Maxim
Effective 2026-05-20 · v1.3.2.1

Privacy policy

iSystematic Inc. (Winnipeg, Canada) operates the Maxim product. This policy explains what data we collect, what we do not collect, who we share it with, how long we keep it, and how you exercise your rights. We aim for substantive disclosure, not boilerplate.

Operator of record: iSystematic Inc. · Winnipeg, Manitoba, Canada · Contact for privacy requests: maxim.isystematic.com/contact

Scope

This policy covers two surfaces:

  • The website at maxim.isystematic.com (pricing, docs, contact form, checkout, this policy).
  • The Maxim plugin runtime installed inside your Claude Code (or Desktop / Web / Cowork) session. The plugin runs locally on your machine. It does not transmit your files or code to iSystematic and does not collect telemetry on your usage. The only call it makes to iSystematic on its own initiative is the daily license heartbeat on paid tiers, described in Section 2.

1. What the website collects

Analytics

The site currently loads two analytics products. Both are disclosed here in full:

  • Plausible for aggregate page-view metrics and goal events (for example, a "DemoComplete" event when you finish the interactive terminal demo). Plausible is privacy-friendly: no cookies, no cross-site tracking, IP addresses anonymized at ingestion. See plausible.io/data-policy.
  • Google Analytics 4 (measurement ID G-894PVMJ910), on the maxim.isystematic.com website only. It tracks aggregate page-view traffic on the marketing pages (pricing, docs, contact, this policy), uses cookies, and may send pseudonymous identifiers to Google. Google Analytics does not collect anything from the Maxim plugin itself: plugin usage, slash commands invoked, agents fired, files read, MCP tools called, voice audio, session memory, compliance findings, NotebookLM activity, none of it ever touches Google Analytics or any other analytics product. The plugin runtime is telemetry-free by design; Section 2 lists what the plugin does not do. If you object to GA on the website, block gtag with a browser extension or use a privacy-respecting browser. Removing GA from the site is a candidate for a future release. Google's handling of this data is described at policies.google.com/privacy.

Contact form

When you submit the contact form, we collect: your message, the email address you provide, your browser user-agent, your operating system, and an approximate location derived from your network request (country + region, not precise GPS). This data is used to route your message and prevent spam. We retain submissions for 90 days. We do not add submitters to any marketing list. You can request deletion at any time via the contact form (subject line: "data deletion request").

Checkout

Purchases for Maxim paid tiers go through Stripe Checkout (Stripe-hosted). iSystematic does not see your card number, CVV, or full billing details. We receive only what Stripe forwards to us for license issuance: your email address, the SKU you purchased, and a Stripe customer ID. Stripe is PCI-DSS Level 1 certified. See stripe.com/privacy.

License issuance

After a successful Stripe purchase, our Cloudflare Worker (ADR-003) issues an RS256 JWT and emails it to you. The Worker receives your email address, the SKU you purchased, and a one-way hash of your machine fingerprint, computed client-side before transmission (also per ADR-003) so the raw identifiers never leave your machine. The Worker stores your tier grant, the JWT expiry, your hashed fingerprint, and a revocation flag. It does not store the email it sends you, your IP address beyond Cloudflare's per-request logs (30-day retention), or any plugin runtime data. Because the hash is stable, it still identifies your installation; it is covered by the retention and deletion terms in Sections 4 and 5.

2. What the Maxim plugin collects (and does not collect)

What stays on your machine

  • Filesystem reads. Maxim reads your project files, code, configs, and documentation to do its work (framework citation, drift detection, compliance scanning, voice routing, etc.). All reads are local. No file content is transmitted to iSystematic.
  • Session memory. MemPalace stores your session memory in a local SQLite database (default location: per-project under .claude-sessions-memory/). Cross-session recall is local. No cloud sync unless you explicitly configure one.
  • Voice (default mode). mxm-voice wraps mbailey/voicemode in local mode: Whisper STT and Kokoro TTS both run on your machine. Audio never leaves your device.
  • VAZIR persona TTS. Kokoro TTS only, fully local.
  • Compliance audit log. Written locally to .mxm-skills/compliance-audit.jsonl by the pre-commit hook. Stays on your machine.
  • CSO auto-loop. Security and PII scanning runs locally before any output is emitted. Findings stay on your machine.

What goes off your machine (the daily license heartbeat on paid tiers, plus integrations you opt into)

  • License heartbeat. Paid-tier plugins ping the Cloudflare Worker once per day to confirm your JWT has not been revoked. The request body contains only your JWT (which carries your hashed fingerprint and tier grant) and a timestamp: no project data, no file content, no usage telemetry. As with any HTTPS request, Cloudflare's per-request logs (Section 1) record the source IP address for 30 days.
  • NotebookLM uploads (opt-in via mxm-notebooklm). When you explicitly invoke a NotebookLM workflow, source files you provide are uploaded to Google's NotebookLM service under your own Google account. The CSO compliance-orchestrator auto-loop scans for PII and regulated content before upload and can block uploads that violate your declared compliance frameworks. Per ADR-018, every NotebookLM operation carries a fragility disclosure: upstream uses undocumented Google APIs. Maxim does not store or proxy this data; the integration is a wrapper over your own NotebookLM access.
  • Voice (cloud mode, opt-in). If you explicitly configure mxm-voice for OpenAI cloud STT/TTS, your audio goes to OpenAI per their privacy policy. Local mode is the default; cloud mode requires explicit opt-in.
  • External tool integrations follow the ADR-018 three-layer pattern (community-pack + Maxim skill + MCP wrapper). Each integration ships a fragility disclosure naming the upstream and its data-handling posture. You can audit every external call via the compliance-audit log.

What the plugin does NOT do

  • The plugin does not phone home to iSystematic with usage telemetry.
  • The plugin does not transmit your file content, code, or project structure to iSystematic.
  • The plugin does not track which slash commands you invoke or which agents fire.
  • The plugin does not collect performance metrics, crash reports, or error logs centrally.
  • The plugin does not load Google Analytics, Plausible, or any other analytics product. The analytics disclosed in Section 1 (Plausible + Google Analytics) run ONLY on the maxim.isystematic.com website pages you visit in your browser. They do not exist inside the Claude Code / Desktop / Web plugin process. Loading the plugin, calling a tool, dispatching an agent - none of these actions are visible to any analytics product.

This is by design. Maxim's commercial model gates capabilities behind paid packs at the MCP layer via JWT, not behind usage-data extraction. The license heartbeat is the only network call the paid-tier plugin makes to iSystematic's infrastructure on its own initiative after install; the opt-in integrations above call their own upstreams only when you invoke them.

3. Subprocessors

We share data only with the following subprocessors, each only for the narrow purpose described:

Subprocessor · Purpose · Data shared

  • Stripe · Payment processing · Email, card data (Stripe-only), billing address
  • Cloudflare · License JWT issuance + site CDN · Email, SKU, hashed fingerprint, per-request IP logs (30d)
  • Vercel · Website hosting · Per-request logs, deployment metadata
  • Plausible · Aggregate analytics (cookie-less) · Anonymized page-view + goal events
  • Google (Analytics) · Aggregate analytics (cookie-based) · Pseudonymous identifiers, page-views, device class
  • Google (NotebookLM, opt-in) · Research synthesis (your Google account) · Sources you explicitly upload via mxm-notebooklm
  • OpenAI (voice cloud mode, opt-in) · Whisper STT / TTS · Audio you record when in cloud mode

The opt-in subprocessors (NotebookLM, OpenAI cloud voice) are not engaged unless you explicitly enable them. The plugin runs fully offline-capable without any of them.

4. Retention

  • Contact form submissions: 90 days, then deleted.
  • Stripe customer + purchase records: 7 years (Canada Revenue Agency retention requirement for sales records).
  • License JWT records (hashed fingerprint + tier grant): until you cancel + 30 days for revocation propagation.
  • Cloudflare per-request logs: 30 days (Cloudflare-managed).
  • Plausible aggregate stats: indefinite (no individual records to delete).
  • Google Analytics: 14 months default; we have not lengthened this.
  • Plugin-side local data (memory, audit log, voice files): your machine, your control.

5. Your rights

Under PIPEDA (Canada), the EU GDPR and UK GDPR, CCPA/CPRA (California), and equivalent laws, you have the right to: access the personal data we hold about you, request correction, request deletion, request portability, and object to certain processing.

To exercise any of these rights, contact us at maxim.isystematic.com/contact with the subject line "privacy request: [access | correction | deletion | portability | objection]". We respond within 30 days. If we deny or partially deny your request, we explain why and tell you how to escalate (to the Office of the Privacy Commissioner of Canada, or your jurisdiction's equivalent).

You can also end your license at any time by cancelling via Stripe. Your JWT stops validating at the next daily heartbeat, i.e. within 24 hours, through the revocation flag described in Section 2.

6. International transfers

iSystematic Inc. is based in Canada. Our subprocessors are located in: the United States (Stripe, Cloudflare, Vercel, Google, OpenAI), Estonia (Plausible). When personal data is transferred outside your jurisdiction, we rely on the subprocessors' own legal mechanisms (Standard Contractual Clauses for EU transfers, where applicable). If you require a Data Processing Agreement (DPA) for a regulated workflow, request one via the contact form.

7. Compliance frameworks Maxim enforces (for your work)

Separately from how iSystematic handles your data (above), Maxim's plugin enforces 14 compliance frameworks on the work you do with it: GDPR, PIPEDA, UAE-PDPL, HIPAA, PCI-DSS, SOC 2, ISO 27001, ISO 13485, ISO 14971, NIST CSF, EU AI Act, CASL, FINTRAC, WCAG 2.1. When your work touches regulated data, the CSO auto-loop fires automatically and the security-analyst agent reviews. See BSL 1.1 license and ETHICAL_GUIDELINES.md.

8. Changes to this policy

Material changes (new subprocessor, expanded data collection, retention extension) get a version bump and a new effective date at the top. We surface the change in the next Maxim plugin release's CHANGELOG entry under a "Privacy" subhead so existing operators see it. Non-material changes (typo fixes, clarifications) are published without a version bump or CHANGELOG entry.


Effective 2026-05-20 · v1.3.2.1 · supersedes the v1.0.0 stub. Questions: maxim.isystematic.com/contact