SERENITY SECURITY by Detailed In Design

Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 3, 2026

Table of Contents

  1. Introduction
  2. Definitions
  3. Categories of Personal Data Collected
  4. Serenity-Nano Endpoint Monitoring & Device Traffic
  5. Purposes of Processing
  6. Sensitive Data Processing
  7. Cookies and Tracking Technologies
  8. Categories of Third Parties and Data Shared
  9. Data Sales, Targeted Advertising, and Profiling
  10. Data Retention Periods
  11. Data Security
  12. International Data Transfers
  13. Your Consumer Rights (Indiana CDPA)
  14. How to Exercise Your Rights
  15. Appeal Process
  16. Opt-Out Mechanisms
  17. Healthcare Data and HIPAA
  18. Children’s Privacy
  19. Changes to This Policy
  20. Contact Information

1. Introduction

Detailed In Design LLC (“Company,” “we,” “us,” or “our”) operates Serenity Security, an AI-powered cyber defense platform for real-time threat detection, investigation, and response. This Privacy Policy applies to:

  • The Serenity Security web platform at clothingcorn.com
  • The Serenity API and all backend services
  • The Serenity-Nano desktop endpoint agent (Windows, macOS, Linux)
  • All interactions with the platform, including dashboard, client portal, and support channels

We comply with the Indiana Consumer Data Protection Act (ICDPA), effective January 1, 2026, and proactively extend its protections to all users regardless of jurisdiction as a demonstration of our commitment to data privacy and consumer protection.

2. Definitions

  • Personal Data: Information linked or reasonably linkable to an identified or identifiable individual.
  • Consumer: An Indiana resident acting in an individual or household context (excludes commercial or employment contexts).
  • Sensitive Data: Racial or ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship status, genetic or biometric data, or precise geolocation.
  • Security Event Data: Structured telemetry, alerts, cases, and forensic artifacts generated by Serenity’s detection engines or submitted by customers for analysis.
  • Device Traffic Data: Network connection metadata, process activity, file-change events, and endpoint telemetry collected by the Serenity-Nano agent on monitored devices.
  • Designated Officer: The individual assigned by the customer organization as the sole authorized party with access to Device Traffic Data for the devices under their charge.
  • Controller / Processor: Detailed In Design LLC acts as Controller for customer account and visitor data. We act as Processor for customer Security Event Data and Device Traffic Data.

3. Categories of Personal Data Collected

| Category | Data Elements | Collection Method |
|---|---|---|
| Account Information | Full name, email, company name, phone number | Provided at signup |
| Payment Information | Billing name and address, payment method type (card details handled exclusively by Stripe) | Subscription setup via Stripe |
| Usage Data | API call counts, dashboard interactions, feature usage, timestamps, response codes | Automatic during platform use |
| Security Event Data | Threat alerts, case records, forensic artifacts, MITRE ATT&CK mappings, Decision Artifacts | Generated by Serenity detection engines or customer submission |
| Device Traffic Data | Network connection metadata (source/destination IPs, ports, protocols, timestamps), process activity, USB device events, file-integrity changes | Collected by Serenity-Nano agent on enrolled devices |
| Support Data | Support messages, attachments, correspondence | Customer-initiated support contact |
| Audit Logs | User actions (login, configuration changes, response actions), IP addresses, timestamps | Automatic |
| Log Data | IP address, user agent, browser type, timestamps, referring URL | Website and API visits |

4. Serenity-Nano Endpoint Monitoring & Device Traffic

Key Principle: All device traffic collected by Serenity-Nano is encrypted end-to-end and accessible only to the Designated Officer assigned to those devices. No other party - including Detailed In Design LLC staff - can view, decrypt, or access this data without explicit written authorization from the Designated Officer.

4.1 What Serenity-Nano Monitors

When deployed on an endpoint, the Serenity-Nano agent continuously monitors the following categories of device activity:

  • Network traffic metadata: Source and destination IP addresses, ports, protocols, connection timestamps, DNS queries, and bytes transferred. Serenity-Nano does not perform deep packet inspection on the content of encrypted (TLS/SSL) user traffic.
  • Process activity: Running processes, process trees, parent-child relationships, file handles, and command-line arguments associated with security-relevant events.
  • File-integrity monitoring: Cryptographic hashes of critical system files and configuration files, with change-detection alerts.
  • USB and peripheral events: Device insertion, removal, and data-transfer events for removable storage and peripherals.
  • Authentication events: Login attempts, privilege escalation events, and credential-related anomalies detected locally.

4.2 Encryption of Monitored Traffic

All Device Traffic Data collected by Serenity-Nano is protected with multiple layers of encryption:

| Layer | Method | Purpose |
|---|---|---|
| In Transit | TLS 1.3 with certificate pinning | Protects data while moving from the Nano agent to the Serenity platform |
| At Rest (Server) | AES-256-GCM encryption | Encrypts all stored Device Traffic Data on Serenity infrastructure |
| Officer-Scoped Envelope | Per-officer asymmetric key pair (RSA-4096 or ECDSA P-384) | Device Traffic Data is envelope-encrypted with the Designated Officer’s public key; only the Officer’s private key can decrypt |

4.3 Designated Officer Access Control

Access to Device Traffic Data is governed by a strict Designated Officer model:

  • One officer per device group: Each set of monitored devices is assigned a single Designated Officer by the customer organization’s administrator. Only that officer can view, search, export, or act on the Device Traffic Data from those devices.
  • Cryptographic enforcement: Access is not merely role-based; it is cryptographically enforced. Device Traffic Data is envelope-encrypted with the Designated Officer’s public key at the point of collection. Without the corresponding private key - held exclusively by the officer - the data cannot be decrypted by anyone, including Serenity platform administrators and Detailed In Design LLC personnel.
  • No backdoor access: Detailed In Design LLC does not maintain a master decryption key, escrow key, or any mechanism to bypass the Designated Officer’s encryption envelope. If the officer’s private key is lost, the corresponding Device Traffic Data is irrecoverable.
  • Officer reassignment: If a Designated Officer is reassigned or leaves the organization, the customer administrator may designate a new officer. New data collected after reassignment is encrypted with the new officer’s key. Previously collected data remains accessible only with the original officer’s key unless the officer explicitly re-encrypts and transfers it before departure.
  • Audit trail: Every access to Device Traffic Data by the Designated Officer is logged in an immutable audit trail, including timestamp, action performed, and data scope accessed. This audit trail is visible to the customer organization’s administrator for oversight purposes.

4.4 What Serenity-Nano Does Not Do

  • Does not capture screenshots, keystrokes, or screen recordings
  • Does not read the content of personal emails, messages, or documents
  • Does not perform deep packet inspection on encrypted user communications
  • Does not access camera or microphone
  • Does not transmit Device Traffic Data to any third party
  • Does not allow Detailed In Design LLC to view or access Device Traffic Data

4.5 Employee Notification Requirements

Customers deploying Serenity-Nano on employee devices are required, under our Terms of Service, to provide clear written notice to all monitored individuals describing:

  • The categories of data collected (as described in Section 4.1)
  • The identity of the Designated Officer with access to their device data
  • The purpose of monitoring (cyber defense and threat detection)
  • Their right to request a summary of data collected from their device, directed to the Designated Officer

5. Purposes of Processing

  • Service Delivery: Providing real-time threat detection, forensic investigation, case management, Decision Artifact generation, and endpoint protection through Serenity-Nano.
  • Account Management: Account creation, authentication, subscription management, and role-based access control.
  • Payment Processing: Processing payments and billing through Stripe.
  • Customer Support: Responding to requests, troubleshooting, and incident resolution.
  • Security and Fraud Prevention: Detecting security incidents, monitoring API and platform usage patterns, rate limiting, and maintaining comprehensive audit logs.
  • Service Improvement: Analyzing aggregated, de-identified data to improve detection models and platform performance. Device Traffic Data is never used for this purpose.
  • Legal Compliance: Complying with applicable laws, regulations, and legal processes.
  • Communications: Transactional messages (service alerts, security notifications, billing confirmations) only. We do not send marketing communications without explicit opt-in consent.

6. Sensitive Data Processing

We do not intentionally collect Sensitive Data (as defined under the ICDPA) for our own purposes.

However, customer Security Event Data or Device Traffic Data may incidentally contain information that qualifies as Sensitive Data. In such cases:

  • The customer acts as Controller and is responsible for obtaining any required end-user consent.
  • Detailed In Design LLC acts as Processor.
  • Data is processed only for the contracted cyber defense services.
  • Data is not used for model training on other customers’ data, advertising, or sale.

Enterprise customers handling Protected Health Information may execute a Business Associate Agreement (BAA).

7. Cookies and Tracking Technologies

| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| serenity_session | HttpOnly, Secure, SameSite=Lax | Session authentication | Session / 30 minutes |
| refresh_token | HttpOnly, Secure, SameSite=Lax | Token refresh | 7 days |

We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party tracking technologies.

8. Categories of Third Parties and Data Shared

| Third Party | Category | Data Shared | Purpose |
|---|---|---|---|
| Stripe | Payment Processor | Billing name, email, payment details | Payment and subscription processing |
| Hetzner | Cloud Infrastructure | All encrypted server data | Dedicated single-tenant hosting |
| Cloudflare | Security / CDN | IP addresses, request metadata | DNS, DDoS protection, routing |
| Let’s Encrypt | Certificate Authority | Domain names only | SSL/TLS certificate issuance |

Third parties are contractually required to protect data in accordance with applicable law and our contractual requirements.

Device Traffic Data is never shared with any third party. It is stored on dedicated infrastructure and encrypted with the Designated Officer’s key. Third-party infrastructure providers host the encrypted data but cannot access its contents.

9. Data Sales, Targeted Advertising, and Profiling

  • We do NOT sell personal data.
  • We do NOT use personal data for targeted advertising.
  • We do NOT profile consumers for marketing purposes.

Customer Security Event Data and Device Traffic Data are processed exclusively for the contracted cyber defense service. They are not used for model training on other customers’ data, not shared with other customers, and not monetized in any way.

10. Data Retention Periods

| Data Category | Retention Period |
|---|---|
| Account Information | Duration of active account + 30 days after deletion |
| Payment Information | Stripe’s retention policy; Company retains billing records 7 years for tax compliance |
| Usage Data | 90 days |
| Security Event Data | Per customer retention policy; default 90 days, configurable up to 7 years (Enterprise) |
| Device Traffic Data | Per customer retention policy; default 90 days. Designated Officer may purge at any time |
| Support Data | Duration of active account + 30 days after deletion |
| Audit Logs (Basic / Professional) | 90 days |
| Audit Logs (Enterprise) | 7 years |
| Log Data | 90 days |

Upon account deletion, a 30-day grace period allows restoration requests. After 30 days, all personal data associated with the account is permanently deleted. Device Traffic Data is cryptographically shredded (encryption keys destroyed) upon account termination or at the Designated Officer’s request.

11. Data Security

We implement comprehensive technical and organizational security measures:

  • Encryption in Transit: TLS 1.2 or higher for all platform communications; TLS 1.3 with certificate pinning for Serenity-Nano agent communications.
  • Encryption at Rest: AES-256-GCM for all stored data on dedicated infrastructure.
  • Device Traffic Envelope Encryption: Per-officer asymmetric key pairs (RSA-4096 or ECDSA P-384) ensuring only the Designated Officer can decrypt Device Traffic Data.
  • API Key Security: SHA-256 hashing; plaintext keys are never stored.
  • Session Security: HttpOnly, Secure, SameSite cookies; bcrypt password hashing with per-user salt.
  • Rate Limiting: Sliding-window per-tenant rate limiting across all API endpoints.
  • Access Controls: Role-based access with least-privilege principle; Designated Officer cryptographic access for Device Traffic Data.
  • Audit Logging: Comprehensive, immutable logging of all administrative and security-relevant actions.
  • Single-Tenant Deployment: Every customer deploys on fully isolated infrastructure - no shared databases, no shared compute, no shared storage.

No method of electronic storage or transmission is 100% secure. We commit to protecting your data to the best of our ability using industry-leading practices and will notify affected customers within 72 hours of discovering any data breach.

12. International Data Transfers

Customer deployments are provisioned on dedicated infrastructure in the customer’s selected region. Default hosting is provided by Hetzner data centers within the European Union (Falkenstein, Germany and Helsinki, Finland).

We do not transfer personal data outside of the hosting region unless required by a third-party service provider (e.g., Stripe for payment processing). Users accessing the Service from outside the hosting region consent to data transfer to the applicable infrastructure region by using the Service.

13. Your Consumer Rights (Indiana CDPA)

We extend the following rights to all users regardless of state or country of residence:

Right to Access

Confirm whether your data is being processed and access the categories and specific pieces of data collected.

Right to Correct

Correct inaccuracies in your personal data through the dashboard or by submitting a correction request.

Right to Delete

Request deletion of your personal data, subject to exceptions for completing transactions, legal obligations, or exercising legal rights.

Right to Data Portability

Obtain your personal data in a portable, readily usable format (JSON export provided upon request).

Right to Opt Out

Opt out of: (a) data sales, (b) targeted advertising, (c) profiling with legal or similarly significant effects. As stated in Section 9, we do not engage in any of these practices.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your rights under the ICDPA.

14. How to Exercise Your Rights

You may submit privacy rights requests through:

  • Email: support@clothingcorn.com with subject line “Privacy Rights Request”
  • Portal: Account Profile > Privacy Settings within the Serenity dashboard
  • Support Ticket: Submit with category “Privacy”

Verification: We will confirm your identity before fulfilling any request.

Authorized Agents: Permitted with written proof of authorization.

Response Time: Within 45 calendar days of receipt. Extensions will be communicated within 45 days, with total response time not exceeding 90 days.

Cost: No fees unless a request is manifestly unfounded or excessive, in which case a reasonable fee may apply or the request may be declined with explanation.

15. Appeal Process

If a privacy rights request is declined, you may appeal by:

  1. Emailing support@clothingcorn.com with subject line “Privacy Rights Appeal” within 30 days of our response.
  2. Including the original request, response date, and your reasoning.
  3. We will respond within 60 days with a written explanation.

If your appeal is denied and you believe there has been an ICDPA violation, you may file a complaint with:

Office of the Indiana Attorney General
Consumer Protection Division
Indiana Government Center South, 5th Floor
302 West Washington Street
Indianapolis, IN 46204
Website: www.in.gov/attorneygeneral

16. Opt-Out Mechanisms

Opt Out of Data Sales

We do not sell personal data. There is no sale to opt out of.

Opt Out of Targeted Advertising

We do not engage in targeted advertising. We do not display advertisements on our platform.

Opt Out of Profiling

We do not profile consumers in furtherance of decisions that produce legal or similarly significant effects.

Despite the above, we accept formal opt-out requests at support@clothingcorn.com with subject line “Opt-Out Request.” We recognize universal opt-out mechanisms including the Global Privacy Control (GPC) signal.

17. Healthcare Data and HIPAA

Serenity Security is built to HIPAA-compliant standards, including encryption at rest and in transit, access controls, audit logging, and secure data handling procedures.

  • A Business Associate Agreement (BAA) is available for Enterprise tier customers.
  • Basic and Professional tier customers should not submit Protected Health Information (PHI) without upgrading and executing a BAA.
  • Customers are responsible for determining whether their data constitutes PHI.
  • BAA requests: support@clothingcorn.com

18. Children’s Privacy

Serenity Security is a business-to-business platform designed for use by organizations and their authorized personnel. It is not directed at individuals under the age of 16.

We do not knowingly collect personal data from children under 16 and will promptly delete such data if it is discovered. Reports of inadvertent collection should be directed to support@clothingcorn.com.

19. Changes to This Policy

Material Changes: We will provide at least 30 days’ notice before any material change becomes effective, via email to your account address and a prominent notice on the platform.

Non-Material Changes: Formatting corrections and clarifications will be reflected by updating the “Last Updated” date only.

Continued use of the Service after changes become effective constitutes acceptance. If you disagree with any changes, you should discontinue use and request account deletion.

20. Contact Information

Detailed In Design LLC
An Indiana Limited Liability Company

Email: support@clothingcorn.com
Website: clothingcorn.com
Parent Company: detailedindesign.com

For privacy-specific requests, use the subject line “Privacy Inquiry.”


© 2024–2026 Detailed In Design LLC. All rights reserved.
© 2024–2026 Serenity Security. All rights reserved.
