Privacy Policy (UK, EU & Switzerland)

Deskree Technologies Inc. and Deskree US Inc. ("Deskree," "we," "us," or "our") provide the Tetrix AI platform and related services (the "Services"). This Privacy Policy explains how we collect, use, and protect personal data in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR and UK Data Protection Act 2018, and the Swiss Federal Act on Data Protection (FADP).

This Policy applies to personal data we process as a controller (for example, account, billing, sales, and support communications) and to the limited categories of personal data we process as a processor on behalf of our enterprise customers. The Data Processing Agreement (DPA) between Deskree and an enterprise customer governs that processor relationship and prevails over this Policy where they conflict in respect of that customer's personal data.

Tetrix AI is delivered as a self-hosted containerized application. The customer installs and operates Tetrix AI inside its own infrastructure (the "Deployment Environment"). The substantive processing performed by Tetrix AI — including ingestion of source code, infrastructure metadata, documentation, and database content; construction and querying of the knowledge graph; and any large language model (LLM) interactions — happens entirely within the customer's Deployment Environment, under the customer's technical and organizational control.

Deskree does not host, store, or have runtime access to the customer's production data. We do not operate a software-as-a-service, hosted, or multi-tenant version of Tetrix AI. We do not run a gateway or proxy that receives the customer's prompts, retrieved context, embeddings, or LLM responses.

Where the customer enables LLM-dependent features or uses client tools that integrate with Tetrix AI, the customer configures those features with the customer's own LLM and embedding provider credentials (for example, OpenAI, Anthropic, or Voyage AI). Prompts and responses flow directly between the customer's environment and the LLM provider chosen by the customer, billed against the customer's account with that provider, and governed by the agreement between the customer and that LLM provider. Deskree is not a party to that data flow and the LLM providers are not Deskree's sub-processors.

Because Tetrix AI is self-hosted, our processing is limited to the following categories.

3.1 Account, License, and Billing Data (we process as controller)

• Names, business email addresses, telephone numbers, and contact information of the individuals who contract with us on behalf of a customer (for example, the signatory of the master services agreement, the procurement contact, and the billing contact)
• Company name, registered address, and tax information
• Records of which customer is provisioned with which Tetrix AI license server, including the seat limit and other commercial terms (we do not collect the identities of the customer's end-users; the customer's deployed license server enforces the seat limit and the customer's own administrators manage end-user access within your Deployment Environment)
• Billing-contact information, billing address, and payment-method records (for example, bank-transfer reference details or other records of payments received)

3.2 Support Data

When a customer requests support or professional services, the customer may voluntarily transmit to us:

• Log files, configurations, screenshots, error reports, and similar artifacts
• Information shared during screen-share or remote-assistance sessions initiated by the customer
• Personal data incidentally present in support communications (for example, identifiers visible in shared logs)

We encourage customers to redact or minimize personal data in support materials where feasible.

3.3 Sales and Relationship Data (we process as controller)

• Pre-sale contact information of prospective administrators
• Records of communications with prospective and existing customers about the Services
• Records of meetings, demos, and similar interactions

3.4 Website and Marketing Data (we process as controller)

• Information you submit through web forms, demo bookings, and newsletter sign-ups
• Cookies and similar technologies — see our Cookie Policy
• Aggregate website analytics

3.5 What We Do NOT Receive

For clarity, the following are not received by Deskree under the standard self-hosted deployment of Tetrix AI:

• Source code, commit history, issues, pull requests, repository contents
• Database schema or database contents
• Cloud infrastructure resource configurations or contents
• Prompts, retrieved context, embeddings, or LLM responses
• Operational telemetry emitted by Tetrix AI inside the Deployment Environment (the Services do not phone home by default)
• Identities of the customer's end-users, their authentication credentials, or per-user usage data — end-user provisioning and access are managed by the customer's own administrators within the Deployment Environment

All such data remains inside the customer's Deployment Environment, under the customer's exclusive control. We do not collect, receive, or aggregate it.

We process personal data under one or more of the legal bases in GDPR Article 6(1) (and equivalent provisions of UK GDPR and the Swiss FADP):

• Contract (Art. 6(1)(b)): to provide the Services and perform the agreement with our customer
• Legitimate Interests (Art. 6(1)(f)): to secure and improve the Services, prevent fraud and abuse, manage our business, and pursue sales and relationship management — balanced against your interests and rights
• Consent (Art. 6(1)(a)): for marketing communications and non-essential cookies, where required
• Legal Obligation (Art. 6(1)(c)): to comply with applicable laws, including tax, accounting, and law-enforcement requests

We use the personal data described in Section 3 to:

• Provision, license, and support Tetrix AI
• Respond to support requests and provide professional services
• Administer accounts and process payments
• Communicate with customers and prospects about the Services
• Maintain the security of our corporate systems and prevent abuse
• Comply with legal obligations

We do not use customer data to train, fine-tune, or otherwise improve generic or shared machine-learning or large-language models. Tetrix AI is not designed to collect, exfiltrate, or transmit customer data from the Deployment Environment to Deskree for any training purpose.

We do not sell personal data.

We share personal data with the following categories of recipients:

6.1 Sub-processors

LLM providers (OpenAI, Anthropic, Voyage AI, and similar) engaged by the customer using the customer's own credentials are NOT our sub-processors. The customer is responsible for executing data-processing terms (and any applicable transfer mechanism) directly with each such provider.

6.2 Other Service Providers (controller relationships)

For the corporate, billing, sales, and website functions described in Section 3, we use service providers including:

• Website analytics and product analytics on our website: PostHog and similar tools
• Error and performance monitoring on our corporate systems: Sentry and similar tools

These providers process limited personal data on our behalf under appropriate contractual safeguards.

6.3 Legal and safety disclosures

We may disclose personal data when required by law, in response to valid legal process, or where we believe disclosure is necessary to protect rights, safety, or property.

Deskree US Inc. is located in the United States. Deskree Technologies Inc. is located in Canada. Where personal data subject to UK, EU, or Swiss data protection law is transferred to either entity, the following transfer mechanisms apply.

7.1 EEA Transfers

For transfers from the European Economic Area (EEA) to Deskree US Inc. in the United States, we rely on the Standard Contractual Clauses (SCCs) approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two or Module Three as applicable. We have implemented supplementary measures, including encryption in transit and at rest, least-privilege time-limited access controls, access logging, and confidentiality obligations on all personnel.

7.2 UK Transfers

For transfers from the United Kingdom, we rely on the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) issued by the UK Information Commissioner's Office.

7.3 Swiss Transfers

For transfers from Switzerland, we rely on the SCCs with the modifications required by the Swiss Federal Data Protection and Information Commissioner.

7.4 Onward Transfer to Our Canadian Affiliate

Onward transfers from Deskree US Inc. to Deskree Technologies Inc. in Canada are made in reliance on the European Commission's adequacy decision for Canada (commercial organizations subject to PIPEDA). No additional transfer mechanism is required for that onward transfer under EU law. The UK and Swiss regimes recognize equivalent adequacy.

7.5 Transfers to LLM Providers Are Customer Transfers

Any transfer of personal data from a customer's Deployment Environment to an LLM provider is made by the customer, not by Deskree. The customer is responsible for the transfer mechanism (including any SCCs) applicable to such transfer under its agreement with the LLM provider.

A copy of our SCCs as completed for a customer is available on request at help@deskree.com.

8.1 Where Personal Data Is Stored

The limited categories of personal data we process (Section 3) are stored within our corporate IT systems and the systems of the sub-processors and service providers identified in Section 6. These systems are hosted with cloud providers whose data-center physical security is audited under SOC 2 Type II or equivalent.

Customer production data processed by Tetrix AI within a customer's Deployment Environment is not stored by Deskree. That data is stored where the customer chooses to deploy Tetrix AI, under the customer's storage, encryption, and key-management arrangements.

8.2 Security Measures

We implement technical and organizational measures to protect personal data, including:

• AES-256 encryption at rest for personal data we hold
• TLS 1.3 in transit
• Role-based access controls with least privilege
• Multi-factor authentication for personnel accessing systems that hold customer personal data
• Time-limited credentials (24–48 hours) for any support access to information that may contain customer personal data
• Logging of all such access with employee identifier, timestamp, justification, and IP address; logs retained for 7 years
• Documented incident response, backup and recovery, and vulnerability management procedures
• Independent SOC 2 Type II audit

8.3 Product Security Features (Operate in the Customer's Deployment Environment)

Tetrix AI ships with security features that execute within the customer's Deployment Environment, including TLS 1.3 for outbound API calls made by Tetrix AI, AES-256 encryption at rest using keys under the customer's control, role-based access control within the application, configurable SSO/OIDC/SAML integration where supported, structured audit logs consumable via the customer's own observability tooling, and PII detection/masking capabilities (where present, heuristic and defense-in-depth) that execute entirely within the customer's environment.

8.4 Personal Data Breaches

We notify our enterprise customers of any confirmed personal data breach affecting personal data in our possession without undue delay and in any event within 72 hours of becoming aware of the breach. A personal data breach occurring solely within a customer's Deployment Environment is not, by itself, a breach of Deskree's systems; we will reasonably assist the customer in fulfilling its own notification obligations in such cases.

We retain personal data only as long as needed for the purposes described in this Policy, or as required by law.

Upon termination of an enterprise customer's main agreement and at the customer's election within 30 days of termination, we return or delete the customer personal data in our possession, subject to the retention exceptions above.

Customer production data within the Deployment Environment remains under the customer's control. The customer is responsible for uninstalling Tetrix AI and deleting such data within the Deployment Environment when no longer needed.

If you are in the UK, EU, or Switzerland you have the right to:

• Access your personal data and obtain information about how it is processed
• Request rectification of inaccurate or incomplete personal data
• Request erasure ("right to be forgotten") in certain circumstances
• Request restriction of processing in certain circumstances
• Data portability (receive your personal data in a structured, commonly used, machine-readable format) where processing is based on contract or consent and carried out by automated means
• Object to processing based on legitimate interests
• Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
• Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects — we do not make such decisions

How to Exercise Your Rights

Contact help@deskree.com. We respond within one month, extendable by a further two months for complex requests, in accordance with GDPR Article 12(3).

Where the personal data concerned is processed by Tetrix AI within an enterprise customer's Deployment Environment, that customer is the controller of that data. We will direct your request to the customer or assist the customer in responding, as appropriate.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority. For EEA matters concerning Deskree's processing, the lead supervisory authority is the Irish Data Protection Commission. UK individuals may complain to the Information Commissioner's Office (ICO). Swiss individuals may complain to the Federal Data Protection and Information Commissioner (FDPIC).

We use cookies and similar technologies on our website. EU, UK, and Swiss users are presented with a cookie banner where required. See our Cookie Policy for details.

Tetrix AI's outputs are assistive and require human review. Tetrix AI is not designed for automated decision-making that produces legal effects concerning data subjects or similarly significantly affects them within the meaning of GDPR Article 22. We do not engage in such automated decision-making in our own processing of personal data.

Where Tetrix AI is used by an enterprise customer, the customer is responsible for human review of AI outputs before relying on them in any decision affecting individuals. Our Artificial Intelligence Usage & Governance Policy is available on request.

Tetrix AI is not designed to process special categories of personal data within the meaning of GDPR Article 9. Enterprise customers may not configure Tetrix AI to ingest, or transmit to Deskree, protected health information (PHI) subject to HIPAA without our prior written agreement, and may not connect systems containing personal data of children under 13.

Our Services are not directed to children. We do not knowingly collect personal data from children under 13 (or 16 in jurisdictions that apply that threshold under GDPR Article 8). Enterprise customers may not configure Tetrix AI to process personal data of children under 13.

We may update this Policy from time to time. We will notify enterprise customers of material changes by email or in-product notice at least 30 days in advance.

Privacy Officer: Makar Levashov

Email: help@deskree.com

Legal Department: legal@deskree.com

Deskree Technologies Inc.

169 Gore Vale Avenue, Toronto, Ontario M6J 2R5, Canada

Deskree US Inc.

10900 Stonelake Blvd, Austin, TX 78759, United States

EU Representative under GDPR Article 27

Deskree has not appointed an EU representative under Article 27 GDPR. We rely on the derogation in Article 27(2)(a) GDPR on the basis that our processing of personal data is occasional, does not include large-scale processing of special categories of personal data referred to in Article 9(1) GDPR or of personal data relating to criminal convictions and offences referred to in Article 10 GDPR, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the self-hosted architecture of Tetrix AI (under which the substantive processing of customer data does not reach Deskree). We adopt the same approach for the UK GDPR.

Data Processing Agreements

Enterprise customers can request a Data Processing Agreement at sales@deskree.com.