Privacy Policy
Last updated June 10, 2025
TrustPlane, Inc. ("TrustPlane", "we", "us") provides an AI governance platform that runs within your cloud environment. This Privacy Policy describes how we handle personal data when you visit our websites, interact with our sales and support teams, or use the TrustPlane platform and services (collectively, the "Services").
1. Scope
This policy covers personal data processed by TrustPlane in the context of providing the Services to enterprise customers and prospective customers. When we operate the TrustPlane platform inside your VPC/VNet, you remain the controller of customer data and we act as your processor under the Master Subscription Agreement and Data Processing Addendum ("DPA"). This policy does not apply to data that you process within your own instance of the TrustPlane platform.
2. Data we collect
We collect the following categories of personal data:
- Account & contract data. Names, work email addresses, phone numbers, billing contacts, and contract records provided by you when you request demos, sign agreements, or configure SSO/SCIM.
- Support & operations data. Ticket metadata, call/chat transcripts, audit logs relating to the Services, and configuration metadata necessary to deliver support and managed updates.
- Service telemetry. Platform diagnostics (e.g., API latency, error rates) that you enable for troubleshooting. Telemetry excludes content-level payloads by default and respects residency/BYOK controls.
- Marketing interactions. Website analytics (aggregated and cookie-free by default), campaign responses, and preferences when you subscribe to updates. We do not sell personal data.
3. How we use personal data
- To provide, secure, and support the Services under our contract with you.
- To respond to sales, security, and procurement inquiries that you initiate.
- To maintain our business operations, including billing, accounting, and compliance.
- To send product updates and event invitations, subject to your marketing preferences.
- To detect, prevent, or investigate security incidents and abuse.
4. Legal bases for processing (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract to deliver the Services and fulfill support obligations.
- Legitimate interests for securing our infrastructure, improving the Services, and engaging with enterprise prospects.
- Consent for optional communications or diagnostics that you opt into.
- Legal obligations for accounting, tax, and regulatory compliance.
5. Retention
We retain account and contract data for the duration of our agreement and as required by law (typically seven years for accounting records). Support logs and telemetry are retained for up to 180 days unless you request a shorter period via your DPA or security configuration. Platform artifacts (Action Certificates, policy hashes) remain in your environment under your retention policies.
6. Sharing & sub-processors
We limit disclosures to trusted service providers that help us operate the Services (e.g., cloud hosting, customer support, billing). Sub-processors are documented at trustplane.cloud/security/sub-processors, and updates will be communicated in accordance with your DPA. We may also disclose data to comply with law, enforce agreements, or protect rights. We do not sell or rent personal data.
7. International transfers
TrustPlane is headquartered in the United States. When we transfer personal data from the EEA, UK, or Switzerland to the U.S., we rely on the European Commission’s Standard Contractual Clauses ("SCCs") and the UK Addendum. Signed copies of our DPA and SCCs are available on request via the security contact form.
8. Data subject rights
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or object to our use of your personal data, and to port data. You also have the right to withdraw consent where processing is based on consent. To exercise your rights, contact us at privacy@trustplane.cloud or submit a request via the security contact form. We will verify your identity before fulfilling requests. If we process data on behalf of a customer, we will notify them so they can respond to your request as the controller.
9. Security
We employ administrative, technical, and physical safeguards to protect personal data, including in-VPC deployment options, customer-managed keys (BYOK/KMS), encryption in transit and at rest, access controls, vulnerability management, and incident response procedures detailed on our Security page. Customers retain control over residency, retention, and key management through platform configuration.
10. Children
The Services are enterprise-focused and not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
11. Changes
We may update this policy to reflect operational, legal, or regulatory changes. We will post updates here, revise the "Last updated" date, and provide advance notice of material changes via email or the TrustPlane admin console.
12. Contact
Questions about this policy or our privacy practices can be sent to privacy@trustplane.cloud, or via postal mail to TrustPlane, Inc., 548 Market St PMB 12345, San Francisco, CA 94104. You may also contact our Data Protection Officer through the security contact form.