Privacy Policy

1. Introduction

Softmax Data Inc. ("Company," "we," "us," or "our") operates the Engram platform — a persistent memory infrastructure service for AI agents — accessible at app.engram.so and via the Engram API (collectively, the "Service").

This Privacy Policy explains what personal information we collect, how we use and protect it, with whom we share it, and what rights you have regarding your data. This policy applies to all users of the Service worldwide and is designed to comply with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union General Data Protection Regulation (GDPR), and the California Consumer Privacy Act as amended by the CPRA (collectively, "CCPA").

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller

The data controller responsible for your personal information is:

For GDPR-specific inquiries, you may contact us at the address above. We do not currently appoint a Data Protection Officer (DPO), but you may direct privacy requests to success@softmaxdata.com.

3. Information We Collect

We collect the minimum information necessary to provide, secure, and improve the Service. The categories below describe what we collect and why.

3.1 Account Information

When you register, we collect your email address and, optionally, your name. If you sign up or sign in via Google, we receive your email address and display name from Google's OAuth service. We also store a hashed version of your password (if you use email/password authentication) and your multi-factor authentication (MFA) configuration, including an encrypted TOTP secret and hashed recovery codes.

3.2 Third-Party API Keys (BYOK)

You provide API keys for third-party LLM and embedding providers (e.g., OpenAI, Anthropic) to enable core functionality. These keys are encrypted at rest using AES-256-GCM with a per-deployment encryption key. Keys are decrypted only at the moment an operation you initiate requires them and are never logged, cached in plaintext, or transmitted to any party other than the intended provider.

3.3 Memory Data

The Service stores structured memory data that you create, including contexts (named memory spaces), bullets (atomic facts), schemas (structured knowledge representations), embeddings (vector representations for semantic search), conversation inputs submitted via the commit endpoint, and related metadata such as salience scores and timestamps. This data is owned by you and processed solely to provide the Service.

3.4 Engram API Keys

When you create Engram API keys to authenticate your AI agents, we store the key name, a hashed version of the key, a key prefix for identification, and usage metadata (creation time, last used timestamp). The full key is shown to you only once at creation.

3.5 Usage & Log Data

We automatically collect technical information when you interact with the Service, including:

• IP address and approximate geolocation (country/region level)
• Browser type, operating system, and device information
• Pages visited, features used, and timestamps of interactions
• API request metadata (endpoints called, response codes, latency) — we do not log request or response bodies
• Error reports and crash diagnostics

3.6 Information We Do Not Collect

We do not collect payment or financial information (the Service is currently free). We do not use third-party analytics, advertising, or tracking services. We do not collect biometric data, health data, or sensitive personal information as defined under CCPA.

4. How We Use Your Information

We process your personal information for the following purposes:

We do not use your personal information or Your Data for advertising, profiling, automated decision-making, or training machine learning models.

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

5.1 Third-Party LLM Providers

When you invoke operations that require LLM inference or embedding generation (commit, materialize, search), your memory data is transmitted to the third-party provider (e.g., OpenAI) using your own API key. Once your data reaches the provider, it is subject to that provider's privacy policy and terms. We recommend reviewing your provider's data handling practices. We do not control and are not responsible for how third-party providers process your data.

5.2 Infrastructure Providers

We use trusted infrastructure providers to host and operate the Service, including Amazon Web Services (AWS) for compute, storage, and database services. These providers process data on our behalf under data processing agreements that require them to protect your data and limit their use of it to providing services to us. Our primary infrastructure is hosted in the AWS US and Canada regions.

5.3 Legal Requirements

We may disclose your information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, or legal process; (b) protect the safety, rights, or property of Softmax Data, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) respond to a valid government request.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.

6. International Data Transfers

Softmax Data is based in Canada. Your information may be stored and processed in Canada and the United States, where our infrastructure providers operate. Canada has been recognized by the European Commission as providing an adequate level of data protection.

For transfers of personal data from the European Economic Area (EEA) or the United Kingdom to jurisdictions that have not received an adequacy determination, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or the recipient's participation in recognized data transfer frameworks.

7. Data Security

We implement technical and organizational measures designed to protect your information, including:

• Encryption in transit: All connections to the Service are encrypted using TLS 1.2 or higher
• Encryption at rest: Data stored in our databases is encrypted at the storage layer; sensitive fields (API keys, TOTP secrets) receive additional application-level AES-256-GCM encryption
• Authentication: JWT-based authentication with mandatory TOTP multi-factor authentication for all accounts
• Password hashing: Passwords are hashed using industry-standard algorithms and are never stored in plaintext
• Access controls: Access to production systems is restricted to authorized personnel on a need-to-know basis
• Monitoring: We monitor our systems for security incidents and unauthorized access attempts

No system is perfectly secure. While we take commercially reasonable measures to protect your information, we cannot guarantee absolute security. If we become aware of a security breach that affects your personal information, we will notify you and relevant authorities as required by applicable law (see Section 10).

8. Data Retention

We retain your information according to the following schedule:

When you delete your account, we initiate deletion of Your Data within 30 days. Some information may persist in encrypted backups for up to an additional 30 days before those backups are rotated. Data required to be retained by law (e.g., for tax or legal compliance purposes) may be kept for the legally required period.

9. Cookies & Local Storage

The Service uses only strictly necessary cookies and browser local storage. We do not use any third-party tracking, analytics, or advertising cookies.

Because we use only strictly necessary cookies, consent is not required under GDPR Article 5(3) of the ePrivacy Directive. No cookie banner is displayed.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify affected users by email without undue delay and, where feasible, within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
• Report the breach to relevant supervisory authorities as required by applicable law, including the Office of the Privacy Commissioner of Canada (PIPEDA) and applicable provincial authorities
• Provide a description of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach

11. Your Privacy Rights

Depending on your jurisdiction, you have specific rights regarding your personal information. We honor these rights for all users, regardless of location, to the extent technically feasible.

11.1 Rights Under PIPEDA (Canada)

Under PIPEDA, you have the right to:

• Access your personal information held by us and receive a copy
• Request correction of inaccurate or incomplete information
• Withdraw consent to the collection, use, or disclosure of your information (subject to legal or contractual restrictions)
• Challenge our compliance with PIPEDA by filing a complaint with the Office of the Privacy Commissioner of Canada

11.2 Rights Under GDPR (EEA/UK)

If you are located in the European Economic Area or United Kingdom, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your personal data ("right to be forgotten")
• Restriction — request that we limit processing of your data
• Data portability — receive your data in a structured, machine-readable format
• Object — object to processing based on legitimate interest
• Withdraw consent — withdraw consent at any time where processing is based on consent
• Complaint — lodge a complaint with your local data protection authority

11.3 Rights Under CCPA/CPRA (California)

If you are a California resident, you have the right to:

• Know — request disclosure of the categories and specific pieces of personal information we have collected about you
• Delete — request deletion of your personal information
• Correct — request correction of inaccurate personal information
• Opt-out of sale/sharing — we do not sell or share your personal information as defined under CCPA, so this right is automatically satisfied
• Non-discrimination — we will not discriminate against you for exercising your CCPA rights

In the past 12 months, we have not sold any personal information and have not shared personal information for cross-context behavioral advertising purposes.

11.4 Exercising Your Rights

To exercise any of your privacy rights, contact us at success@softmaxdata.com with the subject line "Privacy Rights Request." We will verify your identity and respond within the timeframes required by applicable law (generally 30 days under GDPR and 45 days under CCPA). If you are an authorized agent submitting a request on behalf of a California consumer, please include proof of authorization.

12. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at success@softmaxdata.com.

13. Do Not Track Signals

The Service does not track users across third-party websites and does not respond to Do Not Track (DNT) browser signals because no tracking occurs. We do not use third-party analytics or advertising services that would be affected by DNT signals.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

• Update the "Effective date" at the top of this page
• Send an email notification to the address associated with your account
• Post a prominent notice on the dashboard at least 15 days before the changes take effect

Your continued use of the Service after the effective date of any revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this policy periodically.

15. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

For complaints that we are unable to resolve, Canadian residents may contact the Office of the Privacy Commissioner of Canada. EU/EEA residents may contact their local supervisory authority. California residents may contact the California Privacy Protection Agency.