Privacy Policy
Definite is a B2B platform. We do not sell or rent customer data to third parties, we do not run third-party advertising, and we do not run any behavioral analytics on the personal data you or your users submit through the platform.
1. Who we are
Ledgix Inc., doing business as Definite (“Definite”, “we”, “us”), operates the Definite ALCV platform — an authorization and audit layer for AI agent actions. Our primary point of contact for privacy matters is contact@usebylaw.com.
This policy applies to the Definite platform (Vault API, customer dashboard at app.usebylaw.com, developer documentation at docs.usebylaw.com), and our published SDKs (bylaw-ts and bylaw-python). It does not apply to third-party services your organization connects to Definite.
2. What data we collect
Account and organization data
When you create an account or accept an invitation, we collect your email address, your organization name, and the authentication credentials required to log in (managed through our auth provider, Supabase). If your organization configures SSO, your identity provider shares the claims required to authenticate you.
Clearance request data (the ledger)
The core function of Definite is to authorize and record agent actions. Each clearance request your application submits is recorded in your tenant’s append-only audit ledger and includes:
tool_name — the name of the action being requested
tool_args — the arguments passed to that action
agent_id and session_id — identifiers your application provides
decision, reason, confidence — the policy evaluation result
policy_id and the hash of the policy content applied
request_id, timestamps, and cryptographic proof artifacts
Important: The tool_args field may contain personal data belonging to your end-users depending on how your application is built. You are responsible for ensuring that data sent to Definite through tool_args is limited to what is necessary for the authorization decision and complies with your own privacy obligations.
Policy content
Documents, structured rules, or text you upload to define how your agents should behave. This content is stored in your tenant’s isolated database and used by our policy evaluation engine to process clearance requests.
Notification and reporting settings
Email addresses you provide as review notification recipients, Slack webhook URLs you configure, and compliance report delivery preferences. These are stored per tenant and used only to deliver the notifications and reports you configure.
Usage and operational data
Standard server logs including IP addresses, request timestamps, HTTP methods and paths, response codes, and latencies. These are retained for operational purposes and not used for behavioral profiling.
What we do not collect
We do not run third-party behavioral analytics, advertising pixels, or session recording on any Definite property. We do not collect credit card numbers directly — billing is handled by our payment processor (Stripe) under their own privacy policy.
3. How we use your data
We use the data described above to:
Operate, maintain, and improve the Definite platform
Evaluate clearance requests against your policies and return authorization decisions
Produce cryptographically tamper-evident audit records on your behalf
Generate compliance reports you request through the dashboard
Deliver review notifications and alerts to the contacts you configure
Authenticate users and enforce access controls within your organization
Detect drift and anomalies in agent behavior against your established baselines
Respond to support requests, enforce our Terms of Service, and meet legal obligations
We do not use the content of clearance requests, policy documents, or ledger entries to train AI models without your explicit consent.
4. When we share data
Service providers
We share data with sub-processors that help us deliver the platform, including:
AWS — compute, Secrets Manager (credential storage), S3 (Merkle checkpoint anchoring)
Supabase — authentication and control-plane database hosting
Stripe — billing and payment processing
Vercel — hosting for the dashboard and documentation sites
Each sub-processor is bound by data processing agreements consistent with applicable law.
Legal requirements
We may disclose data when required by law, regulation, court order, or governmental authority, or when we believe disclosure is necessary to protect the rights, property, or safety of Definite, our customers, or others.
Business transfers
If Definite is acquired, merged, or transfers substantially all its assets, customer data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a materially different privacy policy.
What we do not do
We do not sell or rent personal data to third parties. We do not share ledger content or policy documents with other Definite customers. Tenant data is logically and cryptographically isolated.
5. Retention and deletion
The audit ledger is intentionally designed to be append-only and tamper-evident. Once a clearance decision is recorded and anchored, it cannot be selectively deleted without breaking the cryptographic chain — this is a core feature for SOX 404 and other regulatory frameworks that require immutable audit trails.
By default, ledger entries are retained for the lifetime of your tenant. Enterprise customers may negotiate specific retention terms in their order form, including legal hold procedures.
Account data (email addresses, organization settings, notification preferences) is deleted within 30 days of a verified account deletion request. Policy content is deleted when you remove it or upon tenant deletion.
6. Security
We apply the following technical controls:
All data in transit is encrypted over TLS 1.2 or higher
Approval tokens are signed with Ed25519; each token carries a unique one-time-use identifier that is burned on consumption
Ledger entries are individually hashed and Merkle-chained into a tamper-evident structure; checkpoints are signed and anchored to immutable external storage (S3 with versioning)
Per-tenant databases are isolated; tenant credentials are stored in AWS Secrets Manager and never written to the control-plane database
Multi-factor authentication is available and configurable for all tenant members
Administrative access follows a break-glass model with mandatory audit logging
No security system is impenetrable. If you discover a vulnerability, please contact us at contact@usebylaw.com.
7. International transfers
Definite infrastructure runs primarily in AWS regions in the United States. If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with data transfer restrictions, data may be transferred to the US. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers. Enterprise customers with data residency requirements should contact us to discuss region-specific deployment options.
8. Your rights
Depending on your location, you may have the right to:
Access — request a copy of personal data we hold about you
Correction — request correction of inaccurate personal data
Deletion — request deletion of personal data, subject to our retention obligations (see section 5)
Restriction — request that we limit processing in certain circumstances
Portability — receive personal data in a structured, machine-readable format
Objection — object to processing based on legitimate interests
Withdrawal of consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing
To exercise any of these rights, email contact@usebylaw.com. We will respond within 30 days. Note that some rights may be limited where the data forms part of a legally required audit record.
CCPA (California): California residents have the right to know what personal information is collected, to delete personal information, to opt out of sale (we do not sell personal information), and to non-discrimination for exercising these rights.
9. Cookies and tracking
The Definite dashboard uses a minimal number of first-party cookies for session management and authentication state. We do not use third-party advertising cookies, behavioral tracking pixels, or fingerprinting scripts on any Definite property.
10. Children
Definite is a B2B platform intended for use by organizations and their authorized personnel. We do not knowingly collect personal data from individuals under 18 years of age.
11. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify tenant administrators by email at least 14 days before the change takes effect. Continued use of the platform after that date constitutes acceptance of the updated policy.
12. Contact
For privacy questions, requests, or concerns:
Email: contact@usebylaw.com
See also our Terms of Service.