1. Information we collect
1.1 Information you provide to us
When you create a Phronesis customer account, you provide:
- Account information: name, email address, billing contact information, organization name (where applicable)
- Payment information: processed exclusively by our payment processor Stripe, Inc. Phronesis does not store payment card numbers, bank account numbers, or credit card verification values. We retain only the Stripe customer identifier and high-level transaction metadata necessary for billing reconciliation.
- Authentication credentials: email address and password (or single sign-on identity), API keys we issue to you, JSON Web Tokens (JWTs) generated for authenticated sessions
- Communications: content of support requests, feedback submissions, and other voluntary communications with Phronesis
For autonomous-agent customers using the Hermes contract surface, we additionally collect:
- Agent payment authorization: Google Agent Payments Protocol (AP2) signed mandates including Intent Mandate and Cart Mandate Verifiable Credentials, persisted to our audit-trail substrate per Sacred Invariant #7 attribution discipline
1.2 Information we collect automatically
When you use the Phronesis platform, we automatically collect:
- Usage telemetry: API request timestamps, endpoint paths, response codes, request payload sizes, response payload sizes
- Forecast metadata: which forecast templates you request, which verticals (V#1 Energy through V#8 Robotics) and archetypes you query, frequency of queries, total queries per billing period
- Cost-attestation records: the per-call inference cost incurred for each forecast you request (typically $0.0084 to $0.0151 per forecast at standard cost-attestation curve), persisted to the Phronesis Plutus ring meter event substrate for billing
- Diagnostic information: rate-limiting events, circuit-breaker triggers, error responses, escalation route signals to the Iris ring (Phronesis customer relations substrate)
- Cookies and similar technologies: minimal session cookies for authentication state only. Phronesis does not use third-party advertising cookies or cross-site tracking technologies.
1.3 Information we do NOT collect
Phronesis does NOT collect:
- Protected Health Information (PHI): Phronesis V#3 Healthcare vertical operates exclusively under HIPAA Safe Harbor enforcement code-layer rules per the Themis-Healthcare substrate. We do not process individually identifiable health information.
- Customer underlying business or financial data: Phronesis processes the forecast queries you submit, but does not collect or store the underlying business datasets, financial records, or strategic plans you may use to inform your queries.
- Children's personal information: the Phronesis platform is not directed to children under 13. We do not knowingly collect personal information from children under 13.
- Sensitive personal information categories without explicit consent: Phronesis does not collect biometric identifiers, precise geolocation, racial or ethnic origin data, religious or philosophical beliefs, or genetic data.
2. How we use your information
2.1 To provide the Phronesis platform service
- Authenticate your access to the Hermes contract surface and platform features
- Mint forecasts in response to your queries and persist them to the canonical Mnemosyne ledger
- Charge your account for subscription fees and per-call usage at agreed pricing
- Send you transactional communications about your account (billing notices, security alerts, service updates)
- Provide customer support in response to your inquiries
2.2 To improve the Phronesis platform
- Analyze aggregated, anonymized usage telemetry to understand platform performance and identify areas for improvement
- Validate forecast calibration accuracy against ground-truth resolution windows (the Phronesis verified-correctness moat)
- Tune forecast prompt templates and archetype designs through the AutoResearch substrate (governed by canonical-correctness guards in the Themis substrate; subject to per-tenant isolation; planned Sprint 6+ activation)
- Detect and prevent fraudulent or abusive use of the platform
2.3 To comply with legal obligations
- Maintain financial records as required by federal and Colorado state tax law (typically seven years post-cancellation)
- Respond to lawful requests from regulators and law enforcement
- Enforce the Phronesis Terms of Service
3. How we share your information
3.1 Service providers we share with
| Provider | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Stripe, Inc. | Payment processing, tax automation, agentic commerce settlement | Payment information, billing contact, transaction metadata | stripe.com/privacy |
| Anthropic PBC | Large language model inference for forecast minting | Forecast query content + model invocation metadata; no customer-identifying information beyond what is necessary for inference | anthropic.com/legal/privacy |
| Replit, Inc. | Cloud infrastructure hosting (Hermes Reserved VM production runtime) | Platform telemetry data only; no customer-content data persisted at hosting layer beyond Mnemosyne ledger | replit.com/site/privacy |
| Cloudflare, Inc. (transitioning from ZenBusiness Inc.) | Domain registration, DNS, and CDN services for sustainablefinancepartner.com | Public domain registration metadata only; HTTP request metadata at CDN edge | cloudflare.com/privacypolicy |
Phronesis does not sell, rent, or trade your personal information to third parties for their direct marketing purposes.
3.2 Legal disclosures
We may disclose your information if required by law (subpoena, court order, regulatory request) or to protect the rights, safety, or property of Phronesis, our customers, or others. We will notify you of any legal request for your information unless prohibited by law.
3.3 Business transactions
If Phronesis or Sustainable Finance Partners, LLC undergoes a merger, acquisition, financing, sale of assets, or similar transaction, your information may be transferred to the successor entity. We will notify you in advance of any such transfer that materially affects how your information is processed.
4. Data retention
- Active account data: retained for the duration of your active customer relationship with Phronesis
- Post-cancellation account data: retained for seven (7) years after account cancellation per accounting and tax compliance requirements; thereafter deleted or fully anonymized
- Transactional financial records: retained per applicable federal and Colorado state tax law (typically seven years)
- Forecast ledger entries: retained indefinitely as part of the Phronesis verified-correctness audit trail (the Mnemosyne canonical persistence substrate); customer identifying information is anonymized at the time of account cancellation while preserving the underlying forecast data and calibration history
- Support communications: retained for three (3) years for quality assurance and recurring-issue identification
- Diagnostic and telemetry data: retained for ninety (90) days at full granularity; aggregated for indefinite retention in anonymized form
5. Your rights
5.1 California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect about you and how we use it
- Access the specific pieces of personal information we have about you
- Delete your personal information, subject to legal retention requirements
- Correct inaccurate personal information
- Opt-out of sale or sharing of your personal information (Phronesis does not sell or share personal information for cross-context behavioral advertising)
- Limit use of sensitive personal information (Phronesis does not collect sensitive personal information beyond what is necessary for service provision)
- Non-discrimination for exercising your CCPA/CPRA rights
5.2 Colorado residents (Colorado Privacy Act)
If you are a Colorado resident, you have the right to:
- Confirm whether Phronesis is processing your personal data
- Access your personal data
- Correct inaccurate personal data
- Delete your personal data, subject to legal retention requirements
- Data portability in a structured, commonly used, machine-readable format
- Opt-out of processing for purposes of targeted advertising, sale, or profiling in furtherance of decisions producing legal or similarly significant effects (Phronesis does not engage in any of these activities)
5.3 How to exercise your rights
To exercise any of the rights above, contact Phronesis support at the email address published on the Sustainable Finance Partners website Contact page. Include:
- The nature of your request (access, deletion, correction, etc.)
- Sufficient information to verify your identity as the data subject
- The specific data or processing activity your request concerns
We will respond to verified requests within forty-five (45) days as required by applicable law. We may extend this period by an additional forty-five days if reasonably necessary, with notice to you.
6. Security
Phronesis maintains technical and organizational measures appropriate to the sensitivity of the information we process:
- Encryption in transit: all communications with the Hermes contract surface and between Phronesis substrate components use industry-standard TLS encryption
- Encryption at rest: customer data is encrypted at rest in the Mnemosyne canonical persistence layer and at the Replit Reserved VM cloud infrastructure layer
- Payment card data: never touches Phronesis systems; processed directly by Stripe under PCI DSS Level 1 compliance
- API key management: Phronesis-issued API keys can be rotated by you at any time via your account settings; suspected key compromise should be reported to support immediately
- Per-tenant isolation: Phronesis substrate enforces strict per-tenant isolation; cross-tenant data access is architecturally prevented at the boundary publish layer (Sacred Invariant #8)
- Backup and disaster recovery: triple-redundancy backup of the Mnemosyne canonical ledger (operational substrate plus version-controlled snapshots plus offline archive)
- Two-factor authentication: required for all customer accounts at the human-SaaS surface; AP2 cryptographic mandates required for autonomous-agent customers
No system is perfectly secure. We will notify affected customers and applicable regulators of any data breach as required by Colorado HB 18-1128 and other applicable breach notification laws (typically within seventy-two hours of discovery for material breaches affecting personally identifiable information).
7. International data transfers
Phronesis operates from the United States. Customer data is stored at US-based cloud infrastructure (Replit Reserved VM in AWS US regions; Stripe US data centers; Anthropic US-based inference). Customers located outside the United States who access the Phronesis platform consent to the transfer and processing of their information in the United States.
Phronesis does not currently offer EU-located data residency or processing. Customers subject to GDPR or other regional data protection regimes should evaluate whether US-based processing meets their compliance requirements before subscribing.
8. Cookies and tracking
Phronesis uses minimal cookies:
- Authentication session cookies to maintain your logged-in state on the platform; these are essential to service operation and cannot be opted out of without losing platform access
- No third-party advertising cookies
- No cross-site tracking technologies
- No analytics services that cross-reference your activity with other websites
Phronesis does not respond to "Do Not Track" browser signals because we do not track users across websites in the first place.
9. Third-party links
The sustainablefinancepartner.com website and Phronesis platform may contain links to third-party websites or services (Stripe, Anthropic, etc.). This Privacy Policy applies only to Phronesis-operated properties. We are not responsible for the privacy practices of third-party websites or services. Please review the privacy policies of any third-party services you visit.
10. Changes to this Privacy Policy
Phronesis may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to active customers by email at least thirty (30) days prior to the effective date of the change. We will also post the updated Privacy Policy at sustainablefinancepartner.com with an updated "Last Updated" date.
Continued use of the Phronesis platform after the effective date of an updated Privacy Policy constitutes acceptance of the updated terms.
11. Contact us
For privacy-related questions, requests, or complaints:
Sustainable Finance Partners, LLC, DBA Phronesis
1944 Hudson Street
Denver, CO 80220
United States
Email: contact email per Sustainable Finance Partners website Contact page
For Colorado residents: you may also contact the Colorado Attorney General's office at coag.gov.
For California residents: you may contact the California Attorney General's office at oag.ca.gov.