Data Sovereignty & Security Privacy Statement

InnerActiv is committed to ensuring true data sovereignty for our customers. Our platform is designed with end-to-end encryption, ensuring that all collected data remains under the sole control of the customer. InnerActiv does not have access to any customer data, as encryption keys are exclusively managed by the customer, preventing unauthorized access by InnerActiv or any third party.

This architecture guarantees that:
- Only the customer can decrypt and access their collected data.
- InnerActiv has no technical capability to view, modify, or share customer data.
- No external entity, including InnerActiv or unauthorized third parties, can access the information.

By maintaining this strict security framework, InnerActiv ensures that companies using our software retain full ownership and control over their sensitive information, protecting against any form of unauthorized surveillance or data misuse.


Privacy Policy

This Privacy Policy (“Policy”) describes how InnerActiv, Inc. (“InnerActiv”, “we”, “us”, or “our”) collects, uses, processes, and protects Personal Information in connection with our website, products, and services (collectively, the “Services”).

This Policy also describes your rights and choices regarding your Personal Information.

1. Scope and Roles

This Policy applies to:
- Visitors to our website
- Customers and their authorized users
- Individuals whose data may be processed through our Services

Depending on the context:
- InnerActiv acts as a data controller for website, marketing, and business operations data
- InnerActiv acts as a data processor/service provider when processing data on behalf of customers within the platform

Customers determine how data is configured, monitored, and used within the InnerActiv platform.

2. Categories of Information We Collect

We collect information necessary to operate our Services, ensure security, and fulfill contractual and legal obligations.

a. Information You Provide
- Name, email address, and contact details
- Account credentials
- Communications and support requests

b. Automatically Collected Information
- Device and system information (e.g., IP address, operating system, browser type)
- Log data and system activity
- Usage and interaction data within our Services

c. Customer Data (Processed on Behalf of Customers)
Depending on customer configuration, InnerActiv may process:
- User activity and behavioral signals
- Application and process usage
- File metadata and contextual indicators
- AI tool usage and interaction patterns
- Content-derived risk indicators (where enabled by the customer)

Depending on customer configuration, this may include analysis of user interactions at the screen, application, and operating system level, including clipboard activity, user interface interactions, and contextual signals necessary to detect risk and enforce policy.

InnerActiv processes this data strictly under customer direction and in accordance with contractual obligations.

3. AI Usage and Monitoring Transparency

InnerActiv provides visibility into the use of artificial intelligence tools within customer environments.
As part of these capabilities, InnerActiv may process:
- Interactions with generative AI systems
- Prompts and responses (where configured by the customer)
- Data flows between users and AI applications
- Indicators of sensitive data exposure

Processing may occur in real time at the endpoint prior to transmission to AI systems, enabling organizations to detect, govern, and control sensitive data before it leaves the device.

These capabilities are designed to:
- Help organizations understand AI usage
- Identify potential risks involving sensitive data
- Support governance, compliance, and security objectives

InnerActiv does not aggregate or use customer data across organizations for analytics, model training, or product development purposes.

InnerActiv does not independently use this data to train public or third-party AI models.

InnerActiv’s Services may be used by customers to monitor user activity within workplace environments for security, compliance, and operational purposes. Customers are responsible for providing appropriate notice to users and complying with applicable employment, monitoring, and privacy laws.

4. How We Use Information

We use Personal Information for the following purposes:
- To provide, operate, and maintain our Services
- To detect, prevent, and respond to security threats and misuse
- To analyze usage and improve product functionality
- To support AI governance and risk visibility capabilities
- To communicate with customers and users
- To comply with legal obligations
- To enforce agreements and policies

We limit processing to what is relevant and necessary for these purposes.

5. Legal Basis for Processing

Where applicable under laws such as GDPR, we process Personal Information based on:
- Contractual necessity
- Legitimate interests (including security, fraud prevention, and product improvement)
- Legal obligations
- Consent, where required

6. Data Sharing and Subprocessors

We do not sell Personal Information.

InnerActiv is designed to limit the sharing of customer data and does not disclose customer-derived risk data, behavioral data, or content-related indicators to third parties except as necessary to provide the Services or as directed by the customer.

We may share limited system and operational data with the following categories of recipients:
a. Service Providers (Subprocessors)
Including providers of:
- Cloud hosting and infrastructure
- Data storage and processing
- Security monitoring and logging
- Analytics and performance monitoring
- Customer support and communications

The limited data shared with subprocessors is restricted to system-level and backend operational data necessary for the functioning, security, and performance of the Services, such as:
- System performance and diagnostic data
- Infrastructure and routing metadata required to securely transmit and store customer data
- Service availability and operational metrics

InnerActiv does not share customer-derived risk data, behavioral analytics, AI interaction data, or content-related indicators with subprocessors, except where strictly required to operate the platform or as explicitly directed by the customer.

Subprocessors are not permitted to access or use customer data for their own purposes.

All subprocessors are:
- Contractually bound to protect data
- Restricted from using data for independent purposes
- Subject to security and privacy due diligence

A current list of subprocessors may be made available upon request.

b. Legal and Regulatory Authorities
We may disclose information when required to:
- Comply with applicable law
- Respond to lawful requests
- Protect rights, safety, and security

c. Business Transfers
In connection with mergers, acquisitions, or asset sales

7. Data Retention

We retain Personal Information only as long as necessary for:
- Providing Services
- Meeting contractual obligations
- Complying with legal and regulatory requirements

Retention principles include:
- Account and customer data: retained for the duration of the relationship and a defined period thereafter
- Operational logs and telemetry: retained based on security and operational requirements
- Backup data: retained according to defined backup and recovery cycles

Customers may configure retention periods for telemetry, logs, and activity data based on their organizational policies and regulatory requirements. Data is securely deleted or anonymized when no longer required.

8. Data Security

InnerActiv implements administrative, technical, and physical safeguards designed to protect Personal Information, including:
- Encryption of data in transit and, where applicable, at rest
- Role-based access controls and least-privilege principles
- Authentication and authorization mechanisms
- Continuous monitoring, logging, and alerting
- Secure development and change management practices
- Periodic security assessments and testing

We continuously evaluate and enhance our security posture to address evolving risks.

9. Customer Data Access and Encryption

InnerActiv is designed to protect customer data and limit access to only what is necessary to operate the Services.

- Encryption: Customer data is encrypted in transit using industry-standard protocols and, where applicable, encrypted at rest.
- Access Controls: InnerActiv personnel do not access customer data from endpoints or customer environments as part of normal operations.
- Customer Authorization: Access to customer data is only performed when explicitly authorized by the customer (e.g., for support or troubleshooting).
- Least Privilege: Any authorized access is limited in scope, time-bound, and restricted to the minimum data necessary.
- Auditability: Access to customer data is logged and subject to monitoring and review.

Customers maintain control over their data and determine how it is collected, configured, and used within the InnerActiv platform.

10. International Data Transfers

Personal Information may be transferred to and processed in countries outside your jurisdiction.

Where required, we implement appropriate safeguards, such as:
- Standard contractual clauses
- Equivalent legal transfer mechanisms

11. Your Privacy Rights

Depending on your location, you may have the right to:
- Access your Personal Information
- Correct inaccurate or incomplete data
- Request deletion of your data
- Restrict or object to processing
- Request data portability
- Withdraw consent (where applicable)

Requests may be submitted to: info@inneractiv.com

We will respond in accordance with applicable laws.

12. California Privacy Rights

California residents have the right to request:
- Categories of Personal Information collected
- Sources and purposes of collection
- Categories of third parties with whom data is shared

InnerActiv does not sell Personal Information.

13. Children’s Privacy

Our Services are not directed to individuals under 13, and we do not knowingly collect Personal Information from children.

14. Do Not Track Signals

Our Services do not currently respond to “Do Not Track” signals. However, we limit data collection to what is necessary to provide our Services.

15. Third-Party Links

Our Services may contain links to third-party websites. We are not responsible for their privacy practices.

16. Data Breach and Incident Response

In the event of a security incident involving Personal Information, InnerActiv will:
- Investigate and contain the incident
- Take appropriate remedial actions
- Notify affected parties without undue delay, where required by law
- Comply with applicable regulatory and contractual obligations

If you have concerns about a potential security incident or believe your data may have been impacted, you may contact us directly at info@inneractiv.com

17. Privacy Governance and Accountability

InnerActiv maintains internal policies, procedures, and controls designed to support privacy and data protection, including:
- Defined roles and responsibilities for data protection
- Employee training and awareness programs
- Ongoing risk assessments
- Monitoring and enforcement of privacy practices

We are committed to continuous improvement of our privacy and security practices.

18. Changes to This Policy

We may update this Policy from time to time. Updates will be posted with a revised effective date.

Continued use of the Services constitutes acceptance of the updated Policy.