What data we collect

When you create an account or use the service, we collect:

• Identity data — email address, display name, and hashed password (bcrypt; never stored in plaintext)
• AWS identifiers — AWS Marketplace Customer ID and subscription token, used solely for billing and entitlement verification
• Run configuration data — target endpoint URLs, system-prompt descriptions, and attack-family selections you provide when setting up a red-team run
• Attack & result data — generated attack prompts, model responses captured during testing, scoring verdicts, and evidence snippets included in reports
• Session & quota metadata — session tokens (httpOnly cookies), run counts, entitlement records, and timestamps

How we store and protect it

• All data is stored in Amazon Aurora PostgreSQL running in AWS region ap-south-1 (Mumbai), with AES-256 encryption at rest and TLS 1.2+ in transit
• Database credentials are managed exclusively through AWS Secrets Manager and are never embedded in application code
• The application runs on AWS App Runner; no server-side data leaves the ap-south-1 region
• Passwords are one-way hashed with bcrypt before storage and are never recoverable or transmitted in readable form
• All security-relevant events (sign-ups, logins, subscription changes, run completions) are written to a tamper-protected Amazon CloudWatch Logs group with a mandatory 365-day retention policy

How we use your data

Your data is used exclusively to:

• Deliver and operate the AI red-teaming service you subscribed to
• Display run results and historical reports in your account dashboard
• Track and enforce subscription quotas and entitlements through AWS Marketplace Metering Service
• Maintain security audit logs as required by AWS Marketplace compliance policy

Data sharing

We share data with no third parties for advertising, analytics, or resale. The only external sharing is:

• AWS Marketplace Metering Service — run counts (integers only) are reported for billing purposes, as required by the AWS Marketplace Seller Agreement
• Email delivery — your email address and name are passed to our transactional email provider solely to send account confirmation messages. No marketing emails are sent without explicit opt-in

Retention & deletion

• Account and run data is retained for the duration of your active subscription
• After cancellation or non-renewal, your data is retained for 90 days to allow for dispute resolution or reactivation, then permanently deleted
• Security audit logs are retained for 365 days regardless of subscription status, as required by AWS Marketplace Security Policy
• Aurora automated backups are retained for 7 days for disaster recovery purposes
• To request early deletion, email contact@trampolyneai.com — we will action it within 30 days

Your rights

You may request a copy of the data we hold about you, correction of inaccurate data, or deletion of your account at any time by emailing contact@trampolyneai.com. We will respond within 30 days.

Security incidents

In the event of a breach or unauthorized access affecting your data, we will notify affected users at the email address on file within 72 hours of confirmed discovery. Report security concerns to contact@trampolyneai.com.

Changes to this policy

Material changes will be communicated by email to registered users at least 14 days before taking effect. Continued use of the service after the effective date constitutes acceptance.