
Privacy Policy

Last Updated: February 5, 2026

This Privacy Policy describes how Truvant ("Truvant," "we," "us," or "our") collects, uses, and shares information when you use the Truvant command-line tool, the Trust Intelligence Service, the management console, and the truvant.ai website (collectively, the "Service").

We built Truvant as a security tool, and we take data handling seriously. This policy is written in plain English because we believe you should actually understand what happens with your data.


1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Display name
  • Organization name
  • Identity provider metadata (provider type, tenant identifier)

This information comes from your OIDC identity provider (Google Workspace, Okta, Azure AD/Entra ID, etc.) during authentication.

1.2 Service Usage Data

When you use the Trust Intelligence Service and management console, we collect:

  • Scan metadata: Package names, versions, risk scores, finding categories, finding counts, and timestamps. This is metadata about what was scanned and what was found — not the source code itself.
  • Trust intelligence requests: Remote MCP endpoint URLs you submit for trust scoring, along with the resulting trust scores, TLS configurations, publisher information, and tool classifications.
  • Policy configurations: Security policies and command rules you define for your organization, including allow/deny lists and threshold settings.
  • Audit event data: Command execution decisions (allowed/blocked), the binary name, matched policy rule type, timestamps, hostname, and the calling agent identity. This data is reported by the Truvant agent when you opt into fleet monitoring.
  • Inventory data: MCP servers, plugins, and skills detected on monitored hosts, along with their versions and risk scores.

1.3 Technical and Usage Data

We automatically collect:

  • CLI version and operating system
  • Feature usage patterns (which commands are run, how frequently)
  • Error reports and crash logs
  • IP address (for rate limiting and abuse prevention; not stored long-term)
  • Browser type and device information (for the management console and website)

1.4 Cookies and Similar Technologies

The truvant.ai website and management console use:

  • Session cookies: Required for authentication. These expire when you close your browser or after your session timeout.
  • Authentication tokens: Stored in your browser's local storage to maintain your login session.

We do not use third-party tracking cookies, advertising cookies, or social media pixels.


2. Information We Do NOT Collect

This is important, especially for a security tool:

  • Source code: The Truvant CLI performs all scanning locally on your machine. Your source code, repository contents, file contents, and scanned artifacts are never transmitted to our servers. Scan results sent to the Trust Intelligence Service contain only metadata (package names, finding summaries, scores) — not code.
  • Credentials and secrets: If the CLI's secrets scanner detects hardcoded credentials in a scanned package, the finding metadata reports the presence and type of the secret (e.g., "AWS access key detected at line 42") — not the secret value itself.
  • Command output: The Truvant shim command interception layer logs policy decisions locally on your machine. The actual output of executed commands is not captured or transmitted.
  • Identity provider passwords: We authenticate via OIDC redirect. Your password is entered directly with your identity provider. We never see or store it.

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Deliver trust scores, enforce policies, display dashboards, and manage your organization's security posture
  • Improve the Service: Analyze usage patterns to prioritize features, fix bugs, and improve detection accuracy
  • Maintain security: Detect and prevent abuse, unauthorized access, and fraudulent activity
  • Communicate with you: Send account-related notifications, security alerts, and (with your consent) product updates
  • Comply with legal obligations: Respond to legal requests and enforce our Terms of Service

We do not sell your data. We do not use your data for advertising. We do not share your scan metadata or trust intelligence data with other customers.


4. How We Share Your Information

We share your information only in the following circumstances:

4.1 Within Your Organization

If you are part of an organization on Truvant, administrators of your organization can see:

  • Your account information (name, email)
  • Audit events from hosts you manage
  • Scan results and trust scores associated with your activity
  • Policy compliance status

This is by design — Truvant is an organizational security tool.

4.2 Service Providers

We use the following categories of service providers to operate the Service:

  • Cloud infrastructure (AWS): Hosting, compute, storage, database. Data shared: all service data (encrypted at rest and in transit).
  • Identity providers: Authentication. Data shared: OIDC tokens and user profile data.
  • Payment processor: Billing. Data shared: payment information (we do not store credit card numbers).
  • AI model providers (AWS Bedrock): Trust Intelligence research agent. Data shared: remote MCP endpoint URLs and metadata submitted for analysis.

4.3 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or government request. We will notify you of such requests unless legally prohibited from doing so.

4.4 Business Transfers

If Truvant is acquired, merged, or sells substantially all its assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.


5. Data Retention

We retain your information as follows:

  • Account information: Duration of your account, plus 90 days after deletion
  • Scan metadata and trust scores: Duration of your subscription, plus 90 days
  • Audit event data: 12 months from event date, or duration of subscription (whichever is longer)
  • Policy configurations: Duration of your subscription, plus 30 days
  • Technical/usage data: 12 months
  • Trial data (after downgrade without conversion): 30 days after trial expiration

After the retention period, data is deleted or anonymized. Anonymized, aggregated data (e.g., "X% of scanned MCP servers have high-severity findings") may be retained indefinitely for product improvement and research purposes.


6. Data Security

We protect your data through:

  • Encryption in transit: All data transmitted between the CLI, your browser, and our servers uses TLS 1.3
  • Encryption at rest: Data stored in our databases and object storage is encrypted using AES-256
  • Access controls: Production data access is limited to authorized personnel with a business need
  • Infrastructure security: Our services run on AWS with security groups, private subnets, and IAM role-based access
  • Authentication: All API access requires OIDC-based authentication with short-lived tokens

No system is 100% secure. If we discover a data breach that affects your information, we will notify you within 72 hours in accordance with applicable law.


7. Your Rights and Choices

7.1 All Users

Regardless of where you are located, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data (subject to retention requirements)
  • Export: Request your data in a portable, machine-readable format (JSON)
  • Withdraw consent: Opt out of non-essential communications at any time

To exercise these rights, email privacy@truvant.ai. We will respond within 30 days.


8. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will delete that information promptly.


9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on truvant.ai/privacy with a new "Last Updated" date
  • Sending an email to the address associated with your account (for material changes)

Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.


10. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Truvant
Email: privacy@truvant.ai
Website: https://truvant.ai

For data subject access requests (GDPR, CCPA): privacy@truvant.ai


© 2026 Truvant. All rights reserved.