Privacy Policy

"Customer Data" means all data, content, and materials you or your users upload, store, or transmit through the Service, including vault content in shared folders and collaborative documents.

"Account Data" means information you provide when registering for an account, such as your name, email address, organization name, and login credentials.

"Billing Data" means payment and billing information, including payment method details, billing address, and transaction history.

"Usage Data" means anonymized, aggregated data about how the Service is accessed and used, such as feature usage patterns, user counts, and software version information.

When you create an account, we collect your name, email address, organization name, and role. If you accept an invitation, we collect the information you provide during the registration process.

When you subscribe to a paid plan, we collect payment information through our payment processor, Stripe. We do not store full credit card numbers on our servers — Stripe handles this directly.

The Plugin transmits only the content of files within explicitly shared folders via Yjs CRDT updates over encrypted WebSocket connections. The Plugin does not transmit vault metadata, file paths outside shared folders, local settings, or any content you have not explicitly chosen to share.

We automatically collect anonymized, aggregated information about how you interact with the Service, such as feature usage, session duration, and error reports. This data does not personally identify you.

Our servers automatically record information when you access the Service, including your IP address, browser type, operating system, referring URL, and timestamps. Application logs include a tenant identifier but do not contain Customer Data content.

We do not read, scan, or analyze the content of your Customer Data for advertising, profiling, or any purpose other than providing the Service.

We do not sell your Personal Information to third parties.

We do not use Customer Data to train machine learning models.

We use the information we collect to: provide and operate the Service (host, store, process, and transmit Customer Data as necessary to enable real-time collaboration); process payments (charge fees, manage subscriptions, and handle billing through Stripe); provide support; and improve the Service by analyzing Usage Data.

We also use information to communicate with you (transactional emails such as account confirmations, billing receipts, and security alerts), ensure security (monitor for unauthorized access, abuse, and security threats), and comply with legal obligations.

We do not sell, rent, or trade your Personal Information.

We use third-party service providers to help operate the Service. Amazon Web Services (AWS) provides infrastructure and hosting and has access to Customer Data (encrypted at rest and in transit), Account Data, and logs. Stripe provides payment processing and has access to Billing Data.

These providers access your information only as necessary to perform services on our behalf and are contractually obligated to protect it. We will notify customers of material changes to the subprocessor list at least 30 days before the change takes effect.

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with a legal obligation, protect our rights or property, prevent fraud, or protect the personal safety of users or the public.

If Tektite is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Site of any change in ownership.

When you use the hosted Service, Customer Data is stored on infrastructure managed by Tektite within dedicated, isolated AWS environments. Each customer receives a dedicated tenant environment with encryption at rest (AES-256 with AWS KMS-managed keys), encryption in transit (TLS for all connections), network isolation (dedicated VPC with no cross-tenant access), and automated database backups with 7-day retention.

Tektite personnel may access your tenant environment only as necessary to provide support, maintain the Service, or respond to security incidents, and only under strict access controls and audit logging.

When you deploy the Software on your own infrastructure, Customer Data remains entirely on your infrastructure. Tektite has no access to your Customer Data. The only communications with Tektite’s systems are license validation checks, which transmit only the license key and active user count. You are responsible for encryption, backups, access control, and network security of your deployment.

Customer Data (hosted) is retained for the duration of your active subscription. Upon account termination, Customer Data is available for export for 30 days, after which it is permanently deleted. Automated backups are retained for 7 days.

Customer Data (self-hosted) is retained on your infrastructure under your control. Tektite does not retain any Customer Data from self-hosted deployments.

Account Data is retained for as long as your account is active and for a reasonable period thereafter for legal and operational purposes. Billing Data is retained as required by applicable tax and accounting regulations (typically 7 years). Usage Data and logs are retained for up to 12 months, then deleted or anonymized.

We implement security measures designed to protect your information, including: encryption at rest (AES-256) and in transit (TLS) for all Customer Data, network isolation between customer environments, audit logging of all infrastructure and application access, tamper-protected log storage, regular security monitoring and alerting, secure credential storage, and OAuth 2.0 with PKCE for authentication.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials and for all activities under your account.

You may export your Customer Data at any time through the Service’s built-in export functionality. You may request a copy of the Personal Information we hold about you by contacting us at privacy@tektite.team.

You may update your Account Data through the Service or by contacting us. You may request deletion of your account and associated Personal Information by contacting us at privacy@tektite.team. Upon receiving a verified deletion request, we will delete your information within 30 days, except where we are required to retain it by law.

You may opt out of promotional communications by following the unsubscribe instructions in any promotional email. You cannot opt out of transactional communications (e.g., billing receipts, security alerts). You can control cookies through your browser settings.

Customer Data for the hosted Service is stored in AWS data centers in the United States. If you require a specific data residency, contact us to discuss options.

If you are located in the EEA or UK, we process your Personal Information on the basis of contract performance, legitimate interests, legal obligation, and consent. For transfers outside the EEA/UK, we rely on Standard Contractual Clauses approved by the European Commission. Customers requiring a Data Processing Agreement (DPA) may request one by contacting privacy@tektite.team.

If you are in the EEA or UK, you have additional rights including the right to access, rectify, erase, restrict processing, data portability, and object to processing. You also have the right to lodge a complaint with your local supervisory authority.

If you are a California resident, you have the right to know what Personal Information we collect, the right to request deletion, the right to opt out of sale (we do not sell your Personal Information), and the right to non-discrimination for exercising your privacy rights.

To exercise these rights, contact us at privacy@tektite.team. We will verify your identity before processing your request.

The Service is not directed to anyone under the age of 13 (or 16 in the EEA). We do not knowingly collect Personal Information from children. If we learn that we have collected Personal Information from a child without parental consent, we will delete that information promptly.

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the primary address on your account or by prominent notice on our Site at least 30 days before taking effect. Non-material changes or clarifications take effect immediately upon posting. Your continued use of the Service after changes take effect constitutes acceptance.