Privacy Policy

1. Scope of This Policy

This Privacy Policy describes how Citrux AI Inc. ("Citrux AI", "we", "us", or "our") collects, uses, stores, and shares personal information across:

• Our public website at www.citrux.ai and related marketing properties.
• The CORA Enterprise AI Agent Operating System (SaaS, on-premise, and air-gapped deployments).
• Our AI Compute Center EPC engagements and Forward Deployed Engineer (FDE) services.
• Pre-sales communications, evaluations, demos, and customer support.

If you are an end user of an enterprise customer's deployment of CORA, the customer (not Citrux AI) is the data controller for your information. Please consult that customer's privacy notice. Citrux AI acts as a data processor on the customer's behalf, governed by the Data Processing Addendum in our master agreement.

2. What Personal Information We Collect

2.1 Information You Provide Directly

• Contact information: name, business email, phone number, job title, organization.
• Account credentials: username, password hash, SSO identifiers, multi-factor authentication tokens.
• Commercial information: billing contact, billing address, tax identifiers (VAT, statutory IDs).
• Communications: inquiries submitted via web form, email, support tickets, meeting recordings, FDE engagement notes.
• Content you submit: documents, prompts, and configuration data uploaded to your CORA workspace or sandbox.

2.2 Information Collected Automatically

• Technical metadata: IP address, browser type, operating system, device identifiers, referrer URL.
• Usage telemetry: pages viewed, features used, API calls, latency, error logs, model routing decisions.
• Approximate location: derived from IP address for compliance, fraud prevention, and language defaults.
• Cookies and storage: language preference, session identifiers, analytics measurements (see Section 13).

2.3 Information from Third-Party Sources

• Business directories, public company filings, and professional networks for B2B prospecting.
• Identity verification, sanctions screening, and KYC/AML checks via reputable providers.
• Customer-provided integrations (e.g., when you connect Slack, Microsoft 365, or your ERP to CORA).

3. How We Use Your Personal Information

We use personal information to:

• Provide, operate, and maintain the CORA platform and EPC services.
• Process commercial transactions, issue invoices, and collect payments.
• Respond to inquiries, demo requests, and support tickets.
• Detect, prevent, and respond to fraud, abuse, security incidents, and policy violations.
• Monitor service health, debug errors, and improve reliability.
• Comply with applicable law, court orders, and regulatory requests.
• Enforce our agreements and protect our rights, property, and the safety of users.
• Send service announcements, security notices, and (with your consent) marketing communications.

4. Legal Bases for Processing

Where the EU/UK General Data Protection Regulation, Taiwan's Personal Data Protection Act, or similar laws apply, we rely on the following legal bases:

• Contract: processing necessary to provide services you have purchased or evaluated.
• Legitimate interests: securing our platform, preventing fraud, improving services, and conducting B2B outreach (balanced against your interests and rights).
• Legal obligation: tax records, anti-money-laundering checks, export control compliance, lawful disclosure requests.
• Consent: marketing communications, optional analytics cookies, and any processing for which we explicitly request your consent.

5. How We Store and Share Your Information

5.1 Storage

By default, customer data resides in the deployment region you select (Taiwan, Japan, Singapore, or your on-premise environment). Pre-sales and corporate data may be processed in Taiwan and the United States by our service providers. All data in transit is protected with TLS 1.2 or higher; data at rest is encrypted using AES-256 or equivalent.

5.2 Sharing

• Service providers (sub-processors): hosting, payment processing, email delivery, analytics, customer support tooling, identity verification, and security monitoring, each bound by confidentiality and data-protection obligations consistent with Article 28 of the GDPR (or equivalent local law).
• Affiliates: our subsidiaries and parent entities, when necessary for service delivery and corporate operations.
• Professional advisors: auditors, legal counsel, and consultants under confidentiality.
• Legal authorities: when required by valid legal process, where we will challenge overbroad requests where lawful and notify customers when permitted.
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets, with continued protection of personal information.

We do not share customer content with any third party for advertising or model training purposes.

5.3 Sub-Processor List & Change Notifications

An up-to-date list of our material sub-processors is published at www.citrux.ai/subprocessors. We will provide registered customers with at least 30 days' prior written notice (by email or platform notification) before engaging a new sub-processor that processes customer personal data. During the notice period, customers entitled to do so under the Data Processing Addendum may object on reasonable data-protection grounds, and the parties will work in good faith to address the objection or, failing that, terminate the affected Services without penalty.

6. Enterprise Customer Data & CORA Tenant Isolation

For enterprise customers deploying CORA:

• On-premise & air-gapped deployments: customer data never leaves the customer's own infrastructure. Citrux AI has no access except for explicitly authorized support sessions.
• SaaS deployments: data is segregated using dual-layer Instance + Tenant isolation. Personal information passing through any Large Language Model is masked by our Privacy Guard layer prior to model invocation.
• Audit trails: every agent decision, tool invocation, and data access is logged with correlation identifiers, in a manner designed to support compliance reporting aligned with the ISO 27001, 27701, 42001, 22301, and 9001 frameworks. Citrux AI does not represent that any particular certification has been obtained unless expressly stated in writing in the applicable Enterprise Agreement.
• Data Processing Addendum (DPA): available on request and forms part of our enterprise agreements.

7. Data Retention

• Inquiry forms and unconverted leads: deleted within 24 months of last contact, unless you request earlier deletion.
• Customer account and billing records: retained for the term of the agreement plus statutory periods (typically 7 years for tax records under Taiwanese law).
• Service logs and telemetry: retained 90 to 365 days, depending on log type and security requirements.
• Backups: rotated according to our standard backup schedule; encrypted backups are deleted in due course.
• Customer-controlled data in CORA workspaces: retained per the customer's configuration. Following termination of the applicable agreement, customers have 30 days to retrieve their data; thereafter Citrux AI will delete it within a further 30 days, subject to legal retention obligations and the corresponding provisions of our Terms of Service.

8. Security of Personal Information

We implement administrative, technical, and physical safeguards designed to align with the ISO 27001 information-security framework. Where Citrux AI has obtained a particular certification, the certificate scope and date will be disclosed on request and reflected in the applicable Enterprise Agreement. Our safeguards include:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
• Role-based access control, least-privilege principles, and multi-factor authentication for staff.
• Continuous monitoring, intrusion detection, and our four-stage runtime defense (Intent → UCP → Egress → Secretary).
• Vendor risk assessments and contractual data-protection obligations.
• Incident response procedures with notification commitments under applicable law.

No method of transmission or storage is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security.

9. Your Rights

Subject to applicable law, you may have the right to:

• Access the personal information we hold about you and request a copy.
• Correct inaccurate or incomplete information.
• Delete your personal information ("right to be forgotten"), subject to retention obligations.
• Restrict or object to certain processing.
• Withdraw consent where processing is based on consent.
• Receive your data in a portable format.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email info@citrux.ai. We will respond within 30 days, or sooner where required by law.

10. International Data Transfers

Citrux AI is headquartered in Taiwan, Republic of China. When personal information crosses borders, we rely on the following transfer mechanisms, as applicable to the source and destination jurisdiction:

• European Economic Area: the European Commission's Standard Contractual Clauses as set out in Decision (EU) 2021/914, applying Module Two (controller-to-processor) or Module Three (processor-to-processor) as appropriate, supplemented by transfer impact assessments where required.
• United Kingdom: the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner's Office, attached to the EU SCCs.
• Switzerland: the EU SCCs as recognised and amended by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
• Adequacy decisions: where the destination country has been recognised as providing adequate protection (for example, transfers within the EU/EEA, or to jurisdictions on the relevant adequacy list).
• Customer consent: where transfers are made to fulfil a contract you have entered into, or with your explicit informed consent.

Japan (APPI). For users and customers in Japan, personal information may be transferred to the following destination countries: Taiwan (R.O.C.), the United States, Singapore, and member states of the European Economic Area. Each destination country's personal-data-protection regime has been considered prior to transfer. Where transfer occurs outside the Personal Information Protection Commission's adequacy list, Citrux AI relies on contractually equivalent safeguards binding the recipient, supplemented by your consent obtained through your acceptance of this Privacy Policy and the applicable Enterprise Agreement, in accordance with Article 28 of Japan's Act on the Protection of Personal Information.

Customers requiring data residency in a specific jurisdiction may select an on-premise or regional SaaS deployment, in which case data does not leave the selected region.

11. Children's Privacy

Our services are designed for enterprise use and are not directed at individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided information to us, please contact info@citrux.ai and we will delete it promptly.

12. AI Models & Training Data

We do not use customer content, prompts, or outputs to train our own foundation models or those of any third-party model provider, unless the customer has explicitly opted in via written agreement.

For SaaS routing to third-party models (OpenAI, Anthropic, Google, etc.), we transmit only the minimum data required for inference, and only after Privacy Guard masking. Customers running fully on-premise or with local models (Llama, Qwen, Ollama) ensure no data leaves their environment.

Aggregated, anonymized, non-attributable telemetry (such as latency distributions and error counts) may be used to improve service quality.

13. Cookies and Similar Technologies

Our public website uses a small number of strictly necessary cookies and local-storage entries:

• Language preference (cora-lang): remembers your selected display language.
• Session identifiers: for authenticated portals.
• Approximate IP geolocation (via the third-party service api.country.is): when you visit our website, your browser sends a request to api.country.is, which receives your IP address solely in order to derive an approximate ISO country code used to set a default display language. Citrux AI does not store, log, or receive your IP address from this lookup. Use of api.country.is is governed by that provider's own terms and privacy practices. Under the GDPR and similar laws, an IP address may be considered personal data; this disclosure is intended to reflect that.

We do not use third-party advertising cookies. Where required by law, we will request your consent before any non-essential analytics cookies are set.

14. Notice to California Residents (CCPA / CPRA)

This section provides additional disclosures required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA"). It applies only to California residents and supplements the rest of this Privacy Policy.

14.1 Categories of Personal Information We Collect

In the preceding 12 months we have collected the following statutory categories of personal information, as described in detail in Section 2:

• Identifiers (name, email, IP address, account identifiers).
• Customer records (billing contact, business address, tax identifiers).
• Commercial information (services purchased, usage history).
• Internet or other electronic network activity (pages viewed, API calls, telemetry).
• Geolocation data (approximate, derived from IP).
• Professional or employment-related information (job title, organization).
• Inferences drawn from the above (limited to operational segmentation).

Sensitive personal information. We do not collect or process sensitive personal information for the purpose of inferring characteristics about you. To the extent account credentials are considered "sensitive personal information," we use them only for the purposes of authentication, security, and providing the Services, and we do not use or disclose them for any purpose to which a right to limit use applies under CPRA §1798.121.

14.2 No Sale or Sharing of Personal Information

Citrux AI does not sell your personal information and does not share your personal information for cross-context behavioral advertising, as those terms are defined in the CCPA/CPRA. Because we do not sell or share, we do not provide a "Do Not Sell or Share My Personal Information" link; this notice itself confirms our position. We have not sold or shared personal information of any consumer in the preceding 12 months, including any consumer under 16.

14.3 Purposes of Use

Each category above is collected and used for the operational, security, compliance, and service-improvement purposes described in Section 3. We do not use personal information for purposes that are materially different from, or incompatible with, those disclosed at the point of collection without first providing notice.

14.4 Retention

We retain each category of personal information only for as long as is reasonably necessary for the purpose for which it was collected, in accordance with the retention periods set out in Section 7, plus any period required by law.

14.5 Your California Privacy Rights

Subject to verification of your identity, California residents may:

• Request to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom it is shared.
• Request to delete personal information we have collected about you.
• Request to correct inaccurate personal information.
• Request to limit use and disclosure of sensitive personal information (to the extent applicable).
• Be free from unlawful discrimination for exercising any of these rights.

To exercise these rights, email info@citrux.ai with the subject line "California Privacy Request." We will acknowledge receipt within 10 business days and respond substantively within 45 days, with one further 45-day extension where reasonably necessary, in accordance with CPRA. You may use an authorised agent; we may require written authorisation and identity verification.

14.6 Automated Decision-Making and Profiling

To the extent the California Privacy Protection Agency adopts regulations granting opt-out rights in respect of automated decision-making technology, those rights will apply once they take effect. For most uses of CORA today, automated decisions affecting individual data subjects are configured by our enterprise customers, who act as the relevant business under the CCPA/CPRA.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting a prominent notice on this page or by emailing registered customers at least 30 days before they take effect, except where earlier effectiveness is required by law. The "Effective date" at the top of this page indicates the most recent revision.

16. Contact Information

For privacy questions, requests to exercise your rights, or to report a concern, please contact:

Citrux AI Inc. (群智桔創股份有限公司)
Email: info@citrux.ai
Website: www.citrux.ai

If you reside in the European Economic Area, the United Kingdom, or Switzerland, you may also contact your local supervisory authority. If you reside in Taiwan, you may contact the National Communications Commission or the relevant industry regulator.