This Privacy Policy explains how Truveil ("we", "us", "our") collects, uses, and protects information when you use our AI agent accountability platform across all our product surfaces.
Quick summary: We collect what is necessary to run the service. We do not sell your data. We do not use your AI agent logs to train models. You can delete your account and data at any time. Where you use our advisory tools without an account, we still respect your right to request data deletion.
1. Truveil Product Surfaces
Truveil is offered through two product surfaces. Each has a distinct data flow, and this Policy applies to both.
| Surface | What it does | Account required |
| --- | --- | --- |
| Dashboard and SDK | Instrument your AI agents at runtime with our software development kits. Logs, decisions, and audit trails are stored under your account for accountability scoring and audit reports. | Yes |
| Advisory | Compliance design copilot for AI agent governance, accessible through our Custom GPT for ChatGPT, our MCP server for Claude, and our authenticated REST endpoints. Returns regulatory citations, build-stage guidance, and jurisdictional briefs. | No for the Custom GPT (when accessed through the GPT Store); Yes for MCP and REST, which require an API key |
2. Information We Collect
Account Information (Dashboard and SDK users)
When you sign up, we collect your email address and a password (stored only as a cryptographic hash, never as plain text). Optionally, you may provide your name and organisation.
AI Agent Data (Dashboard and SDK users)
When you use the Truveil SDK to log AI agent decisions, we collect:
- The actions and decisions your agent makes
- Risk classifications and metadata (timestamps, agent names, project names)
- Context details you choose to include in logs
Advisory Query Data (Advisory users)
When you use Truveil's Advisory surface (Custom GPT, MCP, or REST), we process the queries you submit so our advisory tools can return relevant regulatory citations and design guidance. Specifically:
- The natural-language query you submit (forwarded to our routing classifier)
- Optional structured fields you provide (e.g., target jurisdictions, build descriptions)
- API key (for MCP and REST authentication; not collected from Custom GPT users who access through the GPT Store)
- Timestamps, request volume, and tool-selection metadata for service operation and abuse detection
For Custom GPT users accessing Truveil through ChatGPT, your queries first pass through OpenAI's infrastructure before reaching Truveil. OpenAI's data handling for ChatGPT is governed by OpenAI's privacy policy, which Truveil does not control.
Usage Information
We collect technical information about how you use Truveil's web dashboard, including IP address, browser type, device information, pages visited, and feature usage. This helps us improve the service and detect abuse. Custom GPT users do not directly interact with the Truveil dashboard, so this data is not collected from them through that surface.
Payment Information
If you subscribe to a paid plan, payment processing is handled by our payment provider (Stripe or Razorpay). We do not store your full credit card details. We retain only billing records and the last four digits of the card for invoicing.
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Truveil service across both product surfaces
- Process advisory queries and return regulatory citations and design guidance
- Generate audit reports based on your AI agent logs (Dashboard and SDK users)
- Process payments and manage subscriptions
- Send service-related communications (account verification, billing, security alerts)
- Send product updates and announcements (you can opt out of marketing emails)
- Detect, prevent, and address fraud, abuse, or security issues
- Comply with legal obligations
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area, United Kingdom, or other jurisdictions with similar laws, we rely on the following legal bases:
- Contract: Processing necessary to provide the Service to Dashboard and SDK users who have signed up
- Legitimate interests: Operating the Advisory surface (including for Custom GPT users without an account), improving the service, security, and fraud prevention
- Consent: Marketing communications and optional features; you can withdraw consent at any time
- Legal obligation: Tax records, regulatory compliance
5. How Truveil Processes Your Data
Truveil's product is built around a deterministic core, with language layers handling natural-language input and output where applicable.
Dashboard and SDK: Audit Report Generation
For Dashboard and SDK users, audit reports are generated in two layers:
- Deterministic core: Risk classification, gap detection, accountability scoring, and failure type identification are performed by rule-based algorithms designed by our engineering team. These produce consistent, reproducible results.
- Language layer: To translate technical findings into plain-language reports, we use an enterprise-grade large language model from Anthropic (Claude). The AI handles natural language generation only, not the audit logic itself.
Advisory: Query Handling
For Advisory users (Custom GPT, MCP, REST), query handling differs by access surface:
- Custom GPT users: Your query is processed by OpenAI (ChatGPT) before being routed to Truveil's classifier. OpenAI's data handling is governed by its own privacy policy. Truveil receives only the structured tool call (e.g., the query and any jurisdiction parameters).
- MCP and REST users: Your query is sent directly to Truveil's classifier with no third-party language-model intermediary at the input stage.
- Truveil's classifier: Routes the query to the appropriate advisory tool based on intent. The classifier is rule-based and does not use a third-party LLM.
- Truveil's advisory tools: Return regulatory citations and design guidance from our curated framework library. The library is grounded in the public text of the EU AI Act, NIST AI RMF, ISO/IEC 42001, India DPDP Rules 2025, DIFC Regulation 10, and Singapore MGF-GenAI.
Subprocessor Data Protections
Both Anthropic and OpenAI provide enterprise-grade data protections that we rely on for our processing:
- No use of your data to train AI models (per Anthropic's commercial terms; for Custom GPT users, OpenAI's own ChatGPT terms apply, which Truveil does not control)
- Data retention limited to the duration necessary to generate the response
- Industry-standard encryption in transit
- SOC 2 Type II certified processing infrastructure
6. Subprocessors
We use the following subprocessors to deliver the service. Each is bound by a data processing agreement and confidentiality terms.
- Anthropic (United States): Language-layer processing for audit report generation
- OpenAI (United States): Language-layer processing for Custom GPT user queries (applicable only when users access Truveil through ChatGPT)
- Supabase (United States, EU): Database and authentication infrastructure
- Cloudflare (United States): Hosting and content delivery
- Render (United States): API and proxy infrastructure
- Stripe and Razorpay: Payment processing
- Email service providers: Transactional and marketing communications
This list reflects our subprocessors as of the date this Policy was last updated. We will notify users of material changes in advance where required by applicable law.
7. How We Share Your Information
We do not sell your personal information or AI agent logs.
We share information only with:
- Subprocessors listed above, who help us operate the service. All are bound by confidentiality and data protection agreements.
- Legal authorities if required by law, court order, or to protect rights, safety, or property.
- Business transfers: If Truveil is acquired or merged, your information may transfer to the new entity (you will be notified).
8. Data Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. However, no system is perfectly secure, and we cannot guarantee absolute security.
If a data breach occurs, we will notify affected users and relevant authorities within 72 hours where required by law.
9. Data Retention
Retention periods depend on the product surface and the type of data:
- Personal account data (Dashboard and SDK users) is deleted within 30 days of account closure
- AI agent logs (Dashboard and SDK users) are deleted within 30 days of account closure
- Advisory queries from authenticated MCP and REST users are retained for service operation, abuse detection, and quality improvement; they are deleted within 90 days of receipt unless required for an active investigation or legal hold
- Custom GPT query data is not retained by Truveil beyond the duration of the request, since OpenAI handles user identification and conversation state on its side
- Billing records are retained for 7 years for tax and accounting compliance
- Anonymised usage analytics may be retained indefinitely
10. Your Rights
You have the right to:
- Access the information we hold about you
- Correct inaccurate information
- Delete your account and associated data
- Export your data in a portable format
- Object to certain types of processing
- Withdraw consent for processing based on consent
- Lodge a complaint with a supervisory authority
To exercise these rights, contact us at info@truveil.app. We will respond within 30 days. Custom GPT users without a Truveil account may also request deletion of any query data we hold by contacting the same address.
11. International Data Transfers
Your information may be transferred to and processed in different jurisdictions depending on where our cloud infrastructure providers and subprocessors operate. We use appropriate safeguards including Standard Contractual Clauses where applicable to protect international data transfers.
12. Children's Privacy
Truveil is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us information, contact us immediately for deletion.
13. Cookies and Tracking
We use minimal cookies on the Truveil dashboard, only those necessary for authentication and session management. We do not use third-party advertising or analytics cookies that track you across the web. The Custom GPT and MCP surfaces do not place cookies on your device, since they are accessed through their respective host platforms.
14. Region-Specific Notices
For California Residents (CCPA/CPRA)
You have the right to know what personal information we collect, request deletion, opt out of sale (we do not sell), and not be discriminated against for exercising these rights.
For Indian Residents (DPDP Act 2023)
We process your personal data in accordance with the Digital Personal Data Protection Act, 2023. You have the right to access, correct, and delete your personal data, and the right to grievance redressal.
For European Residents (GDPR)
You can contact our data controller at info@truveil.app. You also have the right to lodge a complaint with your local data protection authority.
15. Changes to This Policy
We will notify Dashboard and SDK users of material changes via email or in-app notice at least 30 days before they take effect. Custom GPT users will see updated policy references in the GPT's Privacy Policy URL field; we recommend periodic review when continuing to use the service.
16. Contact Us
For privacy questions or to exercise your rights:
Email: info@truveil.app
© 2026 Truveil. All rights reserved.