Privacy Policy

Version: 2026.01.31

Effective Date: January 31, 2026

Last Updated: January 31, 2026

> v0.3.62 Update: Telemetry model changed to opt-out (enabled by default).

> Community tier telemetry is now anonymous with no registration or email required.

> The /register API endpoint has been removed. See Section 2.3 for details.

1. Introduction and Scope

1.1 Who We Are

This Privacy Policy is provided by Epochly, Inc. ("Epochly," "we,"

"us," or "our"), incorporated in the State of Delaware, United States of

America.

1.2 What This Policy Covers

This Privacy Policy explains how we collect, use, store, share, and protect

information in connection with:

• The Epochly Python performance optimization framework (the "Software")
• The Epochly license validation API (api.epochly.com)
• The Epochly website (epochly.com)
• The Epochly performance dashboard
• CLI tools and deployment utilities

1.3 Contact

For any privacy-related questions, requests, or complaints:

• Email: privacy@epochly.com
• Postal: Epochly, Inc., State of Delaware, USA

2. Data We Collect

2.1 Machine Fingerprint Data (Collected Automatically)

What: The Software collects the following eleven (11) hardware and system

attributes from the device on which it is installed:

1. CPU serial number or processor identifier
2. Motherboard serial number or board identifier
3. Primary disk serial number or partition UUID
4. BIOS or UEFI firmware version
5. Network interface MAC addresses (up to three unique addresses)
6. GPU model and identification information
7. Total physical memory configuration
8. Operating system installation identifier (machine-id)
9. Network interface names and types (up to five interfaces)
10. System UUID (hardware UUID)
11. Boot identifier (changes on system restart)

How it is processed: These eleven attributes are processed locally on your

device into a single one-way SHA-256 cryptographic hash (the "Machine

Fingerprint"). The original attribute values are never transmitted to our servers.

Only the resulting hash value is used for license enforcement. The hash is

irreversible -- the original hardware values cannot be recovered from it.

Purpose: License enforcement and anti-piracy. The Machine Fingerprint binds

your license to a specific device.

Legal basis (GDPR): Legitimate interest -- the Machine Fingerprint is

essential for the Software's licensing model to function. Without it, license

enforcement is not possible.

Opt-out: The Machine Fingerprint cannot be opted out of, as it is required

for the Software to function. If you do not wish to have your device fingerprinted,

do not install or use the Software.

2.2 License Validation Data (Collected Automatically)

What: When the Software validates your license with our servers, the following

data is transmitted:

• License key hash (the key itself is not sent in plaintext)
• Machine Fingerprint hash
• Epochly Software version
• Python version
• Platform and operating system identifier
• Validation timestamp

Purpose: License enforcement, fraud detection, and subscription management.

Legal basis (GDPR): Contractual necessity -- license validation is required

for paid and trial tiers to function.

Frequency: Periodic background sync (approximately once per hour for active

sessions). No communication occurs during offline operation.

2.3 Operational Telemetry (Opt-Out — Enabled by Default)

Default: Telemetry is enabled by default as of v0.3.62 (opt-out model).

Set EPOCHLY_DISABLE_TELEMETRY=1 to opt out.

What: The Software collects anonymous operational telemetry. Data collected

varies by license tier:

(a) Community Tier (anonymous, no registration required):

(b) Trial and Paid Tiers (authenticated via HMAC or Ed25519 license):

• All Community fields above, plus:
• Node ID authenticated with HMAC (Trial) or Ed25519 license signature (Paid)
• Compatibility data: module names and compatibility status
• Performance data: function identifiers (names only, not source code), compilation time, speedup ratios
• Resource utilization: CPU, memory, GPU percentages (aggregates only)
• Workload classification labels (e.g., "compute-bound," "I/O-bound")

What is NOT transmitted:

• IP addresses (not stored in telemetry records)
• Source code, function bodies, or file contents
• Personal information of any kind

Behavior:

• Rate-limited: maximum 1 report per hour per machine
• Fails silently — telemetry errors never impact Python execution

Purpose: Improving Software compatibility, performance optimization, and

product quality. This data helps us identify compatibility issues, optimize

JIT compilation strategies, and power the Epochly Lens fleet management

dashboard for customers who opt in.

Legal basis (GDPR): Legitimate interest with opt-out.

Opt-out: You may disable telemetry at any time using any of these methods:

• Set environment variable: EPOCHLY_DISABLE_TELEMETRY=1 (preferred)
• Set environment variable: EPOCHLY_TELEMETRY=0
• Configure in ~/.epochly/config.yaml:

  telemetry:
    enabled: false

2.4 Trial Registration Data (Provided by You)

What: When you request a trial license, you provide:

• Email address (for magic link activation)

Purpose: Trial activation, verification, expiry reminders, and (if you

opt in) product updates.

Legal basis (GDPR): Consent -- you provide your email voluntarily when

requesting a trial.

Retention: See Section 6.

2.5 Terms Acceptance Data (Collected Automatically)

What: When you accept our Terms of Service, ESLA, or Privacy Policy, we

record:

• Machine Fingerprint hash
• Email address (if available)
• Name and version of the accepted document
• Acceptance timestamp
• Acceptance method (CLI prompt, CLI flag, environment variable, web form)
• Epochly Software version
• Python version
• Platform

Purpose: Legal compliance -- demonstrating that terms were accepted.

Legal basis (GDPR): Legitimate interest and legal obligation.

2.6 What We Do NOT Collect

Epochly does NOT collect:

• IP addresses (not stored in telemetry records)
• Personal information of any kind from Community tier users (no registration required)
• Source code, function bodies or implementations, or file contents
• Variable names or values
• File paths or directory structures
• User data processed by your applications
• Passwords, API keys, or credentials
• Financial or payment information (all payment processing is handled by

Epochly's designated payment processor, identified at

https://www.epochly.com/pricing)

• Browsing history, cookies, or web activity (outside the dashboard)
• Keystrokes, screenshots, or screen recordings
• Location data (GPS, IP-based geolocation)
• Contacts, calendar, or communication data

Note: Function identifiers (names only, not source code) may be collected

as described in Section 2.3(b) when operational telemetry is enabled.

3. How We Use Your Data

We use collected data for the following purposes:

We do NOT use your data for:

• Advertising or ad targeting
• Selling to third parties
• Profiling for purposes unrelated to the Service
• Training machine learning models on your code or data

4. Data Sharing and Third Parties

4.1 Infrastructure Provider: Amazon Web Services (AWS)

Our backend infrastructure is hosted on AWS in the us-west-2 (Oregon) region.

AWS services used include:

• DynamoDB: License data, trial records, terms acceptance records
• Lambda: API request processing
• API Gateway: API endpoint management
• SES (Simple Email Service): Trial activation and reminder emails
• CloudWatch: System monitoring and logging

AWS processes data as our data processor under their Data Processing Addendum.

4.2 Payment Processor

All payments are processed by Epochly's designated payment processor, acting as

Merchant of Record. The payment processor collects and processes payment

information (credit card details, billing addresses, tax information) directly.

Epochly does not receive or store payment card details.

The current payment processor and their privacy policy are identified at

https://www.epochly.com/pricing.

4.3 No Data Sales

We do NOT sell, rent, lease, or trade your personal information to any third

party for any purpose.

4.4 Law Enforcement

We may disclose your information if required to do so by law, court order, or

governmental regulation, or if we believe in good faith that disclosure is

necessary to: (a) comply with legal process; (b) protect our rights or property;

(c) prevent fraud; or (d) protect the safety of users or the public.

4.5 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of

our assets, your data may be transferred as part of that transaction. We will

notify affected users via email and/or prominent notice on our website.

5. Data Security

5.1 Encryption in Transit

All data transmitted between the Software and our servers is encrypted using

TLS 1.2 or higher (HTTPS). The Software communicates exclusively with

api.epochly.com over encrypted connections.

5.2 Encryption at Rest

Data stored in our infrastructure is encrypted at rest using AES-256 encryption

with AWS-managed keys (AWS KMS).

5.3 Machine Fingerprint Security

Machine Fingerprints are stored as irreversible one-way SHA-256 hashes. The

original hardware attribute values cannot be recovered from the stored hash.

5.4 Local Data Security

License cache and configuration data stored locally on your device

(in ~/.epochly/) uses file-system level permissions. Sensitive data such as

cached license keys uses hardware-bound encryption where available.

5.5 Access Controls

Access to production systems is restricted to authorized personnel with

multi-factor authentication. All access is logged and audited.

5.6 Incident Response

In the event of a data breach that affects your personal information, we will

notify affected individuals and relevant supervisory authorities within

seventy-two (72) hours as required by GDPR, or as otherwise required by

applicable law.

6. Data Retention

6.1 Deletion

After the retention period expires, data is permanently deleted from active

systems. Backup copies may persist in encrypted backups for up to ninety (90)

additional days before permanent deletion.

6.2 Archived Data

Certain data required for legal compliance may be archived to cold storage

(AWS Glacier) and retained as required by law.

7. Your Rights (GDPR -- EU/EEA Users)

If you are located in the European Union or European Economic Area, you have

the following rights under the General Data Protection Regulation (GDPR):

7.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

7.2 Right to Rectification

You have the right to request correction of inaccurate personal data.

7.3 Right to Erasure

You have the right to request deletion of your personal data ("right to be

forgotten"). Please note: erasing your Machine Fingerprint data will disable

any active license on the associated device. You may need to reactivate after

erasure.

7.4 Right to Restrict Processing

You have the right to request that we restrict processing of your personal data

under certain circumstances.

7.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used,

and machine-readable format (JSON).

7.6 Right to Object

You have the right to object to processing based on legitimate interest. For

telemetry data, you can exercise this right immediately by setting

EPOCHLY_DISABLE_TELEMETRY=1 (preferred) or EPOCHLY_TELEMETRY=0.

7.7 Right to Withdraw Consent

Where processing is based on consent (e.g., trial email), you may withdraw

consent at any time. Withdrawal does not affect the lawfulness of processing

prior to withdrawal.

7.8 Right to Lodge Complaint

You have the right to lodge a complaint with your local data protection

supervisory authority.

7.9 How to Exercise Your Rights

Contact privacy@epochly.com with your request. We will respond within thirty

(30) days. We may request verification of your identity before processing your

request.

8. Your Rights (CCPA -- California Users)

If you are a California resident, you have the following rights under the

California Consumer Privacy Act (CCPA):

8.1 Right to Know

You have the right to know what categories and specific pieces of personal

information we collect, use, disclose, and sell.

8.2 Right to Delete

You have the right to request deletion of your personal information, subject to

certain exceptions.

8.3 Right to Opt-Out of Sale

We do NOT sell personal information. No opt-out is necessary.

8.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights. All

license tiers and features remain available regardless of privacy choices.

8.5 How to Exercise Your Rights

Contact privacy@epochly.com or visit https://www.epochly.com/legal/privacy/request.

9. International Data Transfers

9.1 Primary Processing Location

Personal data is processed primarily in the United States of America, in the

AWS us-west-2 (Oregon) region.

9.2 EU/EEA Transfers

For transfers of personal data from the EU/EEA to the United States, we rely on:

• The EU-U.S. Data Privacy Framework (if and when certified), or
• Standard Contractual Clauses (SCCs) approved by the European Commission

9.3 Payment Processor

Epochly's designated payment processor processes payment data in accordance

with their own privacy policy and applicable data transfer mechanisms. The

current payment processor is identified at https://www.epochly.com/pricing.

10. Children's Privacy

The Service is not intended for use by individuals under sixteen (16) years of

age in the EU/EEA, or under thirteen (13) years of age in other jurisdictions.

We do not knowingly collect personal information from children. If we learn that

we have inadvertently collected data from a child, we will delete it promptly.

If you believe a child has provided us with personal information, contact us at

privacy@epochly.com.

11. Cookies and Tracking

11.1 Software (CLI/Library)

The Epochly Python library and CLI tools do not use cookies or web-based

tracking technologies.

11.2 Dashboard

The Epochly performance dashboard (web interface) may use:

• Session cookies: Required for dashboard functionality
• Preference cookies: To remember your dashboard settings

The dashboard does NOT use:

• Third-party analytics cookies
• Advertising cookies or tracking pixels
• Cross-site tracking technologies

11.3 Website

The Epochly website (epochly.com) cookie policy is available at

https://www.epochly.com/legal/cookies.

12. Changes to This Policy

12.1 Notification

Material changes to this Privacy Policy will be communicated with at least

thirty (30) days' notice via:

• Email (for users with email addresses on file)
• The Software's CLI messaging system
• The Epochly website

12.2 Version History

Previous versions of this Privacy Policy are maintained at

https://www.epochly.com/legal/privacy/history.

12.3 Acceptance

Continued use of the Service after the effective date of changes constitutes

acceptance. If you disagree with changes, your remedy is to cease using the

Service.

13. Contact Information

For all privacy-related inquiries:

• Privacy inquiries: privacy@epochly.com
• Data protection requests: privacy@epochly.com
• General inquiries: support@epochly.com
• Legal inquiries: legal@epochly.com

Epochly, Inc.

State of Delaware, United States of America

https://www.epochly.com

Summary of Legal Bases (GDPR)