Skip to main content

Legal

Privacy Policy

How Cavaridge™ handles personal data.

Effective date: 2026-05-04

Draft — operator/legal review pending. Operator + legal counsel must review and replace this draft before public launch. Specific GDPR/CCPA mechanics depend on operator-confirmed sub-processor list (PROD-09).

1. What we collect

  • Account information (name, email, organization).
  • Billing data (handled by Stripe — Cavaridge sees the last 4 of card, billing email, and invoice history).
  • Product usage events (Pulse) for service operation, support, and feature improvement.
  • Content you provide (prompts, files, project data) — yours, never used for cross-tenant model training.

2. What we do with it

Run the service, support your team, bill you, and improve the product. We do not sell personal data.

3. Sub-processors

Cavaridge uses sub-processors for hosting (Railway), database (Supabase), payments (Stripe), AI inference (OpenRouter and the underlying model providers — Anthropic, OpenAI, Google, etc.), and observability (Sentry, Langfuse). The full sub-processor list is published at /legal/security.

4. Your rights

Under GDPR / CCPA / similar, you can request access to, correction of, or deletion of your personal data. Email legal@cavaridge.com or use the in-app account-deletion flow (90-day grace, then purge).

5. Healthcare data

PHI on Cavaridge requires a signed BAA. The Healthcare suite is gated on BAA acceptance at signup; PHI never reaches Stripe metadata or analytics surfaces.

6. Cookies + tracking

Cavaridge uses first-party cookies for authentication and preferences, plus minimal anonymized analytics. We honor the Global Privacy Control (GPC) header. Manage preferences at /legal/preferences (link active in v1.1).

7. Contact

Privacy questions: legal@cavaridge.com.

Questions? Email legal@cavaridge.com.

See also: Terms · Privacy · AI Addendum · BAA Request · Security.