Legal
Privacy Policy
1. Who we are
Catalyst is a product of Stratogenic AI Ltd, a company registered in England and Wales (company number 16228684). Our registered address and data controller contact is admin@stratogenic.ai.
We process data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Catalyst is
Catalyst is a governance middleware API. Organisations ("tenants") connect their automation tools — such as Zapier — to Catalyst to normalise, deduplicate, risk-score, and audit-log work as it flows through their systems.
Catalyst does not use advertising, tracking pixels, or analytics scripts on this website. The only data collected here is what you voluntarily provide to sign up.
What Catalyst stores — and what it doesn't
Catalyst does not act as a passive pass-through. When your automation tools send work to Catalyst, it normalises that work into a canonical governance representation and stores it in an active working set called the flow cycle. What is stored is normalised governance metadata — canonical fields such as domain, priority, stage, owner, and risk score — not a copy of your source system's raw records, emails, or database content.
The flow cycle is a bounded active working set (capped at 200 items per tenant) designed to hold work that is under active governance. It is not an archive. Tenants control what they choose to ingest, and can delete their data at any time using the GDPR deletion tools described below.
The audit ledger records governance events — timestamps, event types, state checksums, and the actors involved. It records what happened in the governance pipeline, not copies of your source content.
Catalyst's data governance behaviour is defined by the MASC (Minimum AI Standardisation Contract) and WNSC (Work Normalisation & Systemic Clarity) frameworks, both authored and maintained by Stratogenic AI Ltd.
Controller and processor roles
For the data tenants send via the API — normalised work metadata, governance decisions, audit records — Catalyst acts as a data processor on behalf of the tenant organisation. The tenant remains the data controller for the content they choose to ingest. Stratogenic AI processes that content solely to deliver the governance service.
For account data (company name, email address, billing information) — Catalyst acts as a data controller. This policy covers both roles.
3. Data we collect
Account data (controller)
When you register for a Catalyst API key we collect:
- Your work email address
- Your organisation name
- The IP address of the sign-up request (used for spam prevention, not retained long-term)
API usage data (controller)
When you use the API we log:
- Request timestamps and response codes
- Request IDs (for tracing and debugging)
- Your tenant ID (associated with your API key)
- Quota consumption counts
We do not log the full content of API request bodies in our infrastructure logs.
Tenant governance data (processor)
When you ingest work via the API, Catalyst stores a normalised governance representation of that work — canonical fields including domain, priority, stage, owner, and risk score — in a per-tenant data store called the GodThread. This is the active governance working set, not an archive of your source systems.
You control what you choose to ingest. Catalyst processes it according to your configuration, applies governance rules, and makes it available to you via the API. The normalised representation may include whatever content you included in the task title and details fields — we do not scrub those unless you use the GDPR pruning endpoint.
The flow cycle (active work) is capped at 200 items and can be cleared at any time via POST /gdpr/delete. The audit ledger records governance events, not copies of source content.
Billing data (controller)
If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We receive confirmation of payment status and your Stripe customer ID. We do not store card numbers, bank details, or CVV codes.
What we do not collect
- Personal behavioural data, health data, or sensitive personal categories
- Device identifiers or browser fingerprints
- Location data beyond country-level from IP addresses
- Data from third-party advertising or analytics networks
4. How we use it
We process data under the following legal bases:
- Contract performance — to deliver the Catalyst API service you signed up for, including routing your data through the governance pipeline and generating your API key
- Legitimate interests — for security monitoring, rate limiting, error logging, and preventing abuse of the service
- Legal obligation — to retain financial records as required by UK law
We do not use your data for advertising, profiling, or selling to third parties. We do not train AI models on tenant work data.
AI-generated summaries
Enterprise Pro tenants can request AI narrative summaries of their governance data. These requests are processed by OpenAI using their API. The data sent to OpenAI is a trimmed, structured snapshot of your governance views — it does not include raw task text beyond what you explicitly configured. OpenAI processes this under their API data usage policy. We do not send personally identifiable information to OpenAI beyond what is present in the governance data you have ingested.
5. Third parties
We share data with a small number of service providers under data processing agreements:
- Railway — cloud infrastructure and database hosting (EU/UK region)
- Stripe — payment processing (PCI DSS compliant)
- OpenAI — AI narrative generation (Enterprise Pro plan only, opt-in via API usage)
We do not sell or share your data with any other third parties for commercial purposes.
6. Retention
- Account data — retained for the life of your account, then deleted within 30 days of account closure
- Tenant work data — retained within your GodThread for the life of your account; you can request deletion at any time via POST /gdpr/delete
- Audit ledger entries — retained for up to 7 years where required for legal compliance; anonymised after account deletion
- API usage logs — retained for 90 days for debugging and security, then deleted
- Billing records — retained for 7 years as required by HMRC financial record-keeping obligations
7. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request that we correct inaccurate data
- Erasure — request deletion of your personal data (where no legal retention obligation applies)
- Portability — export your tenant data via GET /ledger (JSON or CSV)
- Restriction — request that we limit processing in certain circumstances
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email admin@stratogenic.ai. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
California residents have additional rights under CCPA/CPRA. Contact us at the address above to exercise them.
8. Security
Catalyst is designed with security as a core requirement, not an afterthought:
- API keys are hashed at rest — we cannot retrieve your key, only verify it
- All data in transit is encrypted via TLS
- Tenant data is isolated by tenant ID — no cross-tenant data access is architecturally possible
- The audit ledger is cryptographically chained — each entry contains a SHA-256 hash of the previous, making retroactive tampering detectable
- Redis access is restricted to the application layer — no direct external access
If you discover a security vulnerability, please contact admin@stratogenic.ai directly before public disclosure.
9. Contact
For privacy questions, data requests, or concerns:
- Email: admin@stratogenic.ai
- Subject line: "Privacy — Catalyst"
- Company: Stratogenic AI Ltd, registered in England and Wales, company number 16228684
We aim to respond to all privacy enquiries within 5 working days.