Privacy policy

Last updated: March 12, 2026

Our commitment to your privacy

Stractal is committed to protecting your privacy and handling your data responsibly. We do not sell your personal information. We do not use your source code to train AI models. We provide the same privacy protections across all subscription tiers.

1. Definitions

In this Privacy Policy, the following terms have the meanings set forth below:

Term	Definition
"Stractal," "we," "us," "our"	Stractal, a company based in Burnaby, British Columbia, Canada, and its affiliates
"Services"	The Stractal platform, website, APIs, AI features, and all related services, including wiki synthesis, blueprint generation, and the AI chat assistant
"You," "your," "User"	Any individual or entity that accesses or uses the Services
"Personal Information" / "Personal Data"	Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household
"Customer Data"	Source code, repository data, and any content you provide to or upload through the Services
"AI Output"	Functional-Domain Wikis, Blueprint Bundles, architecture diagrams, impact analyses, chat responses, and any other content generated by AI models through the Services
"Usage Data"	Automatically collected data about how you interact with the Services, including feature usage metrics, performance data, device information, and access logs
"Sub-processor"	A third-party service provider that processes Personal Information on behalf of Stractal
"AI Gateway"	The pass-through transmission of your Customer Data to third-party AI model providers (e.g., Google Gemini) for processing. We do not store raw prompts or AI model responses unless explicitly saved by you as AI Output

Capitalized terms not defined in this Policy have the meanings assigned in our Terms of Service.

2. Overview

This Privacy Policy ("Policy") describes how Stractal collects, uses, stores, shares, and protects your Personal Information when you use our Services.

This Policy applies to all users of the Services, regardless of subscription tier (Free, Pro, or Max). By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you must not access or use the Services.

This Policy should be read in conjunction with our Terms of Service. In the event of any conflict between this Policy and the Terms of Service, the Terms of Service shall prevail to the extent of the conflict.

3. Information we collect

3.1 Account information

When you create an account, we collect:

Email address and display name (from registration or OAuth provider)
OAuth profile data from Google or GitHub (name, avatar URL, provider user ID)
Authentication tokens (securely stored, not accessible to Stractal personnel)

3.2 Repository and source code data

When you connect a GitHub repository, we access:

Repository metadata (name, description, language, visibility, default branch)
File and directory structure (file names, paths, sizes)
Source code file contents (transmitted to Google Gemini for AI processing via our AI Gateway on a pass-through basis)
Dependency information (package files, import/export relationships)

Important: Stractal does not permanently store your raw source code on our servers. Source code is read from GitHub, transmitted to Google Gemini for processing, and discarded after wiki synthesis is complete. Only the AI Output (Functional-Domain Wiki content and derived metadata) is stored in our database. We do not store raw prompts or AI model responses unless you explicitly save them as part of the Services.

3.3 Generated content (AI Output)

We store AI-generated outputs associated with your account:

Functional-Domain Wikis (domain hierarchies, descriptions, dependencies)
Blueprint Bundles (technical design documents)
Architecture diagrams (domain relationship graphs)
Feature specifications and impact analyses
Chat conversation history with the AI assistant

AI Output disclaimer: All AI Output is generated by third-party AI models and may contain errors, inaccuracies, incomplete information, or hallucinations. AI Output does not constitute professional software engineering, legal, security, or architectural advice. Reliance on AI Output is entirely at your own risk. See Section 20 (Disclaimer of warranties) for further details.

3.4 Usage Data

We automatically collect:

Feature usage information (which Services you use, frequency, actions taken)
AI processing metrics (token usage, processing time, model version)
Device and browser information (browser type, operating system, screen resolution)
IP address (hashed for privacy), approximate geographic location, and access timestamps
Referring URLs and pages visited within the Services
Error logs and performance data

3.5 Billing information

For paid subscriptions, Stripe collects and processes your payment information (credit card number, billing address, transaction history). Stractal does not directly collect, store, or have access to your full credit card numbers. We receive from Stripe: subscription status, plan tier, billing cycle dates, and the last four digits of your payment card for display purposes.

3.6 Information we do not intentionally collect

We do not intentionally collect special categories of Personal Data (also known as "sensitive personal information"), including but not limited to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation. You should not include such information in your source code, repository data, or communications with Stractal. If you believe that you have inadvertently provided such information, please contact us immediately at privacy@stractal.com.

4. How we use your information

We use the information we collect for the following purposes:

Purpose	Data used
Provide and operate the Services	Account, repository, AI Output
Process wiki synthesis and blueprint generation	Repository data, source code (transient, via AI Gateway)
Process payments and manage subscriptions	Billing information (via Stripe)
Send transactional communications	Email address (via SendGrid)
Monitor, maintain, and improve the Services	Usage Data, error logs
Detect, prevent, and address fraud, abuse, or security issues	Account, Usage Data, IP address
Enforce our Terms of Service	Account and Usage Data
Comply with legal obligations	As required by law
Generate anonymized, aggregated analytics	Usage Data (de-identified)

We do not use raw or identifiable Personal Data to train, fine-tune, or improve any AI or machine learning model. We may anonymize and aggregate Usage Data and use it for any lawful purpose, including product analytics, benchmarking, and industry reporting. Once data has been anonymized in such a manner that it can no longer be associated with an identifiable individual, it is no longer considered Personal Information under this Policy.

5. Legal bases for processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your Personal Data under the following legal bases as defined in the General Data Protection Regulation (EU) 2016/679 ("GDPR"), UK GDPR, and Swiss Federal Act on Data Protection ("FADP"):

Legal basis	Processing activities
Contract performance (Art. 6(1)(b))	Account creation, service delivery, wiki synthesis, subscription management, payment processing
Legitimate interests (Art. 6(1)(f))	Product improvement, security monitoring, fraud prevention, aggregated analytics, enforcing Terms of Service, protecting our rights
Consent (Art. 6(1)(a))	Marketing communications, optional analytics cookies, optional functional cookies
Legal obligation (Art. 6(1)(c))	Tax records, regulatory compliance, law enforcement requests, court orders
Vital interests (Art. 6(1)(d))	Protection of an individual's vital interests in emergency situations (extremely rare; used only when necessary to protect life)

Where processing is based on consent, you may withdraw your consent at any time by contacting us at privacy@stractal.com or by adjusting your account settings. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.

6. AI processing and your source code

Stractal does not train AI models on your code

Your source code is never used by Stractal to train, fine-tune, or improve any AI or machine learning model. This applies equally to all subscription tiers (Free, Pro, and Max).

6.1 How your code is processed

When you initiate wiki synthesis or blueprint generation:

Stractal reads your source code files from GitHub via the GitHub API using your authorized OAuth token
File contents are transmitted to Google Gemini via the Google AI API for real-time AI processing (AI Gateway, pass-through basis)
Google Gemini analyzes the code and returns structured domain analysis, wiki content, and architectural insights
The AI Output (not your raw source code) is stored in our Supabase database
Your raw source code is discarded from Stractal's systems after processing is complete

6.2 Google Gemini data handling

Your source code is processed by Google Gemini through the Google AI API. Per Google's API terms:

API input data is not used by Google to train its foundation models (per Google's API data usage policy)
Data may be temporarily cached by Google for processing purposes and is subject to Google's data retention policies
Processing occurs in Google's cloud infrastructure, which may span multiple geographic regions

For more information, refer to Google's Generative AI Additional Terms and Google's Privacy Policy.

6.3 AI Output accuracy and reliability

Important: Our Services provide AI-assisted tools that can generate or suggest documentation, architectural analysis, and code blueprints, but they are not a substitute for professional software engineering judgment. AI Output may contain errors, inaccuracies, hallucinations, incomplete analysis, or biased interpretations. Reliance on AI Output is entirely at your own risk. You are solely responsible for reviewing, validating, and determining the suitability of any AI Output before using it in any context, including but not limited to production systems, security decisions, or architectural planning.

7. Ownership of data and AI-generated content

7.1 Your Customer Data

You retain all ownership rights in your Customer Data (source code, repository content, and any materials you provide to the Services). By using the Services, you grant Stractal a limited, non-exclusive, revocable license to access and process your Customer Data solely for the purpose of providing the Services to you.

7.2 AI Output

Subject to your compliance with the Terms of Service, you may use AI Output generated through the Services for your own purposes. Stractal does not claim ownership of AI Output generated from your Customer Data. However, Stractal makes no representations or warranties regarding the originality, accuracy, completeness, or fitness for any purpose of any AI Output.

7.3 Usage Data

Stractal owns all Usage Data. We may use, anonymize, aggregate, and derive insights from Usage Data for any lawful purpose, including product analytics, service improvement, benchmarking, and industry reporting, without restriction and without compensation to you.

8. Third-party service providers (sub-processors)

We share your information with the following Sub-processors who process data on our behalf. Each provider is contractually bound to process your data only for the specified purposes and in accordance with applicable data protection laws.

Provider	Purpose	Data shared	Location
GitHub	Repository access, OAuth	OAuth tokens, API requests	United States
Google (Gemini)	AI processing (AI Gateway)	Source code, metadata (transient, pass-through)	United States
Supabase	Authentication, database, storage	Account data, AI Output, application data	United States
Stripe	Payment processing	Billing info, subscription status	United States
SendGrid (Twilio)	Transactional email delivery	Email address, message content	United States
Vercel	Hosting, CDN, edge functions	Request data, IP address, server logs	United States / Global CDN

Third-party availability: The Services rely on third-party providers, including but not limited to Supabase, Google, GitHub, and Stripe. We cannot guarantee the uninterrupted availability, security, or performance of these third-party services. Data interruptions, delays, or losses may occur due to actions or events beyond our control, including third-party service outages, force majeure events, or changes in third-party terms or policies. Stractal shall not be liable for any loss, damage, or disruption arising from the acts, omissions, or failures of any third-party service provider.

We may update this list of Sub-processors from time to time. We will provide at least 30 days' notice before adding a new Sub-processor that handles Personal Information. Material changes will be communicated via email to your registered address. If you object to a new Sub-processor, you may terminate your use of the Services.

10. Data retention

We retain your information for as long as necessary to provide the Services and fulfill the purposes described in this Policy. Specific retention periods:

Data category	Retention period
Account information	While account is active + 30 days after account deletion
Source code (transient)	Not retained — discarded after AI processing
Wiki and blueprint data (AI Output)	While account is active + 30 days after account deletion
Usage and analytics data	Up to 12 months (anonymized after retention period)
Server/access logs	Up to 90 days
Payment and billing records	As required by tax and financial law (typically 7 years)
Support communications	24 months after last communication
Cookie consent records	Duration of consent + up to 3 years for audit trail compliance
System backups	May persist in encrypted backups for up to 90 days

When data is deleted, it is permanently removed from our active systems. Residual copies in encrypted backups are automatically purged according to our backup rotation schedule.

Notwithstanding the above, we may retain Personal Information for longer periods where required by applicable law (e.g., tax records, fraud prevention, legal defense) or where necessary to protect our legitimate interests. We will notify you of any extended retention upon request.

11. International data transfers

Stractal is based in Canada. Your data may be transferred to and processed in countries outside your country of residence, including:

Canada: Primary business operations and application management
United States: Cloud infrastructure (Supabase, Vercel), AI processing (Google Gemini), payment processing (Stripe), email delivery (SendGrid), and repository access (GitHub)

11.1 Safeguards for EEA/UK/Swiss users

For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not received an adequacy determination, we rely on the following mechanisms:

EU adequacy decisions: Canada has received a partial adequacy determination from the European Commission for transfers under PIPEDA
EU-US Data Privacy Framework (DPF): Where applicable, our US-based Sub-processors may rely on the EU-US Data Privacy Framework for transatlantic data transfers
Standard Contractual Clauses (SCCs): We use EU-approved SCCs (Module 2: Controller-to-Processor) with our US-based Sub-processors
UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or the UK Addendum to the EU SCCs as appropriate
Swiss Addendum: For transfers from Switzerland, we apply the Swiss Federal Data Protection Act (FADP) requirements alongside the applicable SCCs
Supplementary measures: We implement additional technical and organizational safeguards as needed, including encryption, pseudonymization, and access controls

11.2 PIPEDA compliance (Canada)

As a Canadian company, Stractal complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the British Columbia Personal Information Protection Act (PIPA). These laws govern how we collect, use, and disclose personal information in the course of our commercial activities.

12. Your privacy rights

Depending on your location, you may have the following rights regarding your Personal Information:

12.1 Rights for all users

Access: Request a copy of the Personal Information we hold about you
Deletion: Request deletion of your account and Personal Information (subject to legal retention requirements and legitimate interests)
Portability: Export your wikis, blueprints, and account data in machine-readable format (JSON)
Correction: Request correction of inaccurate Personal Information
Opt-out: Unsubscribe from marketing communications at any time

12.2 Additional rights for EEA/UK/Swiss residents (GDPR)

Restrict processing: Request restriction of processing in certain circumstances
Object to processing: Object to processing based on legitimate interests or for direct marketing purposes
Withdraw consent: Withdraw consent for consent-based processing at any time without affecting the lawfulness of prior processing
Lodge a complaint: File a complaint with your local data protection authority (supervisory authority)
Automated decision-making: Stractal does not make automated decisions with legal or similarly significant effects based solely on automated processing, including profiling, as defined in GDPR Article 22

12.3 Exercising your rights

To exercise any of these rights, contact us at privacy@stractal.com. We will respond to your request within 30 days (or sooner if required by applicable law). We may ask you to verify your identity before processing your request. You may also manage certain preferences directly through your privacy settings.

We will not discriminate against you for exercising any of your privacy rights. However, some rights are not absolute and may be subject to our legitimate interests, legal obligations, or regulatory requirements.

13. Jurisdiction-specific provisions

13.1 California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to know: Request disclosure of the categories and specific pieces of Personal Information collected, the sources, the business purposes, and the categories of third parties with whom it is shared
Right to delete: Request deletion of Personal Information, subject to certain exceptions
Right to correct: Request correction of inaccurate Personal Information
Right to opt-out of sale/sharing: Stractal does not sell or share (as defined by CCPA/CPRA) your Personal Information. No opt-out is necessary, but you may submit a request at any time
Right to limit use of sensitive personal information: Stractal does not use sensitive personal information for purposes other than those permitted under the CPRA
Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

We honor Global Privacy Control (GPC) signals as a valid opt-out of sale/sharing request under the CCPA/CPRA.

13.2 Virginia (VCDPA)

Virginia residents have rights under the Virginia Consumer Data Protection Act (VCDPA), including the right to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, or profiling. To appeal a decision regarding your request, contact us at privacy@stractal.com.

13.3 Colorado (CPA)

Colorado residents have rights under the Colorado Privacy Act (CPA), including access, correction, deletion, portability, and opt-out of targeted advertising, sale, or profiling. We honor universal opt-out mechanisms as required by the CPA.

13.4 Connecticut (CTDPA)

Connecticut residents have rights under the Connecticut Data Privacy Act (CTDPA), including access, correction, deletion, portability, and opt-out of targeted advertising, sale, or profiling. We provide an appeal process for denied requests.

13.5 Utah (UCPA)

Utah residents have rights under the Utah Consumer Privacy Act (UCPA), including access, deletion, and opt-out of sale or targeted advertising.

13.6 Other jurisdictions

If you are located in a jurisdiction with applicable data protection laws not specifically addressed above, we will endeavor to comply with the requirements of those laws to the extent they apply to our processing of your Personal Information. Nothing in this Policy is intended to limit any rights you may have under mandatory applicable consumer protection or data protection legislation.

14. Cookies and tracking technologies

Stractal uses cookies and similar technologies to operate the Services, remember your preferences, and understand how you use our platform. We follow an opt-in consent model for non-essential cookies, in compliance with GDPR and ePrivacy requirements.

14.1 Cookie categories

Category	Purpose	Examples	Consent required
Strictly necessary	Essential for core functionality — authentication, security, consent storage	Authentication session tokens, CSRF protection, consent preference cookie	No (required)
Analytics	Understand how users interact with the Services — page views, feature usage, performance metrics	Anonymized usage analytics, performance monitoring	Yes (opt-in)
Functional	Remember your preferences and UI customizations	Theme preference, sidebar state, language settings	Yes (opt-in)

14.2 No marketing or advertising cookies

Stractal does not use marketing, advertising, or tracking cookies. We do not engage in behavioral advertising, retargeting, or cross-site tracking. We do not share cookie data with ad networks or data brokers.

14.3 Managing your cookie preferences

You can manage your cookie preferences at any time through:

The cookie consent banner displayed on your first visit
The "Cookie preferences" button in the website footer
Your privacy settings page (for authenticated users)
Your browser's cookie settings

Disabling optional cookies will not affect core Service functionality. Strictly necessary cookies cannot be disabled as they are essential for the Services to function.

14.4 Do Not Track and Global Privacy Control

Stractal honors Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we treat it as a valid opt-out request under applicable privacy laws (including CCPA/CPRA).

Regarding Do Not Track (DNT) browser signals: there is currently no universally accepted standard for how to respond to DNT signals. We do not currently respond to DNT signals, but we do honor GPC signals as described above.

14.5 Cookie retention

Consent preference cookies are retained for up to 1 year and are renewed upon subsequent consent actions. Analytics cookies are deleted or anonymized after a maximum of 13 months, in compliance with data protection authority recommendations.

15. Data security

We implement reasonable industry-standard technical and organizational measures to protect your information, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
Secure authentication via OAuth 2.0 (no passwords stored in plaintext)
Role-based access controls for internal systems
Database access logging and monitoring
Row-level security (RLS) policies on all database tables
Regular security reviews of application code
IP address hashing (SHA-256) for consent audit records

No guarantee of security: Despite our reasonable security measures, no method of electronic transmission over the Internet or method of electronic storage is 100% secure or error-free. We cannot and do not guarantee the absolute security of your information. You acknowledge that you transmit data to and through the Services at your own risk. You are responsible for maintaining the confidentiality of your account credentials, OAuth tokens, and any other authentication mechanisms. Stractal shall not be liable for any unauthorized access to your account resulting from your failure to safeguard your credentials.

If you have reason to believe that your account or data has been compromised, please contact us immediately at security@stractal.com.

16. Data breach notification

In the event of a data breach that affects your Personal Information, Stractal will:

Notify affected users within 72 hours of discovering the breach (as required by GDPR and PIPEDA), or as soon as reasonably practicable where notification within 72 hours is not feasible
Provide details of the breach, including the nature of the data affected, the approximate number of individuals affected, and the likely consequences
Describe the measures taken to address the breach and mitigate its effects
Report the breach to the relevant supervisory authority where required by law
Cooperate with you in your own regulatory notification obligations where applicable

Written notice of the breach is available upon request. Breach notifications will be sent to your registered email address and/or posted as a prominent notice on our website.

17. Children's privacy

The Services are not directed at and are not intended for use by individuals under the age of 18. We do not knowingly collect Personal Information from anyone under the age of 18. If you are under 18, you may not use the Services.

If you are a parent or guardian and believe your child has provided Personal Information to us without your consent, please contact us at privacy@stractal.com. If we learn that we have collected Personal Information from a person under 18, we will take steps to delete that information promptly and terminate the associated account.

18. EU AI Act transparency

In compliance with the European Union Artificial Intelligence Act (EU AI Act, Regulation (EU) 2024/1689), we provide the following transparency disclosures:

AI system disclosure: Stractal uses artificial intelligence (Google Gemini large language models) to analyze source code and generate documentation. All interactions with our AI chat assistant are interactions with an AI system, not a human
AI-generated content labeling: All Functional-Domain Wikis, Blueprint Bundles, and impact analyses are AI-generated content and are labeled as such within the platform
Model information: The primary AI model used is Google Gemini, accessed via the Google AI API. The specific model version is configurable and may change as Google releases updates. We use the model version specified in our environment configuration
Known limitations: AI-generated outputs may contain errors, hallucinations, incomplete analysis, biased interpretations, or outdated information. Human review and validation are required before relying on any AI Output for any purpose
Human oversight: All AI-generated content is presented for user review. Users must validate outputs before making decisions or taking actions based on them. Stractal does not deploy autonomous AI systems that act without human oversight
No automated decision-making: Stractal does not use AI to make automated decisions about individuals that produce legal effects or similarly significant effects. AI-generated content is informational and advisory only

If you use Stractal's AI Output in systems subject to EU AI Act high-risk classifications, you are solely responsible for implementing the required risk management, documentation, transparency, human oversight, and accuracy measures as mandated by the applicable risk category.

19. Third-party links and services

The Services may contain links to third-party websites, services, or resources that are not owned or controlled by Stractal, including but not limited to GitHub, Google, and Stripe. This Policy does not apply to those third-party services.

We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through the Services. Your use of third-party services is at your own risk and is subject to the terms and conditions and privacy policies of those third parties.

20. Disclaimer of warranties

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES AND ALL AI OUTPUT ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, ACCURACY, COMPLETENESS, RELIABILITY, OR AVAILABILITY.

WITHOUT LIMITING THE FOREGOING, STRACTAL DOES NOT WARRANT THAT: (A) THE SERVICES WILL MEET YOUR REQUIREMENTS OR BE AVAILABLE ON AN UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE BASIS; (B) THE RESULTS OBTAINED FROM THE USE OF THE SERVICES (INCLUDING ANY AI OUTPUT) WILL BE ACCURATE, RELIABLE, COMPLETE, OR FREE FROM ERRORS OR HALLUCINATIONS; (C) ANY DEFECTS IN THE SERVICES WILL BE CORRECTED; OR (D) THE SERVICES OR SERVERS THAT MAKE THE SERVICES AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

AI OUTPUT IS GENERATED BY THIRD-PARTY LARGE LANGUAGE MODELS AND DOES NOT CONSTITUTE PROFESSIONAL SOFTWARE ENGINEERING, LEGAL, SECURITY, COMPLIANCE, OR ARCHITECTURAL ADVICE. YOU BEAR SOLE RESPONSIBILITY FOR ANY DECISIONS OR ACTIONS TAKEN IN RELIANCE ON AI OUTPUT. STRACTAL EXPRESSLY DISCLAIMS ANY LIABILITY FOR LOSSES, DAMAGES, OR HARM ARISING FROM YOUR RELIANCE ON AI OUTPUT.

21. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL STRACTAL, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, LICENSORS, OR SERVICE PROVIDERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, REVENUE, GOODWILL, DATA, USE, OR OTHER INTANGIBLE LOSSES, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, RESULTING FROM OR ARISING OUT OF:

YOUR USE OF OR INABILITY TO USE THE SERVICES
ANY AI OUTPUT, INCLUDING BUT NOT LIMITED TO ERRORS, INACCURACIES, HALLUCINATIONS, OR OMISSIONS IN AI-GENERATED CONTENT
ANY UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR DATA, TRANSMISSIONS, OR ACCOUNT
ANY CONDUCT OR CONTENT OF ANY THIRD PARTY ON OR RELATED TO THE SERVICES, INCLUDING THIRD-PARTY SERVICE PROVIDERS
ANY DATA INTERRUPTIONS, DELAYS, OR LOSSES DUE TO THIRD-PARTY PROVIDER ACTIONS OR EVENTS BEYOND OUR CONTROL, INCLUDING FORCE MAJEURE EVENTS
ANY OTHER MATTER RELATING TO THE SERVICES

IN NO EVENT SHALL STRACTAL'S TOTAL AGGREGATE LIABILITY EXCEED THE GREATER OF: (A) THE AMOUNTS YOU HAVE PAID TO STRACTAL IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM; OR (B) ONE HUNDRED CANADIAN DOLLARS (CAD $100.00).

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES. IN SUCH JURISDICTIONS, OUR LIABILITY SHALL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW. NOTHING IN THIS SECTION SHALL EXCLUDE OR LIMIT LIABILITY FOR: (I) DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE; (II) FRAUD OR FRAUDULENT MISREPRESENTATION; OR (III) ANY OTHER LIABILITY THAT CANNOT LAWFULLY BE EXCLUDED OR LIMITED.

22. Indemnification

To the maximum extent permitted by applicable law, you agree to indemnify, defend, and hold harmless Stractal, its affiliates, officers, directors, employees, agents, licensors, and service providers from and against any and all claims, demands, actions, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

Your use of the Services or any activity under your account
Your reliance on any AI Output, including but not limited to any decisions or actions taken based on AI-generated content
Your violation of this Policy or the Terms of Service
Your violation of any applicable law, rule, or regulation
Your infringement or misappropriation of any third-party rights, including intellectual property rights
Any content you provide to the Services (Customer Data) that causes harm to a third party
Any privacy or security claims arising from interactions with third-party service providers facilitated through the Services
Your misuse of the Services causing cost spikes, excessive resource consumption, or damage to Stractal or third parties

This indemnification obligation shall survive the termination of your account and your use of the Services. In jurisdictions where consumer protection laws prohibit or limit indemnification obligations, this section applies to the maximum extent permitted by applicable law.

23. Governing law and dispute resolution

23.1 Governing law

This Policy and any disputes arising out of or related to it or the Services shall be governed by and construed in accordance with the laws of the Province of British Columbia and the federal laws of Canada applicable therein, without regard to conflict of law principles.

23.2 Dispute resolution

Any dispute, controversy, or claim arising out of or relating to this Policy or the Services shall first be resolved through good faith negotiation between the parties for a period of not less than thirty (30) days. If the dispute cannot be resolved through negotiation, it shall be submitted to binding arbitration administered under the rules of the British Columbia International Commercial Arbitration Centre (BCICAC), or its successor, seated in Vancouver, British Columbia, Canada. The language of arbitration shall be English. The arbitral award shall be final and binding.

23.3 Exceptions for EEA/UK residents

If you are located in the EEA or the UK, nothing in this section shall deprive you of the protection afforded by mandatory provisions of consumer protection or data protection law in your country of residence. You retain the right to bring claims in your local courts and to lodge complaints with your local data protection supervisory authority.

23.4 Class action waiver

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, YOU AGREE THAT ANY DISPUTE RESOLUTION PROCEEDINGS WILL BE CONDUCTED ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION. YOU WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS ACTION OR CLASS-WIDE ARBITRATION. IF FOR ANY REASON A CLAIM PROCEEDS IN COURT RATHER THAN IN ARBITRATION, YOU WAIVE ANY RIGHT TO A JURY TRIAL.

24. Changes to this privacy policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Send an email notification to your registered email address at least 30 days before the changes take effect
Display an in-app notification upon your next login
Increment the consent version, which may trigger a new cookie consent prompt

Your continued use of the Services after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree with the revised Policy, you must stop using the Services and delete your account.

For revisions that are materially less restrictive in how we use or share your Personal Information, we will obtain your affirmative consent before the changes take effect.

25. Contact information

If you have questions about this Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:

Stractal — Privacy team

Burnaby, BC, Canada

Privacy inquiries: privacy@stractal.com

Security issues: security@stractal.com

General inquiries: support@stractal.com

We will endeavor to respond to all privacy-related inquiries within 30 days of receipt, or sooner where required by applicable law.

For EEA/UK residents, if you are not satisfied with our response to your privacy request, you have the right to lodge a complaint with your local data protection supervisory authority.