DOC // TBX-PRIV-R1·UNCLAS // FOR PUBLIC RELEASE
EFFECTIVE 2026-05-01 · REVIEW 2026-11-01
PRIVACY NOTICE

What we know, what we keep, what we never share.

Tribalogix builds sourcing intelligence for defense and aerospace primes. This notice tells you, in plain language, what data the platform handles — yours, your suppliers’, and the public-record data we ingest. It is written for procurement officers, security officers, and the legal teams that vet us before a pilot.

The short version. No customer data leaves your enclave. No external AI vendors touch your queries. No third-party analytics, no advertising trackers, no foreign data residency. The supplier database is built only from public records of federal business activity — never from your data. All inference runs locally on hardware you control.

Who we are

Tribalogix is a US-registered entity. CAGE 20GE7. Engineering is US-based, with a contract security advisor on retainer. We are privately held and have no institutional investors or third parties with any data-access provision.

What we collect

From you, the customer

  • Authentication identifiers — work email or SSO subject ID. Used to bind a session to an authorized seat. Never shared.
  • Cleared-access intake submissions — when you fill out a contact form or send mail to [email protected], we keep your message and your reply-to address until the engagement is closed plus 18 months for audit.
  • Query payloads, in your enclave only — when you ask the platform a sourcing question, that question is processed inside the deployment you control (air-gap appliance or your VPC). We do not transmit it to Tribalogix-operated infrastructure unless you opt in to a hosted pilot.
  • Pilot-window telemetry, opt-in only — during a paid evaluation, you may consent to anonymous performance metrics (decision latency, query counts, classifier hit rate) so we can tune the system. No NSN, CAGE, or supplier identifier from your queries is included in this telemetry.

Public-record data we ingest (about suppliers, not about you)

To build the supplier database we ingest only public records of federal business activity — entity registrations, public obligation history, and published qualification and compliance status. This is business-entity data about suppliers; none of it is personal data about you or your organization.

These are public datasets. Nothing in them is private to you. We do not augment them with proprietary or non-public information about any company. The specific sources, ingestion pipeline, and normalization schema are proprietary.

How we store and protect data

  • Customer query data: in your enclave only. We never copy it to our infrastructure unless explicitly requested for a hosted evaluation, and only for the duration of that evaluation.
  • Customer authentication metadata: encrypted at rest using AES-256, encrypted in transit using TLS 1.3.
  • Public-record supplier database: hosted in US-region Postgres with row-level access controls. No foreign data residency. No cross-border replicas.
  • Logs of access to customer-facing services: retained 13 months for security and audit, then purged. Logs do not include query payloads.
  • Backups: encrypted, US-only, retained 90 days.

What we never share

  • We never share customer query data with third parties. Period. Not with model vendors, not with cloud providers beyond what is required to run your hosted instance, not with affiliates, not with each other’s customers.
  • We never train AI models on customer data. The local Qwen-3.5 inference layer was fine-tuned on public manufacturing and federal-acquisition corpora. Your queries are inference inputs, never training data.
  • We never sell, rent, or barter any customer or visitor data.

Website cookies and analytics

The marketing site at tribalogix.ai uses one strictly-necessary session cookie for theme preference. Analytics on the marketing site are opt-in. If you consent, we use Google Analytics 4 to understand aggregate visit patterns; if you decline, no analytics scripts execute. You may withdraw consent at any time via the Cookie Preferences link in the site footer. We do not run Mixpanel, Segment, Hotjar, or advertising trackers. We do not embed third-party pixels.

Your rights

  • Access — ask what we have about you. We will respond within 30 days.
  • Deletion — ask us to delete contact-form submissions and authentication identifiers. We will honor the request within 30 days unless we are required to retain the record by an active contract or by U.S. federal record-keeping rules.
  • Correction — tell us if any record we hold is inaccurate. We will correct it within 14 days.
  • Export — request a machine-readable copy of records we hold about you.

Send any of the above to [email protected]. Responses are signed.

Incident notification

If we discover that any customer or visitor data has been improperly accessed, we will notify affected parties within 72 hours of confirmation, with a description of what was accessed, when, and what we’ve done in response. This is faster than most jurisdictions require because we believe defense-grade trust requires defense-grade timing.

Changes to this notice

Material changes are versioned (this is R1) and posted with their effective date. Existing customers are notified by email at least 30 days before a material change takes effect.

Questions about this notice: [email protected]
Tribalogix · CAGE 20GE7 · United States