SemSwitch Privacy Policy
Version: 1.0
Effective Date: January 1, 2026
This Privacy Policy explains how SemSwitch, Inc. ("Company," "we," "us," or "our") collects, uses, discloses, and retains information when you (a) visit our public website and related marketing pages (the "Site"), and/or (b) use our governance control plane, evidence services, SDKs, APIs, and related tooling (the "Services").
This Privacy Policy does not describe the privacy practices of third parties you may interact with through integrations or links.
1. Scope
1.1 Site vs. Services
Site: Public-facing pages and communications (e.g., contact forms, sales inquiries, newsletter sign-ups).
Services: SemSwitch product functionality, including evidence capture and verification, policy/guard distribution, optional LLM governance endpoints, optional cross-tenant intelligence features, and optional tooling (including an installer).
1.2 Customer Deployments
SemSwitch is built for enterprise use. In many deployments, the Customer (the organization using SemSwitch) determines what data is sent into the Services, including what end-user identifiers or content are included in evidence events.
If you are an end user of a Customer (e.g., you interacted with a Customer's application that is instrumented with SemSwitch), privacy requests about that Customer's data should generally be directed to the Customer. See Section 12.
2. Definitions
"Personal Data": Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual.
"Customer": The organization that enters into an agreement with SemSwitch for the Services (or that otherwise authorizes use of the Services).
"Authorized User": An individual the Customer authorizes to access the Services (e.g., administrators, developers, compliance users).
"End User": An individual who uses or interacts with a Customer's product or service that integrates SemSwitch.
"Customer Data": Data submitted to the Services by or on behalf of a Customer or Authorized Users, or collected via a Customer's integration (including evidence events, configuration snapshots, policy inputs, logs, and related artifacts).
"Evidence Artifacts": Cryptographic and audit-related records produced by the Services (for example: tamper-evident event-chain metadata, Merkle roots/batches, timestamp or anchoring receipts, and verification reports).
"Cross-Tenant Insights": Optional features that generate aggregated benchmarks/patterns across multiple participating Customers using privacy-preserving contribution signals (see Section 9).
3. Roles: Controller vs. Processor
SemSwitch's role depends on context:
Site Personal Data: SemSwitch generally acts as a controller for Personal Data collected on the Site (e.g., marketing inquiries).
Customer Data in the Services: In many enterprise arrangements, SemSwitch acts as a processor/service provider for Customer Data, and the Customer acts as the controller/business. If your agreement or deployment assigns roles differently, those terms control.
If you require a Data Processing Addendum (DPA), please contact privacy@semswitch.com or legal@semswitch.com. Our DPA is available at /dpa and may be executed via countersignature or incorporated by reference in an Order Form.
4. Information We Collect
4.1 Information You Provide on the Site
We may collect:
- Contact and business information (e.g., name, business email, company, job title) when you request information or contact us.
- Communications (e.g., message content and attachments) when you email or otherwise contact us.
- Marketing preferences (e.g., subscription/unsubscribe states) where applicable.
4.2 Information Processed in the Services
Depending on how a Customer configures and uses SemSwitch, the Services may process:
(A) Account and Access Data (Authorized Users)
- Account identifiers (e.g., name, email, role/permissions)
- Authentication and access logs (e.g., login timestamps, IP addresses)
- Administrative actions in the product (e.g., configuration changes)
- If billing is enabled: billing/contact and payment-related data may be collected or processed via Stripe (our payment processor).
(B) Usage and Operational Telemetry
- Device and connection metadata (e.g., IP address, user agent, coarse location derived from IP)
- Product usage events (e.g., feature usage, performance and reliability events)
- Diagnostic logs and error reports
(C) Evidence and Audit Artifacts (Customer Data)
SemSwitch is designed to capture and manage evidence events and related artifacts, which may include:
- Identifiers and metadata (e.g., project/workspace identifiers, session/saga identifiers, timestamps, event sequencing, guard/policy identifiers and versions).
- Configuration snapshots associated with evidence events (e.g., active guard profile version/hash and related configuration context).
- Evidence payloads provided by the Customer integration (which may include application/UI content, decision context, enforcement outcomes, and other Customer-provided fields).
- Cryptographic integrity metadata used to make evidence tamper-evident (e.g., hash-chain metadata; Merkle batching and anchoring receipts, if enabled).
(D) LLM Governance Endpoints (Optional; Customer Controlled)
If a Customer enables LLM governance endpoints, SemSwitch may process:
- Text, context, and policy inputs submitted for validation/contradiction checks.
- Routing metadata indicating whether evaluation ran via a Customer-local model path or a cloud model path (if configured).
- Result artifacts (e.g., validation outcomes, contradiction tests, supporting traces).
(E) Cross-Tenant Insights (Optional; Opt-In)
If a Customer opts in to Cross-Tenant Insights, SemSwitch may process:
- Contribution signals derived from Customer activity that are designed to be privacy-preserving (e.g., embeddings, slugs, and metrics—not plaintext excerpts), plus associated governance/audit metadata (e.g., consent versioning, privacy budget ledger entries).
See Section 9.
4.3 Support Interactions
If you contact support, we may process:
- Contact information and account identifiers
- Support ticket content and attachments
- Troubleshooting logs you choose to provide
4.4 Cookies and Similar Technologies
We (and our service providers) may use cookies, local storage, pixels, and similar technologies on the Site and/or Services for:
- Essential functionality
- Security
- Analytics and performance measurement
- Marketing (if enabled)
Cookie tools used: We use standard analytics tools on the Site. The Services application uses essential cookies only.
Cookie preferences: You can manage cookie preferences through your browser settings.
5. Purposes of Processing
We use information for the following purposes (as applicable):
- Provide and operate the Services (including evidence capture/verification, configuration distribution, and optional intelligence features).
- Authenticate and administer accounts and enforce access controls.
- Security and abuse prevention, including detecting suspicious or unauthorized activity.
- Reliability and performance, including debugging and incident response.
- Customer support and responding to inquiries.
- Compliance and legal obligations, including responding to lawful requests.
- Sales, marketing, and communications (where enabled and permitted by law). Marketing communications are sent only with consent or where permitted by applicable law; you may opt out at any time.
- Research and product improvement using aggregated and/or de-identified information where appropriate, and Cross-Tenant Insights where Customers opt in (see Section 9).
Data use for training: Customer agrees that SemSwitch may use usage data and evidence logs in an aggregated, anonymized format to improve Services and train internal/external models.
6. Legal Bases for Processing (EEA/UK)
If you are in the EEA/UK, we process Personal Data only when we have a valid legal basis. Depending on context, legal bases may include:
| Processing Purpose | Typical Legal Basis | Notes |
|---|---|---|
| Provide Services to Customers / Authorized Users | Contract | Applies to account administration and service delivery |
| Security, fraud prevention, service reliability | Legitimate interests | Necessary to protect the Services, Customers, and users |
| Optional Cross-Tenant Insights participation | Consent and/or Contract | Based on Customer opt-in controls |
| Marketing communications | Consent and/or legitimate interests | Depends on region and message type; opt-out available |
| Compliance with law | Legal obligation | E.g., responding to lawful requests |
7. Disclosures and Sharing
We disclose information as follows:
7.1 Service Providers (Subprocessors)
We may share Personal Data and/or Customer Data with vendors that help us operate the Site and Services (e.g., hosting, database, caching, monitoring, error reporting, workflow orchestration).
See Section 8 for a subprocessor table.
7.2 LLM Providers (Customer-Configured)
If a Customer enables cloud-routed LLM governance, submitted content may be transmitted to third-party model providers configured by SemSwitch and/or the Customer.
Available providers: OpenRouter (US), CometAPI (Hong Kong). LLM provider selection is customer-configurable; data location varies by provider selected.
7.3 Timestamping and Anchoring Providers (Optional)
If enabled, SemSwitch may send cryptographic hashes (e.g., Merkle roots) and associated integrity metadata to third parties for timestamping and/or anchoring (e.g., RFC 3161 Timestamp Authorities). These are intended to be non-plaintext integrity artifacts.
7.4 Public Blockchain Networks (Optional)
If a Customer enables blockchain anchoring, SemSwitch may write integrity artifacts (e.g., Merkle roots) to a public blockchain. Records written to a public blockchain are publicly visible and effectively permanent. SemSwitch does not publish plaintext evidence payloads to blockchains; only cryptographic integrity artifacts.
7.5 Legal, Safety, and Corporate Transactions
We may disclose information:
- To comply with law or legal process
- To protect rights, safety, and security (including investigating misuse)
- In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets
7.6 Customer-Controlled Sharing
Customers may export evidence reports or share artifacts outside SemSwitch. That sharing is controlled by the Customer.
8. Subprocessors
SemSwitch uses third parties to support operations.
| Subprocessor | Purpose | Processing Location |
|---|---|---|
| DigitalOcean | Hosting/compute | US |
| Cloudflare | CDN/site delivery | Global edge; US (logs) |
| AWS RDS | Database | US |
| Aiven | Redis caching | US |
| Datadog | Metrics/monitoring | US |
| Honeybadger | Error monitoring | US |
| Temporal Cloud | Workflow orchestration | US |
| Prefect | Workflow orchestration | US |
| OpenRouter | LLM evaluations (optional; if enabled) | US |
| CometAPI | LLM evaluations (optional; if enabled) | Hong Kong |
| DigiCert / Sectigo / FreeTSA | RFC 3161 timestamping (optional; if enabled) | US |
Note on LLM providers: LLM provider selection is customer-configurable. If you select CometAPI, data may be processed in Hong Kong. Customers requiring US-only processing should select OpenRouter or other US-based providers.
9. Cross-Tenant Insights (Optional)
SemSwitch offers optional Cross-Tenant Insights features intended to provide aggregated benchmarks and patterns across participating Customers.
9.1 Opt-In and Contribution Controls
Cross-Tenant Insights are designed to require Customer participation controls (e.g., consent versioning and contribution tiers). Participation is opt-in only via admin controls in the Services.
9.2 What Is Contributed
Cross-tenant contributions are designed to be privacy-preserving signals (e.g., embeddings, slugs, metrics), and to exclude plaintext excerpts.
9.3 What Is Not Provided (Hard Boundaries)
Cross-Tenant Insights are designed not to provide:
- Individual-level (user-level) cross-tenant signals
- Real-time cross-tenant queries
- Live generative UI that auto-mutates production UX/copy
- Autonomous config push into Customer environments without Customer control
9.4 Auditability and Retention for Cross-Tenant Governance Logs
Where Cross-Tenant Insights are enabled, SemSwitch maintains audit logs such as:
- Privacy budget ledger entries (retained 7 years)
- Pattern lifecycle proof-chain records (retained indefinitely)
- Network settings change logs (retained 7 years)
- Contribution signal extraction job IDs (retained 3 years)
10. Data Lifecycle: Collection → Processing → Storage → Disclosure → Retention → Deletion
10.1 Collection and Processing
Site: Collected directly from you and your browser/device.
Services: Collected from Customer systems, SDKs, APIs, and tooling (including evidence events and related configuration snapshots).
10.2 Storage
SemSwitch stores different kinds of data in different logical layers, including:
- Operational records (e.g., configuration, job metadata)
- Evidence/audit artifacts (including cryptographic integrity metadata)
- Encrypted evidence payload storage (an "evidence vault" concept)
10.3 Tamper-Evident vs. Immutable (Important)
Tamper-evident: Evidence Artifacts are designed so that post‑ingest modification of evidence records can be detected (e.g., via cryptographic chaining and verification).
Immutable: SemSwitch does not represent that Customer Data is stored as WORM/immutable storage by default. If optional anchoring is enabled:
- Timestamping receipts and/or public blockchain anchors are effectively immutable once published, but they are intended to contain only cryptographic hashes, not plaintext evidence payloads.
10.4 Retention
Except where a specific period is stated in this Policy (e.g., Section 9.4 for cross-tenant governance logs), retention is as follows:
| Data Category | Retention |
|---|---|
| Site contact inquiries and communications | 24 months |
| Site analytics logs | 13 months |
| Authorized User account data | Account lifetime + 30 days |
| Service operational telemetry/logs | 90 days |
| Evidence vault payloads (encrypted) | 365 days default (customer-configurable) |
| Evidence chain metadata and verification artifacts | 7 years after payload deletion/termination |
| Support tickets and attachments | 2 years after closure |
| Backups | 30 days rolling |
Note on evidence chain metadata: Hash-only metadata, receipts, and verification artifacts may persist after payload deletion to preserve verifiability of audit trails. This metadata is not sufficient to reconstruct deleted payloads.
10.5 Deletion and Crypto-Shredding
Where supported by the Services, deletion of encrypted evidence payloads is implemented by cryptographically destroying encryption keys ("crypto-shredding"), rendering encrypted payloads unreadable. Crypto-shredding occurs immediately upon deletion request; hard-delete completes within 30 days.
Integrity metadata: Hash-only integrity metadata, receipts, and verification artifacts may remain after payload deletion to preserve audit trail verifiability.
Public anchors: If optional public blockchain anchoring is enabled, published anchors are effectively permanent and cannot be erased. Anchors contain only cryptographic hashes, not plaintext evidence payloads.
11. Security
SemSwitch is designed with governance-grade security controls, including:
- Encryption in transit
- Encryption at rest and envelope encryption for evidence payloads (as configured)
- Tenant isolation and access controls (including enforced row-level security for tenant-scoped stores)
- Integrity verification processes for evidence artifacts
- Least-privilege access for internal services
SemSwitch cannot guarantee absolute security. Customers are responsible for secure integration, including protecting service tokens, validating inputs, and controlling what data is submitted.
12. Your Rights and Choices
12.1 EEA/UK Rights
Depending on your location and applicable law, you may have rights to:
- Access, correct, or delete Personal Data
- Object to or restrict processing
- Data portability
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with a supervisory authority
12.2 California Privacy Rights (CCPA/CPRA)
California residents may have rights to:
- Know/access categories and specific pieces of Personal Information
- Delete Personal Information (subject to exceptions)
- Correct inaccurate Personal Information
- Opt out of "sale" or "sharing" (as defined by law)
- Limit the use/disclosure of sensitive Personal Information (where applicable)
Sale/Sharing: SemSwitch does not "sell" or "share" Personal Information as those terms are defined under California law.
12.3 How to Exercise Rights
Who can request:
- (A) Service/account data: The individual Authorized User for their own account data; and/or the Account Owner/Admin for org-level admin/account deletion.
- (B) Customer Data / Evidence payloads: Account Owner/Admin only (or an authorized delegate designated by the Customer).
- (C) End users of Customer apps: SemSwitch does not take direct deletion instructions from end users for Customer-controlled data; end users must contact the Customer (controller).
Where to submit requests:
- Primary: Authenticated request inside the Services (admin controls / account settings).
- Fallback: Email to privacy@semswitch.com with "Deletion Request" in subject.
Identity verification:
- If submitted in-product: authenticated session + re-auth for destructive actions (e.g., password/SSO re-check) + confirmation step.
- If submitted by email: must come from the email on the account + may require additional verification or proof of authority (for admin/org deletion).
- If identity/authority cannot be verified, the request is denied.
Response timeline: We will acknowledge receipt within 5 business days (and in any case within 10 business days where required for certain consumer-request regimes).
Completion timeline: We will fulfill requests without undue delay and within the time required by applicable law:
- GDPR/UK: Within 1 month (extendable by up to 2 additional months for complex/voluminous requests with notice).
- CCPA/CPRA: Within 45 days (extendable by another 45 days with notice).
- Operational target: Typically completed within 30 days.
If we process your data on behalf of a Customer as a processor/service provider, we may direct you to the Customer or support the Customer in responding.
13. Children's Privacy
The Site and Services are not intended for children under 18 years of age. We do not knowingly collect Personal Data from children under 18.
14. International Transfers
SemSwitch processes data primarily in the United States. If you are located outside the US, your data may be transferred to and processed in the US.
For transfers from the EEA/UK/Switzerland, we rely on Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum (UK IDTA) as applicable.
Note: If you select CometAPI as your LLM provider, data may be processed in Hong Kong. Customers can select US-only LLM providers if required.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice consistent with applicable law and contracts (e.g., by posting notice on the Site and/or notifying Account Owners via email).
16. Contact
Privacy contact: privacy@semswitch.com
Legal notices: legal@semswitch.com
Security contact: security@semswitch.com
Mailing address: SemSwitch, Inc., 8 The Green, Suite B, Dover, DE 19901