Privacy Policy

Last Updated: February 8, 2026 · Effective: February 8, 2026

1. Introduction

This Privacy Policy ("Policy") describes how Stratir, a Wyoming corporation ("Stratir," "we," "us," or "our"), collects, uses, discloses, and protects your personal information when you access or use the WinterMute desktop application, our website at wintermute.app, and any related services (collectively, the "Services").

Stratir is incorporated in the State of Wyoming, United States. Our principal place of business is in Wyoming. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, please do not use our Services.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Registration: When you create an account, we collect your name, email address, and organizational affiliation (if applicable).
  • Waitlist and Early Access: If you sign up for our waitlist, we collect your email address and any additional information you voluntarily provide.
  • Communications: When you contact us via email or other channels, we collect the content of your message, your contact information, and any attachments you provide.
  • Payment Information: If you purchase a subscription, payment information is processed by our third-party payment processor (Stripe, Inc.). We do not store full credit card numbers on our servers.

2.2 Information Collected Automatically

  • Usage Data: We collect information about how you interact with our website, including pages visited, time spent, referral URLs, and click patterns. This data is collected via privacy-respecting analytics and does not include fingerprinting.
  • Device Information: We may collect device type, operating system, browser type, and general geographic location (country/region level only) derived from your IP address.
  • Log Data: Our servers automatically record information including your IP address, access times, and the pages you request. Server logs are retained for a maximum of 90 days and are used exclusively for security monitoring and debugging.

2.3 Information We Do NOT Collect

WinterMute is designed with a local-first, privacy-preserving architecture. We want to be explicit about what we do not collect:

  • Investigation Data: We do not collect, transmit, or store any data from your investigations, cases, dossiers, or intelligence work. All investigation data is stored locally on your device.
  • Browsing Activity: We do not monitor, log, or transmit your browsing activity within the embedded Tor browser or any other platform workspace.
  • AI Conversations: Conversations with the Cyro AI copilot are processed in real time and are not stored on our servers. AI processing is handled by Google Gemini's API, and we do not retain conversation logs.
  • Biometric or Genetic Data: We do not collect biometric identifiers, genetic data, or health-related information, consistent with the Wyoming Genetic Data Privacy Act.
  • Telemetry: The WinterMute desktop application does not include telemetry, usage tracking, or phone-home functionality.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, maintain, and improve our Services
  • To process transactions and send related notifications
  • To respond to your inquiries, comments, or support requests
  • To send you technical notices, security alerts, and administrative messages
  • To communicate with you about products, services, and events offered by Stratir (you may opt out at any time)
  • To detect, investigate, and prevent fraudulent transactions and unauthorized access
  • To comply with legal obligations

4. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom, our legal basis for collecting and using your personal information depends on the specific information and the context in which we collect it:

  • Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing the Services).
  • Legitimate Interests: Processing necessary for our legitimate interests, such as improving our Services, provided these are not overridden by your rights.
  • Consent: Where you have given us specific consent to process your information for a particular purpose (e.g., marketing communications).
  • Legal Obligation: Processing necessary to comply with applicable law.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following limited circumstances:

  • Service Providers: We share information with third-party vendors who perform services on our behalf, including payment processing (Stripe), email delivery (Resend), and cloud infrastructure (Vercel, AWS). These vendors are contractually obligated to protect your information.
  • AI Processing: When using Cyro AI features, query content is transmitted to Google's Gemini API for processing. Google's data handling is governed by their API Terms of Service. We do not send personally identifiable information to AI providers unless explicitly included by you in your queries.
  • Legal Requirements: We may disclose your information if required to do so by law or if we believe in good faith that such action is necessary to comply with legal obligations, protect our rights or property, prevent fraud, or ensure the safety of our users.
  • Business Transfers: In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.3
  • Local-first architecture ensuring investigation data never leaves your device
  • Regular security assessments and code audits
  • Access controls and principle of least privilege for internal systems
  • No persistent storage of sensitive investigation content on our infrastructure

While we take commercially reasonable steps to secure your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Specifically:

  • Account Data: Retained for the duration of your account plus 30 days after deletion request.
  • Server Logs: Automatically purged after 90 days.
  • Payment Records: Retained for 7 years as required by applicable tax and financial regulations.
  • Marketing Preferences: Retained until you opt out or request deletion.

8. Data Breach Notification

In accordance with Wyoming Statute § 40-12-501 et seq., in the event of a security breach involving your personal information (including Social Security numbers, driver's license numbers, or financial account information), we will notify affected individuals promptly and without unreasonable delay. Notification will be provided via email to the address associated with your account, and where required, to the Wyoming Attorney General.

If we determine that a breach has occurred that is reasonably likely to cause identity theft or fraud, we will also provide information about the nature of the breach, the types of information compromised, and steps you can take to protect yourself.

9. Your Rights

9.1 All Users

Regardless of your location, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate or incomplete information
  • Request deletion of your personal information
  • Opt out of marketing communications at any time
  • Request a copy of your data in a portable format

9.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell personal information. However, you have the right to direct us not to sell your information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You may limit the use and disclosure of sensitive personal information.

9.3 European Economic Area and United Kingdom Residents (GDPR/UK GDPR)

If you are located in the EEA or United Kingdom, you have the following additional rights under the General Data Protection Regulation:

  • Right of Access: You may request a copy of the personal data we hold about you (Article 15).
  • Right to Rectification: You may request correction of inaccurate data (Article 16).
  • Right to Erasure: You may request deletion of your data in certain circumstances (Article 17).
  • Right to Restrict Processing: You may request that we restrict processing of your data (Article 18).
  • Right to Data Portability: You may request your data in a structured, machine-readable format (Article 20).
  • Right to Object: You may object to processing based on legitimate interests (Article 21).
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
  • Right to Lodge a Complaint: You have the right to file a complaint with your local data protection authority.

9.4 Exercising Your Rights

To exercise any of the rights described above, please contact us at Vance@Stratir.com. We will respond to your request within 30 days (or 45 days for complex CCPA requests, with notice). We may require verification of your identity before processing your request.

10. International Data Transfers

Our Services are operated from the United States. If you are located outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers of personal data from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards as required under the GDPR and UK GDPR.

11. Cookies and Tracking Technologies

Our website uses a minimal set of cookies:

  • Essential Cookies: Required for the website to function (e.g., session management, authentication). These cannot be disabled.
  • Analytics Cookies: Used to understand aggregate usage patterns. We use privacy-respecting analytics that do not track individual users across sites.

We do not use advertising cookies, retargeting pixels, or third-party tracking scripts. We do not participate in cross-site tracking or behavioral advertising.

12. Third-Party Services

Our Services integrate with the following third-party providers:

Provider | Purpose | Data Shared
Google (Gemini API) | AI-powered analysis via Cyro | User-initiated query content only
Stripe, Inc. | Payment processing | Payment details, billing address
Vercel, Inc. | Website hosting | Access logs, IP address
Resend | Transactional email | Email address
Supabase | Authentication and database | Account credentials, user profile

Each provider is bound by their own privacy policy and applicable data protection agreements. We encourage you to review their respective policies.

13. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe that we have inadvertently collected information from a child, please contact us at Vance@Stratir.com.

14. Do Not Track Signals

Our Services respect Do Not Track ("DNT") signals sent by your browser. When a DNT signal is detected, we disable all optional analytics tracking. Note that essential cookies required for the website to function will continue to operate regardless of DNT settings.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where appropriate, by sending you an email notification. We encourage you to review this Policy periodically.

Your continued use of the Services after any changes to this Policy constitutes your acceptance of those changes. If you do not agree to the revised Policy, you must discontinue use of our Services.

16. Governing Law and Dispute Resolution

This Privacy Policy is governed by and construed in accordance with the laws of the State of Wyoming, United States, without regard to its conflict of law provisions. Any disputes arising out of or relating to this Policy shall be resolved exclusively in the state or federal courts located in the State of Wyoming, and you consent to the personal jurisdiction of such courts.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Stratir
Attn: Privacy Officer
State of Wyoming, United States