Privacy Policy

Keeptrusts is operated from Barcelona, Catalonia, Spain. Formal business entity registration is in progress; this policy will be updated with full registration details, including company form and tax identification number, when available. In the meantime, the data controller can be reached at the contact details listed at the end of this policy.

This Privacy Policy explains how Keeptrusts handles personal information when you visit our website, request a demo, create or use an account, or interact with our documentation, console, chat workbench, APIs, and support channels.

Keeptrusts acts as a controller for website analytics, commercial contacts, billing records, support operations, and platform security data. When enterprise customers send prompts, responses, or files through the product under a signed agreement, Keeptrusts processes that information on the customer's behalf as a processor, according to the applicable order form, DPA, or service terms.

The information we collect depends on how you use Keeptrusts. Some data is provided directly by you, some is generated by your administrators, and some is collected automatically to operate and secure the service.

• Identity and account data such as name, work email, company, role, authentication settings, and account status.
• Commercial and onboarding data such as contact-sales submissions, deployment preferences, evaluation notes, contract records, and billing contacts.
• Service activity data such as audit events, gateway decisions, configuration changes, support messages, security logs, and usage telemetry.
• Content processed through the platform such as prompts, model responses, files, metadata, policy decisions, and knowledge references, subject to customer configuration and retention settings.
• Website and device data such as IP address, browser details, referral pages, cookie preferences, and interaction data needed for analytics, fraud prevention, and site reliability.

Keeptrusts uses personal information for the purposes and legal bases described below.

• Contractual necessity (Art. 6(1)(b) GDPR): Authenticate users, provision workspaces, enforce access control, route AI traffic, evaluate policy, store audit history, deliver product features requested by the customer, and process transactions.
• Legitimate interest (Art. 6(1)(f) GDPR): Respond to support tickets, security inquiries, and contact-sales requests; detect abuse, investigate incidents, prevent fraud, and protect the platform and our customers; measure product usage, debug failures, plan capacity, and improve product quality; send operational notices and service updates.
• Consent (Art. 6(1)(a) GDPR): Website analytics via Google Analytics 4 (GA4), which is only activated after explicit consent through the cookie banner. You can withdraw consent at any time via the Cookie Preferences control in the site footer.
• Legal obligation (Art. 6(1)(c) GDPR): Retain records required by tax, accounting, anti-fraud, or other applicable laws; respond to lawful government requests.
• Where permitted and with a separate opt-in, we may send relevant marketing communications. You can opt out at any time using the unsubscribe link in those communications.

We do not publish customer content for advertising purposes. We may disclose information to service providers and subprocessors that help us run the platform, to model providers selected by a customer, to professional advisers, and where required by law.

• Infrastructure, hosting, analytics, support, payment, and email delivery vendors acting under contract.
• Third-party AI or storage providers configured by the customer or required by a selected feature path.
• Affiliates, acquisition counterparties, or financing partners involved in a corporate transaction, subject to appropriate confidentiality controls.
• Government authorities, regulators, or courts where disclosure is legally required or necessary to protect rights, safety, or platform integrity.

Keeptrusts is operated from the European Economic Area (Spain). When we transfer personal information to countries outside the EEA, UK, or Switzerland that do not benefit from an adequacy decision by the European Commission, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the primary transfer mechanism.

Personal information may be transferred to the United States (for cloud infrastructure and AI provider routing where configured by the customer) and to other countries where our subprocessors operate. A copy of the applicable SCCs or other transfer safeguards is available on request by contacting privacy@keeptrusts.com.

For additional information about our approach to transatlantic transfers, see the International Data Transfer Policy page on this website.

Keeptrusts retains personal information only for as long as necessary for the purposes described in this policy or as required by law. The following criteria determine retention periods:

• Account and identity data: retained for the duration of the account relationship plus up to 12 months after deletion to support re-activation requests and security investigations.
• Contact-sales submissions and commercial records: retained for up to 3 years from last interaction, or longer where required by tax or accounting obligations.
• Audit events and gateway decision logs: retained according to customer-configured retention windows, with a default of 90 days. Customers can configure shorter or longer periods.
• Website analytics data: retained for up to 14 months (the GA4 default), subject to consent.
• Support messages and security logs: retained for up to 2 years to support ongoing investigations and product improvement.
• Cookie consent preferences: stored locally in your browser (localStorage) and not transmitted to our servers.

We use technical and organizational safeguards designed for enterprise AI workloads, including encryption in transit (TLS), encryption at rest for sensitive stores (AES-GCM-SIV), role-based access control, audit logging, session controls, and environment isolation. No service can promise absolute security, so incident response and continuous review remain part of our operating model.

Depending on your location and the role Keeptrusts plays for the relevant data, you may have the following rights under the GDPR and other applicable data protection laws:

• Access: request a copy of the personal information we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure: request deletion of your personal information where there is no compelling reason for continued processing.
• Restriction: request that we limit the processing of your data in certain circumstances.
• Data portability: receive your data in a structured, commonly used, machine-readable format.
• Objection: object to processing based on legitimate interest, including direct marketing.
• Withdraw consent: where processing is based on consent (e.g. analytics), you can withdraw consent at any time via the Cookie Preferences control or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Lodge a complaint: you have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain (www.aepd.es).

You can submit privacy requests at privacy@keeptrusts.com. We may need to verify identity or organizational authority before completing a request. When Keeptrusts acts as a processor on behalf of an enterprise customer, requests regarding prompts, responses, files, or user activity records may need to be directed to that customer first.

Keeptrusts does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals as described in Art. 22 GDPR. The policy enforcement gateway applies deterministic, rule-based evaluations configured by the customer — it does not autonomously make decisions about individuals.

Keeptrusts has not appointed a Data Protection Officer at this time. As the organization grows, this position will be assessed in accordance with Art. 37 GDPR. For all data protection inquiries, contact privacy@keeptrusts.com.

We may update this policy from time to time. Material changes will be communicated through the website and, where appropriate, by email. The 'Last updated' date at the top of this page reflects the most recent revision.

If you have questions about this policy, contact privacy@keeptrusts.com. For contract, legal, or security matters, contact legal@keeptrusts.com or security@keeptrusts.com as appropriate.