Enlaye Privacy Policy
Last Updated: May 10, 2026
This Privacy Policy (“Policy”) describes how Enlaye, Inc., together with its subsidiaries and affiliates (collectively, “Enlaye,” “we,” “our,” or “us”), collects, uses, discloses, and protects personal data in connection with our websites (including www.enlaye.com and www.enlaye.app), applications, integrations, sales activities, support channels, and the Enlaye Risk Lifecycle Management™ Software platform (the “Platform”), and any other service we operate (collectively, the “Services”).
This Policy is structured in two parts. Part A is the global policy that applies to everyone, regardless of where you are. Part B is a set of region-specific addenda for residents of the European Economic Area and the United Kingdom, Canada, California, and other U.S. states with comprehensive privacy laws. The addenda do not replace Part A; they add to it where applicable law gives you specific rights or imposes specific obligations on us.
In any conflict between this Policy and a signed customer Master Service Agreement, Customer Agreement, or Data Processing Addendum with respect to the customer’s data, the signed agreement governs. Mandatory rights granted to you by applicable law cannot be reduced or waived by this Policy or by any other agreement.
By using the Services you confirm that you have read this Policy.
Part A — Global Privacy Policy
A.1 Who We Are
Enlaye, Inc. is a Delaware corporation. Enlaye builds and operates the Platform, which helps construction-industry customers analyze, benchmark, and predict commercial, contractual, and financial risk across the construction project lifecycle.
We play one of two roles in relation to your personal data, and the role determines who is accountable to you and how you exercise your rights.
Enlaye as controller. Enlaye is the controller (the entity that determines the purposes and means of the processing) of personal data we collect directly from you in connection with our website, marketing, sales, recruiting, support, events, and corporate operations. Examples include the contact details you submit on a form, marketing-list information, recruiting-candidate information, and the personal data of our own employees and contractors.
Enlaye as processor. Enlaye is a processor (the entity that processes personal data on a controller’s documented instructions) when one of our customers uses the Platform and uploads or otherwise routes personal data through it — for example, project documents that contain personal information about the customer’s own personnel, sub-contractors, or counterparties. In that case, the customer is the controller and Enlaye acts under the customer’s Master Service Agreement, Customer Agreement, and any Data Processing Addendum.
If you are an end user of a customer’s Platform deployment and you wish to exercise rights with respect to data the customer controls, please contact your employer or the customer that authorized your access first; we will route your request through them so that the controller decides how to respond.
A.2 Age Requirements
Our Services are intended for users who are at least 18 years old, because the Platform is a professional B2B service used in connection with commercial construction projects. We do not knowingly collect personal data from children. If you believe we hold personal data of a child, please contact us at privacy@enlaye.com and we will delete it promptly. In jurisdictions where the minimum legal age for the relevant processing is higher than 18, we follow that requirement.
A.3 Personal Data We Collect
Enlaye seeks to limit the collection and processing of personal data to what is reasonably necessary and proportionate for the purposes described in this Policy.
We collect the following categories of personal data, depending on how you interact with us.
Identifiers and contact information. Name, work email, work phone, postal address, company, job title, and professional credentials.
Account and authentication data. Usernames, identifiers issued by our identity provider, session metadata, and authentication events. We do not store passwords for the Platform; passwords (where used) are processed by our identity provider in cryptographic form.
Customer Content uploaded to the Platform. Project documents, drawings, contracts, schedules, financial information, risk-analysis inputs, and any incidental personal data your organization chooses to include in those materials. You and your employer determine what is uploaded; this material is processed by Enlaye as a processor on the customer’s behalf. Customers are responsible for ensuring that Customer Data uploaded to the Platform is appropriate for processing through the Services and that they have provided any required notices and obtained any required consents or authorizations under applicable law.
Technical and usage data. IP address, approximate location derived from IP, browser type and version, operating system, device identifiers, referring page, pages viewed, session duration, feature usage events, and product-analytics events. On our marketing site we collect this through cookies and similar technologies (see §A.9). On the Platform we collect this through application logs and product analytics so that we can operate, secure, and improve the Services.
Communications records. Support tickets, email correspondence, chat messages, recordings of meetings or calls (where you have been notified of the recording), and survey responses.
Marketing and event data. Preferences, opt-in status, event registration and attendance, and engagement with our marketing communications.
Recruiting data. For candidates: name, contact details, CV/resume content, prior employment history, and any additional information you choose to provide.
Payment data. Handled by our third-party payment processors. Enlaye does not store card numbers in its own systems.
Special categories of personal data. We do not solicit and do not require special categories of personal data (data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation). If special categories are incidentally included in materials a customer uploads to the Platform, we treat them as Restricted under our internal Data Classification Policy and apply the strictest handling controls.
A.4 How We Use Your Personal Data
We use personal data to:
- provide the Services to our customers and their authorized end users;
- create and authenticate accounts and control access;
- deliver customer support and handle incidents;
- operate, secure, monitor, and troubleshoot the Services;
- improve the Services and develop aggregated analytics, using only de-identified, aggregated, pseudonymized, or otherwise protected Customer Content as permitted by the applicable Customer Agreement;
- train, evaluate, and fine-tune Enlaye’s artificial-intelligence models, in accordance with the constraints in §A.5;
- run sales, account management, and B2B prospecting activities;
- send marketing communications and event invitations, where you have given consent or where we have another lawful basis;
- recruit candidates;
- comply with legal obligations and audit requirements applicable to our operations;
- detect and prevent fraud, abuse, and security incidents;
- establish, exercise, or defend legal claims.
We do not engage in solely automated decision-making that produces legal or similarly significant effects on you. The Platform produces AI Outputs that are recommendations to inform your organization’s decision-making; the Customer Agreement requires that human review and final decision authority remain with the customer.
The lawful basis for each of these processing activities under EU/UK GDPR is set out in §B.1.1. The “business purpose” categorization for CCPA/CPRA purposes is set out in §B.3.
A.5 Customer Data, AI Training, and the Limits on What We Do With It
This section describes how Enlaye uses Customer Data and is calibrated to Enlaye’s standard Customer Agreement and to our internal Acceptable Use Policy.
Customer Data ownership. The customer retains all right, title, and interest in and to its Customer Data. Enlaye does not claim ownership of Customer Content.
Service-delivery license. The customer grants Enlaye a limited license to host, copy, transmit, process, and display Customer Data only as necessary to deliver the Services to the customer.
AI training license. Where the customer’s Customer Agreement so provides, the customer grants Enlaye a license to use Customer Data to develop, improve, evaluate, and train Enlaye’s artificial-intelligence models and algorithms, subject to all of the following constraints:
- Customer Data used for training, evaluation, or model improvement is de-identified, aggregated, pseudonymized, or otherwise protected as described in the applicable Customer Agreement, using technical and organizational safeguards designed to reduce the likelihood of identifying a customer, individual, or project;
- The training does not, and is not intended to, reveal any customer Confidential Information to third parties;
- The resulting models and any outputs or derivatives are owned by Enlaye, but the underlying Customer Data remains the customer’s property;
- Enlaye does not use Customer Data in a way that could reasonably re-identify the customer or its end users;
- Where the customer’s contract or applicable law requires, Enlaye honors customer-level opt-outs from AI training and model-improvement activities.
Customer opt-out from AI training. Where required by applicable law, contract, or customer configuration, Enlaye provides mechanisms allowing customers to opt out of the use of Customer Data for model training and improvement activities.
Personnel access. Enlaye personnel access Customer Data only when there is a specific, current, business-justified need. Access is logged and reviewed under our Access Control and Termination Policy. Customer Data is not used for marketing without the customer’s consent and is not used by Enlaye personnel for AI productivity tools that fall outside our sub-processor controls.
No overbroad license. Enlaye does not claim a perpetual, irrevocable, sublicensable, royalty-free license to use Customer Data for any purpose. The licenses Enlaye relies on are the ones described in this section and in the customer’s Customer Agreement, and they are constrained as described above.
Where Customer Data is stored and where AI inference happens. Enlaye operates regional Platform stacks in the United States, the European Union, and Canada. Customer Data uploaded to the Platform is stored in the customer’s home regional stack and does not leave the home region for routine production storage and processing. AI model inference is handled differently by region: for EU customers, model inference occurs entirely within the EU region; for U.S. and Canadian customers, model inference may use providers located in other regions during the inference call. In those cases Customer Data is transmitted in encrypted form, encrypted at rest by the inference provider, and is configured, where the inference provider supports it, not to be retained beyond the inference call.
A.6 How We Share Personal Data
We share personal data only as described below.
Sub-processors. Enlaye uses sub-processors to deliver the Services, in categories including hosting and infrastructure providers, identity and authentication providers, product-analytics providers, AI inference providers, and corporate SaaS providers (for email, document storage, payroll, e-signature, endpoint management, and related corporate functions). Each sub-processor that processes personal data is bound by a written contract that includes confidentiality, security, breach notification, sub-processor controls, audit rights, and data return or destruction obligations consistent with GDPR Article 28. A current list of sub-processors that process Customer Data is available on written request to privacy@enlaye.com, and Enlaye will provide a mechanism for customers to be notified of material sub-processor changes.
Customer-elected platform integrations. When you (or your employer) choose to integrate the Platform with a third-party platform or comparable systems, Enlaye exchanges data with that platform on the customer’s instructions. The third-party platform operates under its own privacy policy and is generally an independent controller (or, where the customer is its customer, the customer’s processor) with respect to the personal data it then handles.
Customer’s employer. If you are an authorized end user of a customer’s Platform deployment, your employer can see your usage of the Platform in the course of normal administration (for example, who accessed which document, audit trails, license assignment).
Service providers and professional advisors. We share personal data with our service providers and professional advisors (legal counsel, accountants, auditors, insurance brokers, banks) where necessary for them to perform their function, under appropriate confidentiality obligations.
Legal and regulatory disclosures. We disclose personal data when required by applicable law, court order, or other lawful process, or when reasonably necessary to protect the rights, property, or safety of Enlaye, our customers, or others.
Corporate transactions. If we are involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity, subject to appropriate confidentiality obligations and to this Policy continuing to apply, or to a successor policy that is no less protective.
We do not sell personal data and we do not “share” personal data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
A.7 Security
We maintain administrative, technical, and physical safeguards designed to protect personal data, calibrated to the sensitivity of the data and consistent with our information security program. These measures include encryption of personal data at rest and in transit using industry-standard cryptography (TLS 1.2 or higher in transit; provider-managed encryption at rest; full-disk encryption on Enlaye-issued endpoints), role-based access control on a least-privilege basis with multi-factor authentication for sensitive systems, centralized logging and monitoring, vulnerability and patch management, secure development practices including code review and dependency scanning, formal change management, and a documented incident response and breach notification program.
Enlaye’s information security program is designed in alignment with SOC 2 security principles and industry-standard security practices. Enlaye is pursuing SOC 2 Type 2 attestation; the controls described above are operational today and are subject to periodic internal review and external audit.
A.8 Retention
We retain personal data only as long as we have a lawful basis to do so. The headline retention windows below are aligned to our internal Data Management and Retention Policy. Where a longer period is required by law, regulation, contract, or a legal hold, the longer period applies; where a shorter period is required, the shorter period applies. Retention periods may be shortened where deletion is requested and legally permissible, or where the relevant data is no longer reasonably necessary for the purpose for which it was collected. The same retention table applies across all three regional stacks (U.S., EU, CA).
- Customer Data uploaded to the Platform — Duration of the customer’s contract, plus up to ninety (90) days after termination, unless a longer period is required by the Customer Agreement or by law.
- Account and authentication records for an authorized end user — Duration of the user’s authorization; deleted thereafter consistent with our identity provider’s deletion tooling.
- Application and security logs that reference user activity — Up to twelve (12) months in hot storage, with longer archival only where a contractual or legal obligation requires it.
- Product-analytics events — Duration of the customer’s contract plus up to ninety (90) days after termination, subject to our analytics provider’s retention controls.
- Marketing and event data — Until you withdraw consent or, where consent is not the basis, until two (2) years of marketing inactivity.
- Sales and customer-relationship management records — Duration of the relationship plus seven (7) years for commercial-records retention.
- Recruiting data for unsuccessful candidates — Up to twelve (12) months from the close of the role, unless you consent to a longer retention for future opportunities.
- Personnel records (Enlaye employees and contractors) — As required by U.S. federal and state employment and tax law (typically a minimum of seven (7) years for payroll-tax records).
- Executed contracts and corporate records — Seven (7) years post-termination of the contract.
- Transaction and accounting records — Seven (7) years, consistent with IRS and accounting recordkeeping guidance.
- Records subject to a legal hold — Preserved for the life of the hold, then disposed of per the ordinary schedule.
When a retention period ends, we delete or anonymize the personal data, unless retention is required for the establishment, exercise, or defense of legal claims, compliance with a legal obligation, or another lawful ground.
Backup, archival, and disaster-recovery cycles. Deletion from backups, archives, security and observability logs, and disaster-recovery systems may occur on a delayed cycle relative to deletion from primary production systems, provided that such residual data remains protected by the same controls described in §A.7 and is not restored to active systems except for legal, security, business-continuity, or regulatory-compliance purposes.
A.9 Cookies and Similar Technologies
Enlaye operates two distinct web properties that have different cookie footprints:
- The public Marketing Site (www.enlaye.com), which serves both English and French content (the French content is at /fr, also reachable via the redirected domain www.enlaye.fr), is hosted on Wix and uses Wix’s functional and session cookies (for site rendering, language preferences, server-session binding, and CSRF protection) together with Google Analytics 4 for first-party site analytics, plus YouTube embeds gated behind marketing-category consent. Cookie consent on the marketing site is managed by Usercentrics for Wix. The marketing site does not deploy retargeting or cross-context behavioral advertising tools, and Google Signals is off in the GA4 property.
- The Platform (www.enlaye.app) uses first-party cookies and similar technologies for authentication (provided by our identity provider), bot protection (provided by our edge network), session continuity, language and UI-state preferences, and product-usage analytics on a logged-in B2B-service basis. The Platform does not deploy advertising or marketing tracking technologies.
In both contexts, the categories of cookies and similar technologies we use are:
- Strictly necessary cookies for core site and Platform functionality (for example, authentication, load balancing, security). These cannot be disabled through our cookie banner because the Services would not work without them.
- Functional cookies for enhanced features (for example, remembering language preferences and UI state).
- Analytics cookies to understand how the Services are used so that we can improve them.
You can manage your preferences through our cookie banner, by adjusting your browser settings, and through industry opt-out tools provided by the Network Advertising Initiative and the Digital Advertising Alliance. We honor the Global Privacy Control (GPC) signal as an opt-out of analytics cookies and as a CCPA/CPRA “Do Not Sell or Share” signal where applicable. We treat a Do Not Track (“DNT”) header as a non-binding indication of preference; because there is no industry consensus on DNT, GPC is the more reliable opt-out and we recommend it.
A.10 Data Breach Notification
If we confirm a breach of security that affects your personal data, we will respond in line with our internal Breach Notification Policy. Notification commitments calibrated to your jurisdiction are set out in the regional addenda below. In every region, we document personal-data breaches in our internal Breach Log regardless of whether external notification is required.
Where Enlaye acts as a processor on behalf of a customer, Enlaye will reasonably cooperate with the customer in investigating, mitigating, documenting, and responding to confirmed security incidents affecting Customer Data, consistent with our obligations under the Data Processing Addendum and GDPR Article 28(3)(f).
A.11 External Links
The Services may contain links to third-party websites and platforms. We are not responsible for the content, security, or privacy practices of those third parties. We encourage you to review their privacy policies before providing personal data.
A.12 Changes to This Policy
We may update this Policy. Material changes will be announced through the Services and, where required by law, by direct notice to you, at least thirty (30) days before they take effect, except where a change is required by law to take effect sooner. We will keep prior versions available on request.
A.13 Relationship to Other Agreements
Scope of this Policy. This Policy governs personal data. Customer Confidential Information and other non-personal Customer Data are also protected under the applicable Customer Agreement, Master Service Agreement, Data Processing Addendum, and confidentiality obligations between the customer and Enlaye; this Policy is not the sole source of those protections.
Conflict and primacy. Where you have a separate signed agreement with Enlaye — including a Master Service Agreement, Customer Agreement, Data Processing Addendum, Non-Disclosure Agreement, or employment or contractor agreement — that agreement governs to the extent of any conflict between it and this Policy with respect to personal data covered by that agreement. Mandatory rights granted to you by applicable law cannot be reduced or waived by this Policy or by any other agreement.
Data Processing Addendum. Where Enlaye processes personal data on behalf of a customer, the processor-relationship terms are governed by the data-protection terms in the customer’s Customer Agreement or, where applicable, in a separate Data Processing Addendum. Enlaye will provide a Data Processing Addendum to a customer where required by applicable data-protection law.
A.14 Contact
For privacy inquiries, including data subject rights requests:
Email: privacy@enlaye.com
Mailing address: Enlaye, Inc., 125 Western Avenue, Boston, MA 02163, USA
For general inquiries: contact@enlaye.com
The contact for region-specific privacy authorities is set out in the regional addenda below.
Part B — Region-Specific Addenda
The addenda below add to Part A for residents of specific jurisdictions. If more than one addendum applies to you (for example, you are a French resident who also moved to California), the rights under each addendum apply to the extent provided by the applicable law.
B.1 Additional Rights for EU/EEA Residents (GDPR) and UK Residents (UK GDPR)
This section applies if you are located in the European Economic Area, Switzerland, or the United Kingdom, or if your personal data was collected in connection with offering the Services in those territories.
B.1.1 Lawful basis for each processing activity
Article 6 of the EU GDPR (and the parallel provisions of the UK GDPR) requires us to identify a lawful basis for each processing activity. The table below maps each purpose described in §A.4 to its lawful basis. Where we rely on legitimate interests, we have performed a balancing test that you can request a copy of by writing to privacy@enlaye.com.
- Providing the Services to a customer’s authorized end users — Performance of a contract with the customer (Art. 6(1)(b)); for end users, Enlaye acts as processor on the customer’s behalf.
- Account creation, authentication, and access control — Performance of a contract (Art. 6(1)(b)); legitimate interests in security (Art. 6(1)(f)).
- Customer support and incident handling — Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)).
- Operating, securing, monitoring, and troubleshooting the Services — Legitimate interests in keeping the Services secure and reliable (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c)).
- Improving the Services and developing aggregated analytics — Legitimate interests in product improvement (Art. 6(1)(f)); for Customer Content, the contractual basis in the customer’s Customer Agreement governs.
- Training, evaluating, or fine-tuning Enlaye’s artificial-intelligence models — Legitimate interests (Art. 6(1)(f)) supported by de-identification, aggregation, pseudonymization, or other safeguards described in the Customer Agreement; for Customer Content, the contractual basis in the customer’s Customer Agreement, which limits AI training as set out in §A.5 and prohibits use that could re-identify the customer or its end users.
- Sales, account management, and prospecting — Legitimate interests in growing our business (Art. 6(1)(f)); consent where required by local law (Art. 6(1)(a)).
- Marketing communications, events, and newsletters — Consent where required (Art. 6(1)(a)); legitimate interests for B2B marketing where lawful (Art. 6(1)(f)). You can withdraw consent or unsubscribe at any time.
- Recruiting — Steps prior to entering into a contract at your request (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)); consent for retention beyond a specific application (Art. 6(1)(a)).
- Compliance with legal obligations and audit requirements — Legal obligation (Art. 6(1)(c)); legitimate interests in defending claims (Art. 6(1)(f)).
- Detecting and preventing fraud, abuse, and security incidents — Legitimate interests (Art. 6(1)(f)); legal obligation where applicable (Art. 6(1)(c)).
- Establishing, exercising, or defending legal claims — Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)).
We do not engage in solely automated decision-making that produces legal or similarly significant effects on you (Art. 22). We do not process special categories of personal data (Art. 9) except where they are incidentally included in Customer Content, in which case we treat them as Restricted under our internal Data Classification Policy.
B.1.2 Your rights under the EU/UK GDPR
You have the following rights with respect to your personal data, subject to the conditions set out in the GDPR. Where Enlaye is the controller, we respond directly. Where Enlaye is a processor, we route your request to the customer who is the controller and assist them in responding under Article 28(3)(e).
- Right of access (Article 15) — to obtain confirmation of whether we process your personal data, a copy of it, and information about the processing.
- Right to rectification (Article 16) — to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure / “right to be forgotten” (Article 17) — subject to the exceptions in Article 17(3), including retention for the establishment, exercise, or defense of legal claims, compliance with legal obligations, or public-interest purposes.
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20) — for processing that is based on your consent or on a contract with you and that is carried out by automated means.
- Right to object (Article 21) — including an absolute right to object to direct marketing and a qualified right to object to processing based on legitimate interests.
- Right to withdraw consent (Article 7(3)) — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
- Rights regarding automated decision-making (Article 22) — we do not engage in solely automated decision-making with legal or similarly significant effects on you.
- Right to lodge a complaint with a supervisory authority — including the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. For French residents, the Commission Nationale de l’Informatique et des Libertés (CNIL, www.cnil.fr) is the competent authority. For UK residents, the Information Commissioner’s Office (ICO, ico.org.uk). For other Member States, see the European Data Protection Board’s list of national supervisory authorities (edpb.europa.eu).
B.1.3 How to exercise these rights and our response timeline
To exercise a right, email privacy@enlaye.com with enough information for us to verify your identity. We will respond within one (1) month of receipt under Article 12(3), extendable by up to two further months for complex requests, with notice to you of the extension and the reasons. We may decline a request that is manifestly unfounded or excessive, or where a statutory exception applies, in which case we will tell you why and how you may appeal.
B.1.4 International data transfers and where your data is stored
Customer Data: stored and processed in the EU. Customer Data uploaded to the Platform by EU customers — including project documents, drawings, and the records associated with project work — is stored on infrastructure in the EU region. Customer Data does not leave the EEA for routine production storage or processing.
AI model inference: in-region for EU customers. Model inference for EU customers runs entirely within the EU region. Customer Data is not transferred outside the EU during inference.
Limited residual cross-border flows. Certain operational categories of data — authentication and identity-management metadata, product-analytics telemetry, and Enlaye personnel access for support and incident response — may involve transfers to the United States. Each such transfer is supported by an appropriate Article 46 transfer mechanism (the EU-U.S. Data Privacy Framework where the recipient is a participant, otherwise Standard Contractual Clauses) and by supplementary technical measures including encryption in transit and at rest, role-based access control, multi-factor authentication, and access logging. We do not rely on Article 49(1)(a) consent as a routine transfer basis. You can request a copy of the relevant transfer mechanism by writing to privacy@enlaye.com.
B.1.5 Data breach notification — EU/EEA-specific
Where Enlaye is the controller and a personal-data breach is reasonably likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours of awareness, where feasible, in accordance with Article 33 of the GDPR. Where the breach is reasonably likely to result in a high risk to your rights and freedoms, we communicate the breach to you without undue delay in accordance with Article 34, unless one of the exceptions in Article 34(3) applies (for example, the data was rendered unintelligible to unauthorized persons through encryption).
Where Enlaye is the processor, we notify the customer (controller) without undue delay after becoming aware of the breach, in accordance with Article 33(2) and our customer Data Processing Addendum, with the information they need to satisfy their own Article 33 and Article 34 obligations.
B.1.6 Data Protection Officer and EU/UK Representative
Data Protection Officer. As of the effective date of this Policy, Enlaye has determined that the conditions in Article 37(1) of the GDPR are not met for our current operations and has not appointed a Data Protection Officer. The Privacy & Security Manager (privacy@enlaye.com) performs the internal privacy and security accountability function. We will reassess the need for a formal DPO appointment as our processing activities evolve.
EU Representative under Article 27. Enlaye has designated Enlaye SAS, a wholly owned French subsidiary of Enlaye, Inc., as its representative in the European Union under Article 27 of the EU GDPR. Enlaye SAS may be contacted in writing in connection with issues related to the processing of personal data of EU residents, in addition to the privacy contact set out in §B.1.7.
UK Representative. As of the effective date of this Policy, Enlaye has not appointed a representative under Article 27 of the UK GDPR. Enlaye will appoint a UK representative where required by applicable law and will reassess as its processing activities involving UK residents evolve.
B.1.7 EU/EEA contact
For EU or UK residents, the privacy contact is privacy@enlaye.com. For matters relating to Enlaye’s EU representative, you may also contact Enlaye SAS via privacy@enlaye.com, which routes to both the Privacy & Security Manager at Enlaye, Inc. and the Enlaye SAS team. The mailing address for Enlaye, Inc. is 125 Western Avenue, Boston, MA 02163, USA.
B.2 Additional Rights for Canadian Residents (PIPEDA and Provincial Laws)
This section applies if you are a resident of Canada. It supplements Part A and identifies the specific rights you have under the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), Quebec’s Act to modernize legislative provisions as regards the protection of personal information (“Law 25”) and the Act respecting the protection of personal information in the private sector (“Quebec Private Sector Act,” as amended by Law 25), Alberta’s Personal Information Protection Act (“Alberta PIPA”), and British Columbia’s Personal Information Protection Act (“BC PIPA”).
B.2.1 Compliance framework
Enlaye is committed to complying with PIPEDA at the federal level and with the provincial private-sector privacy laws of Quebec, Alberta, and British Columbia where applicable. Where Quebec Law 25 imposes a stricter requirement than PIPEDA, we follow Law 25 for Quebec residents; the same approach applies to Alberta PIPA and BC PIPA in their respective provinces.
B.2.2 Consent
Our consent approach follows PIPEDA Principle 3 (Consent) and Principle 4 (Limiting Collection):
Express consent is sought where the personal data is sensitive, the processing is outside the reasonable expectations of an individual entering a B2B service relationship, or applicable law (in particular Quebec Law 25 for sensitive personal information) requires it.
Implied consent is relied on for processing that is reasonably necessary to deliver the Services to the customer and that an individual entering an authorized-user relationship with a B2B platform would reasonably expect — for example, authenticating you, logging your activity for security purposes, and processing your work contact information to provide support.
You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may affect Enlaye’s ability to provide the Services to you.
B.2.3 Your rights
You have the following rights under PIPEDA and the applicable provincial law:
- Right of access — to be informed of the existence, use, and disclosure of your personal information and to access that information.
- Right to correction — to challenge the accuracy and completeness of your personal information and have it amended as appropriate.
- Right to withdraw consent — subject to legal or contractual restrictions and reasonable notice.
- Right to file a complaint — with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca, or with the relevant provincial commissioner where your provincial law applies.
For Quebec residents specifically, Law 25 adds:
- Right to data portability — for personal information that you provided to us in a structured, commonly used technological format, since the relevant Law 25 provisions came into force in September 2024.
- Right to be informed of automated decision-making — if a decision is based exclusively on automated processing of your personal information, you have the right to be informed of it and to obtain certain information about the principal factors and parameters that led to the decision and the right to make observations to a person able to review the decision. As stated in §A.4 and §B.1.1, Enlaye does not engage in solely automated decision-making with legal or similarly significant effects; the Platform produces AI Outputs that the Customer reviews before making a decision, consistent with the human-review requirement of the Customer Agreement.
- Right to require de-indexation or cessation of dissemination — in certain circumstances under the Quebec Private Sector Act.
B.2.4 How to exercise these rights and response timeline
To exercise any of these rights, email privacy@enlaye.com with enough information for us to verify your identity. We will respond within 30 days under PIPEDA and Quebec Law 25; an extension may be available where the request is complex or where compliance would unreasonably interfere with our activities, in which case we will notify you of the extension and the reasons.
B.2.5 Cross-border transfer disclosure
Under PIPEDA Principle 1 (Accountability) and Quebec Law 25 Article 17, we are required to inform you about transfers of personal information outside Canada and, for Quebec residents, outside Quebec.
Customer Data storage: in Canada. Customer Data uploaded to the Platform by Canadian customers is stored on infrastructure in Canada. Customer Data does not leave Canada for routine production storage.
AI model inference: cross-border path during the inference call. Model inference for Canadian customers may use providers located in other regions during the inference call (typically in the United States). Customer Data is transmitted in encrypted form, encrypted at rest by the inference provider, and is configured, where the inference provider supports it, not to be retained beyond the inference call. This is the principal cross-border path for Canadian customer personal information and is the path that requires the most attention under Quebec Law 25 Article 17.
Limited additional cross-border flows. Certain operational categories of data — authentication and identity-management metadata, product-analytics telemetry, and Enlaye personnel access for support and incident response — may involve transfers to the United States, supported by Standard Contractual Clauses, the EU-U.S. Data Privacy Framework (where the recipient is a participant), or another lawful transfer mechanism, together with supplementary technical measures including encryption in transit and at rest, role-based access control, multi-factor authentication, and access logging.
Quebec Law 25 Article 17 privacy impact assessment. For Quebec residents, before transferring personal information outside Quebec, Enlaye conducts a privacy impact assessment of the receiving jurisdiction’s data-protection regime, including the United States, taking into account the safeguards in place. The transfer is supported by the contractual and technical measures described above.
Variation in cross-border processing. Cross-border processing may vary depending on the customer’s configuration of the Services, the integrations and Third-Party Platforms the customer chooses to use, the sub-processors engaged in the customer’s deployment, and the terms of the applicable Customer Agreement. The descriptions in this section reflect our general operations and may differ in scope or destination for a particular customer.
B.2.6 Designated Person Responsible for the Protection of Personal Information
PIPEDA Principle 1 requires that an individual or individuals be accountable for the organization’s compliance with the principles. Quebec Law 25 Article 3.1 makes this explicit and requires publication of the designated person’s contact information. Enlaye’s designated person responsible for the protection of personal information is:
The Privacy & Security Manager
Enlaye, Inc.
Email: privacy@enlaye.com
B.2.7 Provincial Commissioners
If you are not satisfied with our response to a complaint, you may also file a complaint with:
- Office of the Privacy Commissioner of Canada — www.priv.gc.ca
- Commission d’accès à l’information du Québec (for Quebec residents) — www.cai.gouv.qc.ca
- Office of the Information and Privacy Commissioner of Alberta — www.oipc.ab.ca
- Office of the Information and Privacy Commissioner for British Columbia — www.oipc.bc.ca
B.3 Additional Rights for California Residents (CCPA/CPRA)
This section applies if you are a California resident as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”). It is the “Notice of Privacy Practices” required by California law.
B.3.1 Categories of personal information collected
In the past 12 months we have collected the following categories of personal information, as defined by the CCPA/CPRA:
- A. Identifiers — Examples: name, work email, account identifiers, IP address. Sources: you, your employer (Customer), cookies. Business purposes: service delivery, security, auditing.
- B. Customer Records (Cal. Civ. Code §1798.80) — Examples: work contact information, signature on contracts. Sources: you, your employer. Business purposes: service delivery, business operations.
- C. Protected classification characteristics under California or federal law — Generally not collected.
- D. Commercial information — Examples: subscription and transaction records. Sources: you, your employer, payment processor. Business purposes: service delivery, business operations.
- E. Biometric information — Not collected.
- F. Internet or other electronic network activity — Examples: cookies, log data, product-analytics events, feature usage. Sources: cookies, servers, analytics tools. Business purposes: service delivery, product improvement, security.
- G. Geolocation data — Example: approximate location derived from IP. Source: servers. Business purposes: security, auditing.
- H. Sensory data — Example: meeting recordings where you have been notified. Source: you. Business purposes: service delivery, recordkeeping.
- I. Professional or employment information — Examples: job title, employer, professional credentials. Sources: you, your employer. Business purposes: service delivery, business operations.
- J. Education information — Generally not collected.
- K. Inferences drawn from other personal information — Limited; product-usage patterns. Source: internal. Business purpose: product improvement.
- L. Sensitive personal information (CCPA-specific) — Example: account log-in credentials. Sources: you, identity provider. Business purposes: service delivery, security.
We do not knowingly collect sensitive personal information beyond the limited categories above (account credentials), and we do not use sensitive personal information for any purpose other than those permitted by California Civil Code §1798.121(a) and the implementing regulations. Accordingly, the right to limit the use of sensitive personal information described in §B.3.4 does not change how we process your data, but you may still exercise it.
B.3.2 Categories of sources
We collect personal information directly from you, from your employer or the customer that authorized your access to the Platform, automatically through the Services (cookies, server logs, application logs, security telemetry, product analytics), and from third parties (including business-data providers, public sources, event partners, and marketing-service providers).
B.3.3 Sale, sharing, and use of personal information
We do not sell personal information for monetary or other valuable consideration, and we do not “share” personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not sold or shared the personal information of California residents in the preceding 12 months. We have no actual knowledge of selling or sharing the personal information of consumers under 16 years of age.
Enlaye does not use Customer Data for cross-context behavioral advertising and does not monetize Customer Data through advertising networks, data brokerage, or consumer profiling activities.
B.3.4 Your rights as a California resident
You have the following rights under the CCPA/CPRA:
- Right to know what personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties to whom we disclose it.
- Right to delete the personal information we have collected from you, subject to the exceptions in California Civil Code §1798.105(d) (including retention to complete the transaction for which the personal information was collected, detect security incidents, comply with a legal obligation, or other permitted purposes).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — moot for Enlaye because we do not sell or share, but you may submit such a request and we will confirm the no-sale/no-share posture.
- Right to limit use of sensitive personal information — moot for Enlaye because we do not use sensitive personal information beyond the purposes permitted under California Civil Code §1798.121(a), but you may submit such a request and we will confirm.
- Right to non-discrimination — we will not discriminate against you for exercising these rights.
B.3.5 How to submit a request and our response timeline
To submit a request, email privacy@enlaye.com. We will:
- acknowledge receipt within 10 business days;
- respond substantively within 45 calendar days of receipt, extendable by an additional 45 days where reasonably necessary, with notice to you of the extension and the reasons;
- verify your identity by matching information you provide with information we hold about you;
- respond to authorized agents acting on your behalf with proof of authorization.
The right to know covers a 12-month look-back period unless the request relates to data collected on or after January 1, 2022, in which case the look-back may be longer where you specifically request and we can fulfill it without disproportionate effort.
B.3.6 No financial incentive
We do not offer financial incentives or price or service differences in exchange for the collection, sale, or retention of personal information.
B.3.7 Shine the Light
California Civil Code §1798.83 (“Shine the Light”) permits California residents to request information about personal information disclosed to third parties for those parties’ direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
B.3.8 California contact
To exercise any of these rights, email privacy@enlaye.com. You can also file a complaint with the California Privacy Protection Agency (CPPA) at www.cppa.ca.gov, or with the California Attorney General.
B.4 Additional Rights for Other U.S. State Residents
This section applies if you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another U.S. state with a comprehensive consumer privacy law that affords you rights similar to those of California residents.
B.4.1 Applicability and scope
Each of these state laws has its own applicability thresholds, definitions, and exemptions. Several of them (notably Virginia, Texas, Connecticut, and Utah) include exemptions for personal data processed in a B2B or employment context that may meaningfully reduce the rights we owe you under those laws. We honor the rights described below to the extent the law applies to our processing of your personal data and subject to the exemptions and exceptions in the relevant statute.
B.4.2 Rights generally available to residents of these states
Subject to the applicability and exemptions in §B.4.1, you generally have the right to:
- Know whether we process your personal data and access that data;
- Correct inaccurate personal data;
- Delete personal data we have collected about you, subject to exceptions;
- Receive a copy of your personal data in a portable, technologically usable format, where required by the applicable state law;
- Opt out of the sale of personal data, of targeted advertising, and of certain profiling that produces legal or similarly significant effects (we do not sell personal data, do not engage in targeted advertising, and do not engage in solely automated decision-making with legal or similarly significant effects, but you may submit such requests);
- Appeal our decision on a rights request, where the applicable state law provides an appeal mechanism;
- Non-discrimination for exercising these rights.
B.4.3 How to submit a request and response timeline
To submit a request, email privacy@enlaye.com. We will respond within 45 calendar days of receipt under the applicable state laws, extendable by an additional 45 days where reasonably necessary, with notice of the extension. Where the applicable state law provides an appeal right, you may appeal our decision within 60 days by replying to our response, and we will respond to the appeal within 60 days.
If you are not satisfied with our response or our appeal decision, you may contact the Attorney General of your state. For Colorado residents, you may also contact the Colorado Department of Law.