1. Introduction
Corax (operated by Coraxity, Inc.) is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding your data.
2. Data We Collect
2.1 Account Data
When you create an account we collect: name, email address, organization name, and authentication credentials (stored and managed by Auth0).
2.2 Infrastructure Credentials
To connect your sites and platforms we collect API tokens, access keys, and connection credentials. All credentials are encrypted at rest using AES-256-GCM. Credentials are never logged or returned in full in API responses.
2.3 Infrastructure and Code Data
When Corax monitors your systems and performs healing sessions, it accesses: application logs, error messages, stack traces, source code files relevant to detected errors, deployment configurations, and website behavioral data via Microsoft Clarity.
2.4 Usage and Billing Data
We collect: credit balance and transaction history, healing event records, command history, audit logs of all actions taken in the platform, and payment information (processed and stored by Stripe — we do not store full card numbers).
2.5 Communication Data
We collect records of emails and VAPI phone calls made by the Corax system on your behalf, including escalation calls and their outcomes.
3. How We Use Your Data
3.1 To provide the service: monitoring your infrastructure, generating and deploying fixes, sending escalation calls and notifications.
3.2 To improve the service: analyzing aggregate usage patterns, error rates, and healing success rates. We do not use your specific code or infrastructure data to train AI models.
3.3 To communicate with you: sending service notifications, billing communications, and product updates.
3.4 To ensure security: detecting and preventing fraud, abuse, and unauthorized access.
4. AI Processing
4.1 Corax uses Anthropic's Claude AI models to analyze errors and generate fixes. Your error context, relevant log data, and code files are sent to Anthropic's API for this purpose.
4.2 Anthropic processes this data under their usage policies and zero data retention policy for API customers. Your code is not used to train Anthropic's models.
4.3 Enterprise customers may configure Corax to use their own Azure OpenAI or Azure AI Foundry instance. In this case your data is not sent to Anthropic.
4.4 HIPAA-tier customers must use their own AI provider. PHI-adjacent data is never sent to Corax's shared Anthropic API account.
5. Data Sharing
We share your data only with:
5.1 Service providers who help us operate the platform:
- Auth0 (authentication)
- Stripe (payments)
- Railway (hosting)
- Cloudflare (CDN and security)
- Anthropic (AI processing)
- VAPI (voice services)
- Mailgun (email delivery)
- Microsoft (Clarity analytics)
- AWS (Lightsail infrastructure)
5.2 Law enforcement or government authorities when required by law and after verification of valid legal process.
5.3 A successor entity in the event of a merger, acquisition, or sale of assets, with notice to you.
We do not sell your data to third parties for any purpose.
6. Data Retention
6.1 Account data: retained while your account is active and for 30 days after termination.
6.2 Infrastructure credentials: deleted within 24 hours of site disconnection or account termination.
6.3 Healing event records and audit logs: retained for 12 months for standard customers, 6 years for HIPAA customers as required by law.
6.4 Billing records: retained for 7 years as required by applicable tax and financial regulations.
7. Data Security
7.1 All data is encrypted in transit using TLS 1.3.
7.2 Credentials and sensitive data are encrypted at rest using AES-256-GCM with key rotation support.
7.3 Access to production systems is restricted to authorized personnel and is audit logged.
7.4 We conduct regular security reviews and are pursuing SOC 2 Type II certification.
8. Your Rights
Depending on your location you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Request deletion of your personal data
- Export your data in a portable format
- Object to certain processing of your data
- Withdraw consent where processing is consent-based
To exercise these rights contact privacy@coraxity.com. We will respond within 30 days.
9. GDPR — EU/EEA Customers
9.1 For customers in the EU or EEA, Corax processes your data under the following legal bases:
- Contract performance: to provide the service you have subscribed to
- Legitimate interests: to improve the service, detect fraud, and ensure security
- Legal obligation: to comply with applicable laws
9.2 Data transfers outside the EU are made under the EU-US Data Privacy Framework or standard contractual clauses.
9.3 Enterprise customers may request a Data Processing Agreement at legal@coraxity.com.
10. CCPA — California Customers
California residents have the right to know what personal information we collect, the right to delete personal information, the right to opt out of sale (we do not sell personal information), and the right to non-discrimination for exercising these rights.
Contact privacy@coraxity.com to exercise these rights.
11. Cookies
Corax uses cookies for authentication session management and Microsoft Clarity for UX analytics. You may disable non-essential cookies in your browser settings. Disabling authentication cookies will prevent you from staying logged in.
12. Children
Corax is not directed at children under 18 and we do not knowingly collect data from children under 18.
13. Contact
For privacy questions or to exercise your rights:
Email: privacy@coraxity.com
Address: Coraxity, Inc., Tampa, Florida, United States