Skip to main content
← Back to Home

Privacy Policy

Last updated: June 22, 2026

1. Introduction

Truvene ("AI Board of Directors," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information when you use our service.

2. Who Truvene Is For

Truvene is operated from the United States and is intended for users located in the United States. We do not target our services to, or actively market in, the European Union, the European Economic Area, or the United Kingdom. If you access Truvene from outside the United States, you do so on your own initiative and are responsible for compliance with applicable local laws.

3. Information We Collect

  • Account Information: Email address, name, and authentication credentials when you create an account.
  • Usage Data: Prompts, outputs, selected models, and usage metadata produced while you interact with the service (chat history, council runs, polls, research sessions, and similar product interactions).
  • Uploaded Files & Attachments: Images and PDF documents you choose to upload for use within a chat. For PDF files, we extract the text content so it can be included in your prompt. Uploaded files and any text extracted from them are sent to third-party AI providers (via OpenRouter) to generate your response, on the same basis as your prompts. Do not upload files containing sensitive personal data or other people's confidential information unless you have the rights and a lawful basis to do so.
  • Payment Information: Billing details processed securely through Stripe. We do not store your full credit card number.
  • Operational Logs: Model IDs, token counts, timestamps, credit usage, error/debug metadata, and abuse/security signals (e.g. rate-limit events, admission-control decisions, suspicious patterns). Retained for billing, security, abuse prevention, reliability, and compliance purposes.
  • Technical Data: Browser type, IP address, device information, cookies for service functionality, and first-party attribution data such as referral source or campaign parameters.
  • Personalization Preferences: Optional choices you provide during onboarding — such as your primary use case and whether you use Truvene for work or personal purposes — used to tailor your experience. Provided voluntarily; you can skip them, and they are deleted when you delete your account.

Note on sensitive personal data: You should not submit sensitive personal data (including special categories under GDPR Article 9 — health, biometrics, government IDs, financial account numbers, etc.) unless you have the rights, consent, and a lawful basis to do so. AI outputs may be processed by third-party AI providers to generate your response; do not enter data into Truvene that you would not be comfortable having processed by those providers.

4. How We Use Your Information

  • To provide and improve the AI Board of Directors service.
  • To personalize your experience and understand how Truvene is used — for example, tailoring your first council and analyzing activation by self-reported use case — based on the optional onboarding preferences described above.
  • To process payments and manage your subscription.
  • To send transactional emails (receipts, account updates).
  • To send product lifecycle and update emails (such as onboarding guidance and feature announcements). You can unsubscribe from these at any time using the link in every such email; transactional emails (receipts, security and account notices) will still be sent.
  • To detect and prevent fraud or abuse.

5. AI Model Usage and Training

Your questions and council deliberations are processed through third-party AI models via OpenRouter. Truvene itself does nottrain, fine-tune, or improve any AI models — your inputs are sent to providers solely to generate responses for you, and Truvene does not retain or use them for model training. Each request we send carries the data_collection: ‘deny’ provider directive, which instructs OpenRouter to route only to providers that do not retain prompts non-transiently or use them for model training under OpenRouter’s contractual terms. Provider-side enforcement varies and is governed by each provider’s own privacy policy; opt-out availability and behaviour ultimately depend on the provider.

If you save Custom Instructions (a Shared Context profile, under Settings), that text is stored by Truvene and included with every council run you make while it is enabled — meaning it is transmitted to each AI provider you select on that run, under the same data_collection: ‘deny’ directive described above. You can edit, disable, or clear it at any time in Settings, and it is deleted when you delete your account.

6. Third-Party Services

We use the following third-party services:

  • OpenRouter— LLM gateway / inference. Powers council deliberations by routing your prompts to the AI models you select.
  • Clerk— Authentication. Handles sign-in, sign-up, and session management.
  • Supabase— Secure data storage for your account and conversation history.
  • Stripe— For payment processing and customer billing records. Stripe's privacy policy governs their handling and retention of your payment data.
  • Vercel— Hosting and CDN for the Truvene application.
  • Upstash Redis — Rate-limiting and concurrency controls.
  • Google Workspace — Transactional email (operator notifications via Gmail SMTP).
  • PostHog— We use PostHog for product analytics (page views and feature usage) and limited server-side operational telemetry for billing, refund, webhook, and cron health. Session recording is disabled. You can opt out of analytics by emailing support@truvene.ai.
  • MailerLite— Transactional and lifecycle email. Receives your normalized email address, lifecycle state, and subscription metadata. Processed in the EU/US per MailerLite's data-processing policy.
  • Vercel Analytics — Cookie-less first-party page-view and Web Vitals measurement. No third-party identifiers, no cross-site tracking.
  • Cloudflare Turnstile — Visual bot-deterrence on the signup page, when enabled. The current Clerk-hosted signup flow does not use it as an account-creation enforcement layer.

7. Cookies & Local Storage

We use first-party cookies to keep you signed in, carry your selected plan and offer through signup and checkout, remember how you found us (referral and campaign attribution), and measure product analytics. We do not use third-party advertising cookies. You can opt out of analytics by emailing support@truvene.ai.

We also use your browser's local storage to remember your council configurations, drafts, preferences, and interface state on your device, so the app works smoothly between visits. This local data is cleared when you sign out.

8. Data Retention & Account Deletion

We retain your account data and conversation history for as long as your account is active.

You can delete your account anytime from your billing page (/billing → “More options” → “Delete”). Local browser data deletion is attempted immediately before sign-out. If your browser blocks local storage cleanup, clear site data before using a shared device with another account. Stripe may retain payment and customer records under its own legal, tax, and fraud-prevention obligations. Removal from analytics (PostHog) is processed at the same time as account deletion.

If our automated removal fails, we complete it manually within 30 days.

If you've cancelled and want to fully wipe data, return to /billing (still accessible after cancellation) → “More options” → “Delete”.

9. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Request correction or deletion of your data.
  • Request a portable export of your personal data by emailing support@truvene.ai. We will respond within one month as required by GDPR Article 12(3) (right exercised under Article 20).
  • Withdraw consent where processing is based on consent.
  • Restrict processing while a dispute is being resolved (Art. 18). If you contest the accuracy of your data or the legal basis for our processing, you can ask us to pause processing while we investigate.
  • Object to processing based on legitimate interests (Art. 21). Where we process your data under legitimate interest (e.g. security and fraud prevention), you can ask us to stop. We will honour your request unless we can demonstrate compelling legitimate grounds that override your interests.

10. Children's Privacy

Truvene is not directed to children. You must be at least 18 years old to use the Service, as set out in our Terms of Service. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at support@truvene.ai and we will delete it.

11. California Privacy

We do not sell or share your personal information, and we have not done so in the past twelve months. (“Sell” and “share” have the meanings given under California privacy law; “share” refers to disclosures for cross-context behavioural advertising, which we do not do.)

California residents may exercise the access and deletion rights described in this Policy by contacting support@truvene.ai.

Do Not Track: because there is no industry-standard “Do Not Track” signal, Truvene does not currently respond to Do Not Track browser settings. We do not track you across third-party websites.

12. Contact Us

If you have questions about this Privacy Policy, please contact us at support@truvene.ai.

13. Legal Basis & International Transfers

Data controller: Truvene. For data-protection enquiries, including requests for our registered legal entity name and address, contact support@truvene.ai.

Legal basis under GDPR Article 6, per purpose:

  • Account creation & service delivery — contract performance (Art. 6(1)(b)).
  • Payment processing — contract performance and legal obligation (Art. 6(1)(b) & (c)).
  • Product analytics — legitimate interest (Art. 6(1)(f)) to understand feature usage and improve the service. You can opt out by emailing support@truvene.ai.
  • Security & fraud prevention — legitimate interest (Art. 6(1)(f)).
  • Lifecycle email & transactional email — legitimate interest and contract (Art. 6(1)(b) & (f)).

International data transfers: our subprocessors include OpenRouter, Supabase, Vercel, Stripe, and MailerLite (US-hosted) and PostHog (EU region). When you submit a prompt or upload a file, that content is transmitted via OpenRouter to the AI model providers you select, which may be located in the United States or other countries. Transfers outside the EEA are safeguarded by Standard Contractual Clauses (SCCs) per Art. 46(2)(c).

Supervisory authority: EU and UK users have the right to lodge a complaint with their local data-protection authority (for example, the ICO in the UK).

Automated decision-making: we run a multi-account abuse detector based on hashed payment-method fingerprints. Its results inform manual operator review only — no account is automatically denied or terminated without human review (Art. 22).

Use of prompts for automated decisions about individuals: Truvene does not intentionally use customer prompts to make automated legal, employment, credit, healthcare, insurance, housing, education, immigration, or law-enforcement decisions about individuals. The restricted uses listed in our Terms of Service prohibit customers from using the Service for those purposes.

14. Data Retention

  • Account profile & subscription records — retained while your account is active. When you delete your account, the deletion workflow removes or tombstones local app profile, entitlement, email-contact, and subscription state needed to stop access and provider sync for that account.
  • Chat history (messages, runs) — retained while your account is active unless you delete the chat or delete your account.
  • Uploaded files & extracted text — stored in private storage accessible only through short-lived signed URLs, and retained while the associated chat exists. Deleted when you delete the chat or your account. Abandoned or orphaned uploads are swept automatically.
  • LLM usage ledger — retained 7 years to meet tax and accounting obligations.
  • Webhook event logs — retained as operational evidence for billing, account deletion, provider sync, abuse prevention, and webhook replay safety.
  • Operator audit events — retained indefinitely for fraud and compliance integrity; detached from the deleted user account after account deletion, while non-user operational identifiers needed for fraud, billing, and webhook reconciliation may remain.

Note: age-based retention pruning is a planned follow-up. Current retention is governed by account deletion, explicit chat deletion, and the accounting/compliance needs above.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the “Last updated” date at the top of this page and notify you by email or through the Service. Your continued use of Truvene after the changes take effect constitutes acceptance of the updated Policy.

© 2026 Truvene. All rights reserved.