Privacy Policy
Catalystium, Inc. — Rhenari Platform
This Privacy Policy explains how Catalystium, Inc. (“Catalystium,” “we,” “us,” or “our”), a Delaware corporation, handles personal information in connection with our website at www.rhenari.com, our marketing and sales activities, and the Rhenari decision-intelligence platform and related services (the “Service”). It is written to be read in plain language. Where a term has a specific legal meaning, we say so.
Rhenari is a business-to-business (B2B) product. We sell it to organizations, and most people whose information we handle encounter us in one of two very different ways. Because those two situations carry different legal responsibilities, the rest of this policy is organized around them. Section 1 explains the distinction; please read it first, because it determines which parts of this policy apply to you and where to send a privacy request.
1. Who We Are and How to Read This Policy
We act in different roles depending on the information involved. Privacy law distinguishes between an organization that decides why and how personal information is used (often called a “controller” or, under the California Consumer Privacy Act, a “business”) and an organization that processes information only on another organization's instructions (a “processor” or “service provider”). Catalystium wears different hats:
1.1 When we are the controller
We decide how personal information is used — and this policy governs it — when you interact with us directly. This includes visitors to www.rhenari.com; people who request a demo, contact us, or subscribe to our communications; the administrators and billing contacts at our customers; and job applicants. Sections 2 through 5 and 7 through 15 describe these activities.
1.2 When we are a processor (personnel data inside the platform)
When an organization (our customer) uses Rhenari, the platform analyzes data relating to that organization's own personnel — behavioral metadata and, where the customer enables it, communication content from the business systems the customer connects. For that personnel data, the customer (your employer) is the controller, and Catalystium acts only as a processor on the customer's documented instructions. We do not decide what personnel data is collected, why it is analyzed, or who sees the results.
If you are an employee or other member of a customer's workforce and you have questions about how your information is processed in Rhenari, or you wish to exercise rights over that data, please contact your employer. Your employer determines those practices and is responsible for responding. Section 6 describes, for transparency, how the platform handles that data; the binding terms are in our customer agreement and Data Processing Agreement (DPA).
1.3 When we are the controller of De-Identified Data
We create De-Identified Data from the operation of the Service and use it for our own purposes — to operate and improve the platform and to conduct research — and we act as a controller over that De-Identified Data. Section 7 explains this in full, including our public commitment not to attempt to re-identify it.
2. Information We Collect as a Controller
This section describes information we collect when you interact with our website, sales, marketing, and support, and as an account administrator or billing contact. (Job-applicant information is described separately in Section 12. Personnel data processed inside the platform is covered in Section 6 and is not collected by us as a controller.)
2.1 Information you provide to us
- Identity and contact details: name, work email address, employer/organization name, job title, and the phone number or other contact details you provide.
- Demo, sales, and qualification information: information you submit when you request a demo or contact sales, which may include your organization’s size, role, use case, and similar qualification details.
- Communication preferences and topic interests: the topics you ask to hear about, your marketing and content preferences, and your subscription status for our communications.
- Event and webinar registrations: information you provide when you register for or attend an event or webinar we host.
- Support requests and correspondence: the content of support tickets, emails, and other messages you send us, and our responses.
- Account administration details: for our customers’ administrators and authorized contacts, the information needed to provision, configure, and support a subscription.
2.2 Billing and transaction information
We use third-party payment processors and marketplaces to handle payments. When you pay by card, the card details are collected and processed by our payment processor (Stripe); we do not receive or store payment card numbers. When you purchase through a marketplace (Microsoft, Google, or Slack), that marketplace acts as the merchant and shares transaction and entitlement records with us. From these processors we retain limited billing records such as billing contact, the last four digits and brand of a card, and invoice and transaction history.
2.3 Information we collect automatically
When you visit our website, we and our privacy-focused analytics provider collect limited technical information about your visit, including:
- Device and connection data, such as IP address, browser type, and operating system; and
- Usage data, such as the pages you view, referring and exit pages, and the dates and times of your visits.
Our website uses privacy-preserving, cookieless analytics that does not set tracking cookies, store a persistent identifier in your browser, or track you across other websites. See Section 4 and our Cookie Policy for details.
3. How We Use Information
As a controller, we use the information described in Section 2 to:
- Provide, operate, secure, and support the website and the Service, and provision and administer subscriptions;
- Respond to your demo requests, inquiries, and support requests, and communicate with you about your account or transactions;
- Send marketing and product communications consistent with your preferences and applicable law, and measure and improve those communications (you can opt out at any time — see Section 8);
- Process payments and maintain billing and tax records;
- Understand and improve how our website and Service are used, including through analytics;
- Detect, prevent, and address fraud, abuse, security incidents, and technical issues; and
- Comply with law and enforce our agreements.
We do not make decisions that produce legal or similarly significant effects about website visitors or prospects through solely automated processing.
4. Cookies, Analytics, and Opt-Out Signals
Our website is intentionally light on tracking. We use only the limited, strictly necessary cookies and browser storage needed to operate the site securely and to remember a privacy choice if you make one, together with privacy-preserving, cookieless analytics. We do not use advertising or marketing cookies, and we do not track you across other websites. Details about what the website sets, and the choices you have, are in our Cookie Policy (rhenari.com/trust/cookies), which is incorporated into this policy by reference.
Opt-out preference signals (Global Privacy Control). Our website is designed to recognize a Global Privacy Control (GPC) signal. Because we do not sell or share personal information, there is nothing to suppress; as a courtesy, we honor a GPC signal and do not treat your visit as consent to any non-essential cookie.
5. How We Share Information
We share personal information only as described here:
- Service providers and subprocessors. We share information with vendors that perform services for us — such as cloud hosting and infrastructure, payment processing (Stripe), website analytics, email and communications, and customer support — under contracts that require them to protect the information and use it only to provide services to us.
- Marketplaces. Where you transact through the Microsoft, Google, or Slack marketplaces, we exchange the information necessary to provision and manage your subscription.
- Legal and safety. We may disclose information where required by law or legal process, to protect rights, safety, and property, or in connection with an investigation of fraud or abuse.
- Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this policy.
- With your direction or consent. We share information at your direction or with your consent.
We do not sell your personal information. We do not sell personal information for money, and we do not disclose De-Identified Data in a manner that identifies the source customer without that customer's consent, except as required by law.
6. Personnel Data Processed Through the Rhenari Platform
For the personnel data analyzed inside Rhenari, your employer — not Catalystium — is the controller. We process that data as a processor, on the customer's documented instructions, as set out in our customer agreement and DPA. We provide the following description for transparency; it does not make Catalystium a controller of this data. If you are a member of a customer's workforce, direct any questions or requests about this data to your employer.
The platform is built around the following data-handling practices:
- Ephemeral processing of content. Where a customer enables content analysis for specific sources or channels, message and item content is processed transiently in memory solely to produce structured outputs and is then discarded; the structured outputs are retained, but the underlying content that produced them is not stored by the Service. This practice is auditable through the Service's access logs, which are available to the customer's administrators on request.
- Aggregation and non-exposure of individual data. Outputs are presented at the team or department level only. Groups smaller than a configurable minimum size (default three) are suppressed, and the Service does not expose individual-level behavioral data to a customer's executives or managers.
- Pseudonymization. Individual identifiers are pseudonymized before use in persistent analytics where live identifiers are not required.
- Customer responsibility. Our customer is responsible for establishing the lawful basis for the processing and for providing all required notices to, and obtaining all required consents from, its personnel (including any works-council or employee-representative approvals). This is a contractual warranty the customer makes to us.
The governing terms for this processing are in the customer agreement and the Data Processing Agreement. Where this policy and the DPA differ as to personnel data, the DPA controls.
7. De-Identified Data and Research
“De-Identified Data” means data derived from Customer Data or the operation of the Service that has been processed to remove or obscure identifiers such that it cannot reasonably be used, alone or in combination with other information reasonably available to Catalystium, to identify a natural person.
We create and use De-Identified Data, as a controller, in order to: (a) operate, maintain, secure, and improve the Service, including its scoring models, signals, insights, and alerts; and (b) conduct and publish research into organizational dynamics and cognitive sustainability in knowledge work, including the development and training of predictive models and algorithms. This includes research, conducted on a de-identified research dataset, into the diagnosis and intervention of prolonged cognitive stress in knowledge work.
Our public commitment. We do not attempt to re-identify De-Identified Data, and we do not re-identify any individual or disclose any individual's data to that individual's employer. Where we share De-Identified Data with service providers or other recipients, we require them to commit to the same no-re-identification standard. We maintain De-Identified Data as de-identified and do not attempt to derive a natural person's identity from it.
Source-specific limits (Google Workspace). Where Customer Data originates from a connected third-party platform whose terms restrict how data from it may be used, we honor those limits. In particular, for data obtained through the Google Workspace APIs and anything derived from it, we do not use, retain, or transfer that data to create, train, or improve any generalized or non-personalized machine-learning or artificial-intelligence model, consistent with the Google API Services User Data Policy, including its Limited Use requirements. This limit applies even after de-identification.
8. Your Privacy Rights and Choices
Depending on where you live and the role in which we hold your information, you may have some or all of the rights below. These rights apply to information for which we are the controller. For personnel data processed inside the platform (Section 6), please contact your employer, who controls that data.
8.1 Rights that may be available to you
- Access / know — to learn what personal information we hold about you and how we use and share it;
- Correction — to correct inaccurate personal information;
- Deletion — to ask us to delete personal information;
- Portability — to receive a copy of certain information in a portable format;
- Opt out — of the “sale” or “sharing” of personal information and of certain targeted advertising and profiling; and
- Non-discrimination and appeal — to not be discriminated against for exercising your rights, and, in several states, to appeal a denial of a request.
8.2 How to exercise your rights
You can make a request, or opt out of marketing, by emailing us at support@rhenari.com, or by using the unsubscribe link in our communications. We will verify your request as required by law and respond within the timeframes the applicable law sets (for example, 45 days under the California Consumer Privacy Act, which may be extended where permitted). You may use an authorized agent where the law allows.
8.3 U.S. state privacy rights
If you are a resident of California or another U.S. state with a comprehensive privacy law, you have the rights described above to the extent that law provides them. California: we do not sell personal information and have not done so; California residents may exercise the access, deletion, correction, and opt-out rights described above, and may designate an authorized agent. We honor recognized opt-out preference signals as described in Section 4.
8.4 Canada (PIPEDA and Quebec Law 25)
If you are in Canada, you may have rights of access and correction, and choices about how your information is used, under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, including Quebec's Law 25. You may contact us using the details in Section 15, and you may contact the Office of the Privacy Commissioner of Canada or the relevant provincial regulator.
9. Data Retention
We retain personal information for as long as needed for the purposes described in this policy — for example, to maintain your account or relationship with us, to provide the Service, to meet legal, tax, and accounting obligations, to resolve disputes, and to enforce our agreements — and then delete or de-identify it. De-Identified Data may be retained and used as described in Section 7.
10. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information appropriate to its sensitivity. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Where Your Information Is Processed
We currently offer the Service to organizations in the United States and Canada, and we process personal information in those regions and in the United States.
12. Job Applicants
If you apply for a job with us, we collect the information you provide in your application (such as your name, contact details, résumé/CV, work history, and any information you choose to share) and use it to evaluate your candidacy, communicate with you, and manage our hiring process. We retain applicant information as needed for these purposes and as required by law.
13. Children’s Privacy
The website and the Service are intended for businesses and for individuals who are at least the age of majority in their jurisdiction. They are not directed to children, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us so we can delete it.
14. Changes to This Policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, where required by law or where changes are material, provide additional notice. The version in effect at any time governs our handling of personal information at that time.
15. How to Contact Us
If you have questions about this policy or wish to exercise a privacy right, contact us at:
Catalystium, Inc. · Rhenari
Email: support@rhenari.com
Catalystium is a Delaware corporation.