Skip to main content

Privacy Policy

Last Updated: January 1, 2026

Oriphim Labs LLC ("Oriphim", "we", "our") provides AI validation infrastructure to financial institutions and enterprise clients. This Privacy Policy explains how we collect, use, and safeguard data when you access our validation services.

Data Minimization Principle

Oriphim is designed to validate actions without accessing sensitive business logic. We operate on validation metadata only—not proprietary strategies, customer PII, or execution credentials.

Information We Collect

1. Account & Access Data

  • Contact Information: Name, email, company affiliation, role
  • Authentication Credentials: API keys, OAuth tokens (hashed, never stored in plaintext)
  • Billing Information: Processed securely via third-party payment processor (Stripe). Oriphim does not store full credit card numbers.

2. Validation Request Metadata

  • Action Parameters: Proposed trade attributes (symbol, quantity, direction, price constraints)
  • System State: Account balances, position snapshots, constraint configurations
  • Validation Outcomes: PASS/BLOCK decisions, triggered rules, confidence scores
  • Timestamps: Request/response latency, execution timestamps

We do NOT collect:

  • Proprietary trading algorithms or alpha signals
  • Customer PII (end-user identities, account holder names)
  • Execution venue credentials or API keys
  • Post-execution trade outcomes or P&L data

3. Technical & Diagnostic Data

  • Infrastructure Logs: IP addresses, request headers, API version usage
  • Performance Metrics: Latency distributions, error rates, throughput
  • Integration Diagnostics: SDK versions, deployment configurations

4. Communications

  • Support Interactions: Email correspondence, technical support tickets
  • Contractual Documents: MSA terms, compliance questionnaires (stored securely)

How We Use Your Data

Primary Purposes

  1. Service Delivery: Process validation requests, deliver PASS/BLOCK decisions
  2. Audit Trail Generation: Maintain cryptographic logs for regulatory reporting
  3. System Operations: Monitor uptime, detect anomalies, prevent abuse
  4. Billing: Calculate usage-based fees, process invoices
  5. Security: Detect credential compromise, prevent unauthorized access
  6. Support: Troubleshoot integration issues, resolve validation discrepancies

Secondary Purposes

  • Service Improvement: Aggregate anonymized metrics to enhance validation accuracy
  • Compliance: Respond to legal requests, regulatory inquiries
  • Research: Develop improved constraint detection algorithms (using anonymized data only)

Data Sharing & Third Parties

We do not sell, rent, or trade client data.

Authorized Third-Party Providers

  • Cloud Infrastructure: AWS/GCP for secure hosting (SOC 2 Type II certified)
  • Database Services: Encrypted storage with Supabase (PostgreSQL) or equivalent
  • Payment Processing: Stripe (PCI-DSS compliant)
  • Monitoring: Datadog for performance metrics (anonymized telemetry only)

Legal Disclosures

We may disclose data when legally required: court orders, subpoenas, regulatory requests, prevention of fraud or security threats, or protection of Oriphim’s legal rights. We provide advance notice to clients before disclosure unless legally prohibited.

Data Security Measures

Encryption

  • In Transit: TLS 1.3 for all API communications
  • At Rest: AES-256 encryption for databases and audit logs
  • API Keys: Hashed with bcrypt, rotated every 90 days (enforced)

Access Controls

  • Role-Based Access Control (RBAC): Principle of least privilege
  • Multi-Factor Authentication (MFA): Required for all Oriphim employee accounts
  • Audit Logging: All administrative actions logged and reviewed quarterly

Infrastructure Security

  • Network Isolation: Validation engines run in isolated VPCs
  • Penetration Testing: Annual third-party security audits
  • Vulnerability Management: CVE monitoring with 48-hour patch SLA for critical issues
  • Incident Response Plan: 15-minute escalation for suspected breaches

Compliance Readiness

  • SOC 2 Type II: Certification in progress (Q2 2026)
  • ISO 27001: Information security management framework
  • GDPR/CCPA: Full compliance with data subject rights

Client Confidentiality

What We Keep Confidential

  • Client identity and relationship (no public customer lists without consent)
  • Validation rule configurations and constraint definitions
  • Usage patterns and validation statistics
  • Integration architecture and deployment details

We may publish anonymized, aggregate statistics without identifying individual clients.

Cookies & Website Tracking

Minimal Tracking

Our public website uses privacy-safe analytics (Plausible or Simple Analytics) that do not use cookies or persistent identifiers, do not track users across sites, and do not sell data to advertisers.

Essential Cookies Only

Authentication sessions use secure, HTTP-only cookies that expire after 24 hours.

Data Retention & Deletion

Active Accounts

  • Validation Logs: Retained for 12 months (configurable per client compliance requirements)
  • Audit Trails: 7 years (regulatory standard for financial records)
  • Performance Metrics: 90 days rolling window

Terminated Accounts

  • Grace Period: 90 days post-termination for compliance export
  • Permanent Deletion: All client data purged within 120 days unless legally required to retain
  • Billing Records: 7 years (IRS/tax compliance)

Clients may request early deletion via [email protected]. We comply within 30 days unless retention is legally mandated.

Your Privacy Rights

GDPR (EU Residents)

  • Right to Access: Obtain copy of your personal data
  • Right to Rectification: Correct inaccurate information
  • Right to Erasure: “Right to be forgotten” (subject to legal exceptions)
  • Right to Portability: Receive data in machine-readable format
  • Right to Restriction: Limit processing under certain conditions
  • Right to Object: Opt out of certain processing activities

CCPA (California Residents)

  • Right to Know: What personal information is collected
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: No sale of personal information (we never sell data)
  • Non-Discrimination: Equal service regardless of privacy choices

Email [email protected] with subject line “Privacy Rights Request” and include your name, company affiliation, account email, and specific request. We respond within 30 days and verify identity before fulfilling requests.

International Data Transfers

Data Residency

  • US Clients: Data stored in US-based data centers (AWS us-east-1)
  • EU Clients: Data stored in EU regions (AWS eu-west-1) where available
  • Cross-Border Transfers: Protected by Standard Contractual Clauses (SCCs) per GDPR Article 46

Clients may request data residency specifications in their Master Service Agreement.

Children’s Privacy

Oriphim services are intended for business and institutional use only. We do not knowingly collect data from individuals under 18 years of age.

Changes to This Policy

Notification Process

  • Material Changes: 30 days’ advance notice via email to primary account contact
  • Minor Updates: Published on website with updated “Last Modified” date
  • Continued Use: Constitutes acceptance unless client terminates service

Clients may request previous policy versions by emailing [email protected].

Contact & Data Protection Officer

Privacy Inquiries: [email protected]

Security Incidents: [email protected] (PGP key available on request)

General Support: [email protected]

Data Protection Officer (DPO): [email protected]

Oriphim Labs LLC

Registered in Delaware, USA

EIN: [To be assigned]

Regulatory Compliance Summary

RegulationStatus
GDPR (EU)✅ Full Compliance
CCPA (California)✅ Full Compliance
SOC 2 Type II🔄 In Progress (Q2 2026)
ISO 27001🔄 Roadmap (Q3 2026)
PCI-DSS✅ Compliant (via Stripe)

Last Updated: January 1, 2026

Version: 2.0 (Infrastructure Positioning)

© 2026 Oriphim Labs LLC. All rights reserved.