Privacy
What we collect. What we don't. Why.
Last updated
2026-05-18 — first published draft.
What Ctrl AI stores
We store the data you sign into your library: documents you upload, Ctrls you sign, invocations they produce, and the cryptographic receipts that prove they happened. All of it lives in your org's dedicated database; we never commingle org data.
What we don't do
We do not sell data. We do not train foundation models on your documents, your Ctrls, or your invocations. We do not enable third-party advertising or analytics that touch invocation content.
LLM keys (BYOK)
At every tier you can bring your own LLM API keys. Your model spend is billed directly by your provider; tokens never pass through any account we hold. Anthropic, OpenAI, Google, and OpenRouter are all supported.
Transparency log
Every invocation produces an Ed25519-signed receipt anchored in a hash-chained transparency log. Auditors — yours or external — can verify the entire chain offline against a published root hash. We can't hide receipts after the fact, and neither can you.
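The offline check described above, as an added example that is not Ctrl AI's own code or receipt format. The entry layout, the all-zero genesis value, the SHA-256 chaining and the function names are assumptions made for illustration; the keys and receipts are constructed sample data.

```javascript
// Added example: assumed receipt layout, not Ctrl AI's actual format.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest('hex');
const GENESIS = '0'.repeat(64); // assumed "previous hash" of the first entry

// Each entry commits to the previous entry's hash, so editing or dropping
// a receipt changes every later hash and therefore the root.
const entryHash = (prev, payload, sigHex) => sha256(`${prev}\n${payload}\n${sigHex}`);

// Hypothetical helper that builds sample data: sign and append one receipt.
function appendReceipt(log, payload, privateKey) {
  const prev = log.length ? log[log.length - 1].hash : GENESIS;
  const sig = sign(null, Buffer.from(`${prev}\n${payload}`), privateKey).toString('hex');
  log.push({ prev, payload, sig, hash: entryHash(prev, payload, sig) });
  return log[log.length - 1].hash; // the new root
}

// Offline verification: needs only the log, the public key and the published root.
function verifyLog(log, publicKey, publishedRoot) {
  let prev = GENESIS;
  for (const [index, e] of log.entries()) {
    if (e.prev !== prev) return { ok: false, index, reason: 'broken link' };
    const signed = Buffer.from(`${e.prev}\n${e.payload}`);
    if (!verify(null, signed, publicKey, Buffer.from(e.sig, 'hex')))
      return { ok: false, index, reason: 'bad signature' };
    if (e.hash !== entryHash(e.prev, e.payload, e.sig))
      return { ok: false, index, reason: 'hash mismatch' };
    prev = e.hash;
  }
  if (prev !== publishedRoot) return { ok: false, index: log.length, reason: 'root mismatch' };
  return { ok: true };
}

// Constructed sample: an intact log, one with the last receipt hidden, one edited.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const log = [];
  let root;
  for (const p of ['invocation-1', 'invocation-2', 'invocation-3'])
    root = appendReceipt(log, p, privateKey);
  const edited = log.map((e) => ({ ...e }));
  edited[1].payload = 'invocation-2-altered';
  return {
    intact: verifyLog(log, publicKey, root),
    truncated: verifyLog(log.slice(0, 2), publicKey, root),
    tampered: verifyLog(edited, publicKey, root),
  };
}
```

The truncated case is why the root hash has to be published somewhere the log operator cannot rewrite: every remaining entry still verifies, and only the comparison with the root shows that a receipt is missing.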
Data residency
US-East by default. EU-West and APAC available on Enterprise with a DPA. Per-org encryption at rest; per-tenant keys on Enterprise.
Subprocessors
Vercel (hosting), Neon (Postgres), Anthropic / OpenAI / Google (when your BYOK uses them), Resend (transactional email), Upstash (rate limiting). Full current list available on request.
Questions
Email privacy@ctrlai.com for the full DPA, subprocessor list, or any specific question. For data deletion requests, write to the same address; we respond within five business days.
Full legal copy is being prepared with counsel; the page above summarizes how the system is actually built. If anything on this page contradicts the system in code, the code wins and we'll update this page.