Optra Prism — Privacy Policy

Effective Date: April 4, 2026
Last Updated: April 4, 2026
Entity: Grumatic, Inc. ("Company," "we," "us," "our")


1. Introduction

This Privacy Policy describes how Grumatic, Inc. ("Optra Prism," "we," "us") collects, uses, shares, and protects information when you use the Optra Prism platform, website (prism.optra-ai.com), dashboard, APIs, Claude Code Plugin, and related services (collectively, the "Service").

This Privacy Policy applies to:

  • Website visitors who browse our marketing site and documentation
  • Platform users who create accounts, install the Plugin, and use the Dashboard
  • API consumers who interact with our Ingest Service or Prism Engine endpoints

For the processing of Customer Data (as defined in our Terms of Service) — including telemetry, prompts, traces, logs, and metrics — our Data Processing Agreement (DPA) governs the specific obligations and rights. This Privacy Policy and the DPA should be read together.

2. Information We Collect

2.1 Information You Provide Directly

Data Type | Examples | Purpose
--- | --- | ---
Account Information | Name, email address, organization name, password | Account creation and authentication
Billing Information | Payment method, billing address | Subscription management (processed by Stripe; we do not store full card numbers)
Communications | Support requests, emails, feedback | Customer support and product improvement
Profile Preferences | Notification settings, dashboard preferences, theme | Personalization

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

Data Type | Examples | Purpose
--- | --- | ---
Device & Browser Data | IP address, browser type and version, operating system, device type, screen resolution | Service delivery, security, and analytics
Usage Data | Pages visited, features used, click patterns, session duration, timestamps | Product improvement and analytics
Log Data | Server logs, error reports, API request metadata (endpoints called, response codes, latency) | Debugging, monitoring, and security

2.3 Customer Data (Platform Data)

When you use the Platform (via the Plugin, SDK, or API), the following data is processed:

Data Type | Examples | Source
--- | --- | ---
Telemetry Data | OTLP traces, logs, metrics from AI coding sessions | Plugin / OTLP endpoints
Prompt Data | LLM prompts, completions, model metadata | Plugin / Prompt capture API
Prism Scores | Prompt Efficiency Scores, Sub-Session Efficiency Scores, Skill score, and coaching recommendations | Generated by Prism Engine
Analytics Data | Tool usage, error rates, efficiency metrics, vibe metrics | Derived from telemetry

Important: Customer Data is owned by you and processed solely to provide the Service. See Section 5 for our commitments regarding Customer Data.

2.4 Information from Third Parties

Source | Data Type | Purpose
--- | --- | ---
Authentication Providers | OAuth profile (name, email, avatar) via Supabase Auth | Single sign-on
Payment Processor | Transaction status, billing events | Subscription management

3. How We Use Your Information

We use collected information for the following purposes:

Service Operation

  • Provide, maintain, and improve the Platform
  • Authenticate users and manage accounts
  • Process and display telemetry, analytics, and PRISM Scores
  • Generate intelligence outputs (waste detection, throttle analysis, rightsizing)
  • Respond to support requests

Security and Compliance

  • Detect and prevent fraud, abuse, and security threats
  • Monitor for unauthorized access
  • Comply with legal obligations
  • Enforce our Terms of Service

Product Improvement

  • Analyze usage patterns to improve features (using Operational Metadata only)
  • Create Aggregate Data for benchmarking and research
  • Debug errors and improve reliability

Communications

  • Send transactional emails (account verification, billing, security alerts)
  • Send product updates and feature announcements (opt-out available)
  • Respond to inquiries and support requests

We do NOT use your information for:

  • Selling Personal Data to third parties
  • Behavioral advertising or ad-tech profiling
  • Training machine learning models on Customer Data (see Section 5)

4. Legal Basis for Processing (EEA/UK Users)

If you are in the European Economic Area or United Kingdom, our legal bases for processing are:

Basis | Applies To
--- | ---
Performance of contract | Account management, service delivery, billing, Customer Data processing
Legitimate interests | Security, fraud prevention, product improvement (using Operational Metadata), analytics
Consent | Marketing emails, optional analytics, cookies beyond strictly necessary
Legal obligation | Tax records, law enforcement requests, regulatory compliance

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

5. Customer Data Commitments

Given that Optra Prism processes sensitive developer telemetry and AI interaction data, we make the following commitments:

5.1 No Model Training. We do not use Customer Data to train, fine-tune, develop, or improve any machine learning models — ours or any third party's. This applies during and after your use of the Service.

5.2 Purpose Limitation. Customer Data is processed exclusively to: (a) provide the Service to you, (b) generate PRISM Scores and intelligence outputs for your account, (c) comply with legal obligations.

5.3 Third-Party LLM Processing. When LLM-powered features are enabled (e.g., LLM PRISM scoring, insights reports), minimal prompt data may be sent to:

  • Anthropic (Claude) — governed by Anthropic's API terms, which prohibit training on API inputs
  • OpenAI — governed by OpenAI's API terms, which prohibit training on API inputs by default

You control which LLM features are active. You may disable all third-party LLM processing via the Dashboard settings, in which case only heuristic (Rust-native) scoring is used.

5.4 Data Isolation. Each customer's data is logically isolated. Customer Data is never shared with, visible to, or accessible by other customers.

5.5 Encryption. Customer Data is encrypted using TLS 1.2+ in transit and AES-256 at rest. API keys (gck_*) are encrypted with AES-256-GCM using a master encryption key.

6. How We Share Information

We share information only in the following circumstances:

6.1 Service Providers (Sub-processors)

We use the following categories of service providers who process data on our behalf:

Provider | Purpose | Data Processed
--- | --- | ---
AWS (Amazon Web Services) | Cloud infrastructure, S3 storage, compute | Customer Data (encrypted), Operational Metadata
Supabase | PostgreSQL database, authentication | Account data, PRISM Scores, session metadata
Stripe | Payment processing | Billing information
NATS | Message streaming (self-hosted) | Customer Data (in transit, ephemeral)

All sub-processors are bound by data processing agreements. A current list is maintained at [optra-ai.com/legal/sub-processors].

6.2 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request. We will notify you before disclosure unless legally prohibited, and will challenge overly broad requests.

6.3 Business Transfers

In connection with a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your information becomes subject to a different privacy policy.

6.4 With Your Consent

We may share information with third parties when you explicitly direct us to do so (e.g., integrations you configure).

6.5 Aggregate Data

We may share Aggregate Data (de-identified, anonymized, non-attributable) with third parties for research, benchmarking, or industry reports. Aggregate Data cannot reasonably be used to identify you or any individual.

We do NOT:

  • Sell Personal Data
  • Share Personal Data with advertising networks
  • Provide Personal Data to data brokers

7. Data Retention

Data Type | Retention Period
--- | ---
Account Information | Duration of account + 30 days after deletion request
Customer Data (telemetry, prompts, scores) | Configurable by customer; default 90 days. Deleted within 30 days of account termination (after the 30-day export window)
Operational Metadata | 12 months
Aggregate Data | Indefinitely (cannot identify individuals)
Billing Records | As required by tax law (typically 7 years)
Server Logs | 90 days
Backup Copies | Purged within 90 days of primary deletion

You can request early deletion of Customer Data at any time via the Dashboard or by contacting privacy@optra-ai.com.

8. Your Rights

8.1 All Users

Regardless of location, you may:

  • Access your account data and Customer Data via the Dashboard
  • Export your data via the Dashboard or API
  • Delete your account and associated data
  • Opt out of marketing communications
  • Disable LLM-powered features
  • Configure data retention periods

8.2 EEA/UK Users (GDPR)

If you are in the EEA or UK, you additionally have the right to:

  • Access: Request a copy of your Personal Data in a structured, commonly used, machine-readable format
  • Rectification: Request correction of inaccurate Personal Data
  • Erasure: Request deletion of your Personal Data ("right to be forgotten")
  • Restriction: Request that we limit processing of your Personal Data
  • Portability: Receive your Personal Data in a portable format and transmit it to another controller
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time for consent-based processing
  • Lodge a Complaint: File a complaint with your local supervisory authority

To exercise these rights, contact privacy@optra-ai.com. We will respond within 30 days.

GDPR Representatives:

8.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know: Request disclosure of Personal Information collected, used, and shared in the past 12 months
  • Delete: Request deletion of your Personal Information
  • Correct: Request correction of inaccurate Personal Information
  • Opt Out of Sale/Sharing: We do not sell or share Personal Information for cross-context behavioral advertising. No opt-out is necessary
  • Non-Discrimination: We will not discriminate against you for exercising your rights

Categories of Personal Information Collected (past 12 months):

Category | Collected | Sold | Shared for Ads
--- | --- | --- | ---
Identifiers (name, email, IP) | Yes | No | No
Commercial information (billing) | Yes | No | No
Internet activity (usage data) | Yes | No | No
Professional information (organization) | Yes | No | No
Geolocation (IP-derived, approximate) | Yes | No | No

To exercise these rights, contact privacy@optra-ai.com or call [to be established].

8.4 Other Jurisdictions

We respect privacy rights under applicable laws worldwide, including but not limited to Brazil's LGPD, Canada's PIPEDA, and Australia's Privacy Act. Contact privacy@optra-ai.com to exercise your rights under local law.

9. Cookies and Tracking

9.1 Types of Cookies

Type | Purpose | Examples
--- | --- | ---
Strictly Necessary | Authentication, security, session management | Supabase auth cookies (sb-*-auth-token*), CSRF tokens
Functional | User preferences, theme, locale | Dashboard settings, theme preference
Analytics | Usage patterns, feature adoption | [Analytics provider to be selected]

9.2 Managing Cookies

  • Browser Controls: You can block or delete cookies via your browser settings. Blocking strictly necessary cookies may impair functionality.
  • Do Not Track: We honor Do Not Track (DNT) browser signals. When DNT is enabled, we disable non-essential analytics tracking.

9.3 No Advertising Cookies

We do not use advertising cookies, tracking pixels for ad networks, or cross-site tracking technologies. We do not participate in real-time bidding or ad exchanges.

10. International Data Transfers

Customer Data is primarily processed and stored in the United States (AWS us-east-1 region). If you are located outside the United States:

  • EEA/UK: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical measures (encryption, access controls), for transfers of Personal Data.
  • Other Jurisdictions: We implement appropriate safeguards as required by applicable law.

We are evaluating EU data residency options. Contact sales@optra-ai.com for current availability.

11. Data Security

We implement comprehensive security measures including:

  • Encryption: TLS 1.2+ in transit; AES-256 at rest; AES-256-GCM for API keys
  • Access Control: IAM role-based access to cloud infrastructure (no static credentials); least-privilege principles; multi-factor authentication for internal systems
  • Infrastructure: Dedicated VPC; network segmentation; firewall rules; DDoS protection
  • Monitoring: Continuous security monitoring; automated alerting; audit logging
  • Practices: Regular security reviews; dependency vulnerability scanning; secure development lifecycle

No system is 100% secure. If you discover a vulnerability, please report it to security@optra-ai.com.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect Personal Data from children. If we learn that we have inadvertently collected Personal Data from a child under 18, we will promptly delete it. Contact privacy@optra-ai.com if you believe we have collected data from a minor.

13. Third-Party Links and Integrations

The Service may contain links to third-party websites or integrate with third-party services (e.g., GitHub, IDE extensions). We are not responsible for the privacy practices of third parties. We encourage you to review their privacy policies.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website with a revised "Last Updated" date
  • Sending email notification to the address on your account
  • Displaying a notice in the Dashboard

Material changes take effect 30 days after notification. Continued use of the Service after the effective date constitutes acceptance. If you disagree with a material change, you may terminate your account.

15. Contact Us

For privacy-related inquiries, data subject requests, or complaints:

Grumatic, Inc.
Email: privacy@optra-ai.com
Website: optra-ai.com/legal

Data Protection Officer: dpo@optra-ai.com

For unresolved concerns, you may contact your local data protection authority.


Appendix: Data Flow Summary

Developer Machine
│
├── Claude Code Plugin ──→ Ingest Service (ingest.prism.optra-ai.com)
│   (prompts, telemetry)    │
│                           ├── Auth: validates gck_* key
│                           ├── NATS JetStream (publish)
│                           │
│                           │   Prism Engine (internal)
│                           │   ├── NATS → S3 (Parquet, AES-256)
│                           │   ├── PRISM Scoring → Postgres
│                           │   └── DataFusion → Query API
│                           │
└── Dashboard (dashboard.prism.optra-ai.com) ◄──┘── API responses (scores, analytics)
    (view scores, analytics)

All data encrypted in transit (TLS 1.2+) and at rest (AES-256). Customer Data isolated per organization. No cross-customer access.