Document — Culprit Privacy Policy

Culprit — Privacy Policy

Effective Date: 2026-04-26 Last Updated: 2026-05-10

Feida Management Consulting Co. Ltd (the operator of the Culprit platform; "Culprit," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Culprit platform, websites located at or under theculprit.ai, and related services (collectively, the "Services").

Principal place of business: 7F., No. 51, Ln. 128, Jingye 1st Rd., Taipei 104051, Taiwan

Contact:

• Privacy requests (including GDPR, CCPA, and MODPA data-subject requests): privacy@theculprit.ai
• General support: support@theculprit.ai
• Legal notices: legal@theculprit.ai

This Privacy Policy applies to:

• Account users — individuals who register for and use Culprit on behalf of a Customer organization (for whom we generally act as a data processor on behalf of the Customer as data controller, with the exception of account-management data for which we are controller).
• Website visitors — individuals who visit theculprit.ai (for whom we act as controller).
• Prospective customers — individuals who contact us for sales, support, or partnership inquiries (for whom we act as controller).

For Customer-submitted telemetry that contains personal data of end-users of Customer's systems, we act as a processor on behalf of the Customer, and processing is governed by our Data Processing Agreement (DPA).

1. Information We Collect

1.1 Information you provide directly

• Account information: name, business email, organization name, role, password hash, and optional profile details.
• Billing information: payment details collected by our payment processor, Paddle (we do not store full payment card numbers on our systems).
• Communications: content of emails, support tickets, survey responses, and similar correspondence.

1.2 Information collected automatically

• Usage information: pages visited, features used, session timestamps, approximate location derived from IP address, browser and device metadata.
• Authentication and security events: login events, IP addresses, failed-login counts, session identifiers.
• Cookies and similar technologies: see Section 7.

1.3 Customer-submitted telemetry (processor role)

When a Customer uses Culprit to ingest alerts and telemetry from its IT systems, those payloads may contain personal data of the Customer's end-users or employees (for example, usernames, email addresses, or IP addresses appearing in log lines). Culprit's two-way tokenization architecture automatically replaces detected sensitive fields with opaque tokens (e.g., <TOKEN_...>) on ingest. AI models and downstream processing components see only tokens; plaintext is re-hydrated only on an authenticated session with a matching tenant identifier, server-side over HTTPS, and each re-hydration is logged for audit.

For Customer-submitted telemetry, Culprit acts as a data processor on behalf of the Customer, who is the data controller. The Customer determines the purposes and means of processing and is responsible for establishing a lawful basis for its end-users' data.

1.4 Information from third parties

• Identity providers (for example, if you log in via a social or enterprise SSO provider): basic profile information from that provider.
• Business contact databases: for prospecting, limited to business-context information (name, title, employer, work email).

2. How We Use Information

We use information to:

1. Provide the Services, including authenticating users, ingesting telemetry, correlating events, generating RCA summaries, delivering notifications, and supporting Customer administrators.
2. Secure the Services, including fraud and abuse detection, rate limiting, incident response, and audit logging.
3. Operate our business, including billing, analytics aggregated to non-identifying metrics, customer support, and internal accounting.
4. Communicate with you, including transactional messages (service alerts, password resets, billing) and — with appropriate consent or legitimate interest under applicable law — product updates and relevant marketing.
5. Comply with law, respond to lawful requests, and enforce our Terms of Service.

We do not use personal information to train AI models. AI inference is performed via third-party APIs under zero-retention or no-training terms as described in Section 5.

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, our lawful bases for processing are:

• Contract: to provide the Services to you or the organization you represent.
• Legitimate interests: to operate, secure, and improve the Services, and to communicate with existing customers about relevant products; always balanced against your rights and interests.
• Legal obligation: to comply with applicable laws.
• Consent: where required, for example for certain marketing communications or non-essential cookies. You may withdraw consent at any time by contacting privacy@theculprit.ai.

For Customer-submitted telemetry, the Customer is responsible for establishing the legal basis and for providing required notices to data subjects.

3.1 Legal-basis matrix

The following table identifies the principal legal basis Culprit relies on for each category of processing of personal data for which Culprit acts as a controller:

| Processing activity | Legal basis (GDPR Art. 6) | |---|---| | Account creation, authentication, session management | Contract — Art. 6(1)(b) | | Service delivery (incident ingestion, correlation, RCA) for Culprit's own controller-role purposes | Contract — Art. 6(1)(b) | | Security monitoring, fraud detection, abuse prevention, audit logging | Legitimate interests — Art. 6(1)(f) | | Transactional email (service alerts, password resets, billing notices) | Contract — Art. 6(1)(b) | | Product-update and relevant-marketing email to existing account administrators | Legitimate interests — Art. 6(1)(f), with opt-out | | Cookie-based analytics or marketing requiring consent | Consent — Art. 6(1)(a) | | Compliance with tax, accounting, and other legal obligations | Legal obligation — Art. 6(1)(c) | | Establishment, exercise, or defense of legal claims | Legitimate interests — Art. 6(1)(f) |

For Customer-submitted telemetry where Culprit is a processor, the lawful basis for processing is established by the Customer as controller.

4. How We Disclose Information

We disclose personal information only as described in this Policy:

• To Subprocessors who provide infrastructure, AI inference, and email delivery on our behalf, under written data-protection terms (see Section 5).
• To Customer administrators, for account-user information associated with the Customer's account.
• To professional advisors (lawyers, accountants, auditors) under confidentiality obligations.
• In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and to providing notice where required by law.
• For legal reasons, including to comply with valid legal process, to protect the rights, property, or safety of Culprit, our Customers, or others, and to enforce our agreements.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. "Sell" and "share" have the meanings assigned by the California Consumer Privacy Act as amended by the CPRA ("CCPA").

5. Subprocessors

We use the following Subprocessors:

| Subprocessor | Entity | Purpose | Region | |---|---|---|---| | Supabase | Supabase Inc. | Managed Postgres database and authentication | United States (us-east-1) | | Cloudflare | Cloudflare, Inc. | Workers (compute, application + edge), Queues, Durable Objects, DNS, domain registration | Global edge network | | Anthropic | Anthropic, PBC | LLM inference for Root Cause Analysis | United States | | OpenAI | OpenAI, L.L.C. | Text embedding generation for event correlation | United States | | Resend | Resend, Inc. | Transactional email delivery (invites, notifications, password resets) | United States | | Paddle | Paddle.com Market Limited (UK) and Paddle, Inc. (US) | Merchant-of-record billing, payment processing, sales-tax calculation and remittance, invoicing | United Kingdom and United States |

All Subprocessors are expected to maintain SOC 2 Type II or equivalent independent security certifications and to bind themselves to data-protection commitments at least as protective as those Culprit provides to Customers.[^soc2] AI provider Subprocessors (Anthropic and OpenAI) are engaged under terms that prohibit use of Culprit data for model training and apply zero-retention or short-retention policies consistent with API use. The Billing Subprocessor (Paddle) acts as Merchant of Record and processes only account-owner billing identifiers (name, billing address, payment-method token, transaction history); it does not receive incident data, tokenization keys, or end-user Personal Data flowing through the alert pipeline.

Because Culprit tokenizes sensitive fields before any call to an AI Subprocessor, those Subprocessors receive only opaque tokens and non-sensitive metadata — not plaintext PII or ePHI.

A current list of Subprocessors is maintained here and in the Data Processing Agreement. Material changes will be communicated to Customers in accordance with the DPA.

[^soc2]: SOC 2 Type II status is an aspirational commitment tracked at onboarding. Customers seeking the current independent-audit posture of any Subprocessor should request it at privacy@theculprit.ai.

6. International Data Transfers

Culprit operates primarily from Taiwan, and our Subprocessors operate globally. Taiwan is not currently recognized by the European Commission as providing adequate protection under the GDPR. When we transfer personal data originating in the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing adequate protection (including Taiwan and the United States, where our Subprocessors operate), we rely on:

• the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum or equivalent, where applicable) as incorporated in our Data Processing Agreement; and
• supplementary measures, including encryption in transit, encryption at rest, and the two-way tokenization architecture, which reduces the personal data exposed to downstream Subprocessors.

Customers may request a copy of the Standard Contractual Clauses by emailing privacy@theculprit.ai.

7. Cookies and Similar Technologies

We use a minimal set of cookies and similar technologies:

• Strictly necessary — required for authentication, session management, and security.
• Preferences — to remember settings (for example, dark mode) where applicable.
• Analytics (server-side and privacy-preserving) — we use internal server-side analytics run against our own database rather than third-party client-side analytics services.

We do not use advertising cookies or cross-site tracking. Where required by law, we will present a cookie banner with granular consent. You can control cookies through your browser settings; disabling strictly-necessary cookies may prevent you from using the Services.

7.1 Cookie inventory

The following cookies are set by, or in connection with, the Services on the theculprit.ai domain. Cookies set by the Paddle checkout flow on Paddle's own domain are governed by Paddle's privacy notice presented at checkout.

| Cookie | Category | Purpose | Duration | |---|---|---|---| | sb-rfpkeqxtovlycqzllheb-auth-token (and chunked variants .0, .1, …) | Strictly necessary | Supabase authentication session | Session / up to 30 days (refresh) | | sb-rfpkeqxtovlycqzllheb-auth-token-code-verifier | Strictly necessary | PKCE code verifier during OAuth/SSO sign-in | ~5 minutes (transient) | | __cf_bm | Strictly necessary | Cloudflare bot-management challenge | ~30 minutes | | cf_clearance | Strictly necessary | Cloudflare challenge clearance after CAPTCHA, where applicable | Up to 1 year | | culprit-theme (where set) | Preferences | Persists dark-mode preference | 1 year |

We do not currently set analytics, advertising, or social cookies on the Services. If we introduce non-essential cookies in the future, a cookie banner with granular consent will be presented in jurisdictions where consent is required.

8. Data Retention

• Active-account data: retained indefinitely while the Customer's account is active.
• Post-termination: Customer Data is deleted within 30 days of account closure, excluding backups, which are purged within 90 days per our database provider's backup retention schedule.
• Earlier deletion: Customer may request earlier deletion of specific data by emailing privacy@theculprit.ai; we will complete the deletion within 30 days of a verified request, unless retention is required by law.
• Audit logs: retained for a minimum of 12 months in tamper-evident storage to support security and compliance.

9. Security

We maintain administrative, physical, and technical safeguards designed to protect personal information, including:

• Two-way tokenization of potentially sensitive fields on ingest, before AI processing;
• Row-Level Security at the database layer to enforce tenant isolation;
• Encryption in transit (TLS) and encryption at rest for sensitive payloads (pgp_sym_encrypt) and token mappings;
• Access controls (least privilege, MFA for production access, audit logging of sensitive operations);
• Vulnerability management, including regular patching, dependency scanning, and security reviews;
• Incident response procedures, including breach-notification workflows as required by law and contract.

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

10. Your Rights

10.1 Under the GDPR / UK GDPR

You have the right to:

• Access the personal data we hold about you;
• Rectify inaccurate personal data;
• Erase personal data ("right to be forgotten"), subject to legal retention requirements;
• Restrict or object to processing;
• Data portability in a structured, commonly used, machine-readable format;
• Withdraw consent where processing is based on consent;
• Lodge a complaint with your local supervisory authority.

For personal data we process as a processor on behalf of a Customer, please direct requests to the Customer first; we will assist the Customer in responding as required by the DPA.

10.2 Under the CCPA (California)

For personal information that Culprit processes on behalf of a Customer, Culprit acts as a "Service Provider" as defined in California Civil Code §1798.140(ag) and does not "sell" or "share" personal information within the meaning of the CCPA. Culprit's processing of such personal information is governed by the Data Processing Agreement, which contains the service-provider representations required by §1798.140(ag)(2), including the limitations on retention, use, and disclosure described in DPA Section 2.4.

California residents have the right to:

• Know what personal information we collect, use, disclose, and (if applicable) sell or share. We do not sell or share personal information.
• Delete personal information, subject to exceptions permitted by law;
• Correct inaccurate personal information;
• Limit the use of sensitive personal information. We use sensitive personal information only for permitted business purposes listed in CCPA regulations; we do not use it for inferring characteristics.
• Non-discrimination for exercising rights.

10.3 Under the Maryland Online Data Privacy Act (MODPA)

If MODPA applies to your relationship with us, Maryland residents have the right to confirm, access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. We do not engage in the sale of personal data or in targeted advertising. As of the Effective Date, Culprit is an early-stage service and is not expected to meet the MODPA applicability threshold (processing of personal data of 35,000 or more Maryland consumers), but this Policy is written to be MODPA-aware.

10.4 Under other U.S. state comprehensive privacy laws

Residents of states with comprehensive privacy laws — including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Tennessee, Iowa, Indiana, Montana, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Rhode Island, and Minnesota — have rights substantially similar to those described in §10.1 (GDPR) and §10.3 (MODPA), including the right to confirm whether Culprit is processing their personal data, to access a portable copy, to correct inaccurate data, to delete personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. Culprit does not engage in the sale of personal data, in targeted advertising, or in profiling that produces legal or similarly significant effects on individuals. Culprit honors recognized universal opt-out signals, including Global Privacy Control (GPC), where required by applicable state law for sale-or-share opt-outs.

To the extent the applicable state law imposes specific procedural requirements (for example, an appeal process for denied requests under Colorado, Connecticut, Virginia, or other state laws), Culprit will comply with those requirements when responding to verified requests submitted by residents of those states.

10.5 How to exercise rights

Email privacy@theculprit.ai with your request. We will verify your identity (typically by confirming control of the email address associated with your account) and respond within the timeframe required by the applicable law (generally 30 days under GDPR, 45 days under CCPA, extendable as permitted).

You may authorize an agent to make a request on your behalf in accordance with applicable law.

11. Children's Privacy

The Services are intended for business use by adults and are not directed to children. We do not knowingly collect personal information from any child below the age at which a child can consent to the processing of personal information under applicable law (which is 13 years under the U.S. Children's Online Privacy Protection Act, 16 years in many EU member states absent national derogation, and 15 years in France, among other thresholds — Culprit treats the highest applicable age in any reachable jurisdiction as the operative floor). If we learn we have inadvertently collected information from a child below the applicable threshold without verifiable parental consent, we will delete it. Contact privacy@theculprit.ai if you believe we have collected information from a child.

12. Automated Decision-Making and AI

Culprit uses AI to cluster related events into incidents and to generate Root Cause Analysis ("RCA") summaries. These outputs are decision-support intended for IT operations engineers; they do not produce legal or similarly significant effects on individuals within the meaning of GDPR Article 22 or comparable state-law provisions. Customers are responsible for human review before acting on AI outputs.

EU AI Act classification. Culprit's AI components are not classified by Culprit as a "high-risk AI system" under Annex III of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), because the Services support IT-operations decisions rather than decisions in the regulated areas listed in Annex III (employment, education, essential public services, law enforcement, migration, administration of justice, etc.). Culprit complies with Article 50 transparency obligations applicable to AI systems by disclosing in this Privacy Policy and in the Terms of Service that the Services use AI to generate RCA outputs. Customers using Culprit's outputs in their own downstream systems are responsible for performing their own classification under Annex III if those downstream uses fall within regulated areas; the Terms of Service Section 11.2 prohibits using Culprit's AI outputs as the sole basis for consequential decisions about individuals.

Use of underlying AI providers. RCA inference is performed by Anthropic and embedding generation by OpenAI, in each case under terms that prohibit use of Customer data for model training and apply zero-retention or short-retention policies. Culprit's two-way tokenization architecture replaces sensitive fields with opaque tokens before any call to those providers; the AI providers therefore do not receive plaintext personal data.

You can contact privacy@theculprit.ai for more information about AI processing or to object to AI-based processing where applicable law provides such a right.

13. Do Not Track

Our Services do not respond to "Do Not Track" browser signals, because there is no industry consensus on how such signals should be interpreted. We honor opt-out preference signals (such as Global Privacy Control) where required by applicable law for sale-or-share opt-outs; because we do not sell or share personal information, GPC does not change our behavior.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be announced via in-product notice or email to account administrators and will take effect no earlier than 30 days after notice. Non-material changes (clarifications, typos, updated contact info) may take effect on posting. The "Last Updated" date at the top reflects the most recent revision.

15. Contact Us

For privacy questions or to exercise your rights:

• Email: privacy@theculprit.ai
• Postal: Feida Management Consulting Co. Ltd, 7F., No. 51, Ln. 128, Jingye 1st Rd., Taipei 104051, Taiwan

EU representative under GDPR Article 27. Where Culprit's processing of personal data is subject to GDPR Article 27, Culprit will designate a representative established in an EU member state and will update this Policy with the representative's name, address, and contact information at the time the designation takes effect. Until that designation, EU data subjects with privacy questions or rights requests may contact Culprit directly at privacy@theculprit.ai, and Culprit will respond within the timeframe required by GDPR.

Other jurisdictions. Where individuals are entitled to data-protection rights under applicable national law (including, without limitation, Brazil's Lei Geral de Proteção de Dados ("LGPD"), the United Kingdom's Data Protection Act 2018 and UK GDPR, Switzerland's Federal Act on Data Protection ("FADP"), Singapore's Personal Data Protection Act ("PDPA"), Australia's Privacy Act 1988 and Australian Privacy Principles, Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), South Korea's Personal Information Protection Act ("PIPA"), India's Digital Personal Data Protection Act ("DPDPA"), and the People's Republic of China's Personal Information Protection Law ("PIPL")), Culprit will respond to verified requests in accordance with the applicable law. Culprit's principal data-protection commitments — purpose limitation, data minimization, two-way tokenization, encrypted storage, tenant isolation, no use of personal data for AI training, and the response timelines described in §10 — apply globally.

The People's Republic of China and Russia maintain data-localization regimes that may impose additional obligations on transfers of personal data of residents of those countries; Customers operating in those jurisdictions should consult their own counsel and engage Culprit at privacy@theculprit.ai before submitting personal data subject to those regimes.