Privacy Policy
Effective date: July 1, 2026 · Last updated: July 4, 2026
1. Introduction
This Privacy Policy explains how Delta 3 Core Tech LLC (“Delta3CoreTec”, “we”, “us”) collects, uses, discloses, and protects personal data in connection with the CritPath AI schedule-risk platform and related services (the “Service”). CritPath AI is a web-based SaaS platform for schedule risk management — Critical Path Method (CPM), Monte Carlo simulation, Theory of Constraints (TOC), decision gates, and an AI copilot. Each signup creates its own organization (tenant); the creator is the owner and may invite teammates.
2. Who we are
The data controller is:
- Entity: Delta 3 Core Tech LLC
- Registered address: 1500 W Main St #41, Carrboro, NC 27510-9998
- General contact: support@delta3coretec.com
- Privacy / data protection contact: privacy@delta3coretec.com
If you use the Service as a member of an organization created by your employer or another administrator, that organization is generally the controller of the project, schedule, and team data within its tenant, and we act as a processor on its behalf for that content.
3. Data we collect
- Account data — name, email, hashed password.
- Authentication / security data — 2FA/MFA secrets and recovery codes, session tokens, login timestamps, IP address.
- Organization / membership data — organization name, role, team membership, invitations.
- Project & schedule content — projects, tasks, schedules, estimates, risks, decision gates, notes, and any text you enter.
- Resource contact details — teammate / resource names, emails, and phone numbers you enter for task-assignment notifications.
- AI prompt & context data — prompts and relevant schedule context sent to AI features.
- Billing data — subscription tier, seat count, AI usage metering, billing identifiers (card data is handled by Stripe).
- Usage & telemetry — feature usage, log data, device/browser type, approximate location from IP, error diagnostics.
- Marketing / waitlist data — email, optional name and company.
We do not intentionally collect special-category personal data, and the standard Service is not intended for protected health information (PHI) or other regulated data (see Section 6).
4. How we use personal data
- provide, operate, maintain, and secure the Service;
- authenticate users and enforce multi-tenant access controls and 2FA/MFA;
- run the scheduling, risk, and AI copilot features you request;
- send transactional and notification messages (task-assignment email/SMS, security alerts, account emails);
- process subscriptions, meter AI usage, and bill through our payment processor;
- monitor, debug, prevent abuse of, and improve the Service;
- comply with legal obligations and enforce our Terms of Service.
5. AI processing and LLM sub-processors
When you use AI features, the prompts you submit and the relevant schedule context needed to answer them are transmitted to third-party large language model (LLM) providers — Anthropic (Claude API) and Google (Gemini API) — to generate a response. This content is processed by those providers under their own terms and privacy policies. We send only what is needed to fulfil your request.
AI output may be inaccurate, incomplete, or misleading. AI suggestions — including dates, probabilities, and risk assessments — must be reviewed by a qualified human before you rely on them. We provide no warranty as to the accuracy of AI output. See the Terms of Service for the full AI disclaimer.
6. Regulated data (HIPAA / SOC 2 / 21 CFR Part 11)
The standard Service is not intended or authorized for protected health information (PHI) under HIPAA or other regulated data. HIPAA Business Associate Agreements (BAAs), SOC 2 Type II, and 21 CFR Part 11 capabilities are Enterprise-tier roadmap items requiring a separate written Enterprise agreement and, for PHI, an executed BAA. Do not submit regulated PHI to the standard Service.
7. Sub-processors
- Anthropic — AI features (Claude API) — processes prompts and schedule context submitted to AI features — United States.
- Google (Gemini API) — AI features (Gemini API), including text embeddings for retrieval — United States.
- Stripe — payment processing and billing — United States.
- Railway — backend application hosting and managed PostgreSQL database — United States.
- Vercel — frontend application hosting — United States.
- Twilio — SMS / text notifications (when notification features are enabled and phone numbers are provided) — United States.
- Mailgun (Sinch Mailgun) — transactional and notification email — United States.
Our application database (PostgreSQL with pgvector) is hosted via our hosting provider above. We may update this list as the Service evolves.
For customers whose use of the Service is subject to the GDPR or similar laws, our Data Processing Agreement governs our processing of personal data on your behalf, incorporates this sub-processor list, and includes the EU Standard Contractual Clauses for international transfers.
8. Cookies and similar technologies
We use a small number of strictly necessary cookies and browser storage items (session and authentication tokens, and interface preferences). We do not currently use third-party advertising cookies. See the Cookie Notice for details and controls.
9. How we share and disclose data
We do not sell personal data. We disclose personal data only:
- to sub-processors listed in Section 7, acting on our instructions;
- within your organization, according to members’ roles;
- for legal reasons — to comply with law or protect rights, safety, and the Service;
- in a business transfer (merger, acquisition, financing, or sale of assets), subject to this policy;
- with your consent or at your direction.
10. International data transfers
We are based in State of North Carolina, United States and our sub-processors are primarily located in the United States. If you access the Service from outside that country (including the EEA, UK, or Switzerland), your personal data may be transferred to and processed in countries that may not provide the same level of data protection as your home jurisdiction. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses. Contact privacy@delta3coretec.com for more information.
11. Data retention
We retain personal data for as long as your account/organization is active and as needed to provide the Service. When you delete your account from within the Service, deletion takes effect immediately (you are signed out and the account is disabled) and is followed by a 30-day recovery window — signing back in during that window cancels the deletion. After the window ends, we permanently delete or anonymize the personal data on a scheduled purge, except where we must retain it to comply with legal, tax, accounting, or security obligations (for example, security audit logs and billing records), resolve disputes, or enforce agreements. Your email address is not released for re-use until the purge completes.
12. Security
- passwords stored using a strong one-way hash (never in plaintext);
- optional two-factor authentication (2FA/MFA);
- encryption in transit (TLS) and encryption at rest via our hosting and database providers;
- role-based, tenant-isolated access controls;
- payment card data handled exclusively by Stripe.
No method of transmission or storage is completely secure.
13. Your rights
GDPR / UK GDPR (EEA, UK, Switzerland)
- Access, rectification, erasure, and portability/export of your data;
- restriction of and objection to certain processing;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local supervisory authority.
CCPA / CPRA (California)
California residents may request to know, access, delete, and correct their personal information, and to opt out of any “sale” or “sharing”. We do not sell personal information and will not discriminate against you for exercising these rights.
How to exercise your rights
You can exercise access, portability, and erasure directly from within the Service (Settings → Your Data & Account): “Export my data” downloads the personal data linked to your account as JSON, and “Delete my account” schedules permanent deletion with a 30-day recovery window — signing back in during the window cancels it. Deletion is confirmed with your password (and second factor, if enrolled).
What deletion covers depends on your role. A member of an organization erases their personal account data only — the organization’s project, schedule, and team content is tenant data controlled by that organization and is not affected (direct requests about it to the organization, as its controller). The sole owner of an organization closes the workspace: the organization and all of its data enter the same 30-day window and are then permanently deleted. An owner with other active members is asked to transfer ownership or remove the other members first.
For anything else — or if you cannot access your account — contact privacy@delta3coretec.com. We will verify your identity before acting.
14. Children
The Service is intended for business and professional users and is not directed to children. We do not knowingly collect personal data from anyone under the age of 16 (or the higher minimum age in your jurisdiction, e.g., 18 where applicable). If you believe a child has provided us personal data, contact privacy@delta3coretec.com.
15. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version with a revised “Last updated” date and, for material changes, provide additional notice where required. Continued use after an update constitutes acceptance of the revised policy.
16. Contact
- Privacy / data protection: privacy@delta3coretec.com
- General support: support@delta3coretec.com
- Postal: Delta 3 Core Tech LLC, 1500 W Main St #41, Carrboro, NC 27510-9998