We build trust infrastructure for AI agents. The same principle applies to your data: collect the minimum, retain the minimum, share with no one we don’t have to. This page tells you exactly what that means in practice.
This Privacy Policy applies to the marketing website at thirdkey.ai, including the demo-request form, the research index, and the enterprise inquiry pages. It is issued by Tarnover, LLC, a California limited liability company that operates ThirdKey.ai (“we”, “us”, “our”).
It does not govern:
We list every category of personal data we collect. If something is not on this list, we do not collect it.
When you submit your email through the form on the home page or enterprise page, we collect:
That’s it. We do not capture your IP, browser, referrer, or any hidden fields. The submission is appended to a private CSV on the server and sent as a notification to our sales inbox via Resend.
Our hosting provider records standard web-server access logs — IP address, user-agent string, requested path, response code, and timestamp — for security and operational diagnostics. These logs are retained for 30 days and are not joined to any other data.
If you press “Accept” on the cookie banner, Google Analytics 4 sets one first-party cookie and records anonymised pageview events with your IP truncated. We have set Google Consent Mode v2 to default-deny: until you opt in, no analytics cookie is set and no pageview event is sent.
We use the data above only for the purposes below. We do not repurpose data for anything else without separately asking you.
| Data | Purpose | Lawful basis (GDPR) |
|---|---|---|
| Demo email + timestamp | Reply to your demo request, route it to sales | Legitimate interests / consent |
| Server access logs | Detect abuse, debug outages | Legitimate interests |
| Analytics (post-consent) | Understand traffic patterns in aggregate | Consent |
We do not use your data for: behavioural advertising, audience-building, lookalike modelling, model training, or any purpose unrelated to running this website.
We do not sell, rent, or share your personal data for cross-context advertising under any U.S. state law (including the CCPA / CPRA). The only third parties that ever process this data are the service providers we use to operate the site itself:
| Provider | Role | Data they see | Region |
|---|---|---|---|
| Resend, Inc. | Transactional email (demo notifications) | Your demo email + form payload | USA |
| Google LLC (GA4) | Anonymous analytics, post-consent only | Pageviews, IP-truncated | USA / EU |
| Hosting provider | Web serving + access logs | Standard request metadata | USA |
We do not share your data with law enforcement or government agencies unless we receive a binding legal demand (subpoena, warrant, or court order). Where lawful, we will notify you before complying.
| Data | Retention |
|---|---|
| Demo-request emails | Until you ask us to delete, or 24 months of inactivity, whichever comes first |
| Server access logs | 30 days, then permanently deleted |
| GA4 analytics events (post-consent) | 14 months (Google’s shortest available setting) |
| Cookie consent record (browser localStorage) | Until you clear your browser storage |
By default the site sets zero cookies. After you press “Accept” on the consent banner, the following are set:
| Name | Set by | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Distinguish unique visitors | 13 months |
| _ga_YXY2GGS20Q | Google Analytics 4 | Session state | 13 months |
| tk-consent | ThirdKey (localStorage, not a cookie) | Remember your choice | Until you clear it |
You can withdraw consent at any time by clearing your browser’s site data for thirdkey.ai — the next visit will show the banner again.
Regardless of where you live, we honour the following requests for any personal data we hold about you. Most jurisdictions require us to respond within 30–45 days; we aim for 14.
To make any of these requests, email privacy@thirdkey.ai from the address on file. We may need to verify your identity before acting; we will never use that verification step to collect more data than the request requires.
We apply commercially reasonable technical and organisational measures to protect the data we hold:
If we ever experience a breach affecting your personal data, we will notify you (and any required regulator) within the timeframes mandated by applicable law — typically 72 hours of becoming aware under GDPR.
Found a security issue? Please report it to security@thirdkey.ai. We will acknowledge within two business days and will not pursue good-faith researchers who follow responsible-disclosure practices.
This site is intended for professional and enterprise audiences. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted information to us, email privacy@thirdkey.ai and we will delete the record.
If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), or any other U.S. state with comprehensive consumer-privacy law, you have the rights listed in §007 above. In addition:
We will update this policy when our practices change. Material changes (anything that broadens what we collect, who we share with, or how long we retain) will take effect no sooner than 30 days after the new effective date is posted, and we will surface a banner on the site for that period. Non-material changes (typo fixes, clarifications) take effect immediately.
The current effective date appears at the top of this page.
For any privacy question, request, or complaint:
See also our Terms of Service.