1. Scope and Purpose

This Privacy Policy describes:

• What information Stellarbridge collects
• How that information is used
• How it is protected
• The choices available to Customers

This Privacy Policy does not describe how Customers use the Service or how they manage data within their own environments.

2. Information We Collect

2.1 Customer-Provided Information

We collect information that Customers provide directly, including:

• Account information (such as name, email address, organization name)
• Authentication and access configuration data
• Support communications and requests

2.2 Files and Content

Stellarbridge provides file transfer and storage functionality. Customers upload files and data at their own discretion.

Stellarbridge does not access or inspect file contents, except where required by law (for example, pursuant to a valid court order).

3. Metadata, Logs, and Usage Information

Stellarbridge collects non-content data, including:

• File metadata (such as file size, timestamps, and transfer events)
• Audit logs and chain-of-custody records
• Security and access logs
• Service usage and performance data

This information is used in aggregated or de-identified form to:

• Operate and maintain the Service
• Monitor and protect security
• Detect and prevent abuse
• Improve reliability and performance
• Meet legal, regulatory, and compliance obligations

4. How We Use Information

Stellarbridge uses collected information to:

• Provide and operate the Service
• Authenticate users and manage access
• Maintain audit trails and security controls
• Respond to support requests
• Comply with applicable law

Stellarbridge does not use Customer data for advertising, resale, or third-party marketing purposes.

5. Regulated Data

5.1 Protected Health Information (PHI)

The Service may be used to transmit Protected Health Information (PHI) only where legally permitted by the Customer.

When PHI is processed:

• Stellarbridge acts as a Business Associate where applicable
• Processing is governed by a separate Business Associate Agreement (BAA)
• Stellarbridge does not access or inspect PHI contents

5.2 Prohibited Data

Customers may not use the Service to transmit or store:

• Classified information
• Controlled Unclassified Information (CUI)
• Federal Contract Information (FCI)
• ITAR-regulated data

6. Sharing of Information

Stellarbridge shares information only as necessary to operate the Service:

6.1 Service Providers (Subprocessors)

We use third-party service providers to support infrastructure, storage, email delivery, and monitoring.

These providers:

• Act solely on Stellarbridge's behalf
• Are subject to confidentiality and security obligations
• Do not use Customer data for their own purposes

6.2 Legal Requirements

We may disclose information where required to comply with applicable law, legal process, or lawful government requests.

7. Data Retention

• File retention periods are fixed by plan, unless Customers delete files earlier
• Upon account termination, Customer files are deleted immediately
• Audit logs and security records are retained for three (3) years for compliance, security, and chain-of-custody purposes

8. Customer Rights and Choices

Customers may:

• Access and download their own data through the Service
• Request data deletion, subject to compliance-related retention obligations
• Manage user access and permissions within their account

Requests may be submitted through Stellarbridge support channels.

9. Security

Stellarbridge maintains administrative, technical, and organizational safeguards designed to protect information processed by the Service.

Security operates under a shared responsibility model, meaning:

• Stellarbridge is responsible for security within the Service platform
• Customers are responsible for security controls within their own environments

No system can guarantee absolute security.

10. International Data Transfers

Customer information may be processed or stored in jurisdictions where Stellarbridge or its service providers operate.

Appropriate safeguards are implemented to protect information in accordance with applicable law.

11. Changes to This Privacy Policy

• Non-material changes will be posted on the Stellarbridge website
• Material changes will be communicated by email and posted on the website
• Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy