
Privacy Policy

Effective Date: March 13, 2026

DRAFT — Subject to final review before publication

1. Introduction

Silicon Harbor Technologies, LLC ("Silicon Harbor," "we," "us," or "our") operates the Enovari platform, a cloud-based code intelligence, data visualization, and AI memory system. This Privacy Policy explains what information we collect, how we use it, how we protect it, and your rights regarding that information when you use the Enovari platform and its component products — Scanner, Orrery, and Tapestry.

This policy applies to all users who access our services through the web application, API, or Model Context Protocol (MCP) connections. By creating an account or using our services, you agree to the collection and use of information in accordance with this policy.

This Privacy Policy should be read together with our Terms of Service, Enovari Cloud AI Terms, and Acceptable Use Policy.

2. What We Collect

2.1 Account Information

When you create an account, we collect:

  • Name — Your full name, used for account identification and personalized communication.
  • Email address — Used for account authentication, verification, password resets, and service notifications.
  • Organization (optional) — Your company or team name, if you choose to provide it.
  • Password — Stored as a salted cryptographic hash using industry-standard algorithms (bcrypt). We never store your password in plain text and cannot retrieve it.

2.2 API Keys and MCP Access Credentials

When you generate an API key for programmatic or MCP (Model Context Protocol) access, we store a cryptographic hash of the key. The full key is displayed to you exactly once at generation time. We cannot retrieve or view your API key after that point. API keys authenticate your requests to our services, including connections from AI coding assistants and other MCP-compatible clients.

2.3 Subscription and Payment Data

When you subscribe to a paid plan, we store your subscription status, plan type, billing period dates, and Stripe customer identifier. We do not store your credit card number, bank account information, or other payment instrument details on our servers. All payment processing is handled exclusively by Stripe, Inc.

2.4 Your Content — Code, Data, and Knowledge

Depending on which products you use, we process the following types of content you submit:

  • Scanner: Source code files, directory structures, and codebases submitted for analysis. Scanner processes your code to generate dependency graphs, complexity metrics, dead code detection, security analysis, and AI-powered code question-and-answer responses.
  • Orrery: Structured datasets submitted for three-dimensional visualization, including CSV, JSON, and other structured formats.
  • Tapestry: Knowledge notes, session memories, persona configurations, and contextual data stored in your personal memory database (tapestry.db). Tapestry maintains persistent cross-session memory for AI agents operating on your behalf.

Important: Your Content is processed solely to provide the services to you. We do not access, review, mine, or use Your Content for training machine learning models, improving our algorithms, advertising, or any purpose other than delivering the specific service you requested. Each user's content is stored in isolated per-user storage and is never commingled with other users' data.

2.5 Persona Memory Data (mind.db)

If you use the Tapestry persona system, the services maintain a private memory database ("mind.db") for each active persona. This is a distinct data category that requires specific disclosure:

  • What it contains: AI-generated observations, reasoning, contextual notes, and assessments produced during your sessions. This may include the AI's analysis of patterns in your work, organizational observations, and session-to-session continuity data.
  • How it is generated: Persona memories are generated by the AI based on your interactions with the service. Some observations may be generated autonomously by the AI persona as part of its contextual awareness function.
  • Storage and isolation: mind.db is stored in your isolated user space and is not accessible to other users or Silicon Harbor personnel.
  • Your rights: You may review, export, and delete the contents of any mind.db at any time through the services interface or by request. mind.db files are included in data export and are permanently deleted when you delete the associated persona or terminate your account.
  • Access by Silicon Harbor: We do not access, read, or review the contents of your mind.db databases. We do not use persona memory data for any purpose other than providing the persona continuity service to you.

If you exercise your right of data access under applicable law (such as GDPR Article 15), the response will include the contents of any mind.db databases associated with your account.

2.6 Organizational Knowledge Sensitivity

We acknowledge that your Tapestry and persona data may include information of varying sensitivity levels, including general technical knowledge, business-confidential information, and potentially material non-public information about your organization. We treat all user content as confidential, regardless of its perceived sensitivity level. However, the services are not designed for data subject to specific regulatory compliance requirements. See Section 4.2 of our Terms of Service for content restrictions.

2.7 AI Processing Data

Our services use AI-powered analysis to provide features such as code question-and-answer, knowledge retrieval, and intelligent recommendations. When your content is processed by our AI systems:

  • Processing occurs on our servers hosted on Oracle Cloud Infrastructure. Your content is not transmitted to third-party AI model providers by Silicon Harbor for training purposes.
  • AI-generated analysis results (such as code insights, knowledge connections, and recommendations) are stored within your isolated user space and are accessible only to you.
  • We do not use your content or the results of AI analysis to train, fine-tune, or improve any machine learning models serving other users.
  • Temporary processing data (intermediate computation results) is held in memory only during active analysis and is not persisted to disk.

Note regarding your AI client: When you access Enovari through an MCP-compatible AI assistant (such as Claude, ChatGPT, or similar), your AI client receives the output of Enovari tools as part of its conversation context. The handling of that data by your AI client is governed by that provider's terms and privacy policy, not ours. We recommend reviewing your AI client provider's data practices.

2.8 Usage and Log Data

We collect standard server logs including IP addresses, request timestamps, API endpoints accessed, HTTP methods, response status codes, and request duration. This data is used for security monitoring, abuse prevention, debugging, rate limiting enforcement, and service reliability.

2.9 Information We Do Not Collect

We want to be explicit about what we do not collect:

  • We do not collect biometric data.
  • We do not collect location data beyond what is present in server logs (IP address).
  • We do not use tracking pixels, fingerprinting, or cross-site tracking technologies.
  • We do not collect data from third-party sources to supplement your profile.
  • We do not monitor or log the content of your MCP sessions beyond standard API request logging.

3. How We Use Your Information

We use the information we collect for the following purposes and no others:

  • Provide, operate, and maintain the services, including processing your code, data, and knowledge through our analysis engines.
  • Authenticate your identity and manage your account and API key access.
  • Process payments and manage subscriptions through Stripe.
  • Send transactional communications, including email verification, password resets, billing notifications, and critical service announcements.
  • Monitor and improve the security, performance, and reliability of the services, including detecting and preventing unauthorized access, abuse, and fraud.
  • Enforce our Terms of Service and Acceptable Use Policy, including usage limits.
  • Respond to your inquiries and support requests.
  • Comply with applicable legal obligations.

We do not use your information for advertising, behavioral profiling, selling to data brokers, or any purpose unrelated to providing the services. We do not sell, rent, or trade your personal information to third parties. We do not use Your Content to develop competing products or to provide services to other customers.

4. Data Storage and Security

4.1 Infrastructure

Your data is stored on Oracle Cloud Infrastructure located in the United States. Our infrastructure runs on a dedicated server, and each user's data is stored in isolated per-user databases and directories.

4.2 Per-User Data Isolation

Each user's data is stored in their own isolated directory and database files on our servers. Your code, datasets, knowledge notes, and persona memories are physically separated from other users' data at the filesystem level. This architecture ensures that a vulnerability affecting one user's data does not expose another user's information.

4.3 Security Measures

We implement the following security measures to protect your data:

  • Passwords are hashed using bcrypt with per-user salts. We never store or transmit passwords in plain text.
  • API keys are stored as cryptographic hashes only. The plaintext key exists only in the user's possession.
  • When transmitted over HTTPS, all data in transit is encrypted via TLS 1.2 or higher. We are in the process of enforcing HTTPS across all endpoints. Until HTTPS enforcement is complete, some connections may not be encrypted in transit.
  • Access to production systems is restricted to authorized personnel through SSH key authentication and is logged.
  • Security headers are enforced on all responses, including Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and strict Referrer-Policy.
  • Rate limiting is applied to authentication endpoints and API access to prevent brute-force attacks and abuse.
  • Session tokens are cryptographically generated and expire after a defined period of inactivity.

While we implement commercially reasonable security measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the services at your own risk.

5. Third-Party Services and Sub-Processors

We use the following third-party services to operate the platform. Under GDPR Article 28, these constitute our sub-processors:

| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Customer ID, subscription data, payment instrument | USA |
| Resend | Transactional email delivery | Email address, name | USA |
| Oracle Cloud Infrastructure | Cloud hosting (IaaS) | All customer data (at-rest storage) | USA |

We will notify users of changes to our sub-processor list by updating this page and, for material changes, by email notification at least 30 days in advance.

We do not use any advertising networks, behavioral analytics services, social media pixels, or third-party tracking tools. We do not share your data with any party beyond the services listed above.

6. User Rights

You have the following rights regarding your personal information, which we will honor regardless of your jurisdiction:

  • Access — You may request a copy of the personal information we hold about you, including the contents of any mind.db databases associated with your account. We will provide this in a commonly used electronic format within 30 days.
  • Correction — You may request that we correct any inaccurate or incomplete personal information.
  • Deletion — You may request that we delete your account and all associated personal information and content, including all Tapestry databases and mind.db files. Upon receiving a verified deletion request, we will delete your data within 30 days, except where retention is required by law (see Section 7).
  • Data Export / Portability — You may export your data at any time in machine-readable formats: SQLite database files (tapestry.db, mind.db) and JSON export. This includes your account information, Tapestry knowledge notes, persona memories, and Scanner analysis results.
  • Objection — You may object to the processing of your personal information for specific purposes.
  • Restrict Processing — You may request that we restrict the processing of your personal information while a complaint or objection is being resolved.

To exercise any of these rights, contact us at legal@silicon-harbor.net. We will verify your identity before processing any request and will respond within 30 days. If we need additional time, we will notify you of the reason and extension period.

6.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA/CPRA rights, contact us at legal@silicon-harbor.net.

6.2 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, our legal basis for processing your personal information is: (a) performance of a contract (providing the services you signed up for), (b) legitimate interests (security monitoring, fraud prevention, service improvement), and (c) your consent (where applicable). You have the right to lodge a complaint with your local data protection authority.

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

  • Account information: Retained for as long as your account is active.
  • Your Content (code, data, knowledge, persona memories): Retained for the duration of your subscription. Upon account deletion or subscription termination, we provide a 30-day window for data export before permanent deletion.
  • Billing records: Retained for 7 years as required for tax, accounting, and legal compliance purposes.
  • Server logs: Retained for 90 days for security and debugging purposes, then automatically deleted.
  • Support correspondence: Retained for 2 years after resolution, then deleted.

When data is deleted, it is permanently removed from our active systems. Backup copies, if any, are purged within 30 days of the deletion from active systems.

8. Automated Decision-Making

The Enovari platform includes automated decision-making systems that may affect which information is presented to you and how it is prioritized:

  • Consensus Engine: Tapestry's Consensus Engine automatically ranks and surfaces memories based on multiple signals, including source credibility, evidence weight, temporal decay, access reinforcement, and contradiction analysis. This automated processing determines which memories your AI assistant sees and acts upon.
  • Confidence Scoring: The system assigns confidence scores to knowledge notes, affecting their prominence in retrieval results.
  • Contradiction Detection: The system automatically identifies potentially conflicting information and may flag or de-prioritize memories accordingly.

These systems are information retrieval and ranking tools. They do not make decisions that produce legal effects or similarly significant effects on you. However, under GDPR Article 22, you have the right to:

  • Understand the general logic of the ranking and retrieval system.
  • Contest specific confidence scores or ranking decisions.
  • Pin or suppress specific memories to override automated ranking.
  • Request human review of automated assessments by contacting us.
  • Provide direct instructions to your AI assistant that override the system's recommendations.

For more details on how AI features process your data, see our Enovari Cloud AI Terms.

9. Cookies and Local Storage

We use minimal browser storage strictly necessary for the operation of the services:

  • Authentication token — Stored in your browser's local storage to maintain your signed-in session. This token is a cryptographically generated string that does not contain any personal information. It is cleared when you sign out.

We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies. We do not participate in cross-site tracking, retargeting, or cookie-based advertising programs. No consent banner is required because we do not use any non-essential cookies.

For more details, see our Cookie Policy.

10. Children's Privacy

The services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information within 72 hours of discovery. If you believe we have inadvertently collected information from a child, please contact us immediately at legal@silicon-harbor.net.

11. International Data Transfers

Our services are operated from the United States, with infrastructure hosted on Oracle Cloud Infrastructure in the United States. If you are accessing the services from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the services, you acknowledge and consent to this transfer.

For users in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses and your explicit consent as the legal mechanisms for transferring your personal data to the United States.

12. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

  • Notify affected users by email within 72 hours of confirming the breach.
  • Provide a description of the breach, the types of information affected, and the steps we are taking to address it.
  • Notify relevant regulatory authorities as required by applicable law.
  • Provide guidance on steps you can take to protect yourself.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and by posting a prominent notice on our website at least 30 days before the changes take effect. Your continued use of the services after the effective date constitutes your acceptance of the updated policy.

We encourage you to review this policy periodically. The "Effective Date" at the top of this page indicates when the policy was last updated. Previous versions of this policy are available upon request.

14. Contact

If you have any questions about this Privacy Policy or our data practices, or wish to exercise any of your rights described above, please contact us:

Silicon Harbor Technologies, LLC
Charleston, South Carolina, United States
Email: legal@silicon-harbor.net

For data protection inquiries, please include "Privacy" in your email subject line to ensure prompt routing.

© 2026 Silicon Harbor Technologies. All rights reserved.