Legal

Privacy Policy

Effective date: 30 March 2026  ·  State3 Ltd, New Zealand

1. Who we are

State3 Depend is a SaaS product operated by State3 Ltd, a company registered in New Zealand. References to "State3", "we", "us", or "our" in this policy refer to State3 Ltd.

State3 Depend ("the Service") is a dependency intelligence platform that extracts entities and relationships from architecture documents and provides graph-based analysis, impact scoring, and single-point-of-failure detection.

If you have questions about this policy, contact us at privacy@state3.co.nz.

2. Data we collect

2.1 Waitlist registration

When you register interest in early access, we collect:

• Name — so we can address you personally
• Work email address — to notify you when early access opens
• Role — your job function (IT Professional, Consultant, Manager, Developer, AI Agent Developer, or Other)
• AI tool preference (optional) — which AI tool you use most (Claude, ChatGPT, GitHub Copilot, Cursor, Other, or None)

We do not require payment information, a password, or any identity document at the registration stage.

2.2 Account data (at launch)

Once the Service launches and you create an account, we will collect:

• Email address and display name
• Subscription plan and billing information (processed by our payment provider — we do not store raw card numbers)
• AI provider API key — stored encrypted at rest, used only to route document analysis requests on your behalf, never logged or shared

2.3 Usage data

When you use the Service we automatically collect:

• Log data — IP address, browser type, pages visited, timestamps
• Feature usage — which tools you use (graph creation, impact analysis, MCP queries), error events
• Performance data — API response times, error rates

This data is used solely for operating, improving, and securing the Service. It is not sold or used to build advertising profiles.

3. How we use your data

Purpose	Legal basis
Notify you when early access opens	Consent (you registered for this)
Provide and operate the Service	Contract performance
Process payments	Contract performance
Improve product features and fix bugs	Legitimate interests
Send product updates and launch announcements	Consent (you can unsubscribe at any time)
Detect and prevent fraud or abuse	Legitimate interests / legal obligation
Comply with legal obligations	Legal obligation

We will never sell your personal data, use it for targeted advertising, or share it with third parties for their own marketing purposes.

4. BYO AI architecture & document processing

When you upload a document for analysis, the following happens:

• Your browser (or API client) sends the document directly to your configured AI provider — such as OpenAI, Anthropic, or another provider you specify — using the API key you supplied
• Your AI provider returns a structured extraction result (entities, relationships, metadata)
• State3 Depend receives only that structured result — not the original document text
• The structured result is stored as your dependency graph (see Section 5)

Your AI provider's own privacy policy governs how your documents are handled during processing. We recommend reviewing those policies before uploading sensitive or confidential documents. State3 has no ability to access or audit what your AI provider stores.

Your AI API key is stored encrypted using AES-256 at rest. It is transmitted over TLS and used only to make API calls on your behalf. State3 employees cannot view decrypted API keys.

5. Dependency graph storage

Once a document has been analysed, the resulting dependency graph — the set of entities (systems, people, processes, vendors) and relationships (dependencies, integrations, flows) extracted from your document — is stored by State3 on Microsoft Azure infrastructure in the Australia East region.

This graph data may include names of internal systems, team names, vendor names, and structural information about your IT architecture. It does not include the raw text of your source document.

Graph data is:

• Associated with your account and not shared with other users or organisations
• Encrypted at rest (Azure Storage Service Encryption, AES-256)
• Transmitted over TLS 1.2 or higher
• Retained for as long as your account is active, plus a 90-day grace period after account deletion (see Section 8)

6. MCP agent access

State3 Depend provides a Model Context Protocol (MCP) server with up to 20 tools that allow AI agents to query your dependency graph programmatically. Examples include: looking up a system's dependencies, running an impact simulation, or listing single points of failure.

When you enable MCP access:

• You generate an API key scoped to your account's graph data
• Any AI agent or automated workflow holding that key can read (and optionally write) your graph data
• MCP queries are logged for security and audit purposes — these logs include the query type, timestamp, and a hash of the API key, but not the content of query responses
• You can revoke MCP keys at any time from your account settings

You are responsible for securing your MCP API keys and for the behaviour of any agents you authorise to access your graph data.

7. Data sharing and third parties

We share personal data only in the following limited circumstances:

7.1 Service providers (sub-processors)

Provider	Purpose	Location
Microsoft Azure	Cloud hosting, database, storage	Australia East
Payment processor (TBC)	Subscription billing	United States
SendGrid (Twilio Inc.)	Transactional and launch emails	United States
Google LLC (reCAPTCHA)	Bot and abuse protection on the registration form	United States

Our registration form uses Google reCAPTCHA v3 to detect automated abuse. When you submit the form, Google receives standard request metadata (your IP address, user agent, and a bot-likelihood signal) governed by the Google Privacy Policy and Terms of Service.

All sub-processors are bound by data processing agreements and handle data only as instructed by State3.

7.2 Legal requirements

We may disclose data if required by law, court order, or to protect the safety, rights, or property of State3 or others.

7.3 Business transfers

If State3 Ltd is acquired, merges with another entity, or transfers substantially all of its assets, your data may be transferred as part of that transaction. We will notify you by email and/or a prominent notice on the Service before your data becomes subject to a different privacy policy.

8. Data retention

• Waitlist registrations — retained until the product launches and you create an account, or until you ask us to delete your entry, or for a maximum of 24 months from registration if the product does not launch
• Account and graph data — retained for as long as your account is active. On account deletion, data is purged within 90 days except where retention is required by law
• Usage logs — retained for up to 12 months for security and performance monitoring, then automatically deleted
• Encrypted API keys — deleted immediately on revocation or account deletion

9. Security

We implement industry-standard technical and organisational measures to protect your data, including:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption for data at rest
• Encrypted storage of API credentials
• Role-based access control — State3 team members access only what they need to support the Service
• Regular dependency and vulnerability scanning
• Azure-managed DDoS protection and network isolation

No system is completely immune to security risks. In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law — and no later than 72 hours after we become aware of the breach where required by regulation.

10. Your rights

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Correction — ask us to correct inaccurate or incomplete data
• Deletion — ask us to delete your personal data ("right to be forgotten")
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Withdrawal of consent — unsubscribe from marketing emails at any time using the link in any email we send, or by contacting us

To exercise any of these rights, email privacy@state3.co.nz with the subject line "Data Request". We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

If you are located in the European Economic Area or United Kingdom, you also have the right to lodge a complaint with your local data protection authority.

11. Cookies and analytics

This website currently uses minimal cookies:

• Session cookies — set by the browser to maintain your authenticated session (once accounts are enabled); these expire when you close your browser
• Preference cookies — may be set to remember UI preferences such as theme or language

We do not currently use third-party advertising cookies or fingerprinting technologies. If we introduce analytics or tracking in future we will update this policy and, where required, seek your consent.

12. Children's privacy

State3 Depend is a professional SaaS tool intended for adults in a business context. We do not knowingly collect personal data from anyone under 16 years of age. If you believe a child has provided us with personal information, please contact us at privacy@state3.co.nz and we will promptly delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective date" at the top of this page. For material changes — such as new categories of data collection or new third-party sharing arrangements — we will notify registered users by email at least 14 days before the change takes effect.

Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

14. Contact us

If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:

• Email: privacy@state3.co.nz
• Website: www.state3.co.nz
• Company: State3 Ltd, New Zealand

← Back to State3 Depend