Privacy Policy
How IdentiQube collects, uses, shares, and protects personal data in the Provenant hosted service.
IdentiQube · Effective 9 July 2026
1. Introduction
This Privacy Policy explains how IdentiQube LLC (QFC No. 04577) ("Provenant", "we", "us") processes personal data in connection with our websites and the Provenant hosted service (the "Service"). We are the controller of the personal data described here, except where we act as a processor on our customers' behalf (see Section 11).
We aim to collect only what we need to run a security and governance product, to keep it safe, and to be clear about it. If you have questions, contact [email protected].
2. A note for self-hosted deployments
3. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, work email, organization name, role, password (stored only as a scrypt hash) | You, at registration |
| Authentication | Second-factor status and passkey public keys (we never receive biometrics or private keys), one-time recovery-code hashes, session and reset tokens | You / your device |
| Usage & configuration | Mandates, policies, budgets, connectors, agents, and the decisions and audit-ledger records they generate — these may include data you route through the Service | Your use of the Service |
| Support & communications | Messages you send us and their contents | You |
| Billing | Plan, subscription status, and billing metadata. Card details are handled by Stripe; we do not store card numbers | Stripe |
| Technical & log data | IP address, device/browser data, timestamps, request logs, and security telemetry | Automatically |
| Cookies | A strictly-necessary session cookie (HttpOnly, SameSite) | Automatically |
We do not intentionally collect special-category personal data, and you should not submit it to the Service unless expressly agreed.
4. How and why we use personal data
We use personal data to: provide, operate, secure, and support the Service; authenticate you and protect accounts; process billing; monitor, prevent, and investigate abuse, fraud, and security incidents; comply with legal obligations; and communicate with you about the Service. Our legal bases under the GDPR/UK GDPR are:
- Performance of a contract — to provide the Service you have signed up for.
- Legitimate interests — to secure, maintain, and improve the Service (using operational and aggregated data, not the content of Customer Data), prevent abuse, and run our business, balanced against your rights.
- Legal obligation — to meet accounting, tax, and other legal requirements.
- Consent — where we ask for it (for example, optional communications); you can withdraw it at any time.
We do not use Customer Data to train machine-learning models, and we do not use one customer's data to train, tune, or improve models or features for another customer.
Your communication choices. While you hold an account we send service and transactional messages (for example, security, billing, and important product notices) that you cannot opt out of. We send marketing email only with your consent or where otherwise permitted, and every marketing message has an unsubscribe link. You may object to direct marketing at any time by using that link or by contacting [email protected].
7. International data transfers
We and our sub-processors may process personal data in countries other than yours. Where we transfer personal data across borders, we rely on appropriate safeguards — such as adequacy decisions or the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where relevant) — a copy of which is available on request at [email protected].
8. Data retention
We keep personal data only as long as needed for the purposes it was collected, then delete or anonymize it. The main retention periods, or the criteria we use to set them, are:
| Data | Retention |
|---|---|
| Account & profile data | For the life of the account; deleted or anonymized within a reasonable period (typically 30 days) after the account is closed. |
| Audit-ledger & operational records | Per your Plan's retention window, then pruned (we warn before pruning). |
| Billing & tax records | The statutory record-keeping period (up to 7 years). |
| Security & access logs | Up to 12 months. |
| Backups | Expire on their normal cycle, within 90 days. |
| Support communications | As long as needed to handle your request and for our legitimate business records. |
We may retain data longer where the law requires it or to establish, exercise, or defend legal claims.
9. How we protect personal data
We apply technical and organizational measures appropriate to the risk, including: encryption in transit (TLS); stored secrets and credentials (such as connector credentials, webhook and second-factor secrets, and SSO client secrets) encrypted at rest with AES-256-GCM under per-organization keys, with secrets never returned by the API; password hashing with scrypt; multi-factor authentication and passkeys; least-privilege, role-based access controls with per-query tenant scoping; network egress protections; a tamper-evident, hash-chained audit ledger; and logging and monitoring. Data at rest is held on managed hosting and database infrastructure that provides disk-level encryption. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Report concerns to [email protected].
10. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, or receive a portable copy of your personal data; to restrict or object to certain processing; and to withdraw consent. Under the GDPR/UK GDPR you may also lodge a complaint with your supervisory authority. Under the CCPA/CPRA (California) you may know, delete, and correct your personal information and opt out of "sale" or "sharing" — we do not sell or share personal information as those terms are defined — and you will not be discriminated against for exercising your rights.
To exercise your rights, contact [email protected]. We may need to verify your identity, and we will respond within the time required by law. You may use an authorized agent where the law permits.
11. Data our customers control
Where personal data is submitted to the Service by a customer (for example, another organization's members or the data their Agents process), that customer is the controller and we act as their processor. If you are a data subject of such a customer, please direct your requests to that customer; we will assist them as described in our DPA.
12. Automated decisions
The Service makes automated allow / hold / deny decisions about Agent actions, according to the rules our customers configure. It is not designed to make decisions that produce legal or similarly significant effects about individuals, and it does not profile individuals. Approvals and high-risk actions are routed to human review under the customer's configuration.
13. Children
The Service is for organizations and business users and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact [email protected] and we will delete it.
14. Changes to this policy
We may update this policy from time to time. We will post the updated version with a new effective date and, for material changes, provide additional notice. Your continued use after the effective date constitutes acceptance of the updated policy.
15. Contact us
Privacy questions or requests: [email protected]. Data protection officer / privacy contact: [email protected]. IdentiQube LLC (QFC No. 04577), Qatar Financial Centre, Doha, State of Qatar. You may also contact your supervisory authority (the QFC Data Protection Office; EU/UK data subjects may also contact their local authority).
EU representative (Art. 27 GDPR). Our representative in the European Union is PEAK Consulting Services GmbH, Kaiserring 14-16, 68161 Mannheim, Germany (an IdentiQube affiliate). EU data subjects and supervisory authorities may address it, in addition to us, on all matters related to our processing of personal data.