Privacy Policy

Licentric Inc.(“Licentric”, “we”, “us”, or “our”) is the data controller responsible for your personal information collected through the Licentric software licensing platform (the “Service”). Licentric Inc. is incorporated under the laws of Delaware, United States.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have with respect to your data. It applies to all users of the Service, including dashboard users, API consumers, and end users of the self-service portal.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please do not use the Service. For questions, contact us at privacy@licentric.com.

Where the General Data Protection Regulation (GDPR) or equivalent legislation applies, we rely on the following lawful bases under Article 6 GDPR to process your personal data:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process payments, and fulfil our contractual obligations to you.
• Legitimate interests (Art. 6(1)(f)): Processing for fraud prevention, security monitoring, abuse detection, and service improvement, where our interests are not overridden by your rights. You may object to this processing at any time.
• Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including financial record-keeping, tax obligations, and responses to lawful requests from public authorities.
• Consent (Art. 6(1)(a)):Where we rely on your consent — such as for non-essential analytics cookies and optional communications — you may withdraw it at any time without affecting the lawfulness of prior processing.

We do not knowingly process special category data through normal Service operations. Where such processing occurs, we rely on Article 9 GDPR exceptions as applicable.

We collect personal data that is necessary to provide and operate the Service. We minimise collection to what is strictly required.

• Account data:When you register, we collect your name, email address, company name, and billing information. Payment card data is handled exclusively by Stripe — we do not store card numbers or full payment credentials.
• Usage data: We automatically collect API request logs, dashboard interactions, IP addresses, browser type, and device information to operate, secure, and improve the Service.
• License and activation data: License keys (stored as SHA-256 hashes), activation records, product configurations, entitlement metadata, and machine fingerprints used for license enforcement across devices.
• Payment data: Billing history, subscription status, and plan information. Card numbers and payment credentials are processed exclusively by Stripe and never stored on our servers.
• Support data: Communications you send to us, including support requests, feedback, and correspondence, retained to resolve issues and improve the Service.

We use your personal data only for the purposes described in this Privacy Policy and for purposes compatible with those for which it was collected.

• Service delivery: Provisioning and managing your account, processing API requests, issuing and validating license keys, and operating the dashboard and portal.
• Security monitoring: Detecting, investigating, and preventing fraud, abuse, unauthorised access, and security incidents across the platform.
• Billing: Processing subscription payments, issuing invoices, managing plan changes, and complying with financial and tax reporting obligations.
• Customer support: Responding to support tickets, resolving technical issues, and communicating service-related information.
• Product improvement: Analysing aggregated, anonymised usage patterns to improve reliability, performance, and features.
• Legal compliance: Meeting obligations under applicable law, responding to lawful legal process, and enforcing our Terms of Service.

We do not use your data for advertising, behavioural profiling, or sell it to third parties for any purpose.

We share your personal data only with trusted sub-processors who process it on our behalf under written data processing agreements compliant with GDPR Article 28. We do not sell personal data. We provide at least 30 days' advance notice when sub-processors are added or removed (GDPR Art. 28(2)), during which you may object.

• Supabase — Database and authentication (United States)
• Stripe — Payment processing (United States)
• Vercel — Application hosting, CDN, and usage analytics (United States)
• Postmark — Transactional email delivery (United States)

Beyond the processors listed above, we may disclose your personal data when required by applicable law, court order, or binding governmental regulation; to protect the rights, property, or safety of Licentric Inc., our users, or the public; or in connection with a merger, acquisition, or sale of assets, subject to standard confidentiality protections.

To object to a new sub-processor, contact us at privacy@licentric.com within 30 days of notice. If we cannot accommodate your objection, you may terminate the relevant services without penalty.

We retain personal data for no longer than necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting obligations. When data is no longer required, we securely delete or anonymise it.

• Account data: Retained for the duration of your account, plus 90 days after closure for data export and dispute resolution.
• Audit logs and financial records: Retained for 7 years as required by applicable tax, financial, and accounting regulations.
• Backup data: Encrypted backups retained for 30 days before secure overwriting.
• Deletion requests: Fulfilled within 30 days of verification, except where retention is required by law.
• License key hashes: Retained for audit purposes until account closure, then purged with account data.

Soft-deleted records are permanently removed within 90 days unless a legal hold applies. You may request early deletion at any time by contacting privacy@licentric.com.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights regarding your personal information, in addition to the rights described elsewhere in this Policy.

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions (such as legal obligations and fraud prevention).
• Right to correct: You may request correction of inaccurate personal information we maintain about you.
• Right to opt out of sale or sharing: We do not sell or share your personal information with third parties for cross-context behavioural advertising. No opt-out action is required.
• Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond those permitted under CPRA Section 1798.121.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights. You will not be denied goods or services or charged different prices.

To exercise your California privacy rights, submit a verifiable consumer request to privacy@licentric.com. We will respond within 45 days, with a possible 45-day extension where reasonably necessary.

For users in the United Kingdom, Licentric Inc. processes personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters, if you believe your personal data has been processed in breach of applicable law. The ICO can be contacted at ico.org.uk or by phone at 0303 123 1113.

International transfers of personal data from the UK to third countries are made using the International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses, as approved by the Secretary of State under Section 119A of the DPA 2018.

For questions about our UK data protection practices or to exercise your rights under UK GDPR, contact us at privacy@licentric.com.

We use essential cookies to provide a functional, secure experience. Non-essential analytics cookies are loaded only after you give explicit consent via our cookie consent banner.

• Session cookies (essential): Used to maintain your authenticated session in the dashboard and portal. These expire when you close your browser or your session times out.
• CSRF protection cookies (essential): Used to prevent cross-site request forgery attacks. These are essential security cookies required for safe operation of the Service.
• Preference cookies (essential): Where applicable, used to remember your display preferences (e.g., theme) and cookie consent choice. These expire after 12 months.
• Analytics cookies (consent required): We use Vercel Analytics to collect anonymised, aggregated usage data (page views, performance metrics). These cookies are loaded only if you accept non-essential cookies. No personally identifiable information is transmitted. You may withdraw consent at any time by clearing your browser cookies; analytics will not load on subsequent visits until you consent again.

We do not use third-party tracking cookies, advertising cookies, or cookies that transmit personal data to external advertising networks. We do not participate in cross-site behavioural advertising.

Essential cookies are covered by the “strictly necessary” exemption under PECR and applicable ePrivacy rules. Analytics cookies require your explicit consent under GDPR Article 6(1)(a) and are not loaded until consent is given.

If you are located in the European Economic Area (EEA) or another jurisdiction with comparable data protection laws, you have the following rights with respect to your personal data:

• Access: Request a copy of the personal data we hold about you, along with information about how it is processed.
• Rectification: Request correction of inaccurate or incomplete personal data we hold about you.
• Erasure: Request deletion of your personal data, subject to legal retention obligations.
• Portability: Request your personal data in a structured, commonly used, machine-readable format for transfer to another controller.
• Restriction: Request that we restrict processing of your personal data in certain circumstances, such as while a dispute about accuracy is resolved.
• Objection: Object to processing of your personal data based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Supervisory authority complaint: Lodge a complaint with the supervisory authority in your EU member state if you believe we have violated your data protection rights.

To exercise any of these rights, contact us at privacy@licentric.com. We will respond within 30 days. Exercising these rights is free of charge.

We are headquartered in Delaware, United States. Your personal data may be transferred to and processed in countries outside the EEA or UK, including the United States, where data protection laws may differ.

Where we transfer personal data from the EEA or UK to third countries, we rely on the following transfer mechanisms to ensure an adequate level of protection:

• Standard Contractual Clauses (SCCs): EU Commission Decision 2021/914 implementing clauses for controller-to-processor transfers, ensuring our sub-processors are bound to equivalent data protection obligations.
• Adequacy decisions: Transfers to countries recognised by the European Commission or UK Secretary of State as providing an adequate level of data protection.
• UK International Data Transfer Agreements (IDTAs): Used for UK-origin data transfers where EU SCCs do not apply directly.

Copies of our Standard Contractual Clauses or other applicable transfer safeguards are available upon written request to privacy@licentric.com.

We implement technical and organisational security measures appropriate to the risk of processing personal data, in line with industry standards and applicable legal requirements.

• Encryption at rest: All personal data stored in our database is encrypted using AES-256-GCM. License key hashes are stored using SHA-256; raw license keys are encrypted at rest via Supabase Vault.
• Encryption in transit: All communications between your browser or API client and our servers use TLS 1.3. Connections using older protocol versions are rejected.
• Digital signatures: License integrity is verified using Ed25519 digital signatures, preventing tampering without our private key.
• Multi-tenant isolation: Row Level Security (RLS) policies at the database layer ensure each account can only access its own data.
• Access controls: Internal access to production data is restricted to authorised personnel on a need-to-know basis. All access is logged and auditable.

No method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within the timeframes required by applicable law.

The Service is a business-to-business platform intended for use by adults aged 16 and over. It is not directed to, and we do not knowingly collect personal data from, individuals under the age of 16.

If we become aware that we have inadvertently collected personal data from a child under 16 without verifiable parental consent, we will take prompt steps to delete that information. If you are a parent or guardian and believe a child in your care has provided personal information to us, please contact us at privacy@licentric.com.

In the United States, we comply with the Children's Online Privacy Protection Act (COPPA). Where we have actual knowledge that a user is under 13, we will not collect, use, or disclose their personal information and will delete any such data upon discovery.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a prominent notice on the Service at least 30 days before the changes take effect. The effective date at the top of this Policy reflects the most recent revision.

Your continued use of the Service after the effective date of any revised Policy constitutes your acceptance of the updated terms. If you do not agree with material changes, you may close your account before they take effect.

For all privacy-related questions, to exercise your data rights, or to raise concerns about our data practices, contact our privacy team:

• Data Protection Contact: privacy@licentric.com
• Data controller: Licentric Inc., Delaware, United States

Licentric Inc. has assessed and determined that the appointment of a Data Protection Officer (DPO) is not required under GDPR Article 37, as our core activities do not involve regular, systematic large-scale monitoring of individuals or large-scale processing of special categories of data. This assessment is reviewed annually. In the interim, all data protection enquiries may be directed to privacy@licentric.com.

We will respond to all enquiries within 30 days. For complex requests requiring additional verification, we may take up to 60 days, and will inform you within the initial 30-day period if an extension is required.