IsoKron Privacy Policy
Effective date: [PENDING — set on launch]
Last updated: 2026-05-09
This Privacy Policy describes how IsoKron ("IsoKron", "we", "us") collects, uses, stores, and shares information when you use the IsoKron platform at isokron.ai (the "Service").
1. Who we are
IsoKron is the data controller for personal data processed in connection with the Service. Contact: privacy@isokron.ai.
2. Information we collect
2.1 Information you provide
- Account information. When you sign up, you provide an email address, name, and organization name. Authentication is handled by our identity provider (Clerk); we receive a stable `user_id` and `org_id` from Clerk's verified profile.
- Project declarations. Free-form text you submit describing the software project you want IsoKron to compile. Treat this as an instruction to the platform, not as protected speech — it is processed by language models and stored as the source of truth for the resulting compilation.
- BYOK API keys. You bring your own keys (BYOK) for upstream language-model providers (Anthropic, OpenAI, Google, xAI). Keys are encrypted at rest using AES-256-GCM and decrypted only at the moment a stage of the compiler invokes the upstream provider on your behalf.
- Reference documents. Optional supporting context you attach to a compilation (existing READMEs, code excerpts, screenshots).
- Customer-review responses. When the platform pauses for human review, your accept/reject verdicts and any free-text notes.
2.2 Information we collect automatically
- Usage telemetry. Compilation counts, stage durations, success/failure rates, token consumption, error codes. Used to maintain service quality and to enforce rate limits and budget caps.
- Audit events. A complete, append-only ledger of significant actions taken on or by your workspace (BYOK additions and revocations, compilation start/finish, customer review submissions, security-relevant events). Audit events are workspace-scoped.
- Request metadata. IP address, user agent, timestamps, request IDs. Used for security, abuse prevention, and operator-side debugging.
- Compilation artifacts. The structured graph (components, decisions, tickets, acceptance tests) the compiler produces from your declaration. Stored in your workspace's Postgres schema.
2.3 Information we do not collect
- We do not request, collect, or process payment information for the Service itself in v1. The Service is operated on a BYOK basis: you pay your upstream language-model providers directly under their billing terms. If we introduce paid IsoKron tiers in the future, this Policy will be updated and you will be notified.
- We do not collect biometric data, precise geolocation, or special-category personal data as defined by GDPR Article 9.
3. How we use information
We use the information described in Section 2 to:
- Provide and operate the Service — running your compilation pipeline, persisting results to your workspace, surfacing them in the dashboard.
- Authenticate you and route requests to your workspace via the four-layer tenant isolation model (RLS + JWT claim + append-only audit + worker-side workspace filter).
- Decrypt your BYOK key for the duration of a single upstream language-model invocation and zero the key from memory immediately afterward. We never persist a decrypted key to disk and never log key material.
- Run a security egress filter ("the Critic") on every compilation before it is committed. The Critic detects prompt-injection attempts, parasitic-chaining patterns, and other security-relevant signals. The Critic is operated by IsoKron; we pay for its language-model invocations.
- Maintain the audit log for workspace activity, used by you for review and by us for operator support and incident response.
- Detect and respond to abuse, security incidents, and violations of the Acceptable Use Policy.
- Communicate with you about the Service, including transactional emails (BYOK rotations, compilation completions, security alerts, budget warnings). Marketing email is opt-in.
- Comply with legal obligations.
We do not use your declarations, reference documents, or compilation outputs to train any machine-learning model. We do not share customer content with third parties for advertising. Upstream language-model providers process your data under their own terms when you direct IsoKron to call them with your BYOK key — see Section 6.
4. Legal bases for processing (EU/UK)
For users in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases (GDPR Article 6):
- Performance of a contract — for processing necessary to operate the Service for you.
- Legitimate interests — for security, abuse prevention, and audit logging. We have determined these interests do not override your rights and freedoms.
- Compliance with a legal obligation — for retention of records required by law.
- Consent — for marketing email and any future processing requiring it.
5. Sharing and disclosure
We share information only as described below.
5.1 Sub-processors
We use the following sub-processors to operate the Service. Each is contractually bound to confidentiality and security obligations consistent with this Policy and the Data Processing Agreement.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Postgres database, auth integration, BYOK key encryption | United States |
| Cloudflare | Cold-tier audit log archival (R2), edge networking | Global |
| Clerk | Identity / authentication | United States |
| Doppler | Operator-side secret management (does not touch customer data) | United States |
| Fly.io | Application hosting | Multi-region |
| Resend | Transactional email | United States |
| Anthropic | Layer 4 security Critic (operator-paid, processes your compiled graph for safety review only) | United States |
The list of sub-processors and their respective DPAs is also published at https://isokron.ai/legal/sub-processors and is updated when changes occur. EU/UK customers are notified of additions or replacements at least 30 days in advance via the dashboard or email; you may object during that window.
5.2 Upstream language-model providers (BYOK)
When you direct IsoKron to invoke an upstream language-model provider (Anthropic, OpenAI, Google, xAI) using your BYOK key, that provider receives the prompt content and any reference documents you have attached. The provider processes that data under its own terms of service and privacy policy, which you accept by configuring your BYOK key for IsoKron. We do not act as your data controller for those upstream invocations — you are.
5.3 Legal disclosures
We may disclose information when required by law, court order, or other valid legal process; to enforce our agreements; to protect the rights, property, or safety of IsoKron, our customers, or the public; or in connection with a corporate transaction (merger, acquisition, financing, or sale of assets), in which case we will give notice and provide an opportunity to object where required by law.
5.4 Aggregated and de-identified data
We may use and share aggregated or de-identified data — data that cannot reasonably be used to identify you or your workspace — for analytics, product improvement, and public reporting.
6. International data transfers
The Service is operated from the United States and multi-region Fly.io edges. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States or other countries where our sub-processors operate. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) where required, available on request.
7. Data retention
| Category | Retention period |
|---|---|
| Account information | For the life of the account, plus 30 days after deletion |
| Project declarations and compilation artifacts | For the life of the workspace, plus 30 days after deletion |
| BYOK encrypted key material | Until you revoke the key, plus immediate zeroing on revocation |
| Audit log (hot tier) | 90 days |
| Audit log (cold tier R2 archival) | 7 years |
| Telemetry and request metadata | 13 months |
| Backups | 35 days, rolling |
You may request earlier deletion at any time (see Section 8).
8. Your rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Access — obtain a copy of the personal data we hold about you.
- Correction — correct inaccurate or incomplete personal data.
- Deletion — request deletion of your personal data, subject to retention obligations.
- Portability — receive a machine-readable export of personal data you provided.
- Restriction — restrict our processing of your personal data in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — withdraw consent at any time where processing is based on consent.
- Lodge a complaint — with your local data protection authority. EEA/UK customers may also contact our representative (see Section 12).
To exercise these rights, email privacy@isokron.ai. We will respond within 30 days.
9. Security
We protect your information using:
- TLS 1.3 in transit.
- AES-256-GCM at rest for sensitive material, including BYOK key plaintext.
- Workspace-scoped row-level security on every table containing customer data.
- Append-only audit logging with 7-year retention.
- A dedicated security egress filter (the Critic) that reviews every compilation before it is committed, designed to detect prompt-injection and parasitic-chaining attacks.
- Defense-in-depth secret management: operator-side credentials managed in Doppler with runtime injection; customer BYOK keys encrypted in Supabase Vault with sodium-native zeroization on read.
- Minimum-privilege access controls; service-role credentials are scoped per workload and audited.
No system is perfectly secure. We will notify affected customers of a confirmed personal-data breach without undue delay and within the window required by applicable law (typically 72 hours for GDPR Article 33).
10. Children's data
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@isokron.ai and we will delete it.
11. California, Virginia, and other US state rights
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another US state with similar legislation, you have additional rights under the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, or equivalent. These rights generally include:
- The right to know the categories and specific pieces of personal information we have collected about you.
- The right to delete personal information.
- The right to correct inaccurate personal information.
- The right to opt out of the "sale" or "sharing" of personal information. IsoKron does not sell or share personal information for cross-context behavioral advertising.
- The right to non-discrimination for exercising these rights.
To exercise California rights, see the "Your California Privacy Rights" section at https://isokron.ai/legal/ca or email privacy@isokron.ai.
12. EU representative / UK representative
[PENDING — operator to designate Article 27 representative if processing personal data of EEA / UK residents at scale.]
13. Changes to this Policy
We will post the revised Policy on this page and update the "Last updated" date. For material changes affecting how we process personal data, we will notify you by email or in-product notice at least 30 days before the change takes effect.
14. Contact us
- General privacy questions: privacy@isokron.ai
- Security concerns / vulnerability reports: security@isokron.ai
- Mail: [PENDING — operator address]