I. Introduction

Welcome to IT Folder (“IT Folder,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our websites, applications, and related services (collectively, the “Services”). By using the Services, you agree to this Policy.

At a glance

  • We do not sell or share your personal information with third parties.
  • AI features are optional and can be disabled at any time. We do not use customer data to train AI models.
  • Data is tenant-isolated; sensitive fields are encrypted at rest and in transit.
  • Sessions use secure cookies over HTTPS with CSRF protection. We enforce session limits and support revocation.

II. Information We Collect

  • Account & Contact: name, email, organization, role.
  • Usage, Device & Logs: app interactions; device information including browser type (e.g., "Chrome", "Firefox"), platform (e.g., "macOS", "Windows"), timezone, language, and mobile/desktop detection; full IP addresses in security logs for fraud detection and monitoring; masked IP prefixes (e.g., "192.168.x.x") stored with session data for privacy; user agent strings (truncated to 200 characters); and event logs (e.g., sign-in/out, password view, session creation/termination).
  • Session Management: We maintain up to 5 concurrent sessions per user. Session idle timeout is configurable per organization, or 30 days for "remember me" sessions. Session data includes device information, creation/access timestamps, and masked IP prefixes for security monitoring.
  • Support: messages and attachments you send to us.
  • Cookies & Similar Tech: essential cookies for authentication and security; analytics cookies where permitted (see "Cookies" below).

CCPA Categories of Personal Information

Under the California Consumer Privacy Act (CCPA), the categories of personal information we may collect include:

  • Identifiers: name, email address, IP address, account credentials.
  • Commercial information: subscription and billing records, service usage history.
  • Internet or other electronic network activity: browsing and interaction data within the Services, device information, event logs.
  • Professional or employment-related information: job title, organization, role (as provided during account creation).
  • Inferences drawn from personal information: AI-generated embeddings, search results, and documentation suggestions derived from your content.
  • Sensitive personal information: account login credentials (username and password combinations) stored within your IT documentation. IT documentation may also contain network configurations, IP addresses, and other technical data that could constitute sensitive personal information under applicable law.

III. How We Use Information

  • Provide, secure, and improve the Services (including debugging, monitoring, and fraud prevention).
  • Operate features like search, documentation, and AI-assisted tools.
  • Send transactional communications (e.g., security alerts, changes to terms).
  • Comply with law, enforce agreements, and protect our customers.

Under CCPA, the business purposes for our processing include: performing services on behalf of the business (providing AI-assisted documentation, search, and workflow features you have opted into); detecting security incidents and protecting against malicious or illegal activity; debugging and repairing errors; and short-term transient use of personal information that is not disclosed to third parties and is not used to build a profile about a consumer. We do not use personal information for purposes that are incompatible with the context in which it was collected.

IV. AI Data Privacy

IT Folder includes optional AI-powered features to assist with documentation, search, and workflow automation. Your organization retains full ownership of its data at all times. IT Folder acts solely as a data processor.

What Data Is Used

When AI features are enabled, the following data may be processed:

  • User inputs (e.g., questions, prompts, document titles)
  • Selected document content or snippets (for search and summarization)
  • Metadata (e.g., database schema context for query generation)
  • Limited conversation history (for continuity in AI responses)

How AI Processing Works

Some AI features require sending data to third-party AI providers for real-time processing.

  • Data is transmitted securely over HTTPS
  • Processing is performed only to generate a response
  • Results are returned immediately to IT Folder

IT Folder also uses local machine learning models (e.g., embeddings, summarization) that run entirely within its infrastructure and do not send data externally.

AI Providers

Depending on configuration, IT Folder may use:

  • OpenAI
  • Google
  • Anthropic

Some providers use organization-supplied API keys, while others may use IT Folder-managed access.

Data Usage Boundaries

  • Data is used only for real-time AI inference
  • IT Folder does not use customer data to train its own AI models
  • IT Folder does not sell or reuse customer data
  • Data is not shared across organizations (tenants)

Third-party providers process data according to their own API policies, which may include temporary processing or short-term caching.

AI Data Storage

Within IT Folder:

  • AI-generated outputs may be temporarily cached (e.g., to reduce duplicate requests)
  • Embeddings (vector data) are stored within your tenant database
  • AI activity (e.g., queries, outputs) may be logged for audit and troubleshooting

All data remains isolated to your organization.

AI Security Controls

  • Tenant-level data isolation
  • Encrypted API keys (when customer-provided)
  • Secure transmission (HTTPS)
  • Input validation, prompt sanitization, and automated PII redaction (Presidio)
  • Feature-level controls (AI can be enabled or disabled per organization)

What to Be Aware Of

  • Data sent to AI providers is visible to those providers during processing
  • IT Folder does not control external provider retention or transient logging
  • AI features are enabled at the organization level (not per-user consent)
  • IT Folder automatically detects and redacts common sensitive data patterns (SSNs, credit cards, API keys, credentials) before sending to AI providers, but detection is not guaranteed for all formats

Your Responsibilities

We recommend that users:

  • Avoid including highly sensitive data (e.g., passwords, private keys, regulated personal data) in AI prompts unless necessary
  • Review internal policies before enabling AI features
  • Use organization-level controls to manage AI access

AI Control & Transparency

  • AI features can be disabled at any time
  • API keys for supported providers can be managed by your organization
  • Only configured integrations are activated—no hidden data sharing occurs

Limiting Use of Sensitive Personal Information in AI Features

IT documentation may contain sensitive personal information as defined under CPRA (Cal. Civ. Code §1798.121), including account login credentials, precise geolocation data (IP addresses, network maps), and potentially financial account information. Under CPRA, California consumers have the right to limit the use and disclosure of sensitive personal information to uses that are necessary to perform the services you have requested.

To exercise this right in the context of AI features, you or your organization administrator may:

  • Disable AI features entirely at the organization level, preventing any data from being transmitted to AI providers.
  • Avoid including sensitive personal information in AI prompts and interactions where possible.
  • Contact us at support@itfolder.com to request that we limit the use of your sensitive personal information to what is necessary to provide the Services.

IT Folder uses automated PII detection (powered by Microsoft Presidio) to scan and redact common sensitive personal information patterns — including Social Security numbers, credit card numbers, API keys, and credentials — before data is transmitted to third-party AI providers. This scanning is applied to all AI prompts, document chunks, and search queries. For more details on our AI safeguards, see our AI Transparency page.

AI Summary

AI in IT Folder is designed to enhance productivity while maintaining transparency and control. However, like any system that integrates with external providers, using AI introduces additional data flow beyond IT Folder's direct control. Organizations should evaluate usage based on their own security, compliance, and risk tolerance.

V. Cookies & Similar Technologies

We use essential cookies to operate and secure the Services. Our authentication system uses opaque tokens over HTTPS with CSRF protection and automatic session management.

  • access_token: Opaque session token (10-minute rolling expiration, automatically refreshed during activity) with Secure, HttpOnly, and SameSite=Strict attributes.
  • refresh_token: Long-lived token (7 days, or 30 days for "remember me") for automatic session renewal across browser restarts, with the same security attributes.
  • csrf_token: Anti-forgery token paired with X-CSRF-Token header for state-changing requests. Set with Secure and SameSite=Strict but readable by JavaScript to send the matching header.
  • Session Limits: Maximum 5 concurrent sessions per user account. Oldest sessions are automatically removed when the limit is exceeded.
  • Idle Timeout: Sessions expire based on your organization's configured idle timeout, or after 30 days for "remember me" sessions.
  • Analytics: We use Google Analytics on marketing pages to measure engagement where permitted. You can control analytics via cookie settings where presented.
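The cookie attributes and the csrf_token / X-CSRF-Token pairing listed above, as an added example (not IT Folder's code). The function names, the csrf_token lifetime, and the exemption of GET/HEAD/OPTIONS from the check are assumptions made for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed to be non-state-changing

def issue_session_cookies(remember_me=False):
    """Build Set-Cookie values for the three cookies the policy lists."""
    refresh_days = 30 if remember_me else 7
    spec = {
        # name: (Max-Age in seconds, HttpOnly?)
        "access_token": (10 * 60, True),                # 10-minute rolling token
        "refresh_token": (refresh_days * 86400, True),  # 7 or 30 days
        "csrf_token": (refresh_days * 86400, False),    # lifetime is an assumption
    }
    jar = SimpleCookie()
    for name, (max_age, http_only) in spec.items():
        jar[name] = secrets.token_urlsafe(32)  # opaque random value, no embedded claims
        jar[name]["max-age"] = max_age
        jar[name]["path"] = "/"
        jar[name]["secure"] = True
        jar[name]["samesite"] = "Strict"
        if http_only:  # csrf_token stays readable so page script can echo it
            jar[name]["httponly"] = True
    return {name: morsel.OutputString() for name, morsel in jar.items()}

def csrf_ok(method, cookie_header, headers):
    """Accept a state-changing request only if the header matches the cookie."""
    if method.upper() in SAFE_METHODS:
        return True
    jar = SimpleCookie()
    jar.load(cookie_header)
    cookie_value = jar["csrf_token"].value if "csrf_token" in jar else ""
    header_value = headers.get("X-CSRF-Token", "")
    # Reject empty tokens, then compare in constant time.
    return bool(cookie_value) and hmac.compare_digest(
        cookie_value.encode(), header_value.encode()
    )
```

A cross-site page can cause the browser to send cookies but cannot read csrf_token to copy it into the header, which is why the mismatch and missing-header cases are rejected.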

VI. Service Providers & Sub-Processors

We share information with the following categories of service providers who assist us in delivering the Services. These providers process data only on our behalf and under our instructions:

  • Amazon Web Services (AWS) – Cloud hosting, database, storage, and infrastructure services (US West regions). AWS processes and stores all customer data.
  • Stripe – Payment processing. Stripe receives only payment-related information (name, email, billing address, payment method) necessary to process your subscription.
  • Google Analytics – Website analytics on marketing pages only (not the application). Google receives anonymized usage data. We configure IP anonymization.

We do not sell, rent, or share your personal information with third parties for their own marketing purposes. A current list of sub-processors is maintained at itfolder.com/sub-processors. We will notify customers at least 30 days before engaging a new sub-processor.

VII. Data Breach Notification

In the event of a confirmed security breach that results in unauthorized access to, or disclosure of, your personal data or customer data:

  • We will notify affected customers within 72 hours of confirming the breach, consistent with GDPR Article 33 requirements.
  • Our notification will include: (a) the nature of the breach; (b) the categories and approximate number of records affected; (c) the likely consequences; (d) the measures taken or proposed to address the breach; and (e) a point of contact for further information.
  • We will cooperate with your reasonable requests for additional information and will assist with your obligations to notify supervisory authorities or affected individuals as required by applicable law.
  • We will notify the relevant supervisory authority where required by law.

VIII. Security

Security is built into our architecture and supports our privacy commitments. The details below describe our current controls at a high level; we may refine implementation without reducing protections.

  • Network & Infrastructure: Hosted on Amazon Web Services (AWS). Traffic is filtered by an AWS Web Application Firewall (WAF) in front of our load balancer. Application services and databases run inside a VPC on private subnets that are not publicly routable; databases are not exposed to the public internet.
  • Encryption: TLS protects data in transit. At rest we use AES‑256 with AWS Key Management Service (KMS) using envelope encryption. Each tenant is assigned its own KMS key, and sensitive fields (e.g., license keys and API secrets) are encrypted with dedicated data‑encryption keys (DEKs) managed and rotated via AWS KMS. KMS keys are rotated at least annually. Amazon S3 storage is encrypted at rest (SSE‑KMS) and in transit.
  • Tenant Isolation: Logical isolation of customer data at the application and data layers.
  • Sessions & Cookies: opaque server‑side session IDs with expirations; Secure, HttpOnly, SameSite cookies over HTTPS; CSRF protection on state‑changing requests (separate CSRF cookie paired with an X‑CSRF‑Token header); per‑user session limits; revocation endpoints.
  • Logging & Monitoring: we maintain audit and security logs for product actions and service operations. Logs may include timestamp, user/account, IP address, and browser/user‑agent. Logs are retained for a limited period consistent with security and compliance needs.
  • Access Controls & Audit: Role‑based access and least‑privilege IAM. Sensitive actions are event‑logged (e.g., password viewing, after which the password is re‑masked within 60–120 seconds), along with monitoring and alerting.
  • Password & Breach Checks: we never store plain passwords. For breach checks we hash your password locally (SHA‑1 for compatibility with Have I Been Pwned’s k‑anonymity API) and send only the first 5 characters of that hash to HIBP. We never send your raw password or the full hash.
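The breach check described above, as an added example (not IT Folder's code): the password is hashed locally, only the 5-character prefix is handed to the lookup, and the remaining 35 characters are matched on the client. The lookup here is a constructed in-memory stand-in so the example runs offline; all function names are hypothetical.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """Return how often the password appears in the corpus, 0 if absent.

    fetch_range(prefix) must return the range response body: one
    'SUFFIX:COUNT' line per hash sharing that prefix.
    """
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the prefix is the only value that leaves this process
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padding rows carry a count of 0
    return 0

def make_fake_range_server(breached):
    """Constructed stand-in for the range endpoint; records every prefix it is sent.

    A real client would instead GET https://api.pwnedpasswords.com/range/<prefix>.
    """
    table, seen = {}, []
    for known_password, count in breached.items():
        prefix, suffix = split_hash(known_password)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(prefix):
        if len(prefix) != 5:
            raise ValueError("range lookups take exactly 5 hex characters")
        seen.append(prefix)
        padding_row = "0" * 35 + ":0"  # constructed padding-style entry
        return "\r\n".join(table.get(prefix, []) + [padding_row])

    return fetch_range, seen

if __name__ == "__main__":
    # Constructed sample corpus; the counts are made up.
    fetch, seen = make_fake_range_server({"password": 12345, "hunter2": 17})
    print(breach_count("password", fetch), seen)
```

The service answering the range query sees a prefix shared by many unrelated hashes, so it cannot tell which password, if any, the client was checking.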

IX. Session Data Retention

Session-specific data is automatically deleted when:

  • You explicitly log out from the application
  • Your session expires due to inactivity (based on organization settings or 30 days for "remember me")
  • Your refresh token expires (7 days, or 30 days for "remember me")

Security logs containing full IP addresses may be retained longer (typically 90 days) for fraud detection, security monitoring, and compliance purposes, separate from session data. Device information associated with sessions (browser type, platform, masked IP prefixes) is automatically deleted when the session ends and is not retained beyond the session lifetime (7 days for standard sessions, or 30 days for "remember me" sessions).

X. Data Retention

We retain information while your organization uses the Services. Admins can delete data within the product. Upon account termination, we begin deletion promptly and permanently remove uploaded data within 7 days, subject to limited backups/archives retained for a short period for security, continuity, and legal compliance.

XI. Your Rights & Choices

Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your information, and to opt out of certain processing.

  • California (CPRA): rights to know, delete, correct, portability, and to opt out of “sharing” for cross‑context behavioral advertising (we do not sell personal information). You may also limit the use of sensitive personal information.
  • EEA/UK (GDPR): rights to access, rectification, erasure, restriction/objection to processing, and portability; processing bases include performance of contract, legitimate interests (security, product improvement), compliance with legal obligations, and consent where required.

To exercise rights, contact us at support@itfolder.com. We may verify your request and, where applicable, act on behalf of your organization’s administrator.

XII. International Transfers

We process and store information primarily in the United States (AWS US West regions). Where personal data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (June 2021 version), specifically Module 2 (Controller to Processor) for transfers of personal data from our customers to IT Folder, and Module 3 (Processor to Processor) for onward transfers to sub-processors.
  • UK International Data Transfer Addendum: For transfers from the UK, we supplement the SCCs with the UK Information Commissioner's International Data Transfer Addendum.
  • Supplementary Measures: We implement technical measures including encryption in transit and at rest (AES-256), tenant isolation, and access controls as described in our Security section above.

Pre-signed SCCs are included in our Data Processing Addendum (DPA), available upon request at support@itfolder.com. See also our Sub-Processor List.

XIII. Children's Privacy

The Services are not directed to children under 13 (or the relevant age of consent in your jurisdiction), and we do not knowingly collect such information.

XIV. Changes to this Policy

We may update this Policy periodically. We will update the “Last updated” date at the top and, if changes are material, provide additional notice.

XV. Contact Us

Questions about this Policy or our privacy practices? Contact support@itfolder.com.

Legal Notice

This Policy summarizes our current practices and is not a contract. Your organization’s agreement with IT Folder (including any Data Processing Addendum) governs in case of conflict.