Privacy Policy
Last updated May 24, 2026
1. Who We Are
The TrustekAI platform (the "Service") is operated by Innovenses Pty Ltd, an Australian proprietary company headquartered in Melbourne, Victoria, trading as TrustekAI ("TrustekAI", "we", "us", "our"). This Privacy Policy explains how we handle personal information collected through trustekai.com, the authenticated application, our APIs, and related communications. Questions about this Policy can be sent to privacy@trustekai.com. Our role under data-protection law is described in Section 2.
2. Our Role: Controller and Processor
We act in two distinct capacities, and your rights differ accordingly:
(a) Controller — for personal information about you that we collect directly to operate the Service: account contact details, authentication metadata, billing information, support correspondence, and product analytics about how you use the Service.
(b) Processor — for "Customer Data" that you, your end users, or your AI agents transmit to or through the Service (telemetry, traces, prompts, model outputs, evaluation results, evidence rows). We process Customer Data only on the documented instructions of the customer organisation that operates the workspace, under the terms of our Data Processing Addendum at /dpa.
Where the substance of this Policy and the DPA differ on the handling of Customer Data, the DPA prevails. This Policy primarily describes our practices as a controller. Section 7 describes our practices as a processor.
3. Scope of This Policy
This Policy applies to the marketing website (trustekai.com), the authenticated TrustekAI application, our REST APIs, the TypeScript SDK, transactional communications we send you, and the endpoint and browser extension agents we distribute. It does not apply to third-party services you choose to integrate (for example, the models and tools your AI agents call), nor to information collected by sub-processors under their own controller relationships with you.
4. Information We Collect
We collect the following categories of personal information:
(a) Account information you provide — name, work email, organisation name, role, and authentication credentials. If you sign in with Google or GitHub, we receive the basic profile fields those providers return for the scopes you authorise (typically name, email, avatar URL, and provider-issued user ID); we do not receive your password.
(b) Workspace and project metadata you configure — agent names, project descriptions, policy and blueprint definitions, API key labels (the key material itself is hashed at rest and never stored in plaintext).
(c) Customer Data routed through the Service — telemetry events, traces, prompts, model outputs, evaluation results, incident records, and compliance evidence. We process this strictly as a processor on your behalf (see Section 7).
(d) Usage and product analytics — pages viewed, features used, API calls, latency, error rates, and similar information generated when you interact with the Service.
(e) Device and diagnostic data — IP address, browser type and version, operating system, time-zone, language, referrer, and crash diagnostics generated by Sentry-style error capture (with PII filtered where reasonably practicable).
(f) Support and sales communications — messages you send to privacy@trustekai.com, sales@trustekai.com, support channels, and similar interactions.
(g) Billing information — for paid plans, the contact and tax details required to issue an invoice. Card numbers are processed by our payment provider; we receive only the last four digits and brand for receipts.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not use Customer Data to train foundation models. We do not maintain advertising profiles about you.
5. How We Use Information
We use personal information to:
• Provide, secure, operate, and improve the Service, including detecting and preventing abuse, fraud, and security incidents;
• Authenticate you, enforce session and rate limits, and maintain audit logs of administrative actions;
• Communicate with you about your account, security advisories, scheduled maintenance, and material product updates;
• Send transactional emails (invitations, magic-link sign-in, exported reports, billing receipts);
• Send infrequent product updates and announcements to administrators (you can opt out of non-essential mail at any time);
• Respond to your requests for support, sales, or legal correspondence;
• Comply with legal obligations (record-keeping, tax, regulator requests, lawful process);
• Establish, exercise, or defend legal claims.
We do not use Customer Data for any purpose other than providing the Service to the customer on whose behalf it was submitted (see Section 7).
6. Legal Bases (EU / UK GDPR)
Where the EU General Data Protection Regulation or the UK GDPR applies, we rely on the following legal bases:
• Contract performance — providing the Service to you (or to your employer) under our Terms of Service or a Master Services Agreement.
• Legitimate interests — securing the Service, preventing abuse, maintaining the integrity of audit trails, conducting limited product analytics, and operating our business. We balance these interests against your rights and apply safeguards (data minimisation, access controls, retention limits).
• Legal obligation — record-keeping, tax, regulatory reporting, and responses to lawful process.
• Consent — where we ask for it explicitly (for example, optional marketing email). You may withdraw consent at any time without affecting prior lawful processing. We do not rely on consent for activity that is necessary to operate the Service you have requested.
7. Customer-Provided Content (Our Processor Role)
Customer Data — telemetry, traces, prompts, model outputs, evaluation results, incidents, and evidence — is processed strictly as a data processor on behalf of the customer organisation that submitted it. Specifically:
• We process Customer Data only on the customer's documented instructions, which are captured in the Service configuration and the executed DPA.
• We do not use Customer Data to train, fine-tune, or otherwise improve foundation models, our own models, or any third-party model, except where the customer has explicitly opted in in writing.
• We do not profile end users of the customer's AI agents for any purpose unrelated to the Service the customer has configured.
• Where Customer Data contains personal information of the customer's end users, the customer is the controller and is responsible for the lawful basis, transparency, and rights handling for those individuals.
• Data subjects whose personal information appears in Customer Data should direct requests to the relevant customer organisation in the first instance; we will assist that organisation in fulfilling the request as required by the DPA.
The DPA at /dpa governs sub-processor obligations, international transfers, breach notification, audit rights, and deletion at end of services for Customer Data.
8. AI Vendors and Model Inference
Some Service features (chat, policy generation, judge evaluations, sentinel analysis) call third-party large-language-model APIs operated by Anthropic and, optionally, OpenAI. When you invoke such a feature, the request body — which may include text you have authored or Customer Data the feature operates on — is transmitted to the relevant vendor under the contractual terms summarised below.
• Both vendors are engaged under enterprise terms that prohibit use of API inputs and outputs to train their models.
• Retention by the vendor for abuse-monitoring is limited per the vendor's API terms (typically up to 30 days, shorter on request for eligible enterprise accounts) and is not used for model training.
• Vendors are listed on the canonical sub-processor register at /subprocessors with current hosting region and data categories.
• Customers on the Enterprise plan can disable specific AI vendors, restrict features to a single approved vendor, or bring their own API keys (BYOK) so that inference runs against the customer's own vendor account.
Features that do not require model inference do not transmit data to these vendors.
9. Sharing of Personal Information
We share personal information only as follows:
(a) Sub-processors — third parties that provide infrastructure, communications, observability, and email-delivery services necessary to operate the Service. Each sub-processor is bound by contractual obligations equivalent to those in our DPA. The complete, canonical list (vendor, purpose, hosting region, data categories) is published at /subprocessors and updated with at least 30 days' notice of additions.
(b) Authorities and legal process — when required by applicable law, court order, or lawful regulatory request, or where necessary to investigate, prevent, or respond to suspected illegal activity, fraud, or threats to the security or integrity of the Service. Where lawful, we challenge overbroad requests and notify the affected customer.
(c) Professional advisers — our auditors, accountants, and legal counsel, under duties of confidence.
(d) Corporate transactions — in connection with a merger, acquisition, financing, or sale of all or substantially all of our assets. Any acquirer will be bound by commitments at least as protective as those in this Policy for previously-collected personal information.
We do not sell personal information, do not share personal information for cross-context behavioural advertising, and do not disclose personal information for the targeted-advertising activities of third parties.
10. International Transfers
We are an Australian company. Our primary hosting region is Australia for customers on the Australia data residency tier; other customers may select hosting in the European Union or the United States (see /subprocessors for current options). Some sub-processors are located in the United States, the European Union, or other jurisdictions. Where personal information is transferred across borders we rely on appropriate safeguards:
• EU and UK transfers — the European Commission's Standard Contractual Clauses (Modules 2 or 3 as applicable) and the UK International Data Transfer Addendum.
• EU-US transfers — where the recipient is certified, the EU-US Data Privacy Framework, including the UK Extension and the Swiss-US framework where relevant.
• Australian transfers — disclosure to overseas recipients complies with Australian Privacy Principle 8 of the Privacy Act 1988 (Cth), including contractual commitments that the recipient handle the information consistently with the Australian Privacy Principles.
Transfer-impact assessments are available to enterprise customers on request.
11. Data Retention
Account information is retained while your account is active and for up to thirty-six (36) months after closure to meet legal, tax, and audit obligations. After that period it is deleted or irreversibly de-identified. Customer Data is retained for the window specified in the customer's subscription — typically 30, 90, or 365 days for telemetry and traces, and seven (7) years for compliance evidence rows. On termination, Customer Data is exportable for thirty (30) days and is then deleted from primary systems within sixty (60) days; encrypted backups are purged on the next regularly-scheduled rotation, within at most thirty-five (35) days thereafter. Aggregated and de-identified data (which cannot reasonably be re-associated with you) may be retained indefinitely for product improvement. Where law requires a longer retention period (for example, tax records or law-enforcement preservation orders), we retain the relevant information for the required period and then delete it.
12. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. Current measures include:
• Encryption in transit (TLS 1.2 or higher) for all customer-facing endpoints;
• Encryption at rest (AES-256) for the primary database and object storage;
• Hashed storage of API keys and passwords (never stored in plaintext);
• Role-based access control with least-privilege defaults and mandatory multi-factor authentication for production access;
• Audit logging of administrative actions, retained for seven (7) years;
• Quarterly access reviews of production systems;
• Annual penetration testing by an independent third party;
• Separation of customer workspaces enforced by organisation-scoped queries on every API route.
No system is impenetrable. We cannot guarantee absolute security, but we are committed to investigating and remediating issues responsibly. Suspected vulnerabilities can be reported to privacy@trustekai.com; we operate under a coordinated-disclosure policy and do not pursue researchers who act in good faith within its terms.
13. Your Rights — General
Subject to applicable law and to verification of your identity, you have the right to:
• Access — request a copy of the personal information we hold about you;
• Correct — ask us to fix information that is inaccurate or incomplete;
• Delete — ask us to delete information, subject to legal retention obligations;
• Restrict or object — ask us to restrict or object to certain processing, including processing based on our legitimate interests;
• Portability — receive certain information in a structured, commonly-used, machine-readable format;
• Withdraw consent — where consent is the legal basis, withdraw it without affecting prior lawful processing;
• Lodge a complaint — with a competent supervisory authority (see Sections 14 and 15).
To exercise a right, contact privacy@trustekai.com. We will respond within the period required by applicable law (one calendar month under the EU and UK GDPR, extendable by two further months for complex requests; 45 days under the CCPA/CPRA, extendable once by 45 days; reasonable time under the Australian Privacy Act). We do not charge a fee for routine requests but may charge a reasonable fee for manifestly unfounded or excessive requests.
Where personal information appears in Customer Data, the relevant customer organisation is the controller; please direct your request to that organisation. We will assist the customer as described in Section 7.
14. Your Rights — California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you additional rights. We disclose the following for the preceding 12 months:
Categories of personal information collected — identifiers (name, email, IP address, organisation, provider-issued IDs), commercial information (subscription history), internet activity (usage and product analytics), professional information (role/title), and inferences drawn from the above to operate the Service. We collect sensitive personal information only as needed to authenticate you (account credentials) and do not use it for purposes outside the limits in Cal. Civ. Code § 1798.121.
Sources — directly from you, from authentication providers you connect, and automatically from your interactions with the Service.
Purposes — as described in Section 5.
Disclosures for a business purpose — to sub-processors listed at /subprocessors, to professional advisers, and to authorities as described in Section 9. We do not sell personal information and do not share personal information for cross-context behavioural advertising.
Your rights — to know, access (including a portable copy), correct, delete, limit the use of sensitive personal information, and opt out of sale or sharing. You may also designate an authorised agent. We will not discriminate against you for exercising these rights.
Global Privacy Control — we honour browser signals that communicate an opt-out preference, such as the Global Privacy Control (GPC), as a valid opt-out of sale and sharing where applicable to the browser context in which the signal is received.
To exercise a right, email privacy@trustekai.com from the address associated with your account or use the in-product "Privacy request" form. We verify identity using account-control signals (the email on file plus a one-time code) and, where the request is sensitive, additional attestations.
15. Your Rights — Australian Residents
If you are an Australian resident, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to our handling of your personal information.
• APP 1 (open and transparent management) — this Policy, the DPA, and the sub-processor register are the open-and-transparent documents covering our practices.
• APP 6 (use and disclosure) — we use and disclose personal information only for the primary purpose for which it was collected and related secondary purposes you would reasonably expect, except where authorised by law.
• APP 8 (cross-border disclosure) — addressed in Section 10.
• APP 11 (security) — addressed in Section 12.
• APP 12 / 13 (access and correction) — exercisable as described in Section 13.
Notifiable Data Breaches scheme — we comply with Part IIIC of the Privacy Act and will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of any eligible data breach as required, in addition to our 72-hour contractual breach-notification SLA to customers (see Section 17).
Complaints — if you have a privacy complaint, please contact privacy@trustekai.com first so that we can investigate and respond within thirty (30) days. If you are not satisfied with our response, you may lodge a complaint with the OAIC at oaic.gov.au.
16. Automated Decision-Making and AI Sentinels
We do not make decisions about you (the user of our Service) that produce legal or similarly significant effects based solely on automated processing within the meaning of Article 22 of the GDPR.
The Service includes "Sentinel" AI agents that analyse Customer Data to detect drift, PII exposure, cost anomalies, security threats, and compliance gaps. Where these agents process personal information contained in Customer Data:
• The customer organisation is the controller and is responsible for the legal basis, transparency, and any rights-handling obligations toward the affected individuals;
• Sentinel outputs are surfaced to human reviewers; the Service does not autonomously enforce binding decisions against end users without a human-configured policy doing so;
• Customers can configure suppression rules, scope limits, and human-in-the-loop review thresholds for each sentinel.
If you are an end user of a customer's AI agent and want to understand the decision-making applied to you, contact the customer organisation in the first instance.
17. Personal Data Breach Notification
For incidents affecting Customer Data, we notify the affected customer without undue delay and in any case within seventy-two (72) hours of becoming aware of a personal data breach, as required by our DPA. Notifications include the nature of the breach, the categories and approximate number of affected data subjects and records, likely consequences, and the measures taken to address the breach. For incidents affecting personal information for which we are the controller (for example, account credentials), we notify affected individuals where required by law without undue delay and consistent with the EU/UK GDPR, the CCPA, and the Australian Notifiable Data Breaches scheme. Suspected or confirmed breaches can be reported to privacy@trustekai.com.
18. Cookies and Similar Technologies
The marketing website uses essential cookies and similar storage for session management, security (including CSRF protection), and load balancing. The authenticated application uses cookies and browser storage strictly to operate the Service — authentication tokens, organisation/workspace context, UI preferences, and in-product diagnostics. We do not use third-party advertising cookies, cross-site tracking pixels, or analytics that profile you across unrelated sites. We do not place cookies that require consent under the EU ePrivacy Directive beyond those strictly necessary for the Service you have requested, except where a cookie banner is presented and your choice is recorded. We honour the Global Privacy Control (GPC) signal as described in Section 14. We treat browser "Do Not Track" signals as advisory; because we do not engage in tracking that would be limited by DNT, no change to our behaviour is required. You can clear cookies through your browser settings; doing so will sign you out and reset in-product preferences.
19. Children's Privacy
The Service is intended for use by organisations and their adult personnel. It is not directed to individuals under sixteen (16) years of age, and we do not knowingly collect personal information from children. If you believe we may have collected personal information from a child, contact privacy@trustekai.com and we will delete the information promptly.
20. Accessibility
Our accessibility commitments — including the standards we target, how to report a barrier, and our response timelines — are published at /accessibility. Privacy requests can be submitted in alternative formats on request to privacy@trustekai.com.
21. Changes to This Policy
We may update this Policy from time to time. The current version is always available at this URL, and the "Last updated" date at the top reflects the effective date. Material changes will be notified to active customers by email and by an in-product notice at least thirty (30) days before they take effect. Non-material changes (clarifications, typographical corrections, address updates) take effect on posting. Prior versions are available on request to privacy@trustekai.com.
22. Contact and Complaints
Privacy contact — questions, rights requests, and complaints can be sent to privacy@trustekai.com.
Postal address — Innovenses Pty Ltd, Melbourne, Victoria, Australia. The current registered office is available on the Australian Securities and Investments Commission (ASIC) register.
Supervisory authorities — where you have the right to lodge a complaint with a supervisory authority, you may contact: the Office of the Australian Information Commissioner (oaic.gov.au) for Australian residents; the data-protection authority in your country of residence or alleged infringement for EU residents; the Information Commissioner's Office (ico.org.uk) for UK residents; or the California Privacy Protection Agency (cppa.ca.gov) for California residents. We encourage you to contact us first so that we can attempt to resolve the matter directly.