Throva Request walkthrough

Legal

Privacy Policy

Effective date: April 25, 2026

1. Information We Collect

We collect the following categories of information.

1.1 Account and authentication data

Collected by Auth0 on our behalf and returned to us as claims:

  • Auth0 user ID (sub)
  • Email address and email-verified flag
  • Display name, nickname, and profile picture (if provided)
  • Last updated timestamp from the Auth0 profile

1.2 Business profile data

Collected during onboarding, walkthroughs, or pilot setup:

  • Business name, website URL, business type, industry
  • Offer summary, service area, target audience, brand voice, brand tone, marketing goals, and guardrail preferences

1.3 Customer and lead data

Data you enter or import about your own customers, leads, and prospects — including names, email addresses, phone numbers, company names, interaction history, and notes. You are the controller of this data; Throva acts as processor. For data processing questions, contact privacy@throva.ai.

1.4 Billing data where enabled

The marketing site does not collect payment-card data. If billing is enabled for a paid pilot or subscription, we collect billing contact metadata and invoice status needed to administer the account; card data is handled directly by the payment processor.

1.5 Workspace input and generated content

  • Drafts, messages, tasks, approvals, notes, and workspace context you choose to provide.
  • AI prompts and context derived from your workspace so the service can draft, summarize, classify, or route work.
  • Connected-integration credentials and data only if you explicitly enable that integration for your workspace.

1.6 Usage, device, and log data

  • IP address, device type, OS, app version, and build metadata (collected for security, rate limiting, and debugging).
  • Event logs (feature usage, request timestamps, error traces, and OpenTelemetry spans when enabled).
  • Approval-queue events, agent execution events, and audit-trail entries.

2. How We Use Information

We use the information we collect to:

  • Provide, operate, secure, and improve the Service.
  • Authenticate you, control access to your workspace, and enforce approval and guardrail rules.
  • Run AI agents on your behalf, including drafting, summarizing, routing, and queuing work scoped to your workspace.
  • Administer pilot access, billing, and account operations.
  • Send operational emails (transactional notifications, receipts, security alerts) via AWS SES.
  • Detect, investigate, and prevent abuse, fraud, and violations of these policies or applicable law.
  • Comply with legal obligations and enforce our Terms.

We do not sell your personal information, and we do not use Customer Content to train AI models that serve other customers.

If you are in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR / UK GDPR:

  • Contract — processing necessary to provide the Service you signed up for.
  • Legitimate interests — securing the Service, preventing abuse, operating analytics at aggregated level, and improving the platform.
  • Legal obligation — tax, accounting, anti-money-laundering, and law-enforcement requests.
  • Consent — where required, for example before connecting an optional integration or before certain marketing emails.

You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

4. Third-Party Subprocessors

We use the following subprocessors to operate the Service. Each is bound by contractual confidentiality and security obligations. This list is maintained as the public version for the pre-launch service.

Subprocessor Purpose Data categories Location
Amazon Web Services (AWS) Compute (ECS), media storage (S3), transactional email (SES), database hosting, CloudWatch logs All Customer Data in transit and at rest us-east-1
Anthropic (via AWS Bedrock) AI inference for drafting, summarization, routing, and workspace assistance Prompts and context derived from Customer Content AWS Bedrock region (US)
Auth0 (Okta) Authentication, session management, JWT issuance Email, name, auth metadata US

Optional integrations are added to this list as they become available for the pre-launch service.

5. Data Retention

We retain data as follows (subject to legal holds):

  • Active workspaces — retained while the account is active.
  • After account termination — retained 30 days to allow export, then deleted or irreversibly anonymized.
  • Billing records — retained for 7 years to comply with tax and accounting rules.
  • Security and audit logs — retained 90 days for forensic and fraud-prevention purposes.
  • Backups — encrypted backups are rotated on a rolling window of 35 days; deletion requests are honored in live systems immediately and purged from backups as the rotation completes.

6. Your Rights

Depending on where you live, you may have rights to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete data ("right to erasure")
  • Export data in a portable, machine-readable format
  • Object to or restrict certain processing
  • Withdraw consent for processing based on consent
  • Lodge a complaint with a supervisory authority

GDPR / UK GDPR — residents of the EEA, UK, or Switzerland may exercise the rights above. You may also contact a supervisory authority in your country.

California (CCPA / CPRA) — California residents have the right to know, delete, correct, and opt out of sale or share of personal information. Throva does not sell or share personal information for cross-context behavioral advertising. Submit requests to privacy@throva.ai.

Other US states (VA, CO, CT, UT, TX, and similar comprehensive privacy laws) — residents may have rights to access, delete, correct, port, and opt out of targeted advertising and the sale of personal information. Throva does not engage in targeted advertising or sell personal information. Submit requests to privacy@throva.ai.

To exercise any right, email privacy@throva.ai. We will verify your identity before honoring the request and will respond within 30 days.

7. Cookies and Tracking

The marketing site at throva.ai uses no third-party advertising cookies. The authenticated web app uses:

  • Auth0 session storage — the app can be configured to cache auth state in localStorage for convenience; defaults to memory-only.
  • Essential local storage — for the offline-first SQLite database, checklist state, and user preferences.

We do not use third-party advertising, retargeting, or cross-site tracking cookies. You can control or clear cookies and local storage through your browser or device settings.

8. International Data Transfers

Throva's infrastructure primarily operates in the United States (AWS us-east-1). If you are in the EEA, UK, or Switzerland, your data may be transferred to and processed in the United States. Where such transfers occur, we rely on the Standard Contractual Clauses (module as appropriate) and, where available, the EU-U.S. Data Privacy Framework, plus supplementary measures such as encryption in transit and at rest.

9. Security Measures

We maintain technical and organizational measures including:

  • Encryption in transit (TLS) for all client-server communication.
  • Encryption at rest for databases, media in S3, and OAuth-token storage (per-workspace key material).
  • Auth0-based authentication with MFA available; admin access gated by ADMIN_USER_IDS allow-list.
  • Role-scoped access inside the workspace; least-privilege principle for server-side components.
  • Network isolation via AWS security groups; IAM task roles for ECS services (no long-lived access keys in production).
  • Rate limiting, honeypot fields on public forms, and CORS origin validation.
  • Append-only audit trail for AI-executed actions and approvals.
  • Automated backups with encryption and tested restore procedures.

Additional detail is available on our security page. SOC 2 and equivalent attestations are planned.

10. Children's Privacy

The Service is a B2B product for business operators and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact privacy@throva.ai and we will delete it.

11. Changes to this Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or in-app at least 30 days before they take effect.

12. Contact

Privacy questions or data-subject requests: privacy@throva.ai. General support: support@throva.ai. Postal address: Throva, Inc., PO Box 910933, San Diego, CA 92191.

EU/UK representative: Throva does not currently maintain an EU establishment. If you are an EU/UK data subject, you may contact us at privacy@throva.ai; we will appoint an Article 27 representative if and when required.