Privacy Policy
Provider: Carbynix, LLC, a Virginia limited liability company ("Carbynix," "we," "us"). Contact: support@carbynix.com.
1. Scope and the important distinction between two kinds of data
This Privacy Policy explains how Carbynix handles personal information of website visitors, prospective customers, and the people who administer a customer account, in connection with the Carbynix website (carbynix.com) and the customer portal (the "Sites").
It does not govern the security telemetry and other data that Carbynix processes on a customer's behalf to deliver the Managed Detection and Response service ("Customer Data"). Carbynix processes Customer Data as a processor or service provider, on the customer's instructions, under the Master Services Agreement and the Data Processing Agreement; if that Customer Data contains personal information of the customer's employees or end users, the customer (as controller) is responsible for the privacy notices to those individuals, and Carbynix's handling is governed by the Data Processing Agreement, not this policy.
2. Information we collect
- Information you give us: your name, business email, company, phone, and the content of inquiries when you contact us, request a demo, or correspond with us; account registration details for the portal (managed through our identity provider); and billing and contact details when you purchase (payment card data is collected and processed by Stripe, not stored by Carbynix).
- Information collected automatically when you use the Sites: log and usage data such as IP address, browser and device information, pages viewed, and timestamps, and similar data collected through cookies and comparable technologies. We use this only to operate and secure the Sites and to measure Site usage in aggregate; we do not use advertising cookies or track you across other websites.
- Customer Data: handled per the Data Processing Agreement as described in section 1, not under this policy.
3. How we use information
To operate, secure, and improve the Sites; to respond to your inquiries and provide support; to process orders, billing, and account management; to send service and, where permitted, relevant business communications; to maintain the security and integrity of our systems; and to comply with legal obligations and enforce our terms. We do not sell personal information, and we do not use it for purposes incompatible with those described here.
4. Cookies and similar technologies
The Sites use cookies and similar technologies that are necessary for the Sites to function and to keep them secure, plus limited analytics to understand Site usage in aggregate. We do not use advertising cookies or cross-site tracking. Where a jurisdiction requires consent before non-essential cookies are set, we present a consent mechanism before setting them.
5. How we share information; sub-processors
We share personal information with service providers that help us operate the Sites and deliver the Services, under contracts that require them to protect it and use it only for the services they provide to us. Our current sub-processors are listed in the Carbynix sub-processor list and include Amazon Web Services (hosting), Stripe (payment processing), Cloudflare (DNS, CDN, and edge security), our Keycloak identity service, and Anthropic (AI-assisted analysis). We may also disclose information to comply with law, enforce our agreements, or protect rights, safety, and security, and in connection with a corporate transaction with appropriate protections. We do not sell personal information.
6. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including access controls and least privilege, encryption in transit and at rest, secret management, and logging and monitoring. Our information security program is described at a high level in our security and trust overview. We are aligning our program to SOC 2, NIST 800-53, and ISO 27001 and are not yet certified; we will update this statement as that posture changes.
7. Data retention
We keep personal information for as long as needed for the purposes described here, to provide the Sites and Services, and to meet legal, accounting, and recordkeeping requirements, then delete or de-identify it. Your checkout consent and order records are kept for at least three years, or one year after your account terminates, whichever is longer, consistent with automatic-renewal recordkeeping requirements. Account and contact records are kept for the life of the account and a reasonable period afterward; inquiry and lead records are kept until they are no longer needed or you ask us to delete them.
8. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, or port your personal information, and to opt out of certain processing. These rights apply mainly to residents of states with comprehensive privacy laws; most of those laws exempt personal information processed in a business-to-business context, and California's law reaches some business-contact data. Where you have such rights, you can exercise them by contacting us at support@carbynix.com; we will verify your request and respond within the time the applicable law requires. We will not discriminate against you for exercising your rights.
9. Children
The Sites are for businesses and are not directed to children, and we do not knowingly collect personal information from children.
10. International
The Sites are operated from the United States and our infrastructure and sub-processors are US-based, so we do not routinely transfer personal information outside the United States. If that changes, we will apply an appropriate transfer mechanism and update this policy.
11. Breach notification
If a security incident affecting personal information occurs, we will notify affected individuals and authorities as required by applicable breach-notification law (for example Virginia's at Va. Code 18.2-186.6, and the analogous law of each state where affected individuals reside), and we will support our customers' own notification obligations as the Data Processing Agreement provides.
12. Changes and contact
We may update this policy; the current version is published on carbynix.com with its effective date. For material changes, we will post the updated policy with a new effective date and provide notice on the Sites or by email where we have your address. Questions or requests: support@carbynix.com, Carbynix, LLC.