1. Introduction
TrustChain AI ("we," "our," or "us") operates an AI compliance middleware platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services. Please read this policy carefully.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, organization name, and profile photo (via Clerk authentication). We do not store passwords — authentication is handled by Clerk.
2.2 Usage Data
We collect metadata about API requests routed through our proxy, including: timestamp, provider (OpenAI/Anthropic/Gemini), model name, token counts, compliance score, action taken, and request latency. We store a SHA-256 hash of prompts for deduplication — we do not store raw prompt text.
2.3 Compliance Scan Logs
Our compliance engine scans prompt and response content for PII, security threats, and policy violations. Violation metadata (rule triggered, severity) is stored in audit logs. Detected PII patterns are redacted before storage.
2.4 Billing Information
Payment processing is handled by Stripe. We store your Stripe Customer ID and subscription status. We never store raw card numbers.
2.5 Technical Data
We collect IP addresses, user agents, and HTTP headers for security and rate-limiting purposes.
3. How We Use Your Information
We use collected information to: (a) provide and maintain the TrustChain AI service; (b) process API requests through the compliance engine; (c) generate audit logs and compliance reports; (d) bill for usage and manage subscriptions; (e) improve our compliance rules and detection models; (f) respond to support requests; (g) send transactional notifications (account alerts, billing receipts).
4. Data Retention
- Audit logs are retained for 90 days on the Free plan, 1 year on Starter/Growth, and indefinitely on Enterprise.
- Incident records are retained until manually deleted or your account is closed.
- Account data is deleted within 30 days of account closure.
- Backups may persist for up to 90 additional days after deletion.
5. Data Sharing
We do not sell your data. We share information only with: (a) Infrastructure providers: Supabase (database), Clerk (authentication), Stripe (billing), Upstash (rate limiting) — each bound by their own DPA; (b) LLM Providers: your prompts are forwarded to the AI provider you configure (OpenAI, Anthropic, or Google). We act as a processor on your behalf; (c) Legal requirements: if required by law, court order, or to protect our rights.
6. GDPR Rights (EU/EEA Users)
If you are located in the EU/EEA, you have the right to: access your personal data, correct inaccurate data, request erasure ("right to be forgotten"), restrict processing, data portability, and object to processing. To exercise these rights, email
privacy@trustchain.ai.
7. CCPA Rights (California Users)
California residents may request disclosure of personal information collected, request deletion, and opt out of sale of personal information (we do not sell personal information). Contact:
privacy@trustchain.ai.
8. Security
We implement industry-standard security measures: AES-256-GCM encryption for all stored provider credentials, TLS 1.3 in transit, Row Level Security (RLS) on all database tables, HMAC-SHA256 hashed API keys, rate limiting, and regular security audits. However, no system is 100% secure.
9. International Transfers
Your data is stored on servers in the United States (Supabase). By using TrustChain AI, you consent to this transfer. For EU users, we rely on Standard Contractual Clauses (SCCs) where required.
10. Children
TrustChain AI is not directed at individuals under 18. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be notified via email or an in-app banner. Continued use after changes constitutes acceptance.
12. Contact
For privacy-related questions:
privacy@trustchain.aiTrustChain AI, Inc. — 1 AI Compliance Plaza, San Francisco, CA 94105