Privacy Policy

Westryx ("we," "our," or "us") provides AI usage monitoring software for workplace environments. This Privacy Policy explains how we collect, use, store, and protect information through our browser extension and dashboard service.

Westryx operates as a business-to-business (B2B) platform. Our customers are organizations ("Employers") who deploy Westryx to monitor their employees' AI tool usage on company devices and accounts. If you are an employee whose activity is being monitored, your Employer is the data controller and Westryx acts as a data processor on their behalf.

• Employee Notification: Employers MUST notify all employees in writing before deploying Westryx. This notification must clearly state that AI tool usage is being monitored, what data is collected, and who has access to that data.
• Written Policy: Employers MUST maintain a written acceptable use or monitoring policy that employees have acknowledged via signature or electronic confirmation.
• Consent Where Required: In jurisdictions requiring employee consent for workplace monitoring (including EU/EEA member states, Canada, and certain US states), Employers MUST obtain valid, documented consent before deploying Westryx.
• Legal Compliance: Employers are solely responsible for ensuring their use of Westryx complies with all applicable local, state, national, and international laws governing workplace monitoring, employee privacy, and data protection.
• No Covert Monitoring: Westryx must not be deployed without employee knowledge. Covert use is a violation of this policy and may constitute a violation of applicable law.

Our browser extension collects the following specific data when employees use AI tools on monitored devices:

• Employee ID: An identifier used to associate activity with a user account — not a name or email unless configured by the Employer.
• Platform URLs: The specific AI tool URL visited (e.g. chatgpt.com, claude.ai) and the timestamp of the visit.
• Prompt Snippets: The text of a prompt at the moment it is submitted to an AI tool. Only final submitted prompts are collected — drafts, unsent text, and intermediate keystrokes are never stored.
• Response Snippets: A partial capture of the AI tool's response — limited to a maximum of 10 sentences from the beginning of each response.
• Interaction Metadata: Timestamps, session counts, and which AI tool was used.

We do not collect passwords, payment information, health data, data outside of designated AI tool platforms, or continued keystrokes outside of the prompt submission event.

Collected data is used solely for:

• Providing AI usage activity logs to authorized company administrators
• Generating alerts when monitored keywords or policy violations are detected
• Producing usage reports and analytics for the Employer
• Service delivery, technical support, and platform improvement

We do not use collected data for advertising, selling to third parties, profiling outside of the employment context, or any purpose not listed above.

• Data is stored on Firebase Cloud Services (Google Cloud infrastructure) with encryption at rest and in transit
• Access is restricted to authorized administrators designated by the Employer
• Industry-standard access controls and audit logging are in place
• Data is processed only within the scope of the Employer's account

We do not sell, rent, or share employee data with third parties. Data is only accessible to the Employer's designated administrators, authorized personnel within the employing organization, and Westryx staff strictly for service delivery under confidentiality obligations.

Employees whose data is collected through Westryx have the following rights, subject to applicable law:

• Right to be informed: Employees must be notified by their Employer before monitoring begins
• Right of access: Employees may request a copy of their collected data through their Employer
• Right to erasure: Employees may request deletion of their data, subject to the Employer's legal retention obligations
• Right to object: Employees in certain jurisdictions may have the right to object to processing

To exercise these rights, contact your Employer first. If your Employer does not respond within 30 days, you may contact Westryx directly at privacy@westryx.com.

Westryx is designed to support compliance with:

• General Data Protection Regulation (GDPR) — EU/EEA
• UK GDPR and the Data Protection Act 2018
• California Consumer Privacy Act (CCPA) and CPRA
• Electronic Communications Privacy Act (ECPA) — United States
• Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada
• Applicable workplace monitoring laws in other jurisdictions

Employers are solely responsible for compliance in the jurisdictions where their employees are located. Westryx does not provide legal advice.

Data is stored on Google Cloud infrastructure, which may involve transfers to servers outside the EEA. For Employers subject to GDPR, Westryx relies on Google Cloud's Standard Contractual Clauses as the legal transfer mechanism. Employers may request a Data Processing Agreement (DPA) at privacy@westryx.com.

Activity logs are retained for the duration of the Employer's active subscription. Upon cancellation or written request, all data is permanently deleted within 30 days. Westryx recommends a maximum retention period of 90 days for conversation snippet data to support GDPR data minimization obligations.

In the event of a data breach affecting employee data, Westryx will:

• Notify affected Employers within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33
• Provide details of the nature of the breach, categories of data affected, likely consequences, and measures taken
• Cooperate fully with Employers to fulfill their own notification obligations to employees and regulators

Employers are responsible for notifying their affected employees and relevant supervisory authorities as required by applicable law in their jurisdiction.

Westryx is not intended for use in environments where individuals under 18 years of age are monitored. We do not knowingly collect information from minors.

Material changes to this policy will be communicated to Employer administrators via email and dashboard notification at least 30 days before taking effect. Continued use of Westryx after the effective date constitutes acceptance of the updated policy.

For privacy questions, Data Processing Agreements, or to report a concern:

• Email: privacy@westryx.com
• Website: westryx.com

For urgent concerns or to report suspected non-consensual monitoring, we will respond within 72 hours.

By activating a Westryx account and deploying the extension, the Employer confirms they have read this Privacy Policy, accept these terms, and will fulfill all Section 2 obligations — including employee notification and obtaining required consents — before monitoring begins.