I. Introduction

Welcome to IT Folder (“IT Folder,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our websites, applications, and related services (collectively, the “Services”). By using the Services, you agree to this Policy.

At a glance

  • We do not sell or share your personal information with third parties.
  • AI search uses local models by default (Sentence Transformers). Your data never leaves our servers unless you explicitly enable OpenAI integration.
  • Data is tenant-isolated; sensitive fields are encrypted at rest and in transit.
  • Sessions use secure cookies over HTTPS with CSRF protection. We enforce session limits and support revocation.

II. Information We Collect

  • Account & Contact: name, email, organization, role.
  • Usage, Device & Logs: app interactions; device information including browser type (e.g., "Chrome", "Firefox"), platform (e.g., "macOS", "Windows"), timezone, language, and mobile/desktop detection; full IP addresses in security logs for fraud detection and monitoring; masked IP prefixes (e.g., "192.168.x.x") stored with session data for privacy; user agent strings (truncated to 200 characters); and event logs (e.g., sign-in/out, password view, session creation/termination).
  • Session Management: We maintain up to 5 concurrent sessions per user. The session idle timeout is configurable per organization; "remember me" sessions expire after 30 days. Session data includes device information, creation/access timestamps, and masked IP prefixes for security monitoring.
  • Support: messages and attachments you send to us.
  • Cookies & Similar Tech: essential cookies for authentication and security; analytics cookies where permitted (see "Cookies" below).

III. How We Use Information

  • Provide, secure, and improve the Services (including debugging, monitoring, and fraud prevention).
  • Operate features like search, documentation, and AI-assisted tools.
  • Send transactional communications (e.g., security alerts, changes to terms).
  • Comply with law, enforce agreements, and protect our customers.

IV. AI Features

IT Folder's Intelligent Search uses local AI models by default. Your data stays on our servers and is never sent to external AI providers unless you choose otherwise.

  • Default (Local Models): We use Sentence Transformers (all-MiniLM-L6-v2) running entirely on our infrastructure. Your documents and search queries are processed locally and never leave our servers.
  • Optional OpenAI Integration: If you explicitly enable OpenAI in your settings and provide your own API key, document snippets and prompts will be sent to OpenAI for processing. This is entirely opt-in. OpenAI's data usage policies apply; we configure the API to avoid training on your content where supported.
  • No Third-Party AI by Default: We do not share your data with any AI provider unless you explicitly enable and configure the integration yourself.

V. Cookies & Similar Technologies

We use essential cookies to operate and secure the Services. Our authentication system uses opaque tokens over HTTPS with CSRF protection and automatic session management.

  • access_token: Opaque session token (10-minute rolling expiration, automatically refreshed during activity) with Secure, HttpOnly, and SameSite=Strict attributes.
  • refresh_token: Long-lived token (7 days, or 30 days for "remember me") for automatic session renewal across browser restarts, with the same security attributes.
  • csrf_token: Anti-forgery token paired with X-CSRF-Token header for state-changing requests. Set with Secure and SameSite=Strict but readable by JavaScript to send the matching header.
  • Session Limits: Maximum 5 concurrent sessions per user account. Oldest sessions are automatically removed when the limit is exceeded.
  • Idle Timeout: Sessions expire based on your organization's configured idle timeout, or after 30 days for "remember me" sessions.
  • Analytics: We use Google Analytics on marketing pages to measure engagement where permitted. You can control analytics via cookie settings where presented.

VI. Service Providers & Sub-Processors

We share information with the following categories of service providers who assist us in delivering the Services. These providers process data only on our behalf and under our instructions:

  • Amazon Web Services (AWS) – Cloud hosting, database, storage, and infrastructure services (US West regions). AWS processes and stores all customer data.
  • Stripe – Payment processing. Stripe receives only payment-related information (name, email, billing address, payment method) necessary to process your subscription.
  • Google Analytics – Website analytics on marketing pages only (not the application). Google receives anonymized usage data. We configure IP anonymization.

We do not sell, rent, or share your personal information with third parties for their own marketing purposes. A current list of sub-processors is maintained at itfolder.com/sub-processors. We will notify customers at least 30 days before engaging a new sub-processor.

VII. Data Breach Notification

In the event of a confirmed security breach that results in unauthorized access to, or disclosure of, your personal data or customer data:

  • We will notify affected customers within 72 hours of confirming the breach, consistent with GDPR Article 33 requirements.
  • Our notification will include: (a) the nature of the breach; (b) the categories and approximate number of records affected; (c) the likely consequences; (d) the measures taken or proposed to address the breach; and (e) a point of contact for further information.
  • We will cooperate with your reasonable requests for additional information and will assist with your obligations to notify supervisory authorities or affected individuals as required by applicable law.
  • We will notify the relevant supervisory authority where required by law.

VIII. Security

Security is built into our architecture and supports our privacy commitments. The details below describe our current controls at a high level; we may refine implementation without reducing protections.

  • Network & Infrastructure: Hosted on Amazon Web Services (AWS). Traffic is filtered by an AWS Web Application Firewall (WAF) in front of our load balancer. Application services and databases run inside a VPC on private subnets that are not publicly routable; databases are not exposed to the public internet.
  • Encryption: TLS protects data in transit. At rest we use AES‑256 with AWS Key Management Service (KMS) using envelope encryption. Each tenant is assigned its own KMS key, and sensitive fields (e.g., license keys and API secrets) are encrypted with dedicated data‑encryption keys (DEKs) managed and rotated via AWS KMS. KMS keys are rotated at least annually. Amazon S3 storage is encrypted at rest (SSE‑KMS) and in transit.
  • Tenant Isolation: Logical isolation of customer data at the application and data layers.
  • Sessions & Cookies: opaque server‑side session IDs with expirations; Secure, HttpOnly, SameSite cookies over HTTPS; CSRF protection on state‑changing requests (separate CSRF cookie paired with an X‑CSRF‑Token header); per‑user session limits; revocation endpoints.
  • Logging & Monitoring: we maintain audit and security logs for product actions and service operations. Logs may include timestamp, user/account, IP address, and browser/user‑agent. Logs are retained for a limited period consistent with security and compliance needs.
  • Access Controls & Audit: Role‑based access and least‑privilege IAM. Event logging for sensitive actions such as password viewing (a viewed password is re‑masked within 60–120 seconds), along with monitoring and alerting.
  • Password & Breach Checks: we never store plain passwords. For breach checks we hash your password locally (SHA‑1 for compatibility with Have I Been Pwned’s k‑anonymity API) and send only the first 5 characters of that hash to HIBP. We never send your raw password or the full hash.

IX. Session Data Retention

Session-specific data is automatically deleted when:

  • You explicitly log out from the application
  • Your session expires due to inactivity (based on organization settings or 30 days for "remember me")
  • Your refresh token expires (7 days, or 30 days for "remember me")

Security logs containing full IP addresses may be retained longer (typically 90 days) for fraud detection, security monitoring, and compliance purposes, separate from session data. Device information associated with sessions (browser type, platform, masked IP prefixes) is automatically deleted when the session ends and is not retained beyond the session lifetime (7 days for standard sessions, or 30 days for "remember me" sessions).

X. Data Retention

We retain information while your organization uses the Services. Admins can delete data within the product. Upon account termination, we begin deletion promptly and permanently remove uploaded data within 7 days, subject to limited backups/archives retained for a short period for security, continuity, and legal compliance.

XI. Your Rights & Choices

Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your information, and to opt out of certain processing.

  • California (CPRA): rights to know, delete, correct, portability, and to opt out of “sharing” for cross‑context behavioral advertising (we do not sell personal information). You may also limit the use of sensitive personal information.
  • EEA/UK (GDPR): rights to access, rectification, erasure, restriction/objection to processing, and portability; processing bases include performance of contract, legitimate interests (security, product improvement), compliance with legal obligations, and consent where required.

To exercise rights, contact us at support@itfolder.com. We may verify your request and, where applicable, act on behalf of your organization’s administrator.

XII. International Transfers

We process and store information primarily in the United States (AWS US West regions). Where personal data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (June 2021 version), specifically Module 2 (Controller to Processor) for transfers of personal data from our customers to IT Folder, and Module 3 (Processor to Processor) for onward transfers to sub-processors.
  • UK International Data Transfer Addendum: For transfers from the UK, we supplement the SCCs with the UK Information Commissioner's International Data Transfer Addendum.
  • Supplementary Measures: We implement technical measures including encryption in transit and at rest (AES-256), tenant isolation, and access controls as described in our Security section above.

Pre-signed SCCs are included in our Data Processing Addendum (DPA), available upon request at support@itfolder.com. See also our Sub-Processor List.

XIII. Children's Privacy

The Services are not directed to children under 13 (or the relevant age of consent in your jurisdiction), and we do not knowingly collect such information.

XIV. Changes to this Policy

We may update this Policy periodically. We will update the “Last updated” date at the top and, if changes are material, provide additional notice.

XV. Contact Us

Questions about this Policy or our privacy practices? Contact support@itfolder.com.

Legal Notice

This Policy summarizes our current practices and is not a contract. Your organization’s agreement with IT Folder (including any Data Processing Addendum) governs in case of conflict.