Privacy Policy
Last updated: June 28, 2026
1. Who We Are
Truvyx (“we”, “us”, “our”) operates the Truvyx platform at truvyx.com — a multi-agent AI evaluation and diagnostic intelligence platform. For the purposes of applicable data protection law, Truvyx is the data controller for personal data collected through this platform.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have over it. It applies to all users of the platform, regardless of plan.
2. Information We Collect
2a. Account Registration Data
When you create an account via Google OAuth, GitHub OAuth, or email and password, we collect: your email address, display name, and profile image URL (where provided by the identity provider). For email/password accounts, we store a one-way bcrypt hash of your password — your raw password is never stored or transmitted after the initial hash is computed.
2b. Onboarding and Profile Data
During onboarding, you provide your organisation name and a self-identified user type (e.g. AI Engineer, Researcher, Founder). This data is used to personalise your experience and inform product development. Your user type is also shared with our email marketing provider when you subscribe to our mailing list.
2c. Content Data
We store all content you create within Truvyx, including: scenarios, constraints, decompositions, evaluation run configurations and results, root-cause analysis reports, audit records, verifier definitions, monitoring configurations, and any other inputs or outputs you generate using the platform. This content may contain information about AI systems, agent behaviours, or evaluation environments that you choose to define.
2d. Usage and Interaction Data
We log your interactions with the platform, including: pages visited, features used, API endpoints called, timestamps of actions, evaluation run initiation and completion events, and error events. This data is used for service improvement, debugging, abuse detection, and billing verification.
2e. Device and Technical Data
We automatically collect technical data when you access the platform, including: IP address, browser type and version, operating system, referring URL, and session duration. This data is used for security monitoring, performance optimisation, and fraud detection. IP addresses are stored for a maximum of 90 days in access logs.
2f. API Usage Data
When you access Truvyx via the API, we log the API key identifier (not the raw key value), endpoint called, request timestamp, response status code, and approximate data volume. This is used for rate limiting, billing, and security monitoring.
2g. Communications Data
If you contact us by email, we retain the content of that communication and your contact details to respond to your enquiry and for internal record-keeping. We do not use inbound communications for marketing purposes without your consent.
2h. Marketing Interaction Data
If you interact with our marketing communications (emails or advertisements), we may collect data about whether you opened an email, clicked a link, or interacted with a retargeting advertisement. See Section 6 (Cookies and Tracking) for details on how advertising pixels operate.
3. Legal Basis for Processing (GDPR)
If you are located in the EU or EEA, we rely on the following legal bases under the General Data Protection Regulation (GDPR):
- Contract performance — processing your account data, content data, and usage data to provide the platform services you have signed up for.
- Legitimate interests — processing technical and usage data for security, fraud prevention, abuse detection, service improvement, and aggregate analytics. We have assessed that these interests are not overridden by your rights and freedoms.
- Legal obligation — retaining certain records to comply with tax, financial, and regulatory obligations.
- Consent — sending marketing emails and using advertising/retargeting cookies and pixels. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
4. How We Use Your Information
- To create and maintain your account and provide the features of the Truvyx platform.
- To send transactional emails: account verification, password reset, member invitations, evaluation completion notifications, billing receipts, and security alerts.
- To send marketing emails about product updates, new features, events, and offers — only to users who have opted in. You may unsubscribe at any time via the link in any marketing email.
- To run retargeting campaigns on platforms including Meta (Facebook/Instagram) and Google Ads, where you have not opted out of advertising cookies.
- To detect, investigate, and prevent fraud, security incidents, and violations of our Terms of Service and Acceptable Use Policy.
- To enforce our Terms of Service and Acceptable Use Policy.
- To comply with applicable legal obligations, including responding to valid legal process from law enforcement or regulatory authorities.
- To generate aggregated, anonymised analytics to understand how the platform is used and to improve it. This data cannot identify you.
- To communicate with you about changes to the platform, these policies, or your account.
We do not sell your personal data. We do not use your evaluation scenarios, agent outputs, or constraint definitions to train, fine-tune, or evaluate any AI or machine learning model.
5. Third-Party Sub-Processors
We share personal data with the following sub-processors to deliver the service. All sub-processors are contractually required to process data only as directed by us and to implement appropriate technical and organisational security measures.
- Neon — PostgreSQL database hosting (US East region). Stores all account, content, and platform data. Neon is SOC 2 Type II certified.
- Vercel — Application hosting, serverless function execution, and CDN. Processes all web traffic and server-side requests. Vercel is SOC 2 Type II certified.
- Resend — Transactional and marketing email delivery. Receives email address, display name, and user type for marketing list management. You may unsubscribe at any time.
- Google (OAuth) — If you sign in with Google, Google provides your email, name, and profile picture to Truvyx. Google's processing of your sign-in is governed by Google's Privacy Policy.
- GitHub (OAuth) — If you sign in with GitHub, GitHub provides your email and profile data to Truvyx. GitHub's processing is governed by GitHub's Privacy Policy.
- OpenRouter / Groq — LLM inference for AI-assisted features (NL-to-spec generation, inline verifier, RCA suggestions). Only the specific prompt content required for the requested feature is transmitted — your account data, full scenario catalogue, and evaluation history are not shared. Inference providers process this data transiently and do not retain it to train their models under our agreements.
- Meta (Facebook/Instagram) — Advertising pixel and retargeting. Receives hashed event data (page views, registration completions) for the purpose of measuring ad performance and showing Truvyx advertisements to users who have visited our platform. See Section 6 for opt-out instructions.
- Google Ads / Google Analytics — Advertising and analytics. Receives page view and conversion events for ad performance measurement and audience creation. See Section 6 for opt-out instructions.
6. Cookies and Tracking Technologies
Session Cookie
We use a single authentication session cookie (__Secure-authjs.session-token on HTTPS) to keep you logged in. This cookie is strictly necessary for the service to function. It is HttpOnly (inaccessible to JavaScript), Secure (transmitted only over HTTPS), and SameSite=Lax. It expires after 30 days of inactivity. We do not use this cookie for advertising purposes.
Analytics and Advertising Cookies
We use the following third-party tracking technologies for analytics and advertising. These are loaded only if you have not opted out:
- Meta Pixel — a JavaScript tag provided by Meta Platforms that tracks page views and conversion events (such as completing registration). It enables us to measure the effectiveness of Meta advertisements and to build retargeting audiences. Meta may combine this data with data it holds about you from other sources.
- Google Analytics / Google Ads Tag (gtag.js) — measures website traffic patterns and ad conversion events. Google may use this data in accordance with Google's Privacy Policy to personalise advertising across its network.
Opt-Out
You can opt out of advertising cookies at any time by:
- Using your browser's cookie settings to block third-party cookies.
- Installing browser opt-out extensions such as Google Analytics Opt-out Browser Add-on or Facebook Off-Facebook Activity controls.
- Enabling Global Privacy Control (GPC) or Do Not Track in your browser (we honour GPC signals).
- Emailing privacy@truvyx.com to request that we exclude you from retargeting.
Opting out of advertising cookies does not affect your use of the platform. The authentication session cookie cannot be disabled without logging you out.
7. International Data Transfers
Truvyx is operated from the United Kingdom. Our primary data infrastructure (Neon, Vercel) is hosted in the United States. When we transfer personal data from the UK or EU/EEA to the United States or other third countries, we rely on appropriate transfer mechanisms including:
- UK International Data Transfer Agreements (IDTAs) with sub-processors.
- Standard Contractual Clauses (SCCs) approved by the European Commission for EU-to-third-country transfers.
- Transfers to sub-processors certified under the EU-US Data Privacy Framework where applicable.
You may request a copy of the relevant transfer mechanisms by contacting privacy@truvyx.com.
8. Data Retention
- Active accounts: We retain personal data and content data for as long as your account is active.
- After account deletion: All personal data and content data (scenarios, runs, reports, etc.) are deleted within 30 days of account deletion, except where retention is required by law or legitimate business obligation.
- Signed audit records: Cryptographically signed audit records that you have explicitly certified may be retained beyond account deletion if required by your organisation's compliance obligations. We will retain these only upon your written request and for the period you specify, up to a maximum of 7 years.
- Access logs: Server access logs (including IP addresses) are retained for 90 days for security monitoring, then deleted.
- Financial records: Billing and payment records are retained for 7 years to comply with UK tax law.
- Marketing data: Email marketing subscription records are retained until you unsubscribe or request deletion, plus 30 days to process opt-outs through our mailing system.
9. Your Rights
Rights Under GDPR (EU/EEA and UK)
If GDPR or UK GDPR applies to you, you have the following rights:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete personal data.
- Right to erasure: request deletion of your personal data where we no longer have a legal basis to retain it.
- Right to restriction: request that we restrict processing of your data in certain circumstances.
- Right to data portability: request a machine-readable copy of the data you provided to us, where technically feasible.
- Right to object: object to processing based on legitimate interests, including direct marketing. We will stop processing for direct marketing immediately upon objection.
- Rights related to automated decision-making: see Section 11.
To exercise these rights, email privacy@truvyx.com. We will respond within 30 days (extendable to 90 days in complex cases, with notice). We may need to verify your identity before processing the request. You also have the right to lodge a complaint with your national data protection authority (e.g. the ICO in the UK: ico.org.uk).
Rights Under CCPA (California Residents)
California residents have the following rights under the California Consumer Privacy Act (CCPA):
- Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to delete: request deletion of personal information, subject to certain exceptions.
- Right to opt out of sale or sharing: We do not sell personal information. We do share limited data with advertising partners (Meta, Google) for retargeting. To opt out of this sharing, use the opt-out methods in Section 6.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, email privacy@truvyx.com with the subject “CCPA Request”.
10. Children's Privacy
Truvyx is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact privacy@truvyx.com.
11. Automated Decision-Making
We use automated processing for the following limited purposes: (a) fraud and abuse detection based on account behaviour patterns; (b) rate limiting and quota enforcement. These processes may result in automatic throttling or flagging of accounts.
We do not make decisions that produce significant legal or similarly significant effects on individuals solely by automated means without human review. If you believe an automated decision has incorrectly flagged your account, please contact support@truvyx.com for a human review.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include: TLS encryption for all data in transit, encryption at rest for database storage, HttpOnly and Secure flags on authentication cookies, role-based access controls within the platform, hashed storage of passwords, and API key management controls. For full details, see our Security page.
No security system is impenetrable. We cannot guarantee absolute security of your data. If a security breach occurs that affects your personal data, we will notify you and relevant regulators as required by applicable law.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law. We will notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms. Notifications will be sent to the email address registered to your account and will include: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences of the breach, and the measures we have taken or propose to take to address it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address and by prominent in-app notice at least 14 days before changes take effect. The “Last updated” date at the top of this page indicates the most recent revision. Your continued use of the service after the effective date constitutes your acceptance of the updated policy.
Contact
Data protection and privacy enquiries: privacy@truvyx.com
General support: support@truvyx.com
For UK GDPR purposes, our representative can be reached at the address above. We are not currently required to appoint a Data Protection Officer, but our privacy team handles all data protection enquiries.