Privacy Policy
Last updated: April 6, 2026 · Effective immediately
This Privacy Policy explains how NOI Technologies ("Company", "we", "us") collects, uses, and protects information when you use the Corla platform ("Service"). We are committed to protecting your privacy and handling your data with transparency.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address
- Enterprise name and organisation details
- Password (stored as a bcrypt hash — we never store plaintext passwords)
1.2 Enterprise Asset Content
Enterprises upload proprietary assets (system prompts, skills, playbooks, knowledge documents) to the Service. Important distinctions about how we handle this content:
- Raw asset content is never stored in our database. Content is stored in secure external storage (S3 or encrypted vault) and referenced by cryptographic content hash.
- Content is processed in memory only. During compilation, content passes through our redaction, scope-projection, and signing pipeline entirely in memory.
- Compiled packages are derivative works — processed, redacted, and scope-projected. They are not copies of the original content.
1.3 Audit and Usage Data
We collect operational data to provide the Service and ensure security:
| Data | What we store | What we do NOT store |
| --- | --- | --- |
| Developer prompts | SHA-256 hash only | The actual prompt text |
| AI responses | SHA-256 hash only | The actual response text |
| Authentication tokens | Token ID (JTI) only | The actual JWT token value |
| Session activity | Timestamps, developer ID, project ID | IP addresses (not logged) |
| Disclosure attempts | Pattern match result, timestamp, developer ID | The triggering prompt |
1.4 Technical Data
We collect standard technical data necessary for operating the Service:
- Server logs (request method, URL path, response status, latency)
- Error reports for debugging
- Usage metrics (context deliveries, active developers, asset counts) for billing
2. How We Use Information
- Service delivery: Processing assets, compiling context packages, authenticating users, enforcing access policies
- Security: Detecting disclosure attempts, anomaly detection, audit logging, rate limiting
- Billing: Usage metering, invoice generation, subscription management
- Communication: Account notifications, security alerts, service updates (no marketing without consent)
- Improvement: Aggregated, anonymised usage patterns to improve the Service (never individual content)
3. Data Protection
3.1 Encryption
- At rest: Sensitive fields (OAuth tokens, signing keys, thread messages) are encrypted using AES-256-GCM with a dedicated encryption key
- In transit: All data is transmitted over TLS 1.2 or higher
- Package signing: Compiled packages are cryptographically signed with HMAC-SHA256 to prevent tampering
3.2 Access Control
- Enterprise data is isolated — one enterprise cannot access another's data
- Developer access is scoped by project, role, and grant expiration
- Token revocation propagates within 30 seconds via Redis
- Admin actions require separate authentication from developer actions
3.3 Audit Trail
All significant events are recorded in an append-only audit log. Audit events are never updated or deleted. Enterprise admins can export audit logs in CSV or JSON format for compliance purposes.
4. Data Sharing
We do not sell, rent, or trade your personal information. We share data only in these circumstances:
- Service providers: Infrastructure providers (hosting, database, email) that process data on our behalf under strict data processing agreements
- Legal requirements: When required by law, regulation, or legal process
- Enterprise admins: Enterprise administrators can view audit logs, session activity, and developer grant information for their own enterprise
- SIEM integration: If configured by the enterprise, security events are forwarded to the enterprise's designated SIEM endpoint
5. Data Retention
- Account data: Retained while your account is active; deleted within 30 days of account termination upon request
- Asset content: Stored in external storage while the asset is active, removed when the enterprise deletes the asset or terminates service
- Audit logs: Retained for the duration required by applicable law or the enterprise's compliance requirements (minimum 1 year)
- Compiled packages: Cached temporarily (duration based on grant TTL), then automatically purged
- Session tokens: Automatically expire per the configured TTL; revoked tokens are purged after 24 hours
6. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to processing of your data for specific purposes
To exercise these rights, contact privacy@corla.ai.
7. International Data Transfers
The Service is hosted on infrastructure that may process data in multiple regions. Where data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses where applicable.
8. Cookies and Tracking
The admin console uses browser local storage for authentication state (JWT token, enterprise ID). We do not use tracking cookies, analytics pixels, or third-party advertising trackers on the admin console or the API.
The marketing website (corla.ai) may use analytics cookies — refer to the cookie banner on the website for details.
9. Children's Privacy
The Service is not directed to individuals under 16. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
For privacy-related questions or requests: