LEGAL

Privacy Policy

Last updated: March 2026

1. Scope and Applicability

This Privacy Policy ("Policy") governs the collection, use, storage, and disclosure of personal information and confidential data by Engram, Inc. ("Engram," "we," "us," or "our") in connection with the Engram cognitive telemetry platform ("Platform"). By accessing or using the Platform, you consent to the practices described in this Policy.

2. Information We Collect

2.1 Account Information. We collect information you provide during registration: name, email address, professional role, firm type, industry specialization, and session preferences.

2.2 Session Data. When you use the Platform, we capture and process audio recordings, screen captures, and transcripts of expert analysis sessions. This data may contain Confidential Information Memoranda (CIMs), proprietary financial analyses, non-public financial data, and other material non-public information ("MNPI").

2.3 Derived Data. We generate structured cognitive event data from your sessions, including timestamped event boundaries, confidence scores, behavioral metadata, and reasoning traces ("Derived Data").

2.4 Usage Metadata. We collect platform interaction metadata including pages visited, features used, session timestamps, and IP addresses. We do not employ third-party behavioral tracking or advertising cookies.

3. How We Use Your Information

To process and decompose expert analysis sessions into structured cognitive event data in accordance with the services described in your agreement.
To generate Derived Data for use in AI model training, subject to the data licensing terms established during onboarding.
To improve the accuracy and performance of our cognitive telemetry pipeline.
To communicate with you regarding your account, sessions, and material platform updates.
To enforce our Terms of Service, comply with legal obligations, and protect the security of the Platform.

4. Data Protection and Security

Engram handles confidential financial data subject to regulatory requirements including, but not limited to, the Gramm-Leach-Bliley Act (GLBA) and SEC Regulation S-P. We implement administrative, technical, and physical safeguards designed to protect data confidentiality and integrity:

Encryption. All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 via our infrastructure provider.
Access Controls. Session data is protected by role-based access controls (RBAC) with three-tier authorization (Expert, Client, Admin). Row-level security enforces tenant isolation at the database level.
Logging. We do not log transcript content or session audio in application logs. Only structural metadata (word count, duration, event counts) is retained in logs.
Audit Trail. Data exports are audit-logged with user identity, timestamp, scope, and IP address.
Third-Party Processing. Transcript data is transmitted to Anthropic, PBC for cognitive event boundary detection via their Claude API. Anthropic's data processing practices are governed by their enterprise terms of service and do not permit use of transmitted data for model training.

5. Data Sharing and Disclosure

5.1 We do not sell personal information.

5.2 Derived Data (structured cognitive event traces) may be licensed to third parties for AI model training, solely in accordance with the licensing terms agreed upon during your onboarding and subject to per-customer royalty obligations.

5.3 We will not share raw session recordings, audio, or unprocessed transcripts with any third party without your explicit, prior written consent.

5.4 We may disclose information where required by law, regulation, subpoena, or court order, or where necessary to protect the rights, safety, or property of Engram, our users, or the public.

6. Data Retention

Account information is retained for the duration of your active account plus 12 months following termination. Session data and Derived Data are retained in accordance with the applicable data licensing agreement. Upon expiration of all applicable retention periods, data will be securely deleted or anonymized.

7. Your Rights

Subject to applicable law, you have the right to:

Access the personal information we hold about you.
Request correction of inaccurate personal information.
Request deletion of your personal information and session data ("right to erasure"), subject to legal retention obligations.
Object to or restrict certain processing activities.
Receive your personal information in a portable, machine-readable format.

To exercise any of these rights, contact us at legal@engram.ai. We will respond within 30 days of receipt.

8. International Data Transfers

Your data may be processed in the United States regardless of your location. By using the Platform, you consent to the transfer of your information to the United States, where data protection laws may differ from those in your jurisdiction.

9. Children's Privacy

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors.

10. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated via email to the address associated with your account or through a prominent notice on the Platform at least 30 days prior to taking effect. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

11. Contact

For questions regarding this Privacy Policy or our data practices, contact:
Engram, Inc.
legal@engram.ai
New York, NY