Privacy policy

Onyx Labs is operated by Onyx Management, LLC. This Privacy Policy explains how we collect, use, and protect your personal information when you visit our website, contact us, or work with us during an engagement.

1. Information we collect

We collect information you provide directly to us, such as when you submit an inquiry, evaluate a potential engagement, or contact us for support. This may include:

• Name and contact information (email address, phone number)
• Company name, role, and team size
• Portfolio and engagement context (firm, AUM range, portfolio companies, objectives, materials shared for the work)
• Communications you send to us
• User preferences and settings

Information collected automatically

When you access our website, we automatically collect certain information, including:

• Log information (IP address, browser type, access times, pages viewed)
• Device information (hardware model, operating system, unique device identifiers)
• Usage data (pages visited, actions taken, time spent on pages)
• Approximate location (based on IP address)

2. Cookies and tracking

We use a minimal set of essential cookies required for core site functionality and security. We do not use advertising cookies, and we do not sell or share your information for cross-site advertising. You can instruct your browser to refuse cookies, though some parts of the site may not function as intended.

3. How we use information

• Respond to inquiries and evaluate fit for Onyx Labs services
• Deliver, manage, and improve engagements and the work product they produce
• Operate, secure, and improve our website
• Send technical notices, updates, and support messages
• Analyze usage patterns to improve our content and structure
• Detect, investigate, and prevent fraudulent or unauthorized activity
• Comply with legal obligations and protect our rights

4. Information sharing and disclosure

We do not sell your personal information. We may share information in the following circumstances:

• Service providers: third-party vendors who perform services on our behalf, such as cloud hosting, databases, communications, and AI model processing.
• Legal requirements: when required by law, regulation, or legal process.
• Business transfers: in connection with a merger, acquisition, or sale of assets.
• Protection of rights: to protect the rights, property, or safety of Onyx Labs, our clients, or the public.
• With your consent: at your direction or with your permission.

5. Third-party services

Our website and engagements rely on a small number of trusted providers. We are not responsible for the privacy practices of third parties and encourage you to review their policies. Providers we may use include:

• Cloud infrastructure providers (Vercel, Supabase) for hosting and managed databases
• AI processing providers (Anthropic, and optionally OpenAI) for drafting, classification, and reasoning features
• Payment processors (Stripe) where billing applies
• Email and collaboration platforms (e.g., Microsoft Graph, Google APIs) where connected during an engagement

6. Data security

We implement appropriate technical and organizational measures to protect your information, including:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Application-level encryption of sensitive credentials
• Role-based access controls and multi-factor authentication
• Audit logging of administrative and data-access events
• Security headers (HSTS, CSP, X-Frame-Options) on all responses

No method of transmission or storage is completely secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security.

7. International data transfers

Your information may be transferred to and processed in countries other than your country of residence, which may have different data protection laws. When we transfer personal data outside the European Economic Area (EEA), we put appropriate safeguards in place, such as Standard Contractual Clauses approved by the European Commission.

8. Data retention

We retain personal information only as long as necessary to fulfill the purposes described here, including to satisfy legal, accounting, or reporting requirements. When determining the retention period we consider the nature and sensitivity of the data, the purposes of processing, applicable legal requirements, and our legitimate business interests.

9. Your rights and choices

Depending on your location, you may have rights to:

• Access a copy of the personal information we hold about you
• Correct inaccurate or incomplete information
• Delete your personal information
• Port your data in a machine-readable format
• Restrict or object to certain processing
• Withdraw consent where processing is based on consent

To exercise these rights, contact us. We respond within the timeframe required by applicable law.

For California residents (CCPA)

California residents have additional rights, including the right to know what personal information is collected, used, or shared; the right to delete it; the right to opt out of its sale; and the right to non-discrimination for exercising these rights. We do not sell personal information as defined under the CCPA.

For EEA residents (GDPR)

If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to lodge a complaint with your local data protection authority.

10. Children's privacy

Our services are not intended for individuals under 18, and we do not knowingly collect their personal information. If we learn that we have, we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page, revise the "Last updated" date, and, for significant changes, provide additional notice where appropriate.