Privacy Policy
Privacy Policy: Effective Date: September 16, 2025
Entity: PhronEdge (“PhronEdge,” “we,” “us,” or “our”)
Contact: privacy@phronedge.com | legal@phronedge.com | support@phronedge.com
1. Scope and Relationship to Other Terms
This Privacy Policy explains how PhronEdge collects, uses, shares, and protects personal data in connection with our products, services, websites, and integrations (the “Service”).
Your use of the Service is also governed by the Terms of Service, Acceptable Use Policy, Data Processing Addendum (DPA), Subprocessors list, and Cookie Policy. See our Data Processing Addendum for processor obligations.
For organizational data provided to the Service, PhronEdge acts as a processor under the DPA. For billing, website, abuse prevention, and our own operations, PhronEdge acts as a controller.
2. Categories of Personal Data We Collect
PhronEdge does not intentionally collect or process special categories of personal data (such as health information, biometric identifiers, or precise geolocation data) unless expressly agreed in writing under a Data Processing Addendum.
We may collect the following categories of personal data:
Profile and Contact Data: name, work email, organization, role.
Device and Log Data: IP address, device/OS/browser type, user agent, referrer, timestamps, diagnostic logs.
Authentication Data: OAuth/SSO tokens and identity provider metadata. No local passwords are stored.
Integration Data: messages, tickets, repositories, issues, pull requests, calendars, and metadata from integrations authorized by your organization.
Communications: support requests, feedback, attachments.
Billing Data: handled by Stripe, which acts as an independent controller.
Other Data Voluntarily Provided: information you choose to provide through forms or correspondence.
3. Sources of Personal Data
Directly from users or administrators.
From identity providers through OAuth/SSO.
Automatically through device logs and telemetry.
From integrations your organization enables.
From service providers engaged to deliver the Service.
4. Legal Bases for Processing
Where data protection laws apply, we process personal data on the following legal bases:
Contractual necessity (to provide the Service).
Legitimate interests (security, reliability, fraud prevention, service improvement).
Consent, where expressly obtained.
Legal obligation, including regulatory compliance.
5. How We Use Personal Data
To operate and deliver the Service.
To authenticate and authorize users.
To secure the Service, prevent misuse, and investigate incidents.
To analyze performance and improve reliability using de-identified and aggregated data.
To provide support and send transactional notifications.
To comply with law and enforce agreements.
We do not sell or share personal data for advertising. We do not use Customer Data to train third-party foundation models.
6. Sharing of Personal Data
Subprocessors: hosting, infrastructure, email, vector storage, and processing vendors listed at https://phronedge.com/legal/subprocessors.
Customer-enabled integrations: Microsoft Teams, Slack, GitHub, GitLab, Bitbucket, Jira, Azure DevOps, and Google Calendar. These are enabled and controlled by your organization and are not PhronEdge subprocessors.
Independent controllers: Stripe processes billing and identity verification under its own privacy policy.
Legal disclosures: we may disclose data to comply with applicable law, valid legal process, or to protect rights and safety. Where permitted, we notify customers and challenge overbroad requests.
Business transfers: data may be transferred in the event of a merger, acquisition, or other transaction, subject to continued protections.
De-identified/aggregated data: we may use or share non-identifiable data for lawful business purposes.
7. International Transfers
Personal data may be transferred internationally. We implement the following safeguards:
EU Standard Contractual Clauses (2021/914, Modules 2/3).
UK Addendum.
Swiss FDPIC variations.
Supplementary measures, including encryption, tenant isolation, and pseudonymization where applicable.
If transfer mechanisms are invalidated or replaced, we will implement alternative lawful safeguards. We also assist with Transfer Impact Assessments upon request.
8. Data Retention
Customer Data: retained for 30 days by default, with enterprise retention options available.
Security and diagnostic logs: retained up to 90 days unless longer retention is required for investigations.
Website and marketing data: retained for stated purposes or until deletion is requested.
Upon termination or request, Customer Data is deleted or returned per the DPA. Backups are purged on standard cycles. A deletion certificate is available upon request.
9. Security Measures
We maintain technical and organizational safeguards appropriate to the risk, including:
Encryption at rest (AES-256) and in transit (TLS 1.2+).
OAuth/SSO-only authentication.
Role-based access control and tenant isolation.
Secrets management (AWS KMS/Parameter Store).
Logging, monitoring, anomaly detection, and incident response planning.
Business continuity and disaster recovery measures.
We notify customers of Personal Data Breaches without undue delay and within 72 hours where required by law.
10. Cookies and Similar Technologies
Essential cookies are required for login and core functionality.
Functional cookies may store preferences.
Analytics cookies may measure product usage and reliability.
No advertising cookies are used.
Users can control cookies in browser settings. Where required by law, cookie consent is requested through banners or consent tools. We honor Global Privacy Control (GPC) signals.
11. Your Rights
Depending on jurisdiction, you may have rights to:
Access and obtain a copy of your data.
Correct inaccurate data.
Delete data, subject to legal and contractual limits.
Port data in machine-readable format.
Restrict or object to processing.
Opt out of sale or sharing of personal data (PhronEdge does not sell/share data under CPRA/TDPSA definitions).
Appeal a denied request, where applicable.
Requests should be submitted to privacy@phronedge.com. Verification may be required. When PhronEdge acts as a processor, individual rights requests must be exercised through your organization, which controls your data. PhronEdge will support your organization in fulfilling such requests under our Data Processing Addendum.
We do not discriminate for exercising privacy rights.
12. Children’s Data
The Service is not directed to individuals under 18. We do not knowingly collect data from minors. If such data is discovered, it will be deleted.
13. Regional Disclosures
California (CPRA): categories collected may include identifiers, device/network data, professional information, and billing data. We do not sell or share data for advertising.
Texas (TDPSA) and other U.S. states: we provide comparable rights, including access, correction, deletion, portability, opt-out, and appeals.
EEA, UK, Switzerland (GDPR/UK GDPR/FADP): rights include access, rectification, erasure, restriction, portability, objection, and lodging complaints with a supervisory authority. You may lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
14. Automated Decision-Making
PhronEdge does not engage in solely automated decision-making that produces legal or similarly significant effects.
15. Changes to this Policy
We may update this Policy periodically. Material changes will be posted at https://phronedge.com/legal/privacy and, where required, notified by email or in-product. Continued use of the Service after updates constitutes acceptance.
16. Contact Information
Privacy inquiries and rights requests: privacy@phronedge.com
Legal inquiries: legal@phronedge.com
Support: support@phronedge.com