1. Controller identity and scope
The website identifies Keeptrusts as operating from Barcelona, Catalonia, Spain, but the formal legal operator name, full service address, tax identification number, and any applicable registration details have not yet been supplied for publication. Until those details are published, the controller-identity part of this notice remains incomplete. Privacy questions can be sent to the contact address listed at the end of this policy.
This Privacy Policy explains how Keeptrusts handles personal information when you visit our website, request a demo, create or use an account, or interact with our documentation, console, APIs, and support channels.
Keeptrusts acts as a controller for website analytics, commercial contacts, billing records, support operations, and platform security data. When enterprise customers send prompts, responses, or files through the product under a signed agreement, Keeptrusts processes that information on the customer's behalf as a processor, according to the applicable order form, DPA, or service terms.
2. Information we collect
The information we collect depends on how you use Keeptrusts. Some data is provided directly by you, some is generated by your administrators, and some is collected automatically to operate and secure the service.
- Identity and account data such as name, work email, company, role, authentication settings, and account status.
- Commercial and onboarding data such as contact-sales submissions, deployment preferences, evaluation notes, contract records, and billing contacts.
- Service activity data such as audit events, gateway decisions, configuration changes, support messages, security logs, and usage telemetry.
- Content processed through the platform such as prompts, model responses, files, metadata, and policy decisions, subject to customer configuration and retention settings.
- Website and device data such as IP address, browser details, referral pages, cookie preferences, and interaction data needed for analytics, fraud prevention, and site reliability.
3. How and why we use information
Keeptrusts uses personal information for the purposes and legal bases described below.
- Contractual necessity (Art. 6(1)(b) GDPR): Where you are personally a party to a contract with Keeptrusts, or ask us to take steps before entering one, process the personal information objectively necessary to perform that contract or take those requested steps.
- Legitimate interest (Art. 6(1)(f) GDPR): Where an organization is the customer, authenticate its authorized users, provision and administer workspaces, enforce access control, deliver requested product features, and process business transactions; respond to support tickets, security inquiries, and contact-sales requests; detect abuse, investigate incidents, prevent fraud, and protect the platform and our customers; measure product usage, debug failures, plan capacity, improve product quality, and send operational notices. We assess these interests against the rights and freedoms of affected individuals.
- Consent (Art. 6(1)(a) GDPR): Website analytics via Google Analytics 4 (GA4), which can load directly from the configured measurement ID, an optional Google Tag Manager (GTM) container, and Microsoft Clarity session analytics. These services are activated only after explicit consent through the cookie banner. Your consent choice applies to both keeptrusts.com and docs.keeptrusts.com and can be withdrawn at any time via the Cookie Preferences control in the site footer. No advertising, remarketing, or ad-personalization features are enabled.
- Legitimate interest (Art. 6(1)(f) GDPR): Google Search Console and Bing Webmaster Tools are used to monitor search-engine visibility, indexing status, and crawl performance for keeptrusts.com and docs.keeptrusts.com. These operator-facing tools do not inject client-side scripts into Keeptrusts pages or set cookies from those pages. They provide aggregated search-performance and crawl/indexing reports rather than direct visitor identifiers. To the extent this operational reporting involves personal data, Keeptrusts relies on its legitimate interest in site reliability and optimization.
- Legal obligation (Art. 6(1)(c) GDPR): Retain records required by tax, accounting, anti-fraud, or other applicable laws; respond to lawful government requests.
- Customer instructions (processor role): When Keeptrusts processes prompts, responses, files, or related service data on behalf of an enterprise customer, that customer determines the purposes and legal basis for the processing, and Keeptrusts processes the data under the governing agreement and documented instructions.
- Where permitted and with a separate opt-in, we may send relevant marketing communications. You can opt out at any time using the unsubscribe link in those communications.
4. Sharing and disclosure
We do not publish customer content for advertising purposes. We may disclose information to service providers and subprocessors that help us run the platform, to model providers selected by a customer, to professional advisers, and where required by law.
- Infrastructure, hosting, analytics, support, payment, and email delivery vendors acting under contract, including Google services (Google Analytics 4, Google Tag Manager when configured, and Google Search Console), Microsoft services (Microsoft Clarity session analytics and Bing Webmaster Tools), and cloud hosting providers. The contracting entity depends on the applicable service terms and customer location.
- Third-party AI or storage providers configured by the customer or required by a selected feature path.
- Affiliates, acquisition counterparties, or financing partners involved in a corporate transaction, subject to appropriate confidentiality controls.
- Government authorities, regulators, or courts where disclosure is legally required or necessary to protect rights, safety, or platform integrity.
5. International transfers
Keeptrusts is operated from the European Economic Area (Spain). The applicable transfer mechanism depends on the data's origin, destination, recipient, and governing agreement. For restricted transfers, safeguards may include the European Commission's Standard Contractual Clauses for EEA data, the UK International Data Transfer Agreement or UK Addendum for UK data, and recognized Swiss safeguards or adapted clauses for Swiss data, together with any required transfer assessment.
Personal information may be transferred to the United States (for cloud infrastructure and AI provider routing where configured by the customer) and to other countries where our subprocessors operate. Information about the applicable contractual or other transfer safeguard is available on request by contacting privacy@keeptrusts.com.
For additional information about our approach to transatlantic transfers, see the International Data Transfer Policy page on this website.
Google Analytics 4 data may be processed in the United States and other Google data center locations, subject to Google's data processing terms and, where applicable, Standard Contractual Clauses. Microsoft Clarity session data may be processed in the United States, subject to Microsoft's data processing terms and applicable transfer safeguards. Google Search Console and Bing Webmaster Tools provide aggregated search-performance and crawl/indexing reports without direct visitor identifiers.
6. Retention
Keeptrusts retains personal information only for as long as necessary for the purposes described in this policy or as required by law. The following criteria determine retention periods:
- Account and identity data: retained while the relevant account or organization relationship is active and then according to the applicable account- or organization-closure workflow, security needs, legal obligations, and legal holds. Data is deleted or redacted when the applicable workflow completes unless another documented purpose requires continued retention.
- Contact-sales submissions and commercial records: retained while an inquiry or customer relationship is active and afterward according to follow-up needs, applicable limitation periods, tax or accounting duties, disputes, and legal holds.
- Audit events and gateway decision logs: retention depends on the owning store and deployment configuration. Current managed schemas include 365-day defaults for trail configuration and the gateway-event store, but this is not a universal or self-service customer setting; a governing agreement or operator-managed deployment may define a different period.
- Website analytics data: for standard GA4 properties, user-level and event-level retention is configured to either 2 or 14 months; the applicable property setting governs, subject to consent. Microsoft Clarity playback data is retained for 30 days; labeled or favorited sessions, click data, and heatmap data are retained for 9 months under Microsoft's current Clarity retention documentation.
- Support messages and security logs: retained while a request or incident is active and afterward according to investigation needs, recurrence analysis, applicable limitation periods, legal obligations, disputes, and legal holds.
- Cookie consent preferences: stored in a .keeptrusts.com browser cookie for up to 365 days and mirrored in localStorage as a rendering cache. The cookie may accompany requests to hosts within its configured domain scope.
7. Security
We use technical and organizational safeguards designed for enterprise AI workloads, including encryption in transit (TLS), encryption at rest for sensitive stores (AES-GCM-SIV), role-based access control, audit logging, session controls, and environment isolation. No service can promise absolute security, so incident response and continuous review remain part of our operating model.
8. Your rights
Depending on your location and the role Keeptrusts plays for the relevant data, you may have the following rights under the GDPR and other applicable data protection laws:
- Access: request a copy of the personal information we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal information where there is no compelling reason for continued processing.
- Restriction: request that we limit the processing of your data in certain circumstances.
- Data portability: receive your data in a structured, commonly used, machine-readable format.
- Objection: object to processing based on legitimate interest, including direct marketing.
- Withdraw consent: where processing is based on consent (e.g. analytics), you can withdraw consent at any time via the Cookie Preferences control or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Lodge a complaint: you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain (www.aepd.es), or another competent supervisory authority.
You can submit privacy requests at privacy@keeptrusts.com. We may need to verify identity or organizational authority before completing a request. When Keeptrusts acts as a processor on behalf of an enterprise customer, requests regarding prompts, responses, files, or user activity records may need to be directed to that customer first.
9. Automated decision-making
Keeptrusts does not use personal information for automated decision-making or profiling that produces legal or similarly significant effects on individuals as described in Art. 22 GDPR. Customer-configured gateway policies can combine deterministic rules with model- or service-assisted checks; customers remain responsible for deciding whether and how resulting policy outcomes affect individuals.
10. Data Protection Officer
The operator has not supplied a completed assessment of whether a DPO designation is required under the Article 37 criteria, or any DPO contact details, for publication. The assessment must be based on the nature, scope, context, and purposes of the relevant processing and any applicable legal requirements, rather than organizational growth. Keeptrusts will publish the DPO's contact details if applicable. Until then, direct data protection inquiries to privacy@keeptrusts.com.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated through the website and, where appropriate, by email. The 'Last updated' date at the top of this page reflects the most recent revision.
12. Contact us
If you have questions about this policy, contact privacy@keeptrusts.com. For contract, legal, or security matters, contact legal@keeptrusts.com or security@keeptrusts.com as appropriate.