Privacy Policy
EntropyX ("EntropyX", "we", "our") provides an industrial CMMS with a 3D viewer and an AI assistant called Shelby. This page explains what personal data and customer content we process, why we process it, and the rights you have over it.
1. Scope
This policy applies to the EntropyX marketing site and the EntropyX application ("Service"). The Service is in early access. We are onboarding design-partner plants under a separate agreement; any conflict between that agreement and this policy is governed by the agreement.
2. Data we collect
2.1 Account data
When you create an account we collect your name, work email, and the organisation you represent. Passwords are hashed with bcrypt before they reach our database; we never store them in clear text.
2.2 Customer workspace content
Your team uploads 3D models, asset records, work orders, maintenance schedules, runtime data, and supporting documents (PDF, DOCX, XLSX, CSV, TXT, and images up to 20 MB per file). You retain ownership of this content. We process it solely to provide the Service to you.
2.3 Operational telemetry
We collect request logs, error traces, and authentication events needed to operate, debug, and secure the Service. Logs may contain user IDs, workspace IDs, IP addresses, and request paths.
2.4 Marketing-site analytics
If Google Analytics is enabled for the marketing site, we collect aggregate visit data (page, referrer, approximate location, device class). See our Cookie Policy for details and opt-out paths.
3. How we use data
- Provide, secure, and maintain the Service.
- Authenticate users and isolate data per workspace.
- Detect and respond to abuse, attacks, and outages.
- Send transactional email (via Resend) related to your account, work orders, and alerts.
- Send SMS notifications (via Twilio) where you opt in.
- Respond to support requests you initiate.
- Generate AI responses through Shelby (see Section 5).
We do not sell personal data. We do not use customer workspace content to train shared AI models.
4. Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on (i) contract for service delivery, (ii) legitimate interests for security, abuse prevention, and product analytics, (iii) consent for optional cookies and marketing email, and (iv) legal obligation for tax, accounting, and lawful requests.
5. AI processing (Shelby)
Shelby uses an enterprise-grade large language model deployed on a vetted cloud sub-processor under a no-training data agreement. When you query Shelby or upload a document, the relevant text is sent to that provider for inference or embedding generation. The provider is contractually prohibited from retaining your prompts or using them to train its foundation models. The specific provider is disclosed under NDA to qualified buyers as part of our DPA.
Shelby's database tools are read-only and scoped to your workspace. Shelby cannot create, modify, or delete records. It cannot reach the public internet. Outputs are validated to redact accidentally surfaced secrets before they reach you.
6. Sub-processors
We rely on a small set of vetted infrastructure providers. The current list — including purpose and processing region — is published at /subprocessors. We will notify workspace owners by email before adding a new sub-processor that handles customer content.
7. International transfers
EntropyX may process data in jurisdictions outside your own (primarily the United States and the European Union). Where required, we rely on the European Commission's Standard Contractual Clauses or an equivalent transfer mechanism, supplemented by encryption in transit and at rest.
8. Data retention
Active-workspace content is retained for as long as your account is active. On cancellation, we retain workspace content for thirty (30) days to allow recovery, then permanently delete it. Authentication and security logs are retained for up to twelve (12) months. Backups are rotated on a thirty-day cycle.
You can request earlier deletion at any time by emailing [email protected].
9. Your rights
Subject to your jurisdiction, you may have rights to access, correct, export, restrict, or delete your personal data, and to object to certain processing. To exercise any of these rights, email [email protected] from the address associated with your account. We respond within thirty (30) days.
EU/EEA and UK residents have the right to lodge a complaint with their local supervisory authority.
10. Data Processing Agreement
We offer a Data Processing Agreement (DPA) incorporating the EU Standard Contractual Clauses for workspace owners who require one. Request a copy via [email protected].
11. Security
For our technical and organisational controls — authentication, workspace isolation, encryption, and our compliance roadmap — see the Security page.
12. Children
The Service is not directed at children under sixteen. We do not knowingly collect personal data from children. Contact us if you believe a child has provided us data and we will delete it.
13. Changes to this policy
We will update this policy as the product matures. Material changes will be communicated to workspace owners by email at least thirty (30) days before they take effect.
14. Contact
Privacy questions and data-subject requests: [email protected].
Security concerns: [email protected].