Privacy Policy

Last updated: May 2026

We wrote this in plain English. If something is unclear, email support@invistiq.com and we will clarify.

1. What data we collect

Account information

When you sign up, we collect your name, email address, and organization name. That is it. We do not ask for payment information directly; billing goes through Stripe.

Agent event payloads

The signed event spans your AI agent runtime sends to Invistiq (prompts, tool calls, sub-agent delegations, model outputs, human overrides) are stored on your behalf. We verify each Ed25519 signature on ingest, chain the event into your per-organization Merkle log, and persist it to AWS S3 Object Lock. We do not read event payload contents for any purpose other than running the platform.

Compliance metadata

Alongside the signed payload we store derived metadata: event timestamp, span identifier, parent span, model identifier, tool call name, framework tags (Article 12, Colorado AI Act, NIST RMF, ISO 42001, HIPAA, FINRA 17a-4), and the previous-hash link in your Merkle chain. Every record is linked back to its signed source event.

Usage data

We log actions on the platform: logins, logouts, SDK key issue, event ingest (sampled), evidence-pack export, and retention sweeps. These logs support the audit trail feature and help us troubleshoot issues. We also collect browser type and IP address for security purposes.

2. How we use it

  • Verifying Ed25519 signatures and chaining events into your Merkle log
  • Generating the Annex IV and per-framework evidence packs you request
  • Sending transactional emails about your account (password resets, billing receipts, policy updates)
  • Responding to support requests
  • Improving platform performance and ingest reliability using aggregate, anonymized metrics
  • Meeting legal and regulatory obligations

3. What we don't do

  • We do not sell your data to anyone, ever.
  • We do not share your documents or extracted data with advertisers.
  • We do not use your documents or extracted data to train AI models. Your data trains nothing.
  • We do not use marketing cookies or behavioral tracking.
  • We do not share data between organizations. Each account is completely isolated.

4. Data storage and security

Your files are stored on AWS S3 in the United States with Object Lock enabled, which means files cannot be modified or deleted after upload. Your account data and extracted values are stored in Supabase, also in the US.

All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.

Every table in our database has row-level security policies that restrict queries to the organization that owns the data. Even a misconfigured query cannot return data from a different organization.

We maintain an append-only audit log of all key actions. That log cannot be modified or deleted, including by us.

5. Data retention

Active accounts: we retain your data for as long as your account is active.

After cancellation, signed event payloads are retained for the regulatory floor configured on your account (six months minimum for Article 19, ten years for Article 18 technical docs, six years for HIPAA, three to six years for FINRA). Account metadata is deleted ninety days after cancellation.

Signed event payloads are stored immutably under AWS S3 Object Lock. We never modify a signed event after it has been ingested and verified. This is a deliberate design decision for audit integrity.

Early deletion of account metadata is available on request through support. Signed event payloads remain bound to the regulatory floor for the configured retention window.

6. Third-party processors

We use a small number of third-party services to run the platform. Each one receives only the data it needs to do its job.

Provider | Purpose | Data shared
AWS S3 | Tamper-evident storage | Signed agent event payloads
Supabase | Database and auth | Account data and signed event metadata
Vercel | Hosting and delivery | Web traffic (logs, IPs)
Stripe | Payment processing | Billing information (handled directly by Stripe)
Resend | Transactional email | Email address only
Upstash | Rate limiting (Redis) | Hashed request identifiers (no payloads)

We do not share your data with any other third parties. All processors are contractually bound to use your data only for the services they provide to us.

7. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Export your signed event payloads and account metadata at any time from the platform
  • Correct inaccurate information in your account
  • Delete your data by cancelling your account
  • Object to any processing you believe is not covered by this policy

To exercise any of these rights, email support@invistiq.com. We respond to all verified requests within 30 days.

8. HIPAA

Invistiq serves healthcare AI customers, including clinical decision support and patient-facing voice AI deployments. We understand that even derived metadata from an AI agent operating in a healthcare setting may touch protected health information (PHI).

We sign Business Associate Agreements (BAAs) with healthcare customers before they send any events that could contain PHI. We do not process PHI without a BAA in place.

If you are a healthcare organization and need a BAA, email support@invistiq.com.

Customers operating in healthcare AI must execute a BAA before sending any events that could contain PHI. Invistiq does not process PHI without a BAA in force.

9. Cookies

We use two categories of cookies:

  • Strictly necessary: the authentication session cookie that keeps you logged in, and a CSRF token that protects your account. These cannot be disabled without breaking the platform.
  • Functional: cookies that remember small preferences like sidebar state. These are not required.

We do not use marketing cookies, ad tracking, or any cross-site behavioral tracking. See our Cookie Policy for the full list and browser opt-out instructions.

10. Updates to this policy

If we make material changes to this policy, we will notify you by email at least 30 days before the changes take effect. Minor edits (fixing typos, adding clarity) may happen without notice, but will always show an updated date at the top of this page.

Your continued use of the platform after the effective date of a material change means you accept the updated policy. If you disagree, you can cancel your account before the change takes effect.

11. Contact

Questions about this policy or how we handle your data? Email support@invistiq.com. We aim to respond within five business days.