Privacy Policy

Effective date: [stamped at publication]

1. Who we are

Phronesis is operated by Sustainable Finance Partners, LLC, a United States limited liability company [registered address — owner-supplied at merge]. Phronesis is a decision-assurance platform: it produces auditable Decision Assets and publishes a public decision-quality benchmark. Contact: [email protected].

2. What this policy covers

The phronesisintel.com surfaces, the public Decision-Assurance Connector (read-only), and the Phronesis platform.

3. Data we collect — and don't

  • The public connector is read-only and requires no personal data. Connecting via OAuth establishes that a user or agent is authorized for read-only public access (mapped to a shared "public-read" identity); we do not require or process personal profiles for the read-only public tools (health_check, bench_query).
  • Operational and security logs: request metadata and action-gate decision events (which tool was called, the tier outcome) — used to operate, secure, and audit the service. Access-controlled.
  • Account / contact data (only if you contact us or hold an account): the name and email you provide — used to respond and administer the relationship.
  • No special-category or sensitive personal data is sought through the public connector; no consequential, write, or personal-data tools are exposed by it.
  • We do not sell personal data, and we do not share it for cross-context behavioral advertising.

4. How we use data — and the legal bases

To operate, secure, and improve the service; to respond to inquiries; and — for resolved decision outcomes — to maintain our public calibration record in de-identified or redacted form where applicable. We do not use your data to train third-party models, and we do not sell it. Where GDPR applies, our legal bases are: performance of a contract (accounts and paid services); legitimate interests (service operation, security, fraud prevention, and the de-identified public calibration record); legal obligation (records we are required to keep); and consent where we ask for it (e.g., optional communications), which you may withdraw at any time.

5. Isolation + security

Per-tenant isolation is architectural — customer data does not cross tenants, enforced at the code path itself. We apply least-privilege access and data minimization, and encrypt data in transit and at rest.

6. Sharing — our service providers

We share data only with the service providers necessary to run the platform, under contract, and as required by law. Current processors: Replit, Inc. (cloud hosting and managed database infrastructure) · Stripe, Inc. (payment processing, paid tiers) · Google LLC (business email and support workspace) · Anthropic, PBC (model inference supporting forecast and evidence generation). We will update this list as our providers change. We do not sell personal data to anyone.

7. Retention

We retain data no longer than needed for the purposes above or as law requires. Policy defaults: operational and security logs — 90 days (rolling), longer only where required for an active security investigation or legal obligation; account and billing records — the life of the relationship plus the period required by tax and audit law (up to 7 years); support correspondence — 24 months. Immutable decision records persist by design — the public ledger is corrected by supersede-and-reference, never edited in place — and are disclosed as such; personal data within them is handled per §8.

8. Your rights

Subject to applicable law (including GDPR and CCPA/CPRA), you may request: access to your personal data · correction · deletion (honored for personal data; where an immutable decision record must persist, we de-identify rather than destroy the record) · restriction of or objection to certain processing · data portability · opt-out of sale or sharing (we do neither). You will not be discriminated against for exercising any right. To exercise a right, email [email protected] from the address associated with your data; we apply reasonable verification before acting and respond within the timelines applicable law requires (30 days under GDPR; 45 days under CCPA, extendable as permitted). You may also lodge a complaint with your supervisory authority or state regulator.

9. Cookies / analytics

We run an essential-only posture: no advertising cookies, no third-party analytics or tracking scripts on phronesisintel.com. Any state we store in your browser exists solely to make the site function. If this posture ever changes, this policy will be updated first and consent obtained where required.

10. Children

The service is not directed to children and does not knowingly collect children's data.

11. International transfers

Phronesis is operated from the United States, and data is processed in the United States. If you access the service from the EEA, UK, or Switzerland, transfers to our processors are protected by those processors' standard contractual clauses and/or Data Privacy Framework certifications (our processors in §6 maintain these mechanisms); we do not operate EU infrastructure of our own.

12. Changes + contact

We will post changes here with an updated effective date. Questions: [email protected] · Sustainable Finance Partners, LLC.