Privacy Policy

Effective Date: January 1, 2024

1. Our Privacy Commitment

EEPIS operates on zero-knowledge architecture. We cannot decrypt your content because we never possess your private encryption keys. This privacy policy explains what limited data we collect and how we protect it.

2. Data We Cannot Access

Due to our end-to-end encryption architecture, we cannot access:

  • Your content (documents, conversations, media, notes)
  • Your private encryption keys
  • Metadata within encrypted resources
  • Search queries executed locally on your device
  • Entity relationships extracted from your content

Your mobile device generates a cryptographic keypair during initial setup. The private key remains on your device and never transmits to our servers. All content is encrypted client-side before upload.

3. Data We Collect

3.1 Account Information

We collect minimal account identifiers:

  • Tenant ID (randomly generated UUID)
  • Device public keys for authentication
  • OAuth 2.1 token metadata (expiration, scope, grant type)
  • Account creation timestamp

3.2 Encrypted Content Metadata

We store metadata necessary for system operation:

  • Encrypted blob storage locations (S3 paths)
  • File sizes and upload timestamps
  • Content category classifications (encrypted)
  • Vector embedding dimensions and provider identifiers

This metadata does not reveal content details due to encryption.

3.3 System Logs

Operational logs for security and performance:

  • Authentication attempts (timestamps, device identifiers)
  • API request patterns (rate limiting, abuse detection)
  • Error logs (sanitized, no user content)
  • Performance metrics (query latency, storage utilization)

Logs are retained for 90 days and do not contain decrypted content.

4. How We Use Data

Limited data usage:

  • Authenticate devices via OAuth 2.1 device flow
  • Route encrypted content to correct storage locations
  • Process vector embeddings for semantic search (on encrypted data)
  • Monitor system health and detect abuse
  • Improve system performance and reliability

We do not use your data for advertising, profiling, or third-party sales.

5. Data Storage and Security

5.1 Encryption Standards

  • AES-256 encryption for all content at rest
  • Client-side encryption before transmission
  • TLS 1.3 with certificate pinning for transport
  • Key derivation using industry-standard PBKDF2

5.2 Infrastructure

  • SeaweedFS S3-compatible encrypted blob storage
  • TiDB/TiKV distributed database with encryption at rest
  • Kubernetes cluster with network policies and pod security
  • Regular security audits and penetration testing

5.3 Access Controls

  • Multi-factor authentication for infrastructure access
  • Principle of least privilege for system components
  • Automated key rotation for service accounts
  • Audit logging for all administrative actions

6. Data Sharing and Disclosure

We do not sell or share your data with third parties. Limited disclosure occurs only when:

  • Required by law (court orders, subpoenas) - we will notify you unless prohibited
  • Necessary to prevent harm (credible threats, illegal activity)
  • Service providers require access (encrypted infrastructure only, under strict contracts)

Due to zero-knowledge architecture, we cannot provide decrypted content even under legal compulsion.

7. Your Rights

You control your data:

  • Access: Export all your encrypted data at any time
  • Deletion: Permanently delete your account and all associated data
  • Portability: Download content in standard formats
  • Rectification: Modify or correct your information
  • Restriction: Limit processing of specific data

Exercise these rights through the mobile application or by contacting privacy@eepis.ai.

8. Data Retention

  • Active accounts: Data retained while account is active
  • Deleted accounts: Immediate removal from active systems, 30-day backup retention
  • System logs: 90-day retention for security and debugging
  • Authentication tokens: Expired tokens deleted within 24 hours

9. International Data Transfers

Your encrypted data may be stored in multiple geographic regions for redundancy and performance. All transfers use encryption and comply with applicable data protection regulations including GDPR and CCPA.

10. Children's Privacy

EEPIS is not intended for users under 13 years of age. We do not knowingly collect data from children. If we discover underage account usage, we will terminate the account and delete associated data.

11. Changes to Privacy Policy

We may update this privacy policy to reflect system changes or legal requirements. Material changes will be communicated via:

  • In-app notification at least 30 days before effective date
  • Email to registered contact addresses
  • Prominent notice on eepis.ai website

Continued use after effective date constitutes acceptance of updated terms.

12. Contact Information

For privacy-related questions or to exercise your rights:

Email: privacy@eepis.ai
Security Issues: security@eepis.ai
General Inquiries: contact@eepis.ai

13. Technical Measures Summary

For transparency, our technical privacy protections:

  • Client-side key generation (private keys never transmitted)
  • Zero-knowledge encryption (we cannot decrypt your content)
  • OAuth 2.1 device flow (no password storage)
  • AES-256-GCM for content encryption
  • TLS 1.3 for all network communication
  • Certificate pinning to prevent man-in-the-middle attacks
  • Encrypted database fields for metadata
  • Regular security audits and vulnerability assessments