account, plus a reasonable period to comply with legal and business obligations (typically up to seven (7) years for tax and contract records)
• Customer Content: in accordance with the customer's contract and deletion instructions
• Log and usage data: up to twenty-four (24) months, except where longer retention is required for security or legal reasons
• Marketing records: until you unsubscribe or request deletion, plus a reasonable period for suppression records to honor your unsubscribe

Depending on where you are located, you may have the following rights. To exercise any right, email hello@phrona.io. We will respond within the timeframe required by applicable law (typically 30 days under GDPR; 45 days under CCPA/CPRA, with one 45-day extension permitted).

7.1 All Users

• Access: request a copy of the personal information we hold about you
• Correction: request that we correct inaccurate information
• Deletion: request that we delete your personal information, subject to our legal retention obligations
• Portability: request a machine-readable export of your personal information
• Objection: object to processing based on our legitimate interests
• Withdrawal of consent: where processing is based on consent, you may withdraw that consent at any time

7.2 EU/UK/Swiss Users (GDPR / UK GDPR)

• Right to lodge a complaint with a supervisory authority (in the EEA, your local Data Protection Authority; in the UK, the Information Commissioner's Office)
• Rights regarding automated decision-making (Art. 22): our Service includes AI-generated analyses and profiling of companies and, when submitted, individuals. We do not use automated decision-making with legal or similarly significant effects about individual consumers of Phrona's services. Where our Service generates profiles of individuals in a customer's strategic ecosystem, the customer is the Controller of that processing.

7.3 California Users (CCPA/CPRA)

• Right to know what personal information is collected, used, and shared
• Right to delete personal information
• Right to correct inaccurate personal information
• Right to opt out of sale or sharing of personal information (we do not sell or share personal information as defined by CCPA/CPRA)
• Right to limit use of sensitive personal information (we do not use sensitive personal information beyond the purposes permitted without opt-in)
• Right to non-discrimination for exercising any of these rights

Authorized agents may submit requests on your behalf; we will verify the request and the agent's authority.

7.4 Verification

To protect your privacy, we will take reasonable steps to verify your identity before responding to a rights request. For customer-account requests, verification is typically done through the account authentication.

The Site and Service use a limited set of cookies:

• Strictly necessary: authentication and session cookies required for the Service to function
• Functional: preferences such as language or display settings
• Analytics: limited, aggregated analytics to understand Site usage (we do not use cross-site tracking for advertising)

You can control cookies through your browser settings. Blocking strictly necessary cookies may affect your ability to use the Service.

Phrona is based in the United States, and personal data processed through the Service is primarily stored and processed in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States or in other countries where our sub-processors operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the EU Standard Contractual Clauses (2021/914), the UK IDTA or UK Addendum, and supplementary technical and organizational measures. Where we participate in the EU-U.S. Data Privacy Framework and its UK and Swiss extensions, we will update this Privacy Policy accordingly.

• We send marketing emails only to people who have opted in or who are existing customers (where permitted by applicable law, including CAN-SPAM in the U.S. and GDPR-compliant bases in the EU)
• Every marketing email includes a one-click unsubscribe link
• You may opt out of all marketing communications by emailing hello@phrona.io
• Transactional and service-related messages (e.g., account security notifications) continue even if you opt out of marketing

We implement appropriate technical and organizational measures to protect personal information, including encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent), access controls, tenant isolation, and audit logging. No system is perfectly secure; we will notify affected users and regulators of a data breach as required by law.

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact hello@phrona.io and we will promptly delete it.

We may update this Privacy Policy periodically to reflect changes to the Service, our practices, or legal requirements. The effective date at the top of this policy indicates when it was last changed. If we make material changes, we will provide notice by email (to active customers) or by prominently posting a notice on the Site, at least thirty (30) days before the changes take effect, unless a shorter period is required by law.

For privacy inquiries, rights requests, or to report a data security concern, contact us at:

Phrona, Inc.

6209 Hewetson Dr, Austin, TX 78738

Email: hello@phrona.io

Website: https://phrona.io