Privacy Policy
1. Our Privacy Commitment
Pramaana Labs builds frontier AI systems for formal verification, secure reasoning, code assurance, proof generation, and related enterprise and government use cases. Our customers may entrust us with sensitive technical, operational, legal, regulated, or government data. We treat that trust as a core product requirement.
Our privacy principles are:
Customer data belongs to the customer.
We do not claim ownership of Customer Content, enterprise data, government data, formal specifications, source code, proof artifacts, prompts, outputs, models, or datasets submitted by customers.
No cross-client data sharing.
Data from one customer is not shared with, exposed to, used for, or made available to another customer.
No training on customer data by default.
We do not use Customer Content to train, fine-tune, adapt, or improve shared models unless the customer has expressly authorized that use in writing.
Customer-specific fine-tuning remains customer-specific.
When Pramaana fine-tunes, adapts, evaluates, or configures a model for an enterprise or government customer, the resulting customer-specific model artifacts are accessible only to Pramaana and that customer, unless the customer gives written authorization otherwise.
Privacy and security by design.
We design our systems around data minimization, access control, auditability, isolation, encryption, secure development, and documented processing instructions.
2. Scope of this Policy
This Privacy Policy explains how Pramaana Labs collects, uses, stores, protects, discloses, and deletes personal data and customer data in connection with:
Pramaana’s websites, portals, and documentation sites.
Pramaana’s AI, formal verification, proof-assistant, code-analysis, model-evaluation, and enterprise/government platforms.
APIs, SDKs, command-line tools, integrations, managed deployments, private cloud deployments, on-premises deployments, and support services.
Customer-specific fine-tuning, model adaptation, evaluation, benchmarking, and deployment services.
Sales, procurement, professional services, customer success, security review, and compliance activities.
This Policy does not replace a negotiated Master Services Agreement, Data Processing Addendum, Government Addendum, Business Associate Agreement, classified-data agreement, Statement of Work, or other written contract. Where a signed customer agreement provides stronger privacy or security protections, that agreement controls.
3. Definitions
Customer means an enterprise, government agency, public-sector body, research institution, prime contractor, systems integrator, or other organization that contracts with Pramaana.
Customer Content means any data, files, code, prompts, outputs, specifications, formal models, theorem statements, proof traces, verification tasks, source repositories, logs, documents, test cases, datasets, binaries, diagrams, annotations, metadata, or other materials submitted to or generated through Pramaana’s services by or for a Customer.
Personal Data means information that identifies, relates to, describes, or can reasonably be linked to an identified or identifiable individual.
Sensitive Data means data requiring heightened protection, including government identifiers, authentication credentials, financial information, health information, biometric data, precise geolocation, children’s data, export-controlled data, confidential business information, classified information, controlled unclassified information, source code, cryptographic material, security vulnerabilities, or other regulated data.
Government Data means data provided by or on behalf of a government customer, including public-sector records, regulated agency data, controlled unclassified information, official-use data, national-security-adjacent data, procurement data, or other government-designated data.
Fine-Tuned Model means a model, adapter, checkpoint, embedding set, retrieval index, evaluation harness, configuration, or model artifact trained, tuned, adapted, or otherwise customized using Customer Content.
Subprocessor means a third party engaged by Pramaana to process Personal Data or Customer Content on Pramaana’s behalf.
4. Our Role: Controller, Processor, Service Provider, or Data Fiduciary
For most enterprise and government workloads, Pramaana acts as a processor, service provider, or equivalent role, processing Customer Content only on behalf of and under the documented instructions of the Customer.
For limited business operations, Pramaana may act as an independent controller or equivalent role for data such as website visitor data, account registration data, billing contacts, sales communications, security logs, support tickets, and compliance records.
Where applicable, Pramaana will support contractual frameworks for GDPR, UK GDPR, CCPA/CPRA, India DPDP, and other privacy laws. UK ICO guidance emphasizes that obligations depend on whether an organization acts as controller, processor, joint controller, or another role, so Pramaana determines its role based on the processing context and the governing customer agreement. (ICO)
5. Data We Collect and Process
5.1 Customer Content
Depending on the services used, Customer Content may include:
Source code, repositories, binaries, build artifacts, test suites, and dependency metadata.
Formal specifications, theorem statements, proof obligations, proof traces, proof scripts, verification conditions, and counterexamples.
Hardware, software, infrastructure, or protocol designs.
Prompts, completions, model outputs, user feedback, annotations, and evaluation results.
Enterprise documents, engineering tickets, regulatory requirements, technical standards, or internal policies.
Government data, if expressly permitted by contract and deployment environment.
Customer-selected datasets for fine-tuning, retrieval, benchmarking, or evaluation.
5.2 Account and Administrative Data
We may collect:
Name, work email, phone number, job title, employer, department, and business contact details.
Authentication data, role assignments, access permissions, and organization membership.
Billing, procurement, tax, purchase order, and contract information.
Support tickets, security questionnaire responses, and communications.
5.3 Usage, Security, and Operational Data
We may collect:
API request metadata, timestamps, system events, error reports, latency, and performance metrics.
Audit logs, access logs, device information, IP address, browser type, and session metadata.
Security telemetry used to detect abuse, unauthorized access, vulnerabilities, policy violations, or service misuse.
5.4 Website and Marketing Data
When someone visits Pramaana’s website or interacts with Pramaana’s public materials, we may collect:
Contact forms, demo requests, newsletter signups, event registrations, and business inquiries.
Cookie and analytics data, subject to applicable consent and opt-out requirements.
Communications with sales, partnerships, recruiting, or investor relations teams.
6. How We Use Data
Pramaana uses data only for legitimate, documented, and privacy-aligned purposes, including:
Providing, operating, securing, monitoring, and improving the services.
Performing formal verification, model inference, proof generation, code analysis, system evaluation, and related technical tasks requested by the Customer.
Authenticating users and enforcing access controls.
Supporting enterprise administration, billing, procurement, onboarding, and customer support.
Detecting, preventing, and responding to security incidents, abuse, fraud, or misuse.
Meeting legal, regulatory, contractual, and government procurement obligations.
Conducting internal quality, reliability, safety, and security testing using appropriately protected, minimized, anonymized, aggregated, or synthetic data where feasible.
Fine-tuning or adapting models only when expressly authorized by the Customer in writing.
We do not use Customer Content for targeted advertising.
We do not sell Customer Content.
We do not share Customer Content for cross-context behavioral advertising.
We do not use one customer’s data to improve, train, or fine-tune another customer’s model.
7. No Cross-Client Data Sharing
Pramaana maintains strict separation between customer environments.
Customer Content from one enterprise or government customer is not:
Disclosed to another customer.
Used to train another customer’s model.
Used to generate outputs for another customer.
Included in another customer’s retrieval index, fine-tuned model, benchmark set, evaluation set, or analytics.
Reviewed by personnel assigned to another customer unless expressly authorized under a written agreement.
Pramaana applies tenant isolation, logical separation, access controls, audit logging, and internal confidentiality obligations to prevent unauthorized cross-customer access.
8. AI Training, Fine-Tuning, and Model Customization
8.1 Default Rule: No Training on Customer Content
Pramaana does not train, fine-tune, adapt, distill, or otherwise improve shared or general-purpose models using Customer Content unless the Customer has expressly authorized that use in a written agreement.
8.2 Customer-Specific Fine-Tuning
If a Customer authorizes Pramaana to use Customer Content for fine-tuning or model adaptation:
The Fine-Tuned Model is created only for that Customer.
Access to the Fine-Tuned Model is limited to Pramaana and that Customer.
The Fine-Tuned Model is not made available to other customers.
Customer Content used for fine-tuning is not commingled with other customer datasets.
The Fine-Tuned Model is not used to provide services to another customer.
Pramaana will document the scope, data sources, purpose, access rights, retention period, deletion process, and security controls for the fine-tuning engagement.
Fine-tuning may be performed in a private tenant, dedicated environment, customer cloud, government cloud, on-premises environment, or other contractually approved deployment model.
8.3 Evaluation and Benchmarking
Pramaana may evaluate customer-specific models for accuracy, reliability, safety, hallucination resistance, proof soundness, code security, vulnerability detection, formal-methods correctness, and compliance with agreed technical requirements. Evaluation artifacts are treated as Customer Content unless otherwise agreed.
8.4 General Research
Pramaana may conduct general AI, formal methods, verification, safety, and security research. However, Customer Content is excluded from general research unless the Customer has given explicit written authorization or the data has been irreversibly anonymized or aggregated so that it cannot reasonably identify the Customer, its users, systems, or confidential information.
The EU AI Act includes obligations for certain general-purpose AI models, including transparency and risk-management expectations, and Pramaana’s AI governance program is designed to support applicable AI-law obligations without weakening customer confidentiality commitments. (Digital Strategy)
9. Government and Regulated Workloads
Pramaana recognizes that government and regulated customers may require enhanced controls. Where required by contract, Pramaana will support additional safeguards, including:
Data residency and sovereign cloud requirements.
Dedicated tenants or isolated deployments.
Customer-managed encryption keys.
Government-only or customer-approved support personnel.
Enhanced audit logging and access review.
Background checks or citizenship/residency restrictions for personnel, where applicable.
Incident reporting procedures aligned with agency requirements.
Compliance mapping to applicable government security frameworks.
Restrictions on subcontractors and subprocessors.
Secure deletion, return, and evidence-of-destruction workflows.
Export-control, procurement, public-sector, or classified-data handling requirements, where expressly agreed.
Pramaana does not knowingly accept classified data, export-controlled data, defense-restricted data, protected health information, criminal justice information, or other highly regulated data unless the governing agreement expressly authorizes that processing and the approved environment is designed for that data category.
For U.S. federal cloud workloads, FedRAMP is a government-wide program for standardized, reusable security assessment and authorization for cloud products and services that process unclassified agency information; Pramaana will only represent FedRAMP authorization status where such status has been formally achieved and is applicable to the relevant service boundary. (FedRAMP)
10. Security Measures
Pramaana uses administrative, technical, and organizational safeguards appropriate to the nature of the data and the risk of processing. These may include:
Encryption in transit and at rest.
Role-based and least-privilege access controls.
Multi-factor authentication for administrative access.
Tenant isolation and environment segmentation.
Audit logs for access to Customer Content.
Secure software development practices.
Vulnerability management and patching.
Security monitoring, alerting, and incident response.
Backup and disaster recovery controls.
Secrets management and key management.
Access reviews and personnel offboarding procedures.
Confidentiality obligations for personnel and contractors.
Security review of subprocessors.
Data minimization and retention controls.
Because Pramaana specializes in formal verification, Pramaana may also apply formal methods, model checking, proof-based validation, or mathematically rigorous assurance techniques to selected components where appropriate and technically feasible.
NIST describes its Privacy Framework as a voluntary tool for helping organizations identify and manage privacy risk while protecting individuals’ privacy; Pramaana’s privacy program is designed to align with this kind of risk-based privacy management approach. (NIST)
11. Access to Customer Content
Pramaana personnel may access Customer Content only when necessary to:
Provide the services.
Troubleshoot or support customer-requested issues.
Secure, monitor, or maintain the platform.
Investigate suspected misuse, abuse, or security incidents.
Comply with legal or contractual obligations.
Perform customer-authorized fine-tuning, evaluation, or professional services.
Access is limited by role, need-to-know, authentication, authorization, confidentiality obligations, and logging. Where contractually required, Pramaana can support customer approval workflows before support personnel access Customer Content.
12. Subprocessors and Third Parties
Pramaana may use subprocessors to provide infrastructure, hosting, storage, monitoring, analytics, support, communications, billing, security, or other business-critical services.
Pramaana will require subprocessors that process Customer Content or Personal Data to:
Process data only for authorized purposes.
Maintain confidentiality obligations.
Use appropriate security measures.
Support deletion or return of data.
Assist with incident response and legal compliance.
Not use Customer Content for their own training, advertising, or unrelated purposes.
For enterprise and government customers, Pramaana will provide a list of material subprocessors upon request or through a trust portal. Where required by contract, Pramaana will provide advance notice of new subprocessors and an opportunity to object.
13. International Data Transfers and Data Residency
Pramaana may process data in countries where Pramaana, its affiliates, infrastructure providers, or subprocessors operate, subject to customer agreements and applicable law.
For regulated, enterprise, or government workloads, Pramaana can support agreed data residency, sovereign cloud, region lock, dedicated infrastructure, or customer-managed deployment requirements.
Where cross-border transfers of Personal Data are required, Pramaana will use appropriate transfer mechanisms, which may include Standard Contractual Clauses, adequacy decisions, transfer impact assessments, or other lawful mechanisms. The European Commission adopted Standard Contractual Clauses for controller-processor relationships and for transfers of personal data outside the EEA. (European Commission)
14. Data Retention
Pramaana retains data only for as long as necessary to provide the services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, or satisfy customer instructions.
Unless otherwise agreed:
Customer Content is retained for the duration of the customer relationship.
Customer Content is deleted or returned after termination according to the applicable agreement.
Backups are deleted according to Pramaana’s backup lifecycle.
Security logs may be retained for security, audit, compliance, and incident-response purposes.
Fine-Tuned Models are retained only for the period agreed with the Customer.
Support records and business communications may be retained as required for legal, compliance, and operational purposes.
Customers may request deletion of Customer Content in accordance with their agreement and applicable law.
15. Deletion and Return of Customer Content
Upon termination or written request, Pramaana will delete or return Customer Content as required by the governing agreement.
For enterprise and government customers, Pramaana can support:
Secure deletion workflows.
Return of Customer Content in an agreed format.
Deletion of fine-tuning datasets.
Deletion or transfer of Fine-Tuned Models.
Deletion certificates or attestations, where contractually required.
Backup expiration aligned with defined retention periods.
Pramaana may retain limited data where required by law, security obligations, dispute resolution, audit requirements, or government records obligations.
16. Personal Data Rights
Depending on applicable law, individuals may have rights to:
Access Personal Data.
Correct inaccurate Personal Data.
Delete Personal Data.
Restrict or object to certain processing.
Port Personal Data.
Withdraw consent.
Opt out of sale or sharing of Personal Data.
Limit use of Sensitive Personal Data.
Appeal certain decisions.
Lodge a complaint with a supervisory authority.
California’s CCPA/CPRA provides rights including the rights to know, delete, opt out of sale or sharing, correct, and limit sensitive-data use, as well as the right to non-discrimination. (California DOJ Attorney General)
For Customer Content, Pramaana usually acts as a processor or service provider. Individuals seeking to exercise rights relating to data controlled by a Customer should contact that Customer directly. If Pramaana receives a request relating to Customer-controlled data, Pramaana may refer the request to the Customer or assist the Customer in responding, as required by contract and law.
For data where Pramaana acts as controller, individuals may contact:
17. Children’s Data
Pramaana’s services are intended for enterprise, government, professional, and institutional use. They are not directed to children.
Pramaana does not knowingly collect children’s Personal Data through its public website or services unless expressly authorized under a customer agreement and permitted by applicable law.
Where children’s data is processed for a government, education, research, or regulated customer, Pramaana will process it only under documented customer instructions and applicable legal safeguards.
18. Cookies and Similar Technologies
Pramaana may use cookies, pixels, local storage, and similar technologies on its public websites to:
Operate the website.
Remember preferences.
Measure website performance.
Understand business engagement.
Improve content and navigation.
Support security and fraud prevention.
Where required by law, Pramaana will obtain consent before using non-essential cookies. Users may manage cookie preferences through browser settings or Pramaana’s cookie controls, where available.
Pramaana does not use Customer Content for advertising cookies or behavioral advertising.
19. Automated Decision-Making and AI Outputs
Pramaana provides AI-assisted tools for formal verification, reasoning, code assurance, proof support, evaluation, and technical analysis. Outputs may assist customers in decision-making, but Pramaana does not intend its services to replace human review for high-impact, legal, employment, financial, healthcare, national security, safety-critical, or rights-affecting decisions unless expressly governed by a contract, validated use case, and applicable legal safeguards.
Customers are responsible for determining whether their use of Pramaana services is appropriate for their legal, regulatory, operational, safety, and governance requirements.
Pramaana supports human oversight, logging, evaluation, benchmarking, and auditability features for enterprise and government deployments.
20. Confidentiality
Pramaana treats Customer Content as confidential information.
Pramaana personnel, contractors, and subprocessors with access to Customer Content are bound by confidentiality obligations. Pramaana does not disclose Customer Content except:
To provide the services.
As instructed by the Customer.
To approved subprocessors under appropriate obligations.
To comply with law, court order, or lawful government request.
To prevent harm, fraud, abuse, or security threats.
As otherwise permitted by the governing agreement.
21. Legal Requests and Government Access
If Pramaana receives a legal demand for Customer Content, Pramaana will, unless legally prohibited:
Notify the Customer.
Redirect the requesting authority to the Customer where appropriate.
Challenge or narrow overbroad requests where legally available and commercially reasonable.
Disclose only the minimum information required by law.
For government customers, legal request handling may be governed by agency-specific, sovereign, national security, classified, or public records requirements.
22. Incident Response and Breach Notification
Pramaana maintains an incident response program designed to detect, investigate, contain, remediate, and notify affected parties of security incidents.
If Pramaana determines that a security incident has affected Customer Content or Personal Data, Pramaana will notify affected Customers without undue delay and in accordance with the applicable agreement and law.
Pramaana will provide available information reasonably necessary for the Customer to meet its own legal, regulatory, contractual, and government reporting obligations.
23. Compliance and Customer Assurance
Upon request and subject to confidentiality, Pramaana may provide enterprise and government customers with appropriate security and privacy assurance materials, such as:
Security whitepapers.
Data flow diagrams.
Subprocessor lists.
Data Processing Addendum.
Government or regulated workload addenda.
Technical and organizational measures.
Penetration test summaries.
Vulnerability management summaries.
Audit reports or certifications, if available.
Security questionnaire responses.
Model governance and AI risk documentation.
Fine-tuning data handling documentation.
Pramaana does not claim certification, authorization, or compliance status unless formally achieved and applicable to the relevant service, deployment, region, and control boundary.
24. Data Minimization
Pramaana seeks to minimize the data it collects and processes.
Customers are responsible for configuring services, access controls, retention settings, and integrations appropriately. Customers should not submit Sensitive Data, classified data, export-controlled data, health data, children’s data, or other regulated data unless the governing agreement and deployment environment authorize that processing.
Pramaana may provide features to help customers redact, filter, minimize, pseudonymize, anonymize, or segregate data.
25. Customer Responsibilities
Customers are responsible for:
Ensuring they have the legal right to submit Customer Content to Pramaana.
Providing required notices and obtaining required consents from their users, employees, contractors, citizens, or data subjects.
Configuring access controls, identity providers, retention settings, regions, and integrations.
Reviewing outputs before relying on them in production, legal, regulated, safety-critical, or government contexts.
Ensuring their use of Pramaana complies with applicable laws, procurement rules, AI governance rules, cybersecurity requirements, and internal policies.
Not submitting data that is prohibited under the applicable agreement.
26. Changes to this Policy
Pramaana may update this Privacy Policy from time to time. If we make material changes, we will provide notice through our website, customer portal, email, contract notice process, or other appropriate means.
The “Last Updated” date at the top of this Policy indicates when it was most recently revised.
27. Contact Us
For privacy questions, data requests, or complaints:
Pramaana Labs Privacy Team
Email: privacy@pramaanalabs.ai
For security reports:
Pramaana Labs Security Team
Email: security@pramaanalabs.ai
For enterprise or government compliance inquiries:
Pramaana Labs Trust / Compliance Team
Email: trust@pramaanalabs.ai
Optional Addendum Language for Enterprise and Government Contracts
The following language may be added to MSAs, DPAs, procurement responses, or trust center pages:
Customer Data Isolation Commitment
Pramaana Labs contractually and technically separates Customer Content between customers. Pramaana will not disclose, expose, train on, fine-tune with, benchmark against, or otherwise use one customer’s Customer Content for the benefit of another customer. Each customer’s data, model artifacts, retrieval indexes, evaluation records, and fine-tuning outputs are logically isolated and access-controlled.
Customer-Specific Model Commitment
Where a model is fine-tuned, adapted, or customized using Customer Content, the resulting Fine-Tuned Model and related artifacts are restricted to Pramaana and the relevant Customer. Pramaana will not use that Fine-Tuned Model to serve, support, benchmark, train, or improve services for any other customer without the Customer’s prior written authorization.
No General Training Without Authorization
Pramaana will not use Customer Content to train, fine-tune, distill, or improve shared foundation models, general-purpose models, or services made available to other customers unless expressly authorized in a written agreement signed by the Customer.
Government Data Handling
Pramaana will process Government Data only in accordance with the applicable government contract, security addendum, data handling instructions, and deployment boundary. Pramaana will not accept classified, export-controlled, controlled unclassified, defense-restricted, criminal justice, health, or other specially regulated data unless expressly authorized by contract and supported by an approved environment.