Privacy Policy

Last updated: 2026-06-01

Thoth-ATO — Privacy Policy

Effective Date (target): June 9, 2026


Summary. We are IntegratedVS LLC. We operate Thoth-ATO, an AI engineering co-pilot. This Privacy Policy explains what personal data we collect, why we collect it, how we share it, how long we keep it, and what rights you have. We have written it to satisfy the disclosure obligations of the EU General Data Protection Regulation, the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act, the California Online Privacy Protection Act, the Delaware Online Privacy and Protection Act, and the U.S. Children's Online Privacy Protection Act. Where one regime is stricter than another, the stricter rule applies to the relevant data and users.


1. Information We Collect

We collect the following categories of personal data:

1.1 Account Information

Provided by you when you sign up or update your profile:

  • Name
  • Email address
  • Hashed password (we never store plaintext passwords; we use bcrypt with a cost factor of 12)
  • Profile image (optional)
  • Persona selection ("business", "technical", or "security" — used to tune dashboard defaults)
  • Organization name and seat assignments (Team and Enterprise tiers only)

1.2 Authentication and Session Data

  • Session tokens (cookie-based, signed, HTTP-only, secure)
  • OAuth account linkages (provider, provider account id, OAuth scopes granted) for users who sign in via a third-party identity provider
  • Email-verification tokens
  • Password-reset tokens
  • Multi-factor-authentication state (if enabled)
  • Last login timestamp, login count
  • Device fingerprint (limited — browser user-agent and a session-derived identifier; not a cross-site tracker)

1.3 Usage Telemetry

Generated automatically as you use the Service:

  • Cycle metadata: project id, cycle id, phase progression, runtime duration, success/failure status, retry count
  • DAG-node execution records: node id, type, dispatch mode, start and end timestamps
  • Usage records by UsageDimension (cycle, node, token, time, heal, skill, parallel_agent, schedule)
  • Skill invocations
  • API key usage (request count, response status, last-used timestamp) for users who issue API keys
  • Audit-log entries for security-sensitive events (sign-up, login, password change, billing change, role change, project share, API-key creation/revocation)

1.4 Cycle Inputs and Outputs

When you run a cycle:

  • The prompt(s) and inputs you submit
  • The artifacts produced (specifications, source code, tests, configurations, verdicts)
  • The signed verdict.json records that capture the cycle's completion state and the cryptographic signatures over its outputs
  • The MCP audit-log entries that record tool and resource interactions during the cycle

For local cycles invoked through the Plugin on your machine, your prompts and outputs are processed locally; only the metadata enumerated in Section 1.3 is transmitted to us. For remote cycles invoked through the Remote Service, prompts and outputs transit through our infrastructure to the language-model provider you have selected (or the provider we have selected for you, for tiers where provider selection is managed); after the cycle completes, the signed verdict and audit-log entry are retained per Section 7, and prompt/output bodies are not retained beyond what is required to produce the verdict.

1.5 Payment Information

We do not collect or store full payment-card numbers, CVCs, or bank-account details. All payment processing is performed by Lemon Squeezy, our merchant of record. We receive only the transactional metadata necessary to reconcile your Subscription with your Account, including:

  • Subscription tier, status, and renewal date
  • Last four digits of payment instrument and brand (e.g., "Visa ending 4242")
  • Billing country and ZIP / postal code (for tax computation)
  • Transaction ids and amounts

1.6 Security and Operational Data

Collected for security, fraud prevention, and reliability:

  • IP address (associated with sign-up, login, and security-sensitive actions; truncated or aggregated for analytics)
  • Browser user-agent string
  • Approximate geolocation derived from IP (country / region level)
  • Rate-limit counters
  • Server-side error traces (scrubbed of personal data wherever feasible)

1.7 Communications

Records of communications with us, including:

1.8 Sensitive Categories

We do not intentionally collect sensitive categories of personal data, including:

  • Special categories under GDPR Article 9: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.
  • Sensitive personal information under CPRA (Cal. Civ. Code § 1798.140(ae)): government identifiers (SSN, driver's license, passport), account log-in credentials with passwords, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of mail/email/text-messages unless the business is the intended recipient, genetic data, biometric information for unique identification, health-condition or health-treatment information, and information about sex life or sexual orientation.
  • Protected health information under HIPAA (45 C.F.R. § 160.103).

You should not submit such data as cycle inputs unless you have an executed sectoral addendum (e.g., a Business Associate Agreement for HIPAA). If you do submit such data without an executed addendum, we treat it under the same security controls as other Customer Materials, but we are not a HIPAA Business Associate and the Service is not authorized for protected-health-information processing absent a signed Business Associate Agreement. To request a Business Associate Agreement or other sectoral addendum, contact [email protected].

1.9 Automated Decision-Making and Profiling

The Service produces AI-assisted engineering artifacts. We do not make solely automated decisions producing legal or similarly significant effects on you within the meaning of GDPR Article 22 or analogous provisions. Specifically:

  • We do not use AI-generated profiles of you to make eligibility, pricing, employment, credit, insurance, housing, education, government-services, or other consequential decisions about you.
  • Our security systems use rule-based and machine-learning anomaly detection to identify abuse, fraud, and compromised accounts. These systems flag activity for human review; they do not autonomously terminate or restrict Accounts without human review for any non-emergency action. Emergency actions (e.g., disabling an account during an active credential-stuffing incident) are reviewed by a human as soon as practicable after the event.
  • Where rate-limiting or quota enforcement is automated, the underlying logic is deterministic (Subscription tier + measured usage) rather than profile-based.
  • You may contact [email protected] to obtain information about the logic involved in any automated processing that affects you, the significance of the processing, and the consequences.

2. How We Use Information

We use personal data for the following purposes, each linked to a legal basis in Section 4:

Purpose | Examples
Provide the Service | Authenticate you, run cycles, produce verdicts, deliver outputs to you, enforce quotas, route prompts to the language-model provider you have selected
Bill and account | Process Subscription renewals via Lemon Squeezy, reconcile usage, issue receipts, handle refunds, comply with tax law
Secure the Service | Detect and block credential stuffing, abuse, denial-of-service, prompt-injection chains, and other malicious patterns; respond to incidents; maintain the signed audit chain
Operate reliably | Monitor uptime and latency, debug errors, capacity-plan
Improve the product | Aggregate, de-identified analytics on feature usage, error rates, cycle success rates, prompt categories. We do not use your prompts or outputs to train our own foundation models, and we configure upstream language-model providers to opt out of training where the provider offers such an option.
Communicate with you | Send transactional emails (account, billing, security), respond to support requests, send service announcements
Marketing (only with consent or where permitted by law) | Send newsletters, product-update emails, event invitations; you may unsubscribe at any time
Comply with legal obligations | Respond to lawful requests from regulators or courts; preserve evidence for litigation; satisfy tax, accounting, and audit obligations
Defend legal claims | Investigate and respond to disputes

3. What We Do Not Collect

For transparency, here is what we do not do:

3.1 Local Cycles

For cycles executed by the Plugin on your machine, your source code never leaves your machine. The Plugin runs language-model calls using credentials you provide; the only data transmitted to our infrastructure for these cycles is the metadata listed in Section 1.3 (cycle id, phase, duration, success/failure, token-usage counts, error categories — not prompt or output bodies). You can verify this by inspecting the Plugin's network egress; we publish a list of egress endpoints in the Documentation.

3.2 Remote Cycles

For cycles executed by the Remote Service on your behalf:

  • Prompts and outputs transit through our infrastructure to the selected upstream language-model provider for the duration required to produce the response.
  • After the cycle completes, we retain only the signed verdict.json record, the corresponding MCP audit-log entry, and the metadata in Section 1.3. Prompt and output bodies are not stored beyond what the verdict and audit log require for compliance evidence (see Section 7 for retention).
  • Configuration to retain or not retain prompt/output bodies is selectable per project on the Enterprise tier.

3.3 Categories We Do Not Collect

  • We do not sell personal information for monetary or other valuable consideration as defined under CCPA/CPRA.
  • We do not share personal information for cross-context behavioral advertising as defined under CCPA/CPRA.
  • We do not participate in third-party advertising networks. We display no third-party ads on the Platform.
  • We do not scan or index Customer Materials for purposes other than providing the Service to you and maintaining the audit trail.
  • We do not sell or share data with data brokers.
  • We do not use facial recognition, biometric identifiers, or precise (street-level) geolocation.

4. Legal Bases for Processing (GDPR Article 6)

For users protected by the EU GDPR or UK GDPR, we rely on the following lawful bases. Where a purpose can be supported by more than one basis, we identify the primary basis.

Purpose (Section 2) | Article 6 Basis
Provide the Service | (b) Contract — processing necessary to perform the Agreement with you
Bill and account | (b) Contract; and (c) Legal obligation — tax, accounting, anti-money-laundering
Secure the Service | (f) Legitimate interests — protecting the Service, our users, and our infrastructure from abuse; a Legitimate Interest Assessment ("LIA") is on file
Operate reliably | (f) Legitimate interests — providing a stable Service
Improve the product (aggregate, de-identified only) | (f) Legitimate interests — improving the Service; LIA on file
Communicate with you — transactional | (b) Contract
Communicate with you — marketing | (a) Consent — withdrawable at any time
Comply with legal obligations | (c) Legal obligation
Defend legal claims | (f) Legitimate interests; (c) Legal obligation where compelled

You have the right to object to processing based on legitimate interests as described in Section 8.


5. Data Sharing

We share personal data only with the categories of recipients listed below and only as necessary for the purposes in Section 2. We do not sell personal data.

5.1 Subprocessors

We use the following subprocessors. The list is also maintained, with current effective dates and signed-DPA status, at https://thothato.io/legal/subprocessors.

Subprocessor | Purpose | Region | DPA / Transfer Mechanism
Lemon Squeezy (Lemon Squeezy LLC) | Merchant of record; payment processing, sales-tax / VAT handling, subscription billing | United States | DPA signed; SCCs Module 2 (Controller → Processor) for EU/UK transfers
Anthropic (Anthropic, PBC) | Claude language-model API for remote cycles using Anthropic models | United States | DPA signed; SCCs Module 2; Anthropic data-processing addendum incorporates standard contractual safeguards; training opt-out confirmed
Google Cloud Platform — Vertex AI (Google LLC) | Gemini language-model API for remote cycles using Google models; Cloud Run, GKE, Cloud KMS, Cloud Logging, Secret Manager for hosting | United States and European Union | Google Cloud DPA + Standard Contractual Clauses; data-residency configurable per Enterprise project
OpenAI (OpenAI, OpCo, LLC) | OpenAI language-model API for remote cycles using OpenAI models | United States | DPA signed; SCCs Module 2; API training opt-out confirmed
Resend (Resend, Inc.) | Transactional email (account verification, password reset, billing receipts) | United States | DPA signed; SCCs Module 2
Sentry (Functional Software, Inc.) | Error monitoring (scrubbed of personal data wherever feasible) | United States | DPA signed; SCCs Module 2
MongoDB Atlas (MongoDB, Inc.) | Vector database for retrieval-augmented context (Enterprise tier feature flag) | United States; EU region available | DPA signed; SCCs Module 2
Cloudflare (Cloudflare, Inc.) | DDoS protection, edge routing, WAF | Global edge | DPA signed; SCCs Module 2

All subprocessors are contractually bound to confidentiality, security, and data-protection obligations no less protective than those we owe you. We notify Enterprise customers in advance of material subprocessor changes through the subprocessor-list page and (for customers who have opted in) by email.

5.2 Service Providers Not Acting as Subprocessors

We may share limited data with professional advisors (lawyers, accountants, auditors) bound by professional confidentiality, and with insurers in connection with claims. These recipients are not subprocessors because they do not process personal data on instructions to deliver the Service.

5.3 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal data may be transferred to the acquiring or successor entity, which will be bound by this Privacy Policy or by terms providing materially equivalent protection. We will notify you of any such transfer that materially affects your data.

5.4 Legal Disclosure

We may disclose personal data when we believe in good faith that disclosure is required to (a) comply with applicable law, legal process, or a lawful request from a government authority; (b) enforce the Agreement; (c) protect our rights, property, or safety, or those of our users or the public; or (d) investigate or prevent fraud, security incidents, or technical issues. Where legally permitted, we will notify the affected user before disclosure.

5.5 With Your Direction

We share personal data with third parties at your explicit direction, including when you connect a third-party integration, share a project with a collaborator, or invoke an external tool via the MCP server.


6. International Transfers

We are headquartered in the United States and our primary processing is in the United States. We also operate in the European Union (Google Cloud europe-west1 and similar regions for Enterprise customers who select an EU data-residency region).

6.1 Transfer Mechanisms

For personal data of users in the European Economic Area, the United Kingdom, or Switzerland transferred to the United States or other third countries:

  • Where the recipient is certified under the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), the UK Extension to the Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework, we rely on the applicable adequacy decision or equivalent mechanism.
  • Otherwise, we rely on the 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller → Processor) or Module 3 (Processor → Processor) as appropriate, supplemented by the UK International Data Transfer Addendum (IDTA) or the UK International Data Transfer Agreement for UK transfers.
  • We perform a transfer-impact assessment for each transfer mechanism and implement supplementary technical measures (encryption in transit and at rest, KMS-backed key management, role-based access controls, signed audit chains).

A copy of the SCCs applicable to your transfer is available on request from [email protected].

6.2 EU Representative

If we offer the Service to EU data subjects without an establishment in the EU, we will appoint an EU representative under GDPR Article 27. Contact details for the EU representative, once appointed, will be published here.


7. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, except where a longer period is required by law or for legitimate business reasons.

Data Category | Retention | Basis
Account information (Section 1.1) | Duration of the Account + 30 days after deletion request | Contract performance + buffer for account-recovery and dispute resolution
Authentication tokens (Section 1.2) | Active session duration; expired tokens purged within 24 hours of expiration | Security
OAuth account linkages | Duration of the Account or until the user unlinks | Contract performance
Usage telemetry (Section 1.3) | 24 months (active); aggregated and de-identified thereafter | Service operation, capacity planning, abuse detection
Cycle metadata | 24 months in primary store; aggregated thereafter | Service operation, billing reconciliation
Cycle inputs and outputs — local cycles | Not retained by us (processed on Customer machine) | n/a
Cycle inputs and outputs — remote cycles | Not retained beyond what is required to produce the signed verdict; configurable per project on Enterprise tier | Minimization
Signed verdicts (verdict.json) + MCP audit-log entries | 7 years from generation | SOC 2 Trust Services Criteria; EU AI Act Article 12 record-keeping; ISO 27001 Annex A.5.34; legal-claim defense
Payment metadata (Section 1.5) | 7 years from the calendar year of the transaction | Tax and accounting law (e.g., 26 U.S.C. § 6001; corresponding state and EU member-state laws)
Security and operational data (Section 1.6) | 90 days for raw logs; 13 months for security-incident-relevant data | Security incident response; ISO 27001 Annex A.8.15
Support communications (Section 1.7) | 3 years from the last interaction | Service quality, dispute resolution
Marketing telemetry | Until consent is withdrawn + 30-day reconciliation buffer | Consent under GDPR Article 6(1)(a)
Backups | Cycled out of backup media within 90 days of source-system deletion | Disaster recovery

Records covered by a litigation hold are retained for the duration of the hold, notwithstanding the foregoing.


8. Your Rights

You have rights regarding your personal data. The specific rights you can exercise depend on the jurisdiction governing your data. We honor the strictest applicable standard.

8.1 GDPR / UK GDPR Rights (Articles 15–22)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

  • Access (Article 15) — obtain confirmation of whether we process your personal data and a copy of that data.
  • Rectification (Article 16) — have inaccurate personal data corrected.
  • Erasure / "right to be forgotten" (Article 17) — have personal data deleted in certain circumstances.
  • Restriction of processing (Article 18) — have processing limited in certain circumstances.
  • Data portability (Article 20) — receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Object (Article 21) — object to processing based on legitimate interests, including direct marketing.
  • Not be subject to solely automated decision-making producing legal effects (Article 22) — we do not make solely automated decisions producing legal or similarly significant effects on you. The Service produces probabilistic outputs that you review and decide whether to use.
  • Withdraw consent (Article 7(3)) — where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint with a supervisory authority (Article 77).

8.2 CCPA / CPRA Rights

If you are a California resident, you have the right to:

  • Right to know what personal information we have collected, the sources, the purposes, and the categories of third parties to whom we have disclosed it.
  • Right to delete personal information, subject to legal-retention carve-outs.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing of personal information for cross-context behavioral advertising. As stated in Section 3.3, we do not sell or share personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information to the purposes specified in CCPA § 1798.121.
  • Right of non-discrimination — we will not discriminate against you for exercising any CCPA/CPRA right.
  • Right to designate an authorized agent to exercise these rights on your behalf, subject to identity verification.

8.3 Other Jurisdictions

For users protected by other comprehensive state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and similar), substantially equivalent rights apply and we will honor them.

8.4 How to Exercise

Send a request to [email protected]. We will respond within thirty (30) days for GDPR/UK GDPR requests (extendable by sixty (60) days for complex requests, with notice) and within forty-five (45) days for CCPA/CPRA requests (extendable as permitted by law, with notice). We may need to verify your identity before fulfilling the request; we use the least-intrusive verification consistent with the sensitivity of the data.

8.5 Authorized Agents

You may designate an authorized agent to make a request on your behalf. We will require written authorization (or a power of attorney as required by law) and reasonable identity verification before acting.


9. Cookies and Tracking

We use cookies and similar technologies sparingly.

9.1 Essential Cookies (No Consent Required)

  • Session cookie (session) — signed, HTTP-only, secure
  • Unverified-account cookie (unverified) — flags pre-verification state
  • CSRF protection cookie
  • Load-balancer affinity cookie

These cookies are necessary to provide the Service and are not stored beyond their session purpose.

9.2 Functional Cookies (No Consent Required, Strictly Necessary)

  • Persona / dashboard preference cookies — store your selected persona and UI preferences
  • Locale / time-zone cookies

9.3 Analytics Cookies (Opt-In Only for EU/UK)

For users in the EU/UK, analytics cookies are loaded only after explicit opt-in via the cookie banner. For users in other jurisdictions, analytics may be loaded by default subject to a clear opt-out link in the footer. Analytics are first-party where feasible; if we use a third-party analytics provider, it will be listed in Section 5.1.

9.4 Marketing Cookies

We do not currently use marketing or advertising cookies. If we begin to use any, this Policy will be updated and consent will be obtained where required.

9.5 Do Not Track / Global Privacy Control

We honor the Global Privacy Control (GPC) signal as an opt-out preference signal under CCPA/CPRA. We currently do not respond to Do Not Track (DNT) browser signals because there is no industry consensus on their interpretation.


10. Children

The Service is not directed at children under sixteen (16) and not directed at children under thirteen (13). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under the applicable age of digital consent without verifiable parental consent, we will delete it promptly. Parents and guardians who believe their child has provided personal data to us should contact [email protected].

The U.S. Children's Online Privacy Protection Act ("COPPA", 15 U.S.C. §§ 6501–6506; 16 C.F.R. Part 312) governs collection of personal data from children under thirteen (13). We are not a child-directed service.


11. Security

We implement administrative, physical, and technical safeguards designed to protect personal data appropriate to the risk.

11.1 Technical Measures

  • Encryption in transit: TLS 1.2+ (TLS 1.3 preferred) for all data exchanged between clients, our infrastructure, and subprocessors.
  • Encryption at rest: AES-256 with keys managed in Google Cloud KMS with Customer-Managed Encryption Keys (CMEK) for Enterprise-tier data, and Google-managed encryption keys otherwise.
  • Signed audit trail: Each cycle produces a verdict.json signed with Ed25519 keys stored in Cloud KMS; the signature chain provides tamper-evidence over outputs and audit-log entries.
  • Identity and access: Role-based access control with least privilege; mandatory MFA for all employee access to production; short-lived workload identities for service-to-service auth.
  • Network: Private clusters, perimeter controls, Cloudflare WAF and DDoS protection, mTLS between internal services where applicable.
  • Logging and monitoring: Centralized logs and metrics with alerting; signed audit chain immutable to operators.

11.2 Organizational Measures

  • Security awareness training for all personnel
  • Background screening for personnel with production access (where lawful)
  • Confidentiality undertakings
  • Vendor risk-management program with DPA / SCC tracking
  • Incident-response plan with breach-notification procedures aligned to GDPR Article 33 (72-hour controller notification) and applicable U.S. state breach-notification statutes

11.3 Certifications and Frameworks (Target State)

We are targeting SOC 2 Type II attestation. Our control set is mapped to ISO/IEC 27001:2022 Annex A and to the relevant articles of the EU AI Act.

11.4 Breach Notification

If we determine that a personal-data breach has occurred and is likely to result in a risk to your rights and freedoms, we will notify the applicable supervisory authority within seventy-two (72) hours where required by GDPR Article 33, and we will notify affected data subjects without undue delay where required by GDPR Article 34 or applicable U.S. state breach-notification law.


12. Changes and Notification

We may update this Privacy Policy from time to time. We will provide at least thirty (30) days' prior notice of material changes by email to the address associated with your Account or by in-product notification. The "Effective Date" at the top reflects the current version.

Non-material changes (formatting, clarifications, updates to non-substantive references) take effect upon posting.


13. Contact

13.1 General Privacy Inquiries

[email protected]

13.2 Data Protection Officer

A Data Protection Officer's contact details, if and when appointed under GDPR Article 37, will be published in this section.

13.3 EU Representative

GDPR Article 27 representative contact details, once appointed, will be published here.

13.4 Security Reports

[email protected] — please review our coordinated-disclosure policy at https://thothato.io/.well-known/security.txt.


14. Supervisory Authority

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with a supervisory authority. The competent authority is typically the one in the country of your habitual residence, your place of work, or the place of the alleged infringement.

If you are in California, you may contact the California Privacy Protection Agency, https://cppa.ca.gov, or the California Attorney General, https://oag.ca.gov/privacy.