This Privacy Policy describes how Compact Machines Inc. (“Compact Machines,” “We,” “Us,” or “Our”) collects, uses, discloses, and protects personal information when you access or use our website, platform, and related services (“Services”). By using the Services, you agree to the practices described in this Policy.

Compact Machines is committed to protecting your privacy, maintaining confidentiality, and complying with applicable data protection laws, including the GDPR, CCPA/CPRA, and PIPEDA, where applicable.

1.Information We Collect

1.1 Information You Provide

We may collect personal information you voluntarily provide, including:

• Name
• Email address
• Company information
• Phone number
• Contact preferences
• Documents, files, or data submitted through the Platform
• Information provided when contacting support or requesting services

You may also provide data when filling out forms, requesting demos, or communicating through the website.

1.2 Integration Data

If you choose to connect optional third-party integrations—such as QuickBooks, Google Drive, Dropbox, CRM systems, or Virtual Data Rooms (VDRs)—we collect only the data you explicitly authorize via the integration permissions. This may include financial records, documents, file metadata, folder structures, or other information required to provide Platform functionality. Compact Machines does not access or retrieve data beyond what you authorize and you may revoke integration access at any time.

1.3 Automatically Collected Information

We automatically collect certain technical and usage information, such as:

• IP address
• Browser type and version
• Operating system
• Device identifiers
• Time stamps and access logs
• Referring and exit pages
• Interaction data and clickstream behavior

This information is collected for security, troubleshooting, fraud monitoring, and optimization.

1.4 Cookies and Tracking Technologies

We use cookies, web beacons, embedded scripts, and similar technologies to:

• Enable essential website functionality
• Maintain session activity
• Improve user experience
• Analyze website performance
• Provide security and identify unusual activity

You may disable cookies in your browser settings. Disabling cookies may limit certain website features.

1.5 Customer Inquiries

When you inquire about products or services, we may collect:

• Name
• Email address
• Mailing address
• Phone number
• IP address
• Location or device data
• Any additional information you choose to provide

1.6 Social Media and Integrations

If you interact with features such as “share,” “like,” or sign-in with social accounts, we may receive information from those platforms in accordance with your privacy settings.

1.7 Embedded Scripts

We may use embedded scripts to collect usage data during interactions with the Services. These scripts load temporarily, operate only while you interact with the site, and are removed thereafter.

2. How We Use Your Information We collect 

We use the information we collect solely for legitimate business purposes, including to:

• Operate, deliver, and maintain the Platform and its core functionality
• Generate SLM-based Outputs, including document analysis, structuring, classifications, and automated summaries
• Train, fine-tune, or optimize private, tenant-specific, or organization-specific SLMs, only when explicitly enabled by the user or Customer
• Improve accuracy, performance, reliability, and quality across all Platform features
• Provide onboarding, technical support, troubleshooting, and user guidance
• Protect the security of the Platform, including preventing misuse, unauthorized access, fraud, or malicious activity
• Conduct logging, auditing, diagnostics, and error detection to maintain system integrity
• Enhance the Platform, develop new features, and optimize system performance
• Comply with legal obligations, including auditing, reporting, and law enforcement requests where required
• You own all AI-generated outputs (reports, summaries, classifications, re-organized data rooms, and any other work product) created from your User Content.

Compact Machines does not:

• Sell personal information
• Share confidential User Content for advertising
• Train public or general-purpose models on your data
• Use your documents for any purpose outside providing and improving the Platform

All processing is restricted to the purposes described above.

3. Data Security

We employ enterprise-grade security practices, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and least-privilege principles
• Multi-factor authentication for internal access
• Secure cloud infrastructure (AWS, GCP, VPC, or on-prem deployment)
• Logging, monitoring, and intrusion detection
• Regular security reviews, audits, and penetration testing
• Network segmentation and firewalling

3.1 Compliance & Certifications

Compact Machines follows industry-standard security practices equivalent to SOC 2 Type II controls. We are currently completing our formal SOC 2 Type II audit (target completion Q2 2026). Upon request and under NDA, we provide a detailed bridging letter, penetration-test summary, and current control matrix to paying customers.

Access to production systems is limited to authorized personnel and logged regularly.

4. Data Retention

We retain User Content only as long as necessary to operate the Platform or to comply with legal obligations. You may request data deletion at any time, and Compact Machines will delete or anonymize data according to our retention schedule unless retention is legally required.

5. Third-Party Processors

Compact Machines may engage sub-processors to support infrastructure, analytics, monitoring, and operational functions. Such processors include:

• Cloud hosting (AWS, GCP, Azure, VPC providers)
• Database services ( managed Postgres)
• Logging tools (Elastic, Datadog, CloudWatch)
• Email and communication services

All sub-processors are contractually bound to confidentiality and security obligations.

6. International Data Transfers

Your data may be processed or stored globally depending on your deployment option (e.g., Canadian region, US region, EU region, custom VPC, or on-prem). When transferring data outside your jurisdiction:

• GDPR: We use Standard Contractual Clauses (SCCs) or equivalent safeguards.
• CCPA: We act as a “Service Provider” and will not sell or share personal information.
• PIPEDA: Transfers comply with Canadian data-protection requirements.

We ensure all transfers are protected by recognized legal mechanisms.

7. Your Rights

Under GDPR (EU/UK residents):

You may:

• Access your data
• Correct inaccurate data
• Request deletion (“right to be forgotten”)
• Restrict or object to processing
• Request data portability
• Withdraw consent

Under CCPA/CPRA (California residents):

You may:

• Request to know what personal information is collected
• Request deletion of personal information
• Request that your personal information not be sold
• Not be discriminated against for exercising your rights

Compact Machines does not sell or share personal information.

Under PIPEDA (Canada):

You may:

• Access personal information
• Request corrections
• Challenge the accuracy of stored information
• Withdraw consent subject to contractual/legal limits

Submit requests to: support@compactmachines.ai

8. Contact Information

For privacy-related questions or rights requests, contact:
Email: support@compactmachines.ai

DATA PROCESSING AGREEMENT (DPA)

This DPA supplements the Terms of Service when Compact Machines processes personal data or confidential business data on behalf of the Customer.

1. Roles of the Parties

The Customer is the Data Controller.
Compact Machines Inc. and Compact Machines Inc. are the Data Processors.

Under CCPA, Compact Machines acts as a Service Provider.
Under PIPEDA, Compact Machines is an Organization Processing on Your Behalf.

2. Purpose of Processing

Compact Machines processes Customer Data solely for:

• Providing services described in the Platform
• Document analysis, structuring, workflow automation
• Generating SLM-based Outputs
• Technical support, debugging, and maintenance

Compact Machines does not process Customer Data for its own purposes.

3. Processor Obligations

Compact Machines shall:

• Process data only per Customer’s instructions
• Implement encryption at rest and in transit
• Maintain administrative, physical, and technical safeguards
• Restrict employee access to necessary personnel
• Ensure confidentiality obligations for all employees
• Ensure sub-processors comply with equivalent protections
• Provide breach notifications without undue delay
• Assist Customer with GDPR, CCPA, or PIPEDA rights requests
• Maintain records of processing activity
• Support compliance audits (subject to reasonable limits)

Compact Machines will not:

• Sell Customer Data
• Use Customer Data for advertising
• Train public models on Customer Data

4. Customer Obligations

The Customer agrees to:

• Provide data lawfully and ensure proper authorization
• Configure user access, permissions, and internal security
• Avoid uploading unlawful or restricted materials
• Ensure user compliance with Terms and this DPA

5. Sub-Processors

Compact Machines may use vetted sub-processors, including:

• Cloud hosting and infrastructure providers
• Database and storage services
• Monitoring and logging tools
• Email service providers

A current list of sub-processors is available upon request.

6. International Transfers

Compact Machines may store or process data globally. For cross-border transfers:

• GDPR: Standard Contractual Clauses (SCCs) apply
• UK GDPR: International Data Transfer Addendum (IDTA) may apply
• PIPEDA: Adequate safeguards maintained
• CCPA: Compact Machines acts strictly as a Service Provider

All transfers follow applicable legal requirements.

7. Data Subject Rights Assistance

Compact Machines will assist Customer in fulfilling data subject rights requests under GDPR, CCPA, or PIPEDA, including access, correction, restriction, deletion, and portability.

8. Return or Deletion of Data

Upon Customer request or termination of services, Compact Machines will delete or return all Customer Data within thirty (30) days, except where retention is legally required. Backup data is purged according to scheduled rotation.

9. Contact for DPA

All privacy and DPA inquiries:
support@compactmachines.ai

COOKIES POLICY

Compact Machines uses cookies and similar technologies to operate and improve the Platform. Cookies may collect information such as browser type, session duration, pages visited, and technical identifiers.

Compact Machines uses:

• Essential cookies for authentication and security
• Functional cookies for preferences and user experience
• Analytics cookies for performance and usage metrics
• No advertising cookies and no sale of cookie data

You may disable cookies through your browser settings, but certain features of the Platform may not function properly without them.

SECURITY POLICY

Compact Machines is committed to maintaining a secure environment for all users. Our security practices include:

• Encryption of data at rest and in transit
• Secure cloud infrastructure (AWS, GCP, or private VPC)
• Zero-trust access controls and MFA
• Regular penetration testing and vulnerability scanning
• Continuous monitoring, SIEM logging, and threat detection
• Network isolation, firewalling, and segmentation
• Strict employee onboarding/offboarding procedures
• Principle of least privilege (PoLP)
• Enforced secure coding practices and code reviews

Compact Machines maintains incident response protocols and will notify affected users of data breaches without undue delay as required by applicable law.