Privacy Policy
Effective Date: April 25, 2026
1. Introduction
Cellilox Limited ("Cellilox," "Company," "we," "us," or "our") is a company registered in the Republic of Rwanda. This Privacy Policy explains how we collect, use, store, share, and protect information when you visit our website, create an account, or use the Cellilox document-analysis and chat platform (collectively, the "Services"). It applies to individuals and organizations ("you" or "your") regardless of plan tier (Standard, BYOK, or Managed).
We process personal data in accordance with Rwanda Law N° 058/2021 of 13/10/2021 relating to the protection of personal data and privacy, and — where applicable — the EU General Data Protection Regulation (GDPR), the UK GDPR, and other local data-protection laws applicable to users who access the Services from those jurisdictions.
By accessing or using the Services, you agree to this Privacy Policy in addition to our Terms of Service and Refund Policy. If you do not agree, please do not use the Services.
2. Definitions
- Account: Your registered user profile on the Cellilox platform, including your authentication credentials and the settings stored against your user ID.
- Personal Information: Any information that identifies you directly or can be combined with other information to identify you (e.g. name, email, IP address, billing details).
- Customer Content: The files (PDFs, images, spreadsheets, emails, etc.) that you upload to the Services, the fields/questions you define against them, the answers produced by AI extraction, and any chat messages you send through the platform's retrieval chat.
- Usage Data: Metadata about how you interact with the Services — for example, access timestamps, device/browser information, pages viewed, and actions performed.
- Services: The Cellilox SaaS platform, including its web application, APIs, chat, and any feature offered under the Cellilox brand.
- Subprocessor: A third-party vendor engaged by Cellilox to process data on our behalf (listed in §6).
- Your AI Provider: For BYOK users, the third-party AI provider (e.g. OpenRouter, OpenAI, Anthropic, DeepSeek, or Google) whose API key you supply to the Services and who independently processes and bills you for AI requests.
- Daxno-Managed Subkey: For Managed-plan users, a dedicated API subkey that Cellilox provisions on OpenRouter on your behalf and funds from your credit balance.
3. Information We Collect
3.1 Information You Provide Directly
- Registration & Account Setup. When you create an account we collect your name, email address, and (where applicable) your organization. Authentication is handled by our identity provider (Clerk). Passwords, OAuth tokens, and multi-factor-authentication factors are managed by Clerk — Cellilox never stores plaintext passwords on its own servers.
- Payment Information. Card numbers, CVCs, and similar sensitive payment details are collected and processed directly by our payment processor (Flutterwave). Cellilox does not see or store full card numbers. From Flutterwave we receive transaction metadata (amount, currency, status, transaction reference, masked card summary) which we retain to manage your balance, invoices, and refunds.
- Profile & Communication. Any optional profile details you provide (phone number, job title, etc.) and the content of support correspondence you send us.
- Customer Content. Files you upload for extraction, the field names and descriptions you define, the answers extracted by AI, and messages you send in chat. See §5 for how Customer Content is processed.
3.2 Information Collected Automatically
- Usage Data. IP address, approximate geolocation derived from the IP, browser type and version, operating system, timestamps, pages/screens viewed, and actions performed within the application.
- Cookies & Similar Technologies. We use session cookies and local storage to keep you signed in, remember your preferences, and collect aggregate analytics. See §10 and our Cookie Policy for details.
- Security & Abuse Telemetry. Rate-limit counters, failed-authentication events, and request fingerprints used to detect fraud or abuse.
3.3 Information from Third Parties
- Social Logins (via Clerk). If you sign in with a third-party identity provider (such as Google), Clerk receives your name, email, and profile picture where permitted by that provider and passes a verified identity to us. We receive the email and a stable user ID — not your social-provider password.
- User-Initiated Integrations. If you connect a data source such as Google Drive or HubSpot, we receive, with your explicit consent, an OAuth access token and the scopes you authorize. We use that access only to perform the actions you initiate inside Cellilox (e.g. importing a file).
- AI Provider Responses. When we call an AI provider on your behalf, the provider returns a response (extracted fields, chat answer, usage metadata). That response is associated with your account for billing and display.
4. How We Use Your Information
- Provide and operate the Services. Authenticate you, route requests, run file analysis and chat, store your project and Customer Content, enforce quotas, and maintain your balance (Managed plan) or subscription (BYOK plan).
- Billing and payments. Charge you for BYOK subscriptions or Managed top-ups through Flutterwave, apply the disclosed Service Fee to Managed top-ups, deduct consumption from your Managed balance, generate receipts, and handle refunds under our Refund Policy.
- Communications. Send transactional emails (account verification, password/OTP, receipts, security alerts, quota notices, refund confirmations, policy updates). Transactional email is sent through our email provider (Resend).
- Marketing (with consent). With your consent we may send product news or newsletters. You can withdraw consent at any time via the unsubscribe link in any marketing email or by emailing hello@support.cellilox.com.
- Security, fraud prevention, and abuse detection. Detect and mitigate abuse, rate-limit requests, investigate suspicious activity, and enforce our Terms of Service.
- Product improvement (aggregated / de-identified). We analyze aggregated, non-identifying usage patterns to diagnose issues, prioritize features, and measure performance. We do not use Customer Content to train AI models (see §5).
- Legal and regulatory compliance. Comply with applicable law, respond to lawful requests from public authorities, and enforce or defend our legal rights.
5. How Your Customer Content Is Processed
Because the core of the Services is document analysis, it is important for you to understand exactly how Customer Content moves through our infrastructure and third-party providers. We describe it below by plan, because the data flow differs.
5.1 All Plans — Upload, OCR, and Indexing
- Storage: Uploaded files are stored encrypted at rest on Amazon S3 and referenced by our application servers hosted on DigitalOcean.
- OCR: For image and PDF uploads, the raw file (or a preprocessed version) is sent to Amazon Web Services (AWS Textract) for text and geometry extraction. Textract processes the file, returns the extracted blocks to us, and operates under AWS's own privacy and security terms.
- Retrieval Indexing (Chat). Extracted text from your files is indexed into our self-hosted retrieval engine (a fork of the open-source project Onyx) so you can ask questions about your data in chat. The index lives on the same DigitalOcean infrastructure and is scoped to your project.
5.2 Standard Plan
AI extraction requests are routed through OpenRouter using a per-user subkey that Cellilox provisions on your behalf. The prompt (containing text from your file plus the fields you asked for) is sent to an OpenRouter-routed model (currently a Gemini-family model by default). Cellilox pays the OpenRouter cost for Standard users.
5.3 BYOK Plan (Bring Your Own Key)
You supply your own API key for a third-party AI provider (OpenRouter, OpenAI, Anthropic, DeepSeek, or Google). On each request Cellilox forwards your prompt — including relevant Customer Content — to that provider under your key. Processing by your chosen provider is governed by that provider's own privacy policy and terms, not by this Policy. Cellilox has no ability to control how your chosen provider stores or uses the content you route through it. We store your API key encrypted at rest and only decrypt it to make calls on your behalf.
5.4 Managed Plan
Cellilox provisions a dedicated OpenRouter subkey on your behalf and funds it from your Managed credit balance. Your prompts and Customer Content are forwarded to OpenRouter under that subkey. OpenRouter's own privacy policy applies to the onward processing of that content. Cellilox does not send your Customer Content to any AI provider other than the one you have selected for extraction or chat.
5.5 AI Model Training — Explicit Statement
Cellilox does not train, fine-tune, or otherwise develop any proprietary AI model using Customer Content. Customer Content is sent to third-party AI providers solely to produce the response you have requested. Whether a specific AI provider uses your content for its own model training depends on that provider's policies and account settings (many, including OpenRouter's zero-data-retention routes and OpenAI's API, offer opt-outs or default no-training terms). For BYOK, you control that relationship directly.
6. Sharing and Disclosure — Our Subprocessors
We share data with the following categories of trusted third parties, limited to the purpose of delivering, billing, or supporting the Services. Each is contractually bound to confidentiality and to using the data solely for the purpose we engage them for.
6.1 Current Subprocessors
| Subprocessor | Purpose | Data Involved |
|---|---|---|
| Clerk | Authentication, session management, MFA | Email, name, social-login identifiers, session tokens |
| Flutterwave | Payment processing (BYOK subscriptions, Managed top-ups) | Card details (processed by Flutterwave; not stored by us), transaction metadata, billing name/email |
| DigitalOcean | Primary application hosting, database, Redis, chat/retrieval index | All data stored on our infrastructure: account, Customer Content metadata, balances, logs |
| Amazon Web Services (AWS) | File storage (S3) and OCR (Textract) | Uploaded files; file contents passed to Textract for OCR |
| OpenRouter | AI request routing for Standard and Managed plans (and for BYOK when the user selects OpenRouter) | Prompts containing extracted text, model selection, usage metadata |
| OpenAI, Anthropic, DeepSeek, Google | AI processing for BYOK users who elect to use those providers directly | Prompts you choose to route to the provider under your own API key |
| Resend | Transactional and notification email delivery | Your email address, the content of messages sent to you |
| Google (Drive) & HubSpot | User-initiated integrations (optional) | OAuth tokens and data you authorize us to read/write |
We review our subprocessors periodically and may add or replace them. Material changes to this list will be communicated under §13.
6.2 Business Transfers
If Cellilox undergoes a merger, acquisition, reorganization, insolvency, or sale of all or a portion of its assets, Personal Information and Customer Content may be transferred to the successor entity. We will notify affected users by email or in-app notice before the change takes effect.
6.3 Legal Requirements & Protection of Rights
We may disclose information if required by law, subpoena, court order, or valid request from a public authority, or when we reasonably believe disclosure is necessary to investigate, prevent, or act against suspected illegal activity, fraud, or threats to safety. Where legally permitted, we will notify the affected user before disclosure.
6.4 Aggregated and De-Identified Data
We may share aggregated, de-identified statistics (e.g. total pages processed, feature-usage distributions) that cannot reasonably be used to identify an individual user or tenant.
6.5 Selling Personal Information
We do not sell your Personal Information or your Customer Content.
7. Data Retention
We retain different categories of data for different periods. In general, we keep data for as long as we need it to deliver the Services and then for as long as legitimately required for legal, tax, accounting, audit, or dispute-resolution purposes.
- Account information: retained for the lifetime of your account. Upon account deletion, we remove your profile and project records from production systems within thirty (30) days.
- Customer Content (files and extracted answers): retained while the record or project exists. When you delete a record, project, or account, the corresponding files are removed from S3 and the associated entries are removed from the Onyx retrieval index, typically within seventy-two (72) hours.
- Billing and transaction records: retained for the period required by Rwandan tax and accounting law (currently up to ten (10) years for transactional records), regardless of account deletion, in order to support audits and regulatory obligations.
- Usage logs and security telemetry: retained up to twelve (12) months for debugging, incident response, and abuse detection.
- Backups: encrypted backups of production data are retained for rolling periods of up to ninety (90) days and are purged on a rolling basis. Deletion of a record in production propagates to backups as those backups expire.
8. Security of Your Information
We implement technical, administrative, and physical safeguards proportionate to the sensitivity of the data we hold, including:
- Encryption in transit: TLS for all connections between your browser, our servers, and our subprocessors.
- Encryption at rest: files stored in S3 are encrypted at rest; sensitive credentials (your BYOK API key, Daxno-managed subkey secret) are additionally encrypted at the application layer using keys managed by Cellilox.
- Access controls: access to production systems is restricted to authorized Cellilox personnel on a need-to-know basis and protected by multi-factor authentication.
- Secrets management: API keys, database credentials, and webhook secrets are stored in environment-segregated secret stores, never checked into source code.
- Monitoring and incident response: logs and anomaly alerts are reviewed regularly; we maintain a documented incident-response procedure.
- Secure development: code is reviewed before deployment and dependencies are monitored for known vulnerabilities.
No system can be guaranteed 100% secure. If we become aware of a security breach that affects your Personal Information or Customer Content, we will notify you and the relevant authorities as required by Rwanda Law N° 058/2021 and any other applicable law.
9. Third-Party Links & Embedded Content
The Services may link to third-party websites or embed content from third parties (e.g. payment redirects, AI-provider dashboards). We do not control those third parties and their privacy practices are governed by their own policies. Please review those policies before providing them with Personal Information.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Keep you authenticated and maintain your session.
- Remember your preferences and settings.
- Analyze aggregate usage trends to improve the Services.
Most browsers allow you to control cookies through their settings. Disabling strictly-necessary cookies may prevent the Services from functioning correctly. See our Cookie Policy for more detail.
11. Children's Privacy
The Services are not directed at children. We do not knowingly collect Personal Information from users under the age of sixteen (16) in the European Economic Area, the United Kingdom, or any jurisdiction where that is the applicable digital minimum age; or under the age of thirteen (13) in other jurisdictions. If you believe a child has provided us with Personal Information, please contact hello@support.cellilox.com and we will promptly delete it.
12. Your Rights and Choices
Subject to the law applicable to you — including Rwanda Law N° 058/2021, the GDPR (for EEA users), and the UK GDPR — you may have the following rights over your Personal Information:
- Access: receive confirmation of whether we hold data about you and obtain a copy.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion, subject to legal retention obligations (e.g. tax law).
- Restriction: ask us to limit how we process your data in certain circumstances.
- Portability: receive your data in a structured, commonly-used, machine-readable format where processing is based on contract or consent.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: where we rely on consent, you may withdraw it at any time without affecting prior lawful processing.
- Complaint: lodge a complaint with a supervisory authority — the National Cyber Security Authority (NCSA) in Rwanda, or your local data-protection regulator in another jurisdiction.
To exercise any of these rights, email hello@support.cellilox.com. We may request reasonable information to verify your identity before responding. We will respond within thirty (30) days of a valid request or the period required by applicable law, whichever is shorter. If we are unable to fulfill a request — for example, because we must retain certain records to comply with tax law — we will explain why.
13. International Data Transfers
Cellilox operates from Rwanda, but the infrastructure and subprocessors that deliver the Services are located in multiple regions. In particular:
- Application servers, databases, Redis, and the Onyx retrieval index are hosted on DigitalOcean.
- File storage and OCR run on AWS (S3 and Textract).
- AI providers (OpenRouter, OpenAI, Anthropic, DeepSeek, Google) operate globally; their regional processing locations are governed by their own policies.
- Authentication (Clerk), payments (Flutterwave), and email (Resend) are operated by their respective providers and may process data outside Rwanda.
Where Personal Information originating in the EEA, UK, or another jurisdiction with cross-border transfer restrictions is transferred to a country with a different data-protection framework, we rely on lawful transfer mechanisms such as Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, subprocessors, or applicable law.
- Non-material changes — for example, clarifying language or typographical corrections — take effect when the revised Policy is posted on this page. The "Effective Date" at the top of the Policy will be updated accordingly.
- Material changes — for example, adding a new category of data collected, a new subprocessor with materially different processing, or a change to retention periods — will not take effect for at least thirty (30) days after we notify you. Notice will be given by email to the address on your account and/or by a prominent in-app notice.
- Your options if you do not agree. If you disagree with a material change, you may delete your account before the change's Effective Date (see §12). Continuing to use the Services after the Effective Date constitutes acceptance of the revised Policy.
15. Contact Us
For any question, concern, complaint, or rights request relating to this Privacy Policy or our handling of your data, please contact:
Cellilox Limited
Privacy & Data Protection
Email: hello@support.cellilox.com
Registered office: Republic of Rwanda
Rwandan users may also contact the National Cyber Security Authority (NCSA), the supervisory authority for personal-data protection under Rwanda Law N° 058/2021. Users in the EEA, the United Kingdom, or another jurisdiction may contact their local data-protection regulator.
Acknowledgment
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by it. If you do not agree, please do not use the Services.
