Agentic AI Threat Modeling
Sign inGet started

Legal

Privacy Policy

Last updated: 20 June 2026

This policy explains what personal data Janreth (“Janreth”, “we”, “us”) collects, why, how we protect it, and the rights you have. It is written to align with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, the “PDPL”) and, where it applies to you, the EU/UK General Data Protection Regulation (“GDPR”).

1. Who is responsible, and our two roles

Janreth is operated from the United Arab Emirates; the responsible entity and its contact details are on our Contact page. We act as a data controller for the account, billing, marketing, and usage data we collect to run our business. For the content you submitto be analysed — which you should keep free of personal data — you are the controller and we act as your processor, handling it only on your instructions; a data-processing addendum is available on request.

2. What we collect

  • Account data— name, email, profile photo, organization membership and role, held by our authentication provider, Clerk.
  • Service content— the system descriptions you submit, the reports generated from them, and your edits, stored per organization with database row-level isolation.
  • Usage and audit data— which mutating actions (generate, edit, re-assess, delete) were taken, by whom, and when, kept per organization for security and accountability, plus basic technical logs.
  • Billing data— subscription plan, invoices, and payment method, held by Stripe. We never see or store full card numbers.
  • Marketing and enquiry data— the name and email you give through a lead-magnet form, demo request, or contact email, handled via our email provider, Resend.

3. How and why we use it

We use personal data to authenticate you and operate accounts; to run analyses and render and export your reports; to enforce plan limits and bill subscriptions; to provide support and security; to send the materials and communications you request; and to comply with legal obligations. Where the GDPR applies, our legal bases are the performance of our contract with you, our legitimate interests in operating and securing the Service, your consent (for marketing emails), and compliance with legal obligations. We do not sell personal data or use it for third-party advertising.

4. AI processing of your content

To produce an analysis, the system description you submit is sent to large-language-model providers (such as Anthropic) over their API. Where the provider offers the control, we configure it not to use this data to train its models. The Service does not make automated decisions that produce legal or similarly significant effects about individuals — it analyses systems, and a person in your organization reviews and controls the output.

5. Marketing communications

If you request a guide, lead magnet, or updates, we send them by email via Resend and may add you to our mailing audience on the basis of your consent or our legitimate interest in responding to your enquiry. Every marketing email contains an unsubscribe link, and you can opt out at any time without affecting your use of the Service.

6. Processors and sub-processors

We share personal data only with vetted providers who process it on our behalf:

  • Clerk — authentication and organization management.
  • Stripe — payments and subscription billing.
  • Anthropic(and any other configured LLM provider) — running the analysis on submitted content.
  • Managed PostgreSQL and hosting providers— storing and serving application data.
  • Resend — transactional and marketing email.

7. International transfers

Some processors operate outside the UAE and the EEA, including in the United States. Where personal data is transferred across borders, we rely on the safeguards available — such as the provider's contractual commitments and standard contractual clauses, or a transfer to a jurisdiction recognised as providing adequate protection. Enterprise deployments can be hosted in-region (UAE) on request.

8. Retention and deletion

We keep Service content while your organization exists. Deleting an analysis removes it from the database; deleting your organization removes its reports and audit log; deleting your account removes your profile from Clerk. Stripe retains billing records for the period required by financial regulation, and marketing contacts are kept until you unsubscribe. Routine backups age out on our storage providers' schedules.

9. Your rights

Subject to the PDPL, the GDPR, and other applicable law, you may request access to, correction of, or deletion of your personal data; restrict or object to processing; request portability; and withdraw consent at any time. Organization-level requests should come from an organization administrator. Contact us at the address below and we will respond within the statutory period. You also have the right to lodge a complaint with the UAE Data Office or, if the GDPR applies to you, your local supervisory authority.

10. Security

Data in transit is encrypted with TLS; tenant data is isolated with database row-level security; access is role-based and audited. No system is perfectly secure — please report suspected vulnerabilities to security@janreth.com and we will respond promptly.

11. Children

The Service is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 18.

12. Cookies

We use essential cookies only: your authentication session (Clerk) and your theme preference. We do not use advertising or cross-site tracking cookies.

13. Changes

We will announce material changes to this policy in the app or by email. The “last updated” date above always reflects the current version.

14. Contact

Privacy questions and data-subject requests: support@janreth.com.