Privacy Policy

This Privacy Policy ("Policy") explains how Tessarai, LLC ("Tessarai," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with Capsara, our zero-trust, encrypted document and message exchange software-as-a-service (SaaS) platform, accessible via https://www.capsara.com (the "Website") and associated services (collectively, the "Services").

We are committed to protecting your privacy through principles of privacy-by-design, data minimization, and cryptographic isolation. The Services are engineered such that content is encrypted end-to-end, ensuring that Tessarai does not have access to plaintext data. This Policy empowers you to make informed decisions about your information by providing transparency into our practices.

Capitalized terms used but not defined herein shall have the meanings ascribed to them in our Terms of Service. For purposes of this Policy:

• "Personal Data" or "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under applicable data protection laws (e.g., GDPR, CCPA/CPRA).
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.

By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, please do not use the Services.

1. Scope and Applicability

This Policy applies to all individuals and entities interacting with the Services, including:

• Visitors to the Website;
• Organizations that subscribe to the Services ("Customer Organizations");
• Authorized users acting on behalf of Customer Organizations ("Authorized Users"); and
• Third parties exchanging encrypted envelopes, messages, or files via Capsara.

This Policy does not apply to information practices of third-party websites, applications, or services that may link to or integrate with Capsara but are not operated or controlled by Tessarai. We encourage you to review the privacy policies of those third parties.

2. Roles and Responsibilities

In most instances, particularly with respect to encrypted content and customer-managed data:

• Customer Organizations act as the Data Controller (under GDPR) or Business (under CCPA/CPRA); and
• Tessarai acts as a Data Processor (under GDPR) or Service Provider (under CCPA/CPRA), processing data solely on behalf of and as instructed by the Customer Organization.

For limited operational data (e.g., account administration, billing information, security telemetry), Tessarai acts as an independent Data Controller or Business.

Where Tessarai processes Personal Data as a Controller, we do so in accordance with this Policy and applicable laws.

3. Information We Collect

We collect information in the following categories. Due to the zero-trust architecture of Capsara, we do not access or process plaintext content of encrypted envelopes.

3.1 Encrypted Content (Zero-Trust Data)

Capsara facilitates the exchange of encrypted envelopes, which may include messages, files, and associated metadata.

• All envelope contents are encrypted on the client-side prior to transmission;
• Encryption keys are generated, controlled, and retained exclusively by the exchanging parties, not Tessarai;
• Tessarai has no ability to decrypt, access, or view envelope contents in plaintext; and
• Encrypted content is stored transiently or as configured by Customer Organizations solely to facilitate the Services, in accordance with customer-defined retention policies.

Tessarai processes this data in encrypted form only, without access to plaintext.

3.2 Account and Administrative Information

To provide the Services, we may collect:

• Identifying information such as name, business email address, company name, and role;
• Account credentials, including usernames, passwords, and multi-factor authentication artifacts;
• Billing and payment details, such as credit card information (processed securely via third-party payment processors);
• Communications related to support inquiries or service requests; and
• Preferences and settings configured for your account.

3.3 Technical and Usage Data

We automatically collect limited operational and technical data to ensure the security and functionality of the Services, including:

• Device and network information, such as IP addresses, device identifiers, browser type, and operating system;
• Platform and session details, including timestamps, envelope identifiers (without content), and transaction events;
• Audit and security logs, which may include access attempts and error reports; and
• Aggregated usage metrics for service improvement and billing.

This data does not reveal or expose encrypted content and is used strictly for operational purposes.

3.4 Information from Third Parties

We may receive supplemental information from trusted third parties, including:

• Payment processors (e.g., transaction confirmations);
• Identity verification or fraud-prevention services (e.g., authentication results); and
• Resellers or enterprise partners (e.g., referral details).

4. Legal Bases for Processing Personal Data

Where required by applicable law (e.g., GDPR, UK GDPR), our processing of Personal Data is based on one or more of the following legal grounds:

• Performance of a contract with you or the Customer Organization;
• Our legitimate interests, such as maintaining security, preventing fraud, ensuring service reliability, and improving the Services (balanced against your rights and interests);
• Compliance with legal obligations, including regulatory requirements; and
• Your consent, where explicitly obtained and required (e.g., for certain optional features).

You may withdraw consent at any time, though this may limit access to certain features.

5. How We Use Information

We use collected information solely for the following purposes. We do not use information to analyze, mine, or inspect encrypted envelope contents.

• To operate, maintain, and provide the Services, including facilitating secure exchanges;
• To authenticate users, enforce access controls, and manage accounts;
• To process transactions, handle billing, and fulfill contractual obligations;
• To provide customer support and respond to inquiries;
• To detect, prevent, and respond to abuse, fraud, security incidents, or technical issues;
• To comply with applicable laws, regulations, legal processes, or enforceable governmental requests;
• To conduct internal research and analysis for service improvement (using anonymized or aggregated data where possible); and
• To communicate with you about the Services, including updates, security alerts, and policy changes.

6. Cryptography and Zero-Trust Architecture

Capsara employs zero-trust principles and cryptographic isolation to safeguard data:

• Data encryption occurs client-side before transmission to our infrastructure;
• Private keys are generated and managed solely by users or Customer Organizations—Tessarai does not store, escrow, or have access to them;
• Loss or compromise of keys may result in permanent inaccessibility of encrypted content, for which Tessarai bears no responsibility; and
• Users and Customer Organizations are solely responsible for secure key management practices.

No security measure is infallible, and users assume risks associated with key management.

7. Cookies and Tracking Technologies

The Website utilizes limited cookies and similar technologies essential for:

• Core functionality and session management;
• Security measures and fraud prevention; and
• Basic analytics to monitor site performance.

We do not employ cookies for advertising, behavioral tracking, or cross-site profiling. You may manage cookie preferences via your browser settings, though disabling them may impair Website functionality.

8. Disclosure of Information

We may disclose information under the following circumstances, always subject to contractual safeguards where applicable. Encrypted content remains encrypted and inaccessible without the appropriate keys.

• To service providers and vendors (e.g., cloud hosting, payment processors) bound by strict confidentiality and data protection agreements;
• To professional advisors, such as legal counsel, accountants, or security consultants, as necessary for business operations;
• To governmental authorities or law enforcement when required by law, subpoena, or to protect rights, property, or safety;
• In connection with corporate events, such as mergers, acquisitions, or asset sales, where the transferee agrees to honor this Policy; and
• With affiliates or subsidiaries for internal administrative purposes.

We do not sell, rent, or share Personal Information for monetary or other valuable consideration, nor do we engage in cross-context behavioral advertising.

9. International Data Transfers

The Services are operated globally, and information may be transferred to, stored, and processed in jurisdictions outside your country of residence, including the United States, where data protection laws may differ.

To ensure adequate protection, we implement lawful transfer mechanisms, including:

• EU Standard Contractual Clauses (SCCs);
• UK International Data Transfer Addendum;
• Adequacy decisions by relevant authorities; and
• Other equivalent safeguards under applicable law.

We assess transfer risks and require third parties to maintain comparable protections.

10. Data Retention

We retain information only as long as necessary for the purposes outlined in this Policy or as required by law:

• Encrypted envelopes are retained based on Customer Organization configurations and contractual terms, typically until delivery or as specified;
• Account and administrative data is retained for the duration of the account plus any period required for billing, audits, or legal compliance (e.g., up to 7 years for financial records);
• Technical and usage data is retained for security and operational needs, generally up to 24 months; and
• Upon termination or request, data is deleted or anonymized, subject to legal holds.

11. Security Measures

We implement reasonable administrative, technical, and physical safeguards to protect information, including:

• Encryption of data in transit (e.g., TLS) and at rest;
• Network segmentation, access controls, and least-privilege principles;
• Continuous audit logging, monitoring, and incident response protocols; and
• Regular vulnerability assessments, penetration testing, and compliance audits.

While we strive to protect your information, no system is completely secure. We cannot guarantee absolute security and disclaim liability for unauthorized access beyond our reasonable control.

12. Your Rights

Subject to applicable law and verification of your identity, you may exercise the following rights regarding your Personal Data:

• Access: Request details of the Personal Data we hold and obtain a copy;
• Correction: Update or rectify inaccurate or incomplete information;
• Deletion: Request erasure (subject to legal exceptions, e.g., retention requirements);
• Restriction: Limit processing in certain circumstances;
• Objection: Oppose processing based on legitimate interests or for direct marketing;
• Portability: Receive your data in a structured, machine-readable format; and
• Withdraw Consent: Revoke consent where processing relies on it.

For data controlled by a Customer Organization, direct requests to them. For data where Tessarai is the Controller, submit requests via the contact information below. We respond within legally required timeframes (e.g., 30 days under GDPR, 45 days under CCPA). We do not discriminate against users exercising rights.

13. California and Other U.S. State Privacy Rights

California residents (under CCPA/CPRA) and residents of other states with similar laws (e.g., Virginia, Colorado) have additional rights, including:

• To know categories of Personal Information collected, sources, purposes, and third-party sharing;
• To delete Personal Information;
• To correct inaccurate Personal Information;
• To opt out of sales or sharing (though we do not sell or share for targeted advertising); and
• To limit use of sensitive Personal Information (we do not process sensitive data without consent).

Authorized agents may submit requests on your behalf with verification. Metrics on requests received/processed are available upon request.

14. Children's Privacy

The Services are designed for business and professional use and are not intended for or directed to children under the age of 16 (or applicable age of digital consent). We do not knowingly collect Personal Data from children. If we become aware of such collection, we will delete the information and terminate the account. Parents or guardians discovering unauthorized use should contact us immediately.

15. Third-Party Services

The Services may integrate with or link to third-party tools, services, or APIs. Such integrations are governed by the third parties' privacy policies. Tessarai is not responsible for their practices, and we disclaim any liability for third-party data handling.

16. Changes to This Policy

We may revise this Policy from time to time to reflect changes in our practices, technology, or legal requirements. Updated versions will be posted on the Website with a revised "Effective Date." For material changes affecting your rights, we will provide prominent notice (e.g., via email or in-app alert) and may seek your consent where required by law. Continued use of the Services after changes constitutes acceptance.

17. Contact Information

For questions, requests, or concerns regarding this Policy or our privacy practices, please contact:

If you are in the European Union, UK, or EEA, our Data Protection Officer can be reached at the above email. You also have the right to lodge a complaint with your local supervisory authority (e.g., Irish Data Protection Commission for EU matters).

For U.S. inquiries outside California, contact us at the above address. This Policy is governed by the laws of the State of Texas, without regard to conflict of laws principles.