Privacy Policy

Mach33 is a workflow and SOP execution platform operated by Rogue Arrow LLC, a Florida limited liability company, doing business as Mach33. This policy explains what personal data we handle, why, and the choices you have. In it, “we,” “us,” and “Mach33” mean that entity.

We handle data in two roles. For account and identity data — the information that lets you sign in and operate Mach33 — we are the controller: we decide why and how it is processed. For the business records you put into the platform — your particles, manifest field values, and uploaded files — you (or your organization) are the controller, and we act as a processor that holds and processes that data on your behalf and on your instructions.

Data we control (account and identity). This is the data that makes your account work: your name, email, profile image, role, and security details. We decide how this data is used, within the limits of this policy and the law.

Data we hold on your behalf (your business records). When you use Mach33 to run your work, you load in your own records — your clients and leads, the values you enter into manifest fields, the files you upload. You own and control that data. We process it only to deliver the service to you and only as you direct.

Account and identity. Your name, email, profile image, role within your organization, and the links between your user account and your organization. When you are invited, we record the invitee email and who invited you.

Authentication and security. A hashed (never plain-text) password if you use password sign-in, and provider tokens if you sign in another way. For each session we record the IP address, browser user-agent, and a session token so we can keep you signed in and protect your account.

Your business records. The particles you create (names plus whatever data you choose to store), the values entered into manifest fields, and the files you upload. This content is yours; we only hold and process it for you.

External-recipient submissions. When your workflow asks someone outside Mach33 to respond, we record their name and email, the typed legal name and text of any attestation they sign, and the IP address and user-agent of the submission. This is a compliance record of who responded and when.

Billing. If your plan is paid, billing is processed through Stripe. We hold your billing contact and the customer and subscription identifiers that link your organization to Stripe. We do not store full card numbers.

Sales and support leads. If you submit our demo-request form, we collect your name, company, phone, and email and forward them to our internal inbox so we can follow up. These leads are emailed, not stored in our database.

We use the data above to provide and secure the service: to authenticate you, run your workflows, bill paid plans, send transactional email (sign-in, invitations, notifications), keep an audit trail of activity, and monitor for errors so we can fix them.

We use personal data only to operate and secure Mach33. We do not sell personal data or use it for advertising.

We use a small number of strictly-necessary cookies. A session cookie keeps you signed in. An m33_billing_okflag records your organization’s current billing state so the app behaves correctly. A theme preference, stored in your browser, remembers your light or dark choice.

We use Vercel Analytics and Speed Insights to understand performance and usage. These are cookieless — they set no tracking cookies. We use no advertising or tracking cookies, so no cookie-consent banner is required to use Mach33.

We share data only with the sub-processors we use to run the platform — for hosting, storage, email, billing, and error monitoring. Each one, the data it touches, and where it is hosted is listed on our sub-processors page, which is the source of truth and is updated when the list changes.

We do not sell your personal data.

The business records you load into Mach33 — your particles, your manifest field values, your files — belong to you and your organization. You own and control them. We process them on your behalf and on your instructions, solely to deliver the service. We do not use your business records for our own purposes.

We keep your account data for as long as your account is active. When you delete a record in the app, it is soft-deleted and then permanently purged after 90 days.

We retain your security and audit logs for as long as you use Mach33 so you keep a complete audit trail of your own data. We use them only to operate and secure the service — never for advertising or sale. The same applies to external-recipient attestations, which are compliance records of who responded and when. We also keep a suppression list of email addresses that have bounced or unsubscribed, so we stop sending to them.

An honest note on closure: today these logs and attestation records are not automatically purged when an account closes. If you want your data deleted, email founder@mach33.app and we will handle it. A self-serve deletion tool is not built yet.

Depending on where you live, you may have rights to access the personal data we hold about you, correct it, delete it, export a copy, or object to certain processing. We honor these rights for everyone, framed by the EU/UK GDPR and the California CCPA/CPRA for customers those laws cover.

To exercise any of these rights, email founder@mach33.app. We do not have a self-serve privacy portal yet, so requests are handled by email. We will verify your identity before acting and respond within the timeframes the applicable law requires.

We protect data with controls that match what we actually run:

Data is encrypted in transit with TLS and encrypted at rest by our database provider, Neon. Passwords are hashed by our authentication layer and are never logged. Integration API keys you store are encrypted with AES-256-GCM. Uploaded files are stored private and are gated on download by organization membership. Tenant data is isolated per organization. We apply a strict Content-Security-Policy, HSTS, and other security headers; we rate-limit requests; and sessions can be revoked.

An honest note on error reports: our server-side error reports are scrubbed to remove personal data. Client-side (browser) error context is limited, but it is not exhaustively scrubbed, so some incidental personal data could appear in a browser error report. We are working to tighten this. No system is perfectly secure, and we cannot guarantee absolute security.

Mach33 is hosted in the United States. Our database runs on Neon in AWS US East, and our hosting and compute run on Vercel in the United States. If you access Mach33 from outside the United States, your data is transferred to and processed in the United States.

Mach33 supports AI nodes, where you connect your own AI provider — such as Anthropic or OpenAI — using your own API key. When you enable an AI node, the specific particle and manifest field values that node reads are sent to the provider you chose, so it can do the work you configured. No data is sent to these providers unless you set up an AI node. See the sub-processors page for details.

Mach33 is a business tool and is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, email founder@mach33.app and we will delete it.

We may update this policy as the platform and the law evolve. When we make a material change, we will update the effective date above and, where appropriate, notify you. The current version always lives at this page.

Questions about this policy or your data? Email founder@mach33.app.