Privacy Policy.
auriglyph collects a limited set of personal data solely to evaluate access requests submitted through the sovereign disclosure gateway. This page describes what is collected, why, and how it is handled.
Who we are
auriglyph is the trading name of Mikhail Kostan, an individual researcher and engineer resident in Colombia (the "Lab"). We operate the website at auriglyph.com and the disclosure gateway located at /access/. Mikhail Kostan is the data controller for any personal data submitted through these services and can be reached, including on data-protection matters, at [email protected].
What we collect and why
We collect personal data only when you voluntarily submit an access request through the NDA gateway. The fields collected and their purpose are:
- Legal name (first and last) — to identify the submitting individual and verify institutional authority.
- Work email address — to communicate eligibility decisions and issue counter-signed documents. Free-domain submissions are not processed.
- Phone number (optional) — provided at your discretion; used only if you request it as a secondary contact channel.
- Organisation name and title/role — to assess institutional qualification and the submitter's authority to bind the organisation.
- Jurisdiction — required for governing-law determination under the bilateral NDA.
- Institutional type and stated interest — to scope the evaluation and determine which artefacts may be relevant to your request.
- The content of your request — the message your email client composes is sent to us and retained in our mailbox as received.
The website runs no analytics, sets no tracking cookies, and loads no third-party scripts; it does not log your browsing or device. Your access request is delivered to us by email — and, as with any email, the message carries standard transport metadata (including the originating IP address and mail-routing headers) added by your own email client and provider and by the systems that relay it. We do not generate this metadata but necessarily receive it with the message, and it is retained with the email. We do not control the data practices of your email provider or any intermediary mail service.
Legal basis for processing
Processing is based on:
- Legitimate interests — evaluating access eligibility, protecting proprietary artefacts, and maintaining a verifiable audit trail for contractual obligations.
- Contractual necessity — once an NDA is counter-signed, processing is necessary to fulfil the agreement and administer the access relationship.
- Legal obligation — retention of certain records may be required by applicable law.
How your request reaches us and how it is held
When you submit a request, your browser composes an email to [email protected] containing the details you entered. The website does not hash, encrypt, or otherwise transform this data on your device, and stores nothing in cookies, localStorage, or client-side state after the email is handed off. Once sent, your request is received and retained as an ordinary email in our mailbox and our email provider's systems. Email is not an end-to-end encrypted channel; we apply no additional encryption of our own, so do not include secrets or confidential payloads in your request. Access to the mailbox is limited to the operator and any authorised reviewer.
We do not use automated decision-making or profiling. Every request is read and assessed by a human before any response is issued.
Retention
Data submitted through the gateway is retained for as long as the associated NDA remains in force, plus any additional period required by applicable law or the terms of the NDA itself (typically up to 36 months after expiry). Submissions that do not result in a counter-signed NDA are retained for a maximum of 12 months from the submission date to allow for re-evaluation, then securely deleted. You may request earlier deletion (see §07).
Third-party sharing
We do not sell, rent, or share your personal data with third parties for marketing purposes. Data may be disclosed:
- To legal counsel, solely for the purpose of reviewing or countersigning the bilateral NDA;
- To infrastructure providers (hosting, storage) under appropriate data-processing agreements and with access limited to the minimum necessary;
- As required by law, regulation, or valid court order — with prior notice to you where legally permitted.
Your rights
Depending on your jurisdiction, you may have the right to access, correct, erase, or restrict processing of your personal data; to object to processing; and to data portability. To exercise any of these rights, write to [email protected] with the subject line Privacy request and a description of your request. We will respond within 30 days.
If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the supervisory authority in your jurisdiction.
Cookies and tracking
This site does not use analytics cookies, advertising cookies, or any third-party tracking scripts. No telemetry is collected from visitors. Session state within the NDA gateway is maintained in memory only and is not persisted beyond the browser session.
Changes to this policy
Material changes to this policy will be posted at this URL with an updated effective date. If changes affect how we process data you have already submitted, we will notify you directly at the email address provided.
Questions or requests: [email protected] · response within 30 days. © 2026 auriglyph.