Privacy Policy

How IdentiQube collects, uses, shares, and protects personal data in the Provenant hosted service.

IdentiQube · Effective 9 July 2026

1. Introduction

This Privacy Policy explains how IdentiQube LLC (QFC No. 04577) ("Provenant", "we", "us") processes personal data in connection with our websites and the Provenant hosted service (the "Service"). We are the controller of the personal data described here, except where we act as a processor on our customers' behalf (see Section 11).

We aim to collect only what we need to run a security and governance product, to keep it safe, and to be clear about it. If you have questions, contact [email protected].

2. A note for self-hosted deployments

If you run Provenant on your own infrastructure, your deployment's data stays on your systems. We do not receive it and are neither its controller nor its processor. This policy covers our hosted Service and our public websites.

3. Personal data we collect

CategoryExamplesSource
Account & identityName, work email, organization name, role, password (stored only as a scrypt hash)You, at registration
AuthenticationSecond-factor status and passkey public keys (we never receive biometrics or private keys), one-time recovery-code hashes, session and reset tokensYou / your device
Usage & configurationMandates, policies, budgets, connectors, agents, and the decisions and audit-ledger records they generate — these may include data you route through the ServiceYour use of the Service
Support & communicationsMessages you send us and their contentsYou
BillingPlan, subscription status, and billing metadata. Card details are handled by Stripe; we do not store card numbersStripe
Technical & log dataIP address, device/browser data, timestamps, request logs, and security telemetryAutomatically
CookiesA strictly-necessary session cookie (HttpOnly, SameSite)Automatically

We do not intentionally collect special-category personal data, and you should not submit it to the Service unless expressly agreed.

4. How and why we use personal data

We use personal data to: provide, operate, secure, and support the Service; authenticate you and protect accounts; process billing; monitor, prevent, and investigate abuse, fraud, and security incidents; comply with legal obligations; and communicate with you about the Service. Our legal bases under the GDPR/UK GDPR are:

  • Performance of a contract — to provide the Service you have signed up for.
  • Legitimate interests — to secure, maintain, and improve the Service (using operational and aggregated data, not the content of Customer Data), prevent abuse, and run our business, balanced against your rights.
  • Legal obligation — to meet accounting, tax, and other legal requirements.
  • Consent — where we ask for it (for example, optional communications); you can withdraw it at any time.

We do not use Customer Data to train machine-learning models, and we do not use one customer's data to train, tune, or improve models or features for another customer.

Your communication choices. While you hold an account we send service and transactional messages (for example, security, billing, and important product notices) that you cannot opt out of. We send marketing email only with your consent or where otherwise permitted, and every marketing message has an unsubscribe link. You may object to direct marketing at any time by using that link or by contacting [email protected].

5. Cookies

The Service uses a single strictly-necessary session cookie to keep you signed in. It is HttpOnly (not readable by scripts) and SameSite (to resist cross-site use). We do not use advertising or cross-site tracking cookies, and the product is not built to profile you across the web. Because the cookie is essential to the Service, it is not subject to consent under most cookie rules; our public marketing site, if it uses any analytics, will describe and, where required, seek consent for them separately.

Because the Service does not track you across third-party sites and does not sell or share personal information, we do not act on browser Do-Not-Track or Global Privacy Control signals differently — there is no cross-site tracking for them to switch off.

6. How we share personal data

We do not sell personal data. We share it only as needed to run the Service:

  • AffiliatesPEAK Consulting Services GmbH (Kaiserring 14-16, 68161 Mannheim, Germany), which administers payments as our billing agent and merchant of record and acts as our EU representative, under this policy.
  • Sub-processors — vetted vendors that process data on our behalf under contract (payments, transactional email, hosting/database, error and performance monitoring). The current list is available on request at [email protected] (see the DPA, Annex III).
  • Legal and safety — where required by law, or to protect the rights, safety, and security of Provenant, our customers, or the public.
  • Business transfers — in a merger, acquisition, financing, or sale of assets, subject to this policy; we will notify you of any change of controller.
  • With your direction — the third-party services and Connectors you configure receive the data you route to them; that processing is governed by those third parties.

7. International data transfers

We and our sub-processors may process personal data in countries other than yours. Where we transfer personal data across borders, we rely on appropriate safeguards — such as adequacy decisions or the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where relevant) — a copy of which is available on request at [email protected].

8. Data retention

We keep personal data only as long as needed for the purposes it was collected, then delete or anonymize it. The main retention periods, or the criteria we use to set them, are:

DataRetention
Account & profile dataFor the life of the account; deleted or anonymized within a reasonable period (typically 30 days) after the account is closed.
Audit-ledger & operational recordsPer your Plan's retention window, then pruned (we warn before pruning).
Billing & tax recordsThe statutory record-keeping period (up to 7 years).
Security & access logsUp to 12 months.
BackupsExpire on their normal cycle, within 90 days.
Support communicationsAs long as needed to handle your request and for our legitimate business records.

We may retain data longer where the law requires it or to establish, exercise, or defend legal claims.

9. How we protect personal data

We apply technical and organizational measures appropriate to the risk, including: encryption in transit (TLS); stored secrets and credentials (such as connector credentials, webhook and second-factor secrets, and SSO client secrets) encrypted at rest with AES-256-GCM under per-organization keys, with secrets never returned by the API; password hashing with scrypt; multi-factor authentication and passkeys; least-privilege, role-based access controls with per-query tenant scoping; network egress protections; a tamper-evident, hash-chained audit ledger; and logging and monitoring. Data at rest is held on managed hosting and database infrastructure that provides disk-level encryption. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Report concerns to [email protected].

10. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or receive a portable copy of your personal data; to restrict or object to certain processing; and to withdraw consent. Under the GDPR/UK GDPR you may also lodge a complaint with your supervisory authority. Under the CCPA/CPRA (California) you may know, delete, and correct your personal information and opt out of "sale" or "sharing" — we do not sell or share personal information as those terms are defined — and you will not be discriminated against for exercising your rights.

To exercise your rights, contact [email protected]. We may need to verify your identity, and we will respond within the time required by law. You may use an authorized agent where the law permits.

11. Data our customers control

Where personal data is submitted to the Service by a customer (for example, another organization's members or the data their Agents process), that customer is the controller and we act as their processor. If you are a data subject of such a customer, please direct your requests to that customer; we will assist them as described in our DPA.

12. Automated decisions

The Service makes automated allow / hold / deny decisions about Agent actions, according to the rules our customers configure. It is not designed to make decisions that produce legal or similarly significant effects about individuals, and it does not profile individuals. Approvals and high-risk actions are routed to human review under the customer's configuration.

13. Children

The Service is for organizations and business users and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact [email protected] and we will delete it.

14. Changes to this policy

We may update this policy from time to time. We will post the updated version with a new effective date and, for material changes, provide additional notice. Your continued use after the effective date constitutes acceptance of the updated policy.

15. Contact us

Privacy questions or requests: [email protected]. Data protection officer / privacy contact: [email protected]. IdentiQube LLC (QFC No. 04577), Qatar Financial Centre, Doha, State of Qatar. You may also contact your supervisory authority (the QFC Data Protection Office; EU/UK data subjects may also contact their local authority).

EU representative (Art. 27 GDPR). Our representative in the European Union is PEAK Consulting Services GmbH, Kaiserring 14-16, 68161 Mannheim, Germany (an IdentiQube affiliate). EU data subjects and supervisory authorities may address it, in addition to us, on all matters related to our processing of personal data.