Privacy Policy

1. Who we are

Rhenari is an organizational intelligence platform built and operated by Catalystium, Inc., a South Dakota C-corporation ("Rhenari," "we," "us," or "our"). Rhenari connects to tools your organization already uses — including Microsoft Teams, Microsoft 365, Jira, and Azure DevOps — to surface execution health intelligence for product and engineering teams.

Our principal place of business is in South Dakota, United States. You can reach us at privacy@rhenari.com.

2. Scope of this policy

This Privacy Policy describes how Rhenari collects, uses, stores, and protects personal data in connection with:

• visitors to rhenari.com and its subdomains ("the Website"),
• organizations that subscribe to and use the Rhenari platform ("the Service").

This policy applies to both contexts. Where practices differ between the Website and the Service, we say so explicitly.

3. Data we collect

3.1 Website visitors

When you visit rhenari.com, we may collect:

• IP address and approximate location
• Browser type, operating system, and device type
• Pages visited, referral source, and time spent
• Information you voluntarily submit through forms, such as your name, work email address, job title, and company name

We use this data to operate the Website, respond to inquiries, and understand how visitors engage with our content. We do not sell this data.

3.2 Platform users and tenant organizations

When your organization subscribes to Rhenari, we collect and process data in two categories.

Configuration and operational data — This includes tenant and department configuration, role assignments, seat allocations, integration settings, alert preferences, workflow records, and license state. This data is necessary to operate the Service.

Behavioral metadata from connected source systems — Rhenari connects to your approved source systems and reads behavioral signals. Specifically:

• Microsoft Teams: participant identifiers, thread metadata, communication patterns, timestamps. Message bodies are never stored.
• Microsoft 365 / Outlook: sender and recipient metadata, subject lines, timestamps. Email bodies are never stored.
• Calendar: organizer and attendee identifiers, meeting metadata, timestamps. Calendar notes and descriptions are never stored.
• Jira: issue metadata, assignee and reporter identifiers, activity timestamps, delivery signals. Issue descriptions may be read ephemerally to classify events but are never stored.
• Azure DevOps: work item metadata, pull request metadata, pipeline run metadata, contributor identifiers. Descriptions and pipeline logs are never stored.

Ephemeral content reads — When Rhenari's AI needs to classify an event or assess an execution pattern, it may read source content — such as a Teams message or Jira description — ephemerally via a secure reference. The content is processed in memory and immediately discarded. The structured analytical output is persisted. The source content is not.

What we never store: message bodies, email bodies, calendar notes, Jira descriptions, Airtable rationale fields, pull request descriptions, pipeline logs, or any other long-form text content from connected source systems.

4. How we use data

We use the data we collect to:

• Operate and deliver the Rhenari platform and Website
• Authenticate users and enforce license and access controls
• Execute analytics processing to produce Momentum and Confidence scores, insights, and alerts
• Communicate with tenant administrators about service status, updates, and support
• Respond to inquiries submitted through the Website
• Improve the platform based on anonymized usage patterns
• Meet our legal and contractual obligations

We do not use your data to train general-purpose AI models. We do not sell your data. We do not use your data for advertising.

5. How we protect data

All data processed and stored by Rhenari resides on Rhenari-managed infrastructure. No Rhenari infrastructure is deployed in your organization's cloud environment.

Key controls include:

• AES-256 encryption at rest
• TLS 1.2 or higher for all data in transit
• Tenant isolation enforced at every layer — identity, API, secret storage, analytics engine, and serving outputs
• Integration credentials stored in Rhenari-managed Key Vault, namespaced by tenant, never exposed through the UI or API
• Role-gated, time-bound, and fully audited employee access to production data
• Immutable audit logging of all content access events before they occur

6. Data retention

We retain configuration and operational data for as long as your organization's subscription is active and for a reasonable period thereafter as required by law or contract.

Behavioral metadata processed through the analytics pipeline is retained in accordance with our data retention policy and your contractual terms.

Upon offboarding, you may request an export of your scored output history, insights and alert history, workflow records, and configuration snapshots. Following the export window, Rhenari disables access and deletes tenant data in accordance with our offboarding policy and your contractual terms. Deletion confirmation is available where contractually required.

Website visitor data is retained for as long as necessary to fulfill the purposes described in this policy, typically no longer than 24 months.

7. Data sharing and disclosure

We do not sell your data. We do not share your data with third parties for advertising purposes.

We may share data in the following limited circumstances:

• Service providers — We work with trusted third-party service providers who assist in operating the platform and Website, including cloud infrastructure providers, analytics tools, and customer support tools. These providers access data only as necessary to perform services on our behalf and are contractually bound to protect it.
• Microsoft — The Rhenari platform is delivered through Microsoft Teams and uses Microsoft Fabric as its analytics engine. Data flows through Microsoft's infrastructure in accordance with Microsoft's terms and privacy practices. Rhenari's use of Microsoft services does not alter our commitments to you under this policy.
• Legal requirements — We may disclose data if required to do so by law, regulation, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Rhenari, our users, or the public.
• Business transfers — In the event of a merger, acquisition, or sale of assets, data may be transferred as part of that transaction. We will notify affected parties as required by law.

8. International data transfers

Rhenari is headquartered in the United States. If your organization is located outside the United States, data we collect may be transferred to and processed in the United States or other countries where our infrastructure providers operate.

Where Rhenari acts as a Data Processor under GDPR, we provide a Data Processing Agreement (DPA) upon request. Region-specific hosting is available subject to contract.

9. Your rights

9.1 All users

You may contact us at privacy@rhenari.com to:

• Request access to personal data we hold about you
• Request correction of inaccurate personal data
• Request deletion of your personal data, subject to legal and contractual retention requirements
• Object to or restrict processing of your personal data in certain circumstances

9.2 European Economic Area and United Kingdom residents (GDPR)

If you are located in the EEA or UK, you have the following additional rights:

• The right to data portability
• The right to lodge a complaint with your local supervisory authority
• Where processing is based on consent, the right to withdraw consent at any time

Rhenari acts as a Data Processor with respect to personal data processed through the Service on behalf of subscribing organizations. In that context, requests relating to individual rights should be directed to the subscribing organization as the Data Controller. We will assist Data Controllers in fulfilling such requests as required by applicable law.

9.3 California residents (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, or sell
• Request deletion of personal information we have collected about you
• Opt out of the sale of personal information — we do not sell personal information
• Non-discrimination for exercising your privacy rights

To exercise your California privacy rights, contact us at privacy@rhenari.com. We will respond to verifiable requests within 45 days as required by law.

10. Children's data

The Rhenari platform is designed for use by enterprise organizations and their employees. It is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected such data, we will delete it promptly.

11. Cookies and tracking

The Website may use cookies and similar tracking technologies to operate core functionality, analyze traffic, and improve the user experience.

You may control cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Website.

We do not currently use advertising cookies or share Website visitor data with advertising networks.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will provide notice through the Website or, where applicable, through the Service. Your continued use of the Website or Service after changes are posted constitutes your acceptance of the updated policy.

13. Contact

For privacy-related questions, requests, or concerns: