SpaltX

Legal · Updated June 2026

Privacy Policy

SpaltX builds AI and agent systems, multi-tenant platforms, and document-intelligence pipelines, and operates a gated client platform on top of that work. We practice data minimization, encrypt sensitive fields, never sell your data, and never train models on your tenant content. This page explains what we collect, why, and how we protect it.

01What we collect

Inbound forms: the name, email, optional company, and message you submit so we can respond to your inquiry. We record a coarse request IP and timestamp for abuse prevention and bot protection.

Platform account identity: your email address, which is the identity we authenticate. Sign-in is by email magic link plus a TOTP two-factor code; TOTP secrets are stored encrypted, never in plaintext.

Membership and role data: which tenant workspace you belong to, your role within it, and the permissions that follow from that role.

Tenant content you create: the material you bring into your workspace, including documents you upload for extraction, AI-agent configurations, project and deliverable records, and support correspondence.

02How we use it

To respond to inquiries and review access requests, to operate your workspace and the products within it, and to meet legal and contractual obligations.

To secure accounts: enforcing multi-factor authentication, running anomaly detection on sign-in and privileged actions, and maintaining audit records of access to tenant data.

We do not use your tenant content to train models. AI and agent processing runs under your entitlement and stays within your tenant boundary; your content is never pooled into a shared training set.

03How we protect it

Tenant data is isolated two ways: by scoping every query in the application, and by Postgres row-level security that holds even if the application code is wrong.

Sensitive columns are encrypted at the field level, separate from transport encryption, so that the most sensitive data is protected even at rest within the database.

Access to production data is limited to what each person needs, and it is logged. Staff must use multi-factor sign-in, sensitive actions require an extra check, and every action against tenant data is recorded.

04Document extraction

Our document-intelligence pipeline keeps what the model reads separate from what the system decides. Verbatim capture is stored apart from any normalized values, business-rule outcomes, or downstream decisions.

Every document carries a per-document audit trail that traces each extracted field back to its source, and low-confidence output is routed to human review rather than silently accepted.

05Your rights

You may request access to, correction of, or deletion of your personal data. On deletion, tenant data is tombstoned so it is no longer served or processed.

Audit logs are retained for integrity and security, but are scrubbed of payload PII so the record of what happened survives without preserving the underlying sensitive content.

To exercise any of these rights, contact privacy@spaltx.com.

06Email & sign-in

Sign-in and other account email is sent from an authenticated domain (SPF, DKIM, and DMARC aligned) to keep delivery trustworthy and hard to spoof.

Public forms and sign-in give the same response whether or not an account exists, so the system cannot be used to find out who has an account.

07Contact

Questions about this policy or about how we handle your data can be sent to privacy@spaltx.com. For security reports specifically, use security@spaltx.com.