Privacy Policy

This Privacy Policy describes how Tomosu AI (“Tomosu,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with our website, our governance platform, and any related services (collectively, the “Services”). It applies to website visitors, prospects, customers, customer end users, and anyone who otherwise interacts with us.

If you are a customer’s end user (for example, an engineer at a company that uses Tomosu), the customer’s own privacy policies govern how your data is processed within their environment. Where Tomosu acts as a processor on a customer’s behalf, the customer is the controller; please direct rights requests to them in the first instance.

1. Scope and roles

This Policy applies to personal information we process in our capacity as a controller — for example, when you visit our website, request a demo, sign up for marketing, or apply for a job. Where we process personal information contained in customer data on behalf of a customer, we act as a processor (or service provider under the CCPA), and our processing is governed by the Data Processing Addendum (“DPA”) executed with the customer.

2. Information we collect

The categories of personal information we collect depend on how you interact with us.

2.1 Information you provide

  • Account & identity data: name, business email, business phone, employer, role, password (hashed).
  • Sales & marketing data: information you submit on contact forms, newsletter sign-ups, event registrations, or in response to outreach.
  • Billing data: invoicing details, tax IDs, billing contact, and the last four digits of payment instruments. Full payment card data is collected and stored by our PCI-DSS-compliant payment processor; Tomosu does not store full card numbers.
  • Career applications: resume, work history, references, and right-to-work information you submit through our hiring platform.
  • Support communications: messages, attachments, and call recordings (with notice) shared while requesting support.

2.2 Information collected automatically

  • Device & log data: IP address, browser type and version, operating system, device identifiers, referring/exit URLs, timestamps, and pages viewed.
  • Product telemetry: feature usage, performance, error events, click streams within the Tomosu application, and aggregate session metadata.
  • Cookies & similar technologies: see section 11.

2.3 Information from third parties

  • Identity providers: if you authenticate via Google, Microsoft, Okta, or another single sign-on provider, we receive the profile fields you authorize.
  • Enrichment providers: business contact data sourced from reputable enrichment vendors to support B2B outreach.
  • Customer integrations: where you authorize Tomosu to integrate with a source-control, observability, or ticketing system, we receive the metadata required to operate the Services. Specific scopes are documented in the in-product integration flow and the customer DPA.

2.4 Information we do not collect or process

Tomosu’s default integration posture is metadata-only. By default, we do not ingest the contents of source files, customer secrets, end-user PII captured by your applications, or production database rows. Specific exceptions, if any, are scoped in writing through the customer DPA and require explicit customer authorization.

3. How we use information

  • To provide, operate, secure, and improve the Services, including the Production Reliability Index, the governance lane, and incident-attribution features.
  • To create, administer, and authenticate accounts and to enforce our Terms.
  • To process billing, taxes, and collections, and to maintain financial records.
  • To respond to inquiries, provide customer support, and send service-related notices (e.g., security advisories, maintenance, policy updates).
  • To send marketing communications about products, events, research, and offers, where permitted by law and subject to your opt-out rights.
  • To recruit and evaluate candidates for open roles.
  • To conduct analytics, product research, A/B experimentation, and quality assurance.
  • To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our policies.
  • To comply with legal obligations, enforce our agreements, and exercise or defend legal claims.

5. How we share information

We do not sell personal information, and we do not share it with third parties for cross-context behavioral advertising under the CCPA.

We share personal information in the following limited circumstances:

  • Sub-processors who process personal information on our behalf and under contract (see section 6).
  • Customers and their authorized administrators, in connection with their account, license, or DPA.
  • Professional advisors: lawyers, accountants, auditors, and insurers, under duties of confidentiality.
  • Corporate transactions: in connection with a financing, merger, acquisition, asset sale, reorganization, or insolvency, where the recipient is bound to honor this Policy as to personal information transferred.
  • Legal compliance & safety: where we believe disclosure is required by law, legal process, or regulatory request, or is necessary to protect the rights, safety, or property of Tomosu, our customers, or others.

6. Sub-processors

We engage carefully selected vendors to support the Services. Each sub-processor is bound by a written agreement that requires confidentiality, security, and processing limitations consistent with this Policy and the customer DPA.

An up-to-date list of authorized sub-processors is made available to customers, who may subscribe to advance notice of changes.

7. International data transfers

We may transfer personal information outside your country of residence to jurisdictions where we, our affiliates, or our sub-processors operate. Where required by law, transfers are made under appropriate safeguards, including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss Federal Data Protection and Information Commissioner’s adequacy frameworks, and additional safeguards as appropriate.

8. Data retention

We retain personal information for as long as needed to fulfill the purposes for which it was collected and to satisfy legal, accounting, or reporting obligations. Typical retention periods are summarized below; customer-controlled data is governed by the customer DPA and configured retention.

Category                    Typical retention
Marketing leads             Up to 24 months from last engagement, unless you opt out earlier.
Customer account records    Term of the agreement plus 7 years for tax and audit purposes.
Product telemetry           Up to 13 months in identifiable form; aggregated thereafter.
Security logs               Up to 12 months, longer if required to investigate an incident.
Career applications         Up to 24 months unless you withdraw consent earlier.
Support communications      Up to 36 months from case closure.

9. Information security

We maintain a written information-security program designed in alignment with SOC 2 Type II and ISO/IEC 27001. Controls include, without limitation:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
  • Tenant isolation, least-privilege access, and SSO/MFA enforcement on all employee accounts.
  • Role-based access control, secrets management, and key rotation.
  • Continuous vulnerability scanning, dependency monitoring, and quarterly third-party penetration testing.
  • 24x7 monitoring and a documented incident-response plan with notification procedures consistent with applicable law and the customer DPA.
  • Background checks and security training for personnel with access to customer data.

Reporting a vulnerability: please email contact@tomosu.ai. We commit to acknowledging receipt within one business day and to good-faith engagement under our coordinated-disclosure policy.

10. Your privacy rights

Depending on where you live, you may have the following rights, subject to verification and applicable exceptions:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct inaccurate or incomplete information.
  • Deletion — request that we delete personal information.
  • Portability — receive your information in a structured, machine-readable format.
  • Restriction or objection — restrict or object to certain processing, including direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.
  • No automated decision-making — we do not make decisions producing legal or similarly significant effects about you using solely automated means in connection with our website. Where used inside the Services, the customer determines whether such processing applies and is the appropriate point of contact.
  • Non-discrimination — we will not discriminate against you for exercising any of these rights.

To exercise these rights, email contact@tomosu.ai. We may need to verify your identity before responding. You also have the right to lodge a complaint with your supervisory authority; for EEA residents, that is your local data protection authority, and for UK residents, the Information Commissioner’s Office (ICO).

California residents may designate an authorized agent to make a request on their behalf. Information about Tomosu’s collection, use, and disclosure of personal information in the preceding 12 months is summarized in this Policy.

11. Cookies and tracking

We use cookies and similar technologies to operate our website, remember preferences, measure performance, and (with your consent where required) understand how visitors find us.

  • Strictly necessary — required for core functionality (e.g., session, security, load balancing). Cannot be disabled.
  • Functional — remember preferences such as language and region.
  • Analytics — help us understand aggregate traffic and content performance. Used only with your consent in jurisdictions that require it.
  • Marketing — measure the effectiveness of campaigns. Used only with your consent.

You can manage non-essential cookies through the cookie banner on your first visit, the “Cookie Settings” link in the footer, and your browser controls. We honor the Global Privacy Control (GPC) signal as a request to opt out of sale/sharing where applicable.

12. Children’s privacy

The Services are intended for business use and are not directed to children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact contact@tomosu.ai and we will delete it.

13. AI and model training

Tomosu does not train foundation models on customer data. Where we use machine-learning components inside the Services (for example, classifiers used to evaluate AI-generated changes), those components are trained on data we are licensed to use, on data sourced from synthetic or open corpora, or on customer-specific data inside the customer’s tenant where the customer has expressly opted in via the DPA. Customer data is never used to improve the global product without contractual authorization.

14. Changes to this Policy

We may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top, and, for material changes, will notify you via email (where we have one), through the Services, or by posting a prominent notice on our website. Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the updates to the extent permitted by law.

15. Contact us

For privacy questions, requests, or complaints, contact us at contact@tomosu.ai.