Privacy Policy
Last Updated: December 5, 2025
Chrysalis is built on a simple truth: your data belongs to you.
This Privacy Policy explains how we handle information across our products and services, in alignment with our consent-first, zero-access architecture.
Our services operate on explicit, user-driven consent, never on passive or implied permission.
1. Who We Are
Chrysalis AE Inc. and its subsidiaries (including Chrysalis Labs LLC and Chrysalis Labs R&D LLC) provide identity, consent, and experience technology designed to give individuals control over their data.
Corporate Address
Chrysalis AE Inc.
1621 Central Avenue
Cheyenne, Wyoming 82001
USA
Contact for Privacy Questions
You can reach our privacy team at: security@chrysalis.inc
2. What This Policy Covers
This Privacy Policy applies to all current and future products, services, features, and experiences offered by Chrysalis, including those still in development or released on a limited or pilot basis.
This may include, but is not limited to:
Chrysalis websites and web applications
Identity, consent, or data-continuity tools
Consumer, enterprise, or developer-facing products
Experimental or beta features made available to select users or partners
As we evolve, any new product or feature that processes personal data will be covered by this Policy unless explicitly stated otherwise.
3. Information We Process
Chrysalis is designed so that you own your data and we cannot see or interpret the personal context you store in our systems.
Wherever possible, information is encrypted, pseudonymized, or fully anonymized so that it cannot be linked back to you by Chrysalis.
Below is an overview of the categories of information we process in order to operate our services. The specifics depend on how each product is architected.
Definitions
“Vault”: The encrypted, user-controlled storage space where identity context, reflections, and other personal data are held. Chrysalis cannot access Vault contents.
“Chrysalis Key” or “CKey”: Chrysalis’s consent and access-control system that allows users to approve, limit, change, or revoke how their Chrysalis information is shared with connected apps, partners, or third-party platforms.
“Identity Context”: User-generated personal meaning, preferences, or reflective content stored in the Vault.
“Encrypted Content”: Any data stored in a form that Chrysalis cannot view without explicit user permission.
“Partner-Integrated Tools”: Experiences provided by an enterprise or program using Chrysalis technology.
“Subprocessor”: A third party engaged by Chrysalis to support hosting, security, analytics, or operations.
“Personal Data”: Any information relating to an identified or identifiable individual.
“User” or “You”: Any individual accessing or using Chrysalis services.
3.1 Information You Provide Directly (User-Controlled)
These are items you intentionally configure or store, but which Chrysalis cannot read in an identifiable form.
Examples include:
Account setup details
Profile settings or personalization preferences
Consent selections
Encrypted content you choose to store (e.g., identity context, reflection entries, or partner-generated assessments)
All such data is handled in a way that prevents Chrysalis from accessing the underlying content unless you explicitly permit it and it is technically required for the service.
3.2 Information Collected Automatically (Non-Identifiable)
We collect limited technical information to operate, secure, and improve the platform. This information is designed to be non-identifying and is not linked to the personal content you store.
Examples include:
Device type
Browser version
General location (e.g., city-level) if enabled
Log data (timestamps, performance metrics, error events)
Cookies or similar technologies used strictly for functionality and—if consented—privacy-respecting analytics
This operational data helps ensure stability, prevent abuse, and support product improvement without revealing your personal identity or the content you store.
Cookies and Similar Technologies
Chrysalis uses a minimal set of cookies and similar technologies strictly for:
Functionality (e.g., session continuity, authentication)
Security and fraud prevention
Privacy-respecting analytics, when consented
Chrysalis does not use advertising cookies or third-party tracking.
You may control cookies through your browser settings. Some features may not function without essential cookies.
For enterprise implementations, specific analytics tools, logging configurations, and monitoring systems will be disclosed during the security and technical assessment process.
3.3 Information From Partners
Some organizations use Chrysalis technology inside their own applications, programs, or systems.
In these cases, any information a partner sends to Chrysalis is controlled by your explicit consent—and is handled in a way that prevents Chrysalis from accessing your identifiable personal data.
Partners may send certain data elements to enable identity continuity, personalization, reporting, or other functionality you have opted into. When this occurs, Chrysalis processes the information in an encrypted, pseudonymized, or anonymized form so that we cannot view or reconstruct your underlying personal content.
Chrysalis does not use partner-provided data for any purpose beyond the specific service you consented to.
3.4 Information Shared With Third-Party AI Apps and Connectors
If you choose to connect Chrysalis with a third-party AI platform, such as ChatGPT or Claude, Chrysalis may share limited information from your Chrysalis account with that platform based on the permissions you approve.
These permissions are managed through Chrysalis Key, also called CKey, our consent and access control system. CKey is designed to let you choose what categories of information a connected app can access, how much context it can receive, and how long that permission should last.
Depending on your choices, Chrysalis may share information such as profile preferences, communication style, goals, selected topics or life areas, and other context intended to help the third-party AI provide more personalized responses.
Chrysalis does not share your full account history, full reflection history, private notes, or complete stored profile by default. More detailed context is shared only when you explicitly authorize that level of access through your consent settings.
If you ask a third-party AI platform to send information back to Chrysalis, such as saving a conversation summary or updating your profile, Chrysalis will process that information only when you intentionally request or approve the action. In some cases, submitted information may be held for review before it is added to your Chrysalis account.
You may change or revoke connected app permissions through Chrysalis settings, CKey controls, or by disconnecting the app from the third-party platform. Once information is shared with a third-party platform at your direction, that platform’s own privacy policy and terms may also apply.
4. How We Use Information
We use limited information in order to operate, secure, and improve Chrysalis services.
Where possible, this information is encrypted, pseudonymized, or anonymized so that Chrysalis cannot view your identifiable personal data.
We use information to:
Provide, maintain, and improve Chrysalis services
Maintain account integrity and security
Honor the consent choices you make
Support identity continuity across experiences you explicitly opt into
Respond to support requests (without accessing user-owned personal content whenever possible)
For enterprise deployments, product-specific operational uses, processing flows, and data-retention durations are documented in the technical and security assessment provided during implementation.
We do not sell personal data.
We do not use data in ways that override, bypass, or assume consent.
We do not access the personal content you store unless you explicitly grant permission and it is technically required for the service.
4.1 Legal Basis for Processing (GDPR)
For individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland, Chrysalis processes personal data under the following lawful bases:
Consent: You provide explicit consent for any processing that supports the services you choose to use.
Contractual Necessity: Processing is required to provide the Chrysalis services you request.
Legitimate Interests: Limited operational, security, and anti-abuse processing, performed in a privacy-preserving manner that does not override your rights or freedoms.
Chrysalis does not use personal data for unrelated purposes or profiling.
4.2 International Data Transfers
Chrysalis is hosted in the United States (GCP us-central1).
If you are located outside the U.S., your data may be transferred to and processed in the United States.
Where required, Chrysalis relies on:
Standard Contractual Clauses (SCCs) for EU/EEA, UK, and Swiss transfers
Data Processing Agreements (DPAs) with partners and subprocessors
Additional technical safeguards, including strong encryption and a zero-access architecture
These mechanisms ensure a level of protection essentially equivalent to that in your home jurisdiction.
5. How We Share Information
Because Chrysalis is built on user ownership and explicit consent, we share only what is necessary to operate the service you choose to use.
We may share data with:
Service providers acting on our behalf (for example, hosting, security, or support tools)
Partners, but only when you provide explicit consent for a specific experience
Legal authorities, when we are legally required to do so
We do not share data with advertisers, data brokers, or any entity that seeks to monetize personal information.
For enterprise clients, Chrysalis provides a detailed list of subprocessors, data-flow pathways, and any applicable cross-border transfer mechanisms as part of the vendor security and contractual due-diligence process. All subprocessors are required to meet security, privacy, and confidentiality standards at least as strong as those used by Chrysalis.
6. Data Storage, Security & Retention
Security is foundational to Chrysalis. Data is processed in encrypted or anonymized forms wherever possible.
Hosting provider(s) and regions
Chrysalis is hosted on Google Cloud Platform (GCP) in a dedicated production environment, with primary services deployed in the us-central1 region across multiple availability zones for resilience.
Encryption at rest and in transit
All storage layers (servers, databases, configuration stores, backups, and logs) are encrypted at rest using strong, cloud‑provider–managed encryption. Network connections between components and to public endpoints are protected with TLS encryption in transit, and sensitive secrets are injected at runtime from a dedicated secret management system rather than stored in code.
Backup cadence and disaster recovery approach
Production databases are protected by automated daily backups and point‑in‑time recovery over a 7‑day window, allowing restoration to a specific point in time in the event of corruption or operator error. Infrastructure is fully defined as code and deployed via automated pipelines, enabling consistent re‑provisioning and rollback of environments as part of the disaster recovery strategy.
Access controls and authentication requirements
Access to production systems and data is governed by role‑based access control, using dedicated service identities with least‑privilege permissions for servers, background jobs, deployment automation, and monitoring. Direct human access is limited to authorized personnel, requires strong authentication, and all changes to infrastructure flow through reviewed pull requests and controlled CI/CD workflows.
Data retention durations
Database backups are retained for 7 days to support point‑in‑time recovery. Operational logs and metrics are retained for approximately 30 days to support security monitoring, troubleshooting, and capacity planning, after which they are deleted or aggregated in line with internal retention practices. Application data retention and deletion follow product and customer requirements and are not hard‑coded in this infrastructure layer.
Chrysalis retains personal data only for as long as necessary to provide the services you have selected or to meet legal or contractual requirements.
Account Data: Retained while your account is active; deleted upon request or account closure unless legal obligations require otherwise.
Vault Content: Controlled entirely by the user; deleted when you delete it or close your account.
Pseudonymized Metadata: Retained up to 24 months for security, anti-abuse, and operational analytics.
Backups: Retained for 7 days before automatic deletion.
Logs and metrics: Retained for approx. 30 days, then deleted or anonymized.
Enterprise agreements may define additional retention requirements, which override the above.
6.1 Breach Notification
If Chrysalis becomes aware of a data breach that affects your personal data, we will notify you without unreasonable delay and in accordance with applicable laws.
This includes:
Within 72 hours for incidents requiring notification under GDPR
Notification to individuals as required under U.S. state breach laws
Notification to applicable regulators or enterprise partners when legally required
Chrysalis will provide details of the nature of the breach, the data impacted (if determinable within our zero-access architecture), mitigation steps, and actions you may take.
7. Your Rights
Depending on your region, you may have rights to:
Access your data
Correct inaccurate data
Delete your data
Withdraw consent
Request portability
Object to certain types of processing
We will honor these rights in accordance with the privacy laws that apply to you (for example, GDPR in the EU or CCPA/CPRA in California).
Because Chrysalis is designed with encryption, pseudonymization, and zero-access principles, some requests may require you to take action directly within your account. When you contact us, we’ll guide you through what’s possible within our architecture.
California Privacy Rights (CCPA/CPRA)
If you reside in California, you have the right to:
Know what categories of personal information we collect
Request deletion of your data
Correct inaccurate data
Request access or portability
Opt out of data “sale” or “sharing” (Chrysalis does neither)
Limit the use of sensitive personal information
You may exercise these rights by contacting: security@chrysalis.inc
Chrysalis will not discriminate against you for exercising your rights.
8. Children’s Privacy
Chrysalis does not knowingly collect personal information from children under the age required by applicable law. In most regions, this means:
Under 13 in the United States (COPPA)
Under 16 in the European Union (GDPR), unless a member state sets a lower age (but never below 13)
If we learn that we have unintentionally processed information from a child below the applicable age, we will take steps to delete it as quickly as possible.
Parents or guardians who believe their child’s information may have been submitted to Chrysalis can contact us at security@chrysalis.inc.
9. Changes to This Policy
We may update this Policy as our products evolve.
If we make material changes, we will notify you clearly—for example, by updating the “Last Updated” date and, where appropriate, by providing additional notice through our services.
Your continued use of Chrysalis services after changes become effective means you accept the updated Policy.
10. Contact
For questions regarding privacy or your personal data, you can contact us at:
Email: security@chrysalis.inc
Mail:
Chrysalis AE Inc.
1621 Central Avenue
Cheyenne, Wyoming 82001
USA
Chrysalis maintains an up-to-date list of authorized Subprocessors at: https://chrysalis.inc/subprocessor