Privacy Policy

Effective Date: May 6th, 2025

Website: https://thirdkey.ai
Owner: Tarnover, LLC, a California Limited Liability Company

This Privacy Policy describes how Tarnover, LLC (“we”, “us”, “our”) collects, uses, shares, and protects personal and organizational data in connection with its ThirdKey service (“Service”) at https://thirdkey.ai.

We are committed to data privacy, enterprise-grade security, and compliance with industry standards, including SOC 2, to protect our customers and their users.

1. Scope of This Policy

This Privacy Policy applies to:

  • Users accessing the Service via the API, CLI, SDK, or web portal
  • Visitors to our website
  • Enterprise clients and developers using our platform

2. Data We Collect

A. Account Information

When you register for ThirdKey, we collect:

  • Name, email address, organization
  • Billing and payment details (processed securely via a third-party provider)

B. API Usage Data

We log metadata associated with API calls for security, billing, and audit purposes, including:

  • API key used
  • IP address
  • Timestamps
  • Request/response metadata
  • Model routing and usage statistics

Note: We do not retain the raw contents of user prompts or model responses unless explicitly enabled by the user for debugging or observability features.

C. Device & Technical Data

When accessing our portal or tools, we may collect:

  • Browser type and version
  • Operating system
  • Access times
  • Referrer and session data (via analytics)

3. Use of Data

We use collected data to:

  • Operate and maintain the ThirdKey Service
  • Enforce security policies and detect misuse
  • Provide audit logs and usage reports to customers
  • Support compliance with SOC 2 and other frameworks
  • Invoice and process payments
  • Improve product quality, performance, and reliability

We do not sell or rent user data.

4. Data Retention

We retain personal and organizational data only as long as necessary for:

  • Service delivery and support
  • Contractual and legal obligations
  • Security investigations
  • Audit and compliance purposes

You may request deletion of your account or data at any time, subject to retention requirements.

5. Enterprise Controls

For enterprise customers, we offer:

  • Data residency and retention customization
  • Detailed audit logs
  • Single Sign-On (SSO) and RBAC support
  • API usage isolation per team/project
  • Optional prompt and response logging with opt-in

6. Third-Party Services

We may use SOC 2- or GDPR-compliant third-party providers for:

  • Cloud infrastructure
  • Authentication and identity management
  • Payment processing
  • Model inference (e.g., AWS, Azure, OpenAI)

These services are contractually required to meet our security and privacy obligations.

7. Security and Compliance

We follow industry best practices to safeguard your data:

  • SOC 2 Type II controls implemented and audited
  • Role-based access and least privilege principles
  • TLS encryption in transit
  • Encrypted secrets management
  • Secure audit logging with immutability options
  • Regular penetration testing and internal reviews

Customers may request our latest security whitepaper or SOC 2 report under NDA.

8. Your Rights and Choices

You have the right to:

  • Access your data
  • Request corrections or deletion
  • Export usage data (via API or request)
  • Manage logging preferences
  • Close your account

Enterprise clients may request data processing addendums (DPA) or custom controls.

9. Data Transfers

We are based in the United States. By using the Service, you consent to data transfer to the U.S. and other jurisdictions where our subprocessors operate, subject to adequate protections and compliance frameworks.

10. Children’s Privacy

Our Service is intended for enterprise and professional use only. We do not knowingly collect information from children under 13 or from individuals not legally allowed to use the Service.

11. Policy Updates

We may update this Privacy Policy from time to time. Changes will be posted on this page with a revised effective date. Material changes may be announced via email or platform notices.

12. Contact Information

For privacy-related inquiries, please contact:

Tarnover, LLC

Privacy & Security Office

privacy@thirdkey.ai

Los Angeles, California, USA