Privacy Policy

Effective date: April 30, 2026 · Last updated: May 1, 2026

This Privacy Policy describes how DeltaProof ("DeltaProof", "we", "us") collects, uses, and protects personal data when you visit deltaproof.ai or use our services. DeltaProof is a product of Calmarin Ltd, a company registered in Israel.

We designed DeltaProof to help our customers comply with data protection laws — including GDPR, CCPA/CPRA, and Israel's Privacy Protection Law 5741-1981. We hold ourselves to the same standards.

Beta Notice. DeltaProof is currently in private Beta. Most of our data processing is accordingly minimal: public visitors who view marketing pages, blog content, or this notice generate only standard server logs (Section 2.3) and any data they choose to submit through the access-request form. The full Service — SDK, dashboard, and APIs — is accessible only to invited testers who have created accounts. Sections referring to "Customer data" (Section 2.4) apply only to such account holders.

1. Who is the data controller

For data collected through this website and our services, the data controller is:

Calmarin Ltd (operating as DeltaProof)
Registered in Israel
Registered address available upon request at comply@deltaproof.ai
Email: comply@deltaproof.ai

For questions, requests, or complaints regarding your personal data, contact us at the address above.

2. What data we collect

2.1 Account and authentication data

When you sign up or sign in, we use Clerk as our authentication provider. Clerk collects and stores your email address, name, and (where you provide them) profile attributes. Clerk acts as our processor for this data.

2.2 Beta access

The site is currently in private beta. Entering the beta access code stores a flag in your browser's localStorage so you don't have to enter it again. No data leaves your browser as a result of this action.

2.3 Usage and log data

When you interact with our services we automatically record:

  • IP address (used for security and aggregate analytics; truncated where required)
  • Browser, device type, operating system, and language
  • Pages visited, referring URL, and timestamps
  • API requests, including endpoint, response code, and duration
  • Errors and diagnostic information

2.4 Customer data (B2B service)

When an organization deploys our SDK against their own model, the SDK streams metadata only to our compliance cloud — never model weights, never training data. Metadata includes timestamps, action types, content hashes, record counts, and certificate identifiers. Model weights and training data remain on the customer's infrastructure at all times.

When processing Customer's compliance metadata transmitted by the SDK, DeltaProof acts as a Processor (GDPR Art. 4(8); equivalent role under Israeli PPL). Processing occurs solely on the Customer's documented instructions, as governed by a separately executed Data Processing Agreement. The Customer determines the purposes and means of such processing as the Controller.

2.5 Communications

When you email us, fill out a contact form, or request a demo, we process the data you send (your message, email address, and any attached information) to respond to you.

2.6 Cookies and similar technologies

We and our service providers use cookies and similar technologies. See our Cookie Policy for full details.

3. Why we use your data (legal bases under GDPR)

  • Contract (Art. 6(1)(b)) — to provide the service you request, including authentication, dashboard access, and support.
  • Legitimate interest (Art. 6(1)(f)) — to operate, secure, and improve our service; to detect fraud and abuse; to analyze aggregate usage; to communicate updates relevant to active customers.
  • Consent (Art. 6(1)(a)) — for non-essential cookies, marketing emails to non-customers, and any other use where we ask explicitly. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other legal duties.

4. Subprocessors

We rely on the following service providers to operate our platform. Each is bound by a data processing agreement aligned with GDPR Art. 28 obligations.

Provider | Purpose | Region
Vercel Inc. | Frontend hosting and CDN | Global edge
Clerk Inc. | Authentication, user management | United States
Railway Corp. | API and database hosting (PostgreSQL, Redis) | EU-West (europe-west4)
Anthropic PBC | AI advisor (when invoked by user) | United States
RunPod / GPU partners | Customer-isolated GPU instances | Customer choice (EU / US)

We will give reasonable advance notice (typically 30 days) before adding or replacing a subprocessor that processes customer personal data.

Customers requiring a Data Processing Agreement (DPA) under GDPR Art. 28 may obtain DeltaProof's standard DPA template by writing to comply@deltaproof.ai. See also Terms of Service Section 8.

5. International transfers

Some of our subprocessors are located outside the European Economic Area or Israel. Where personal data is transferred internationally, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (2021/914), supplementary measures where required, and adequacy decisions where applicable.

6. Data retention

Data we hold as Controller (visitor and account data):

  • Account data — for as long as your account is active, plus up to 12 months after deletion for legal and dispute resolution purposes.
  • Server logs — up to 90 days, then aggregated or deleted.
  • Marketing communications — until you unsubscribe or object.
  • Contact form data — up to 24 months unless an active relationship continues.

Data we hold as Processor (Customer's compliance metadata, governed by an executed DPA):

  • Audit and compliance metadata — retained according to the Customer's documented instructions in the executed Data Processing Agreement. Customers typically configure retention to match the strictest applicable regulation (often up to 7 years under HIPAA, Israeli PPL, or sectoral guidance), but the Controller of this data is the Customer, not DeltaProof.

Data export upon termination. If you close your account, you may request an export of your account data within thirty (30) days of termination by emailing comply@deltaproof.ai. After that window, we may delete the data subject to legal retention obligations.

7. Your rights

7.1 Under GDPR (EU/EEA residents)

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion subject to lawful retention obligations.
  • Restriction — limit processing in certain cases.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interest or for direct marketing.
  • Withdraw consent — at any time without affecting prior lawful processing.
  • Automated decisions — not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Art. 22). DeltaProof does not engage in such processing — see Section 10.
  • Lodge a complaint — with your supervisory authority (e.g., your country's data protection authority).

7.2 Under CCPA/CPRA (California residents)

  • Right to know what personal information is collected, used, and disclosed.
  • Right to delete personal information held by us.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.
  • Right to limit the use of sensitive personal information.
  • Right not to receive discriminatory treatment for exercising these rights.

7.3 Under Israel's Privacy Protection Law 5741-1981

  • Right to inspect personal data we hold about you (§13).
  • Right to request correction or deletion (§14).
  • Right to file a complaint with the Israeli Privacy Protection Authority.

To exercise any of these rights, email comply@deltaproof.ai. We will respond within 30 days (GDPR), 45 days (CCPA), or as otherwise required by law.

8. Security

We implement appropriate technical and organizational measures including: TLS encryption in transit, encryption at rest for databases, role-based access controls, immutable audit logs, dependency vulnerability scanning, and regular access reviews. Despite our efforts, no system is perfectly secure. We will notify affected users and authorities of personal data breaches as required by applicable law (GDPR Art. 33–34, CCPA breach notice statutes).

9. Children

DeltaProof is a B2B platform not directed at children. We do not knowingly collect personal data from individuals under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Automated decision-making

DeltaProof's customers deploy AI models that may make automated decisions affecting their own end-users; that is governed by the customer's own policies and not this notice. We ourselves do not use automated decision-making with legal or similarly significant effects on visitors to this site.

11. Changes to this policy

We may update this policy as our service evolves or as the law changes. Material changes will be announced via email (to active customers) or a banner on the site. The "Last updated" date at the top of this page reflects the current version. Older versions are archived on request.

12. Contact

For privacy questions, requests, or complaints:
comply@deltaproof.ai

Patent Pending · 2 Provisional Applications Filed · 56 Claims · All Rights Reserved
© 2026 Calmarin Ltd. All rights reserved.