Privacy Policy

1. Introduction

Sevrel is operated by Romulus, Inc. ("we," "our," or "us"). We provide an AI-powered document intelligence platform for commercial real estate organizations. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services.

2. Information We Collect

• Account information: Name, email address, and organization details provided through Microsoft Entra ID authentication.
• Chat queries and conversations: The questions you ask and the conversation history you build with the Service, stored in our database to provide continuity across sessions.
• Document context:Excerpts from your organization's Egnyte document library retrieved in real time to answer your queries. We do not permanently store copies of your documents.
• Integration data: Email, calendar, and meeting data accessed through authorized Microsoft Graph connections, used only for the features you initiate.
• Usage data: Feature usage patterns, query metadata, and performance metrics to improve the service.
• Billing information: Payment details are collected and processed by Stripe. We do not store credit card numbers on our servers.
• User preferences and memories: Notes and preferences you ask the Service to remember, stored in our database and associated with your account.

3. How We Use Your Information

• Providing and improving the Sevrel platform
• Processing your queries through Anthropic's Claude API for AI-powered analysis, document search, and web research
• Retrieving relevant documents from your organization's Egnyte library to ground AI responses in your actual data
• Searching the web for current market data, news, and public information when relevant to your queries
• Maintaining audit trails for compliance purposes
• Processing billing and subscription management
• Communicating service updates and security notices

4. AI Processing & Data Sharing with Anthropic

Your queries and relevant document excerpts are sent to Anthropic's Claude API for processing. This is essential to the core functionality of the Service. Anthropic processes this data under their API Privacy Policy, which states that data sent via the API is not used to train their models. We use tiered model routing (Haiku, Sonnet, and Opus) to balance speed and cost, sending only the minimum context necessary for each query.

When the AI determines that web search is needed to answer your query (for example, current market data or news), Claude's built-in web search capability may be used. Web searches are executed server-side by Anthropic and the results are incorporated into the AI's response.

5. Data Storage & Security

Your data is stored in encrypted PostgreSQL databases hosted on Railway. All communication is encrypted in transit via TLS. Authentication tokens and sensitive credentials are encrypted at rest using Fernet symmetric encryption. Session management uses HttpOnly, Secure cookies that are never exposed to client-side JavaScript.

Additional security measures include role-based access control (RBAC), per-user and per-IP rate limiting, append-only audit logging with correlation IDs, input validation and sanitization, and optional multi-factor authentication (TOTP).

6. Third-Party Services

We integrate with the following third-party services, each of which has its own privacy policy:

• Anthropic (Claude API): AI processing of queries and documents
• Microsoft 365 (Microsoft Graph API): Email, calendar, and authentication via Entra ID
• Egnyte: Document storage access and retrieval
• Cloudflare: Frontend hosting (Cloudflare Pages) and content delivery
• Railway: Backend application and database hosting
• Stripe: Payment processing and subscription billing
• Sentry: Error tracking and performance monitoring (no personally identifiable information is sent)
• Resend: Transactional email delivery

A current list of our sub-processors is maintained at sevrel.com/subprocessors.

7. Cookies

We use a single HttpOnly, Secure, SameSite=Lax session cookie for authentication. This cookie is not accessible to JavaScript and cannot be used for tracking. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

8. Organization & Tenant Isolation

The Service operates on a multi-tenant architecture. Your organization's data is logically isolated from other organizations. Organization administrators control user access, manage integrations (such as the Egnyte connection), and can view audit logs for their organization. Users within an organization share access to connected document libraries as configured by the administrator.

9. Your Rights

You may request access to, correction of, or deletion of your personal data by contacting us. Organization administrators can manage user accounts and data through the admin panel. You may delete individual conversation memories at any time through the Service interface. Upon request, we will delete your account and all associated conversation history, preferences, and memories.

10. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Conversation history is retained until you delete it or your account is terminated. Audit logs are retained in accordance with applicable compliance requirements and cannot be modified or deleted by users. You may request deletion of your account and associated data at any time.

11. Children's Privacy

The Service is designed for business use by commercial real estate professionals. We do not knowingly collect information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The "Effective date" at the top of this page indicates when the policy was last revised.

13. Contact

For privacy-related inquiries, contact us at support@sevrel.com.