Privacy Policy
1. Data Controller
Cyberian Systems (hereinafter "we", "us", "our", or "the Company") is the data controller responsible for processing your personal data as described in this policy. The Company is registered in Quebec, Canada.
Contact for any privacy matter, including the rights set out in section 9: contact@cyberiansystems.ai.
2. Scope of this policy
This policy covers two surfaces:
- The marketing website at cyberiansystems.ai (and its French counterpart). Static HTML pages explaining the platform.
- The verified-inference platform reachable at api.cyberiansystems.ai, used through our Python SDK or directly over HTTPS. Trial signups, API key issuance, job submission, and receipt issuance happen here.
Different data flows apply to each. The sections below specify which.
3. Data we collect when you sign up for a trial
Creating a trial account (at cyberiansystems.ai/signup.html) collects:
- Email address - required, used to deliver your activation link and operational notices.
- Password - never stored in clear. We hash it with bcrypt (cost 12) and discard the plaintext immediately. We additionally perform an anonymized check against the Have I Been Pwned public corpus using k-anonymity: we send only the first five hex characters of the SHA-1 of your password and inspect the response locally - the full hash and the password itself never leave our server.
- Optional account name / company - if you provide one. Free-form text used only as a display label.
- Consent record - a pinned version identifier of the trial terms you accepted at signup. Stored so we can prove what version of the terms you agreed to.
- Network metadata at signup - the source IP address and HTTP request headers of the signup call, retained in coordinator and reverse-proxy logs for abuse detection (typically about 30 days, see section 8).
After you click the activation link in the email we send you:
- Account identifiers are generated: an account UUID, a trial start date, a trial end date, and one API key (prefix cyb_). The plaintext API key is shown to you exactly once - we store only its SHA-256 hash.
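Added example, not Cyberian Systems' code: a Python illustration of the k-anonymity password check described in this section, where only the five-character SHA-1 prefix is handed to the lookup and the match is made locally. The function names, the injected fetch_range callable, and the offline stand-in service with its counts are assumptions constructed for illustration.

```python
import hashlib

def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_body: str) -> int:
    """Search a 'SUFFIX:COUNT' range response for our suffix, locally."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)  # padding-style entries carry a count of 0
    return 0

def is_breached(password: str, fetch_range) -> bool:
    """fetch_range(prefix) -> response body; only the prefix is passed out."""
    prefix, suffix = split_sha1(password)
    return breach_count(suffix, fetch_range(prefix)) > 0

# --- constructed demo data: an offline stand-in for the range lookup ---
SENT = []  # records every value that would have left the server

def fake_range_service(prefix: str) -> str:
    """Answer a prefix query from a tiny constructed 'breached' list."""
    SENT.append(prefix)
    lines = []
    for listed_password, count in (("password", 9999), ("letmein", 42)):
        p, s = split_sha1(listed_password)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("F" * 35 + ":0")  # constructed padding entry, count 0
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("password", "a constructed long passphrase 7391"):
        verdict = "reject" if is_breached(candidate, fake_range_service) else "accept"
        print(f"{candidate!r}: {verdict}")
    print("values sent to the lookup:", SENT)
```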
4. Data we receive through the API
When you call the verified-inference API (using either the Python SDK or direct REST), we receive and process:
- Your inputs - the texts you submit to POST /jobs or POST /verify. We need them to run inference.
- The outputs we compute - the embeddings or other model outputs produced by our infrastructure on your inputs.
- Cryptographic commitments - SHA-256 hashes of your inputs and our outputs, organized into Merkle receipts. These are part of the verification product itself, not separate metadata.
- Usage metadata - timestamps, chunk counts, the model identifier you requested, the verification level you chose, the request IP, and which of your API keys was used. Retained for billing accuracy, abuse detection, and operational debugging.
We do not train any AI model on your inputs or outputs. The platform performs inference and verification only; no learning pipeline reads your data. We do not generate aggregate statistics from your content beyond chunk counts (for quota accounting) and timing metrics (for capacity planning) - neither contains the content of your inputs.
5. Data collected via the website
The marketing website at cyberiansystems.ai does not host a contact form and does not set tracking cookies. No advertising or social-media tracking scripts are loaded.
Aggregate usage analytics (Cloudflare Web Analytics). The site loads the Cloudflare Web Analytics beacon to measure aggregate usage (pages visited, where visitors arrive from, common browsers and operating systems). The tool is privacy-preserving by design:
- no cookies or other persistent identifiers are set on your device;
- no personal data is collected - we never see your name, email address, or any individual identifier;
- your IP address is not stored: Cloudflare derives your country from it at the moment of the request, then discards it;
- the data points received per page view are: page URL, referrer URL, anonymized device type, browser, operating system, screen size, and country;
- visitors located in the European Union are excluded from this collection - the Cloudflare analytics beacon is not loaded for those visits.
Legal basis: legitimate interest in measuring aggregate website performance (Art. 6(1)(f) GDPR; Quebec Law 25 equivalent: legitimate interest tied to the operation of the service). No consent is required because no cookies are set and no personal data (as defined under Law 25 / GDPR) is processed.
Two browser storage mechanisms are used, strictly to make the signup and account flows work:
- sessionStorage on the signup → email-verification → account pages, to hand the freshly-issued API key from the verification landing page to the account dashboard within the same tab session. The key never leaves your browser through this channel and is cleared when you close the tab.
- localStorage on the account page only, optionally, if you check "remember key on this device" - never set automatically.
Neither is a tracking cookie. Both fall under the "strictly necessary" category that does not require consent under Quebec Law 25, CNIL guidance, and the GDPR's ePrivacy framework.
If you email us at any of the addresses published on the site (contact@, support@, models@, upgrade@, privacy@), we receive the information you voluntarily put in that email.
6. Purposes and legal basis
We process your personal data only for the purposes listed below. The legal basis under Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the EU/EEA General Data Protection Regulation (GDPR) is given for each.
| Purpose | Data used | Legal basis |
|---|---|---|
| Provide the trial service you requested | Signup data, API inputs and outputs, usage metadata | Performance of a contract (the trial terms you accepted at signup) - PIPEDA / GDPR Art. 6(1)(b) |
| Issue and verify receipts; prove receipt integrity later | SHA-256 commitments of your inputs and outputs; the receipt itself | Performance of a contract - GDPR Art. 6(1)(b); Law 25 implicit consent |
| Authenticate you; prevent abuse and fraud; enforce quotas | Email, password hash, API key hash, source IP, request logs | Legitimate interest (security and service integrity) - GDPR Art. 6(1)(f); PIPEDA reasonable purpose |
| Send transactional emails (welcome, verification, key rotation, ops alerts visible to you) | Email address | Performance of a contract - GDPR Art. 6(1)(b) |
| Respond to questions you email us | Email content you provide | Legitimate interest / pre-contractual measures - GDPR Art. 6(1)(b) and (f) |
| Comply with legal obligations (e.g. tax records, lawful access requests) | Whatever a specific obligation strictly requires | Legal obligation - GDPR Art. 6(1)(c) |
We do not process your data for advertising, profiling, or automated decision-making that produces legal or similarly significant effects on you.
7. Sub-processors
We use the following infrastructure providers to operate the service. Each one only processes the categories of data we instruct, and only as needed to deliver the function listed.
| Provider | Role | Region |
|---|---|---|
| Google Cloud Platform (Google LLC) | Hosts the coordinator API, PostgreSQL database, and Redis queues. Receives signup data, API inputs and outputs, and operational logs. | Montreal, Canada (northamerica-northeast1) |
| Cloudflare, Inc. | DNS, edge TLS termination, DDoS / WAF, CDN for the website. Sees request metadata (IP, URL, headers). Request bodies are decrypted at the edge only for ephemeral processing and are not persisted beyond it. Also provides Cloudflare Web Analytics for aggregate site-usage measurement (no cookies, no IP stored - see section 5). | Global anycast (traffic terminates at the nearest CF edge to the caller) |
| cPanel hosting provider (current: see contact@ on request) | Serves the static marketing website and the live-demo PHP proxy. Does not receive trial signups directly (those go to the API). | Disclosed on request |
| Google Workspace (Google LLC) | Outbound transactional email (welcome, verification, operational alerts) and the @cyberiansystems.ai mailboxes that receive your replies. | Multiple regions per Google's infrastructure |
We do not currently route customer inputs to third-party compute backends (Modal, RunPod, SaladCloud, etc.). If we add one in the future, this table will be updated and existing customers notified before any of their data is routed through it.
We do not sell, rent, or otherwise share your personal data with parties beyond those listed here.
8. Retention
We keep each category of data only for as long as needed for the purpose it was collected, then delete it or anonymize it.
- Account record (email, password hash, name, trial dates): for the active life of your account. If you ask us to delete your account, we erase the record within 30 days, retaining only what's needed for legal obligations (e.g. anonymized billing aggregates).
- API keys (hashes, labels, last-used timestamps): until you revoke a key, plus 30 days after revocation for audit, then deleted.
- Job inputs and outputs (the texts you submit and the embeddings we return): retained for the duration of your trial and for the receipt-verification window. We are introducing a configurable automatic-purge schedule in Phase 3 (paid tier launch); before that ships, we honor explicit deletion requests promptly. The Merkle receipt itself never contains your raw inputs - only their SHA-256 hashes.
- Receipts (SHA-256-rooted Merkle commitments and the slim public receipt JSON): retained indefinitely, because the receipt is the artifact you may need long after the inputs have been deleted in order to prove that the inference ran correctly. Receipts do not contain your raw inputs or outputs - only cryptographic hashes of them.
- Operational logs (request metadata, IP at request time, error traces): typically about 30 days, longer for entries related to a specific security incident.
- Email correspondence: typically deleted within 12 months after the last interaction, unless an ongoing business relationship continues.
9. Your rights
Under Quebec Law 25, Canada's PIPEDA, and (for European residents) the GDPR, you have the right to:
- Access - request a copy of the personal data we hold about you.
- Rectification - request correction of inaccurate or incomplete data.
- Erasure - request deletion of your data ("right to be forgotten"). Receipts (which contain only hashes of your data) may be retained where deletion would defeat their cryptographic purpose.
- Restriction - request that we limit how we process your data.
- Portability - receive the data you provided to us in a structured, machine-readable format.
- Objection - object to processing based on legitimate interest.
- Withdraw consent - where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint - with the supervisory authority of your jurisdiction (see section 13).
To exercise any of these rights, contact contact@cyberiansystems.ai. We will respond within 30 days. We may ask you to confirm your identity before acting, to prevent us from disclosing your data to someone else.
10. Security
We take the following measures to protect your data:
- Transport encryption. All traffic to cyberiansystems.ai and api.cyberiansystems.ai is over TLS 1.2 or 1.3. The origin server only accepts connections from Cloudflare's published IP ranges - direct origin access is blocked at the cloud firewall and at the host firewall.
- Password handling. Passwords are hashed server-side with bcrypt (cost 12) before storage. The plaintext is discarded immediately. We perform a HaveIBeenPwned k-anonymity check at signup so commonly-breached passwords are rejected; the full hash and the password itself never leave our server.
- API key handling. Plaintext API keys are shown to you exactly once - at issuance, key rotation, or in the verification email. We store only the SHA-256 hash of each key and a 12-character prefix for identification.
- Authorization. Every customer endpoint requires a Bearer token and enforces account-ownership checks on cross-account access (returning 404 to avoid leaking the existence of resources that belong to other accounts).
- Internal protocol. Communication between the coordinator and our worker processes is gated by per-chunk one-time dispatch tokens and a separate worker-only authentication header. None of these tokens are ever visible to customers or accessible from the public Internet.
- Network isolation. The coordinator's internal queues and database are reachable only through a WireGuard tunnel from our worker hosts; they are not exposed on the public Internet. Worker hosts have no inbound public ingress.
- Operational hardening. The infrastructure runs with unattended security updates, fail2ban on SSH, a least-privilege service-account model on cloud resources, and structured request logging with sensitive fields redacted.
- Cloudflare WAF rules. Edge-level filtering blocks attempts to reach internal-only paths or to abuse the API surface via spoofed Host headers.
No system is perfectly secure. If we ever experience a breach affecting your personal data, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (notably 72 hours under GDPR Art. 33 and the corresponding Law 25 timelines).
11. International transfers
Our primary infrastructure is in Montreal, Canada. The sub-processors listed in section 7 may transmit or process data outside Canada or outside the European Economic Area as part of their global infrastructure (notably Cloudflare's anycast edge and Google Workspace's mail routing). Any cross-border transfers rely on the recipient's certification under recognized adequacy mechanisms (e.g. Canada's PIPEDA adequacy decision for transfers between Canada and the EEA, and the EU-US Data Privacy Framework) or appropriate contractual safeguards (e.g. EU Standard Contractual Clauses).
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change - for example, adding a new sub-processor that handles your data, expanding what we collect, or changing retention periods - we will update the "Last updated" date at the top of this page and, for active customers, send a notice to the email address on your account. For non-material changes (clarifications, typo fixes, supervisory-authority URL updates), we update the date only.
13. Supervisory authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority:
- Quebec, Canada: Commission d'accès à l'information du Québec (CAI) - www.cai.gouv.qc.ca
- Canada (federal): Office of the Privacy Commissioner of Canada (OPC) - www.priv.gc.ca
- United States: Federal Trade Commission (FTC) - reportfraud.ftc.gov; California residents may also contact the California Privacy Protection Agency - cppa.ca.gov
- European Union: your local data protection authority under the GDPR