Privacy Policy
1. Overview
This Privacy Policy explains how Guardia AI collects, uses, stores, and protects information when you use the Guardia AI compliance scanning platform ("Service"), available via Microsoft Azure Marketplace or directly at app.trustguardia.com.
We are committed to protecting your data. This policy is written in plain language – we describe exactly what we collect and what we do with it.
2. Information We Collect
2.1 Account and Subscription Information
When you purchase and activate the Service, we collect:
- Your email address (from Azure Marketplace purchase data)
- Your Azure Active Directory tenant ID and object ID
- Your selected subscription plan
- Activation timestamp and subscription status
2.2 Azure Credentials
To scan your Azure environment, you provide a Service Principal with read-only access. We collect and store:
- Azure tenant ID
- Service Principal client ID
- Service Principal client secret (encrypted at rest)
- Azure subscription IDs you designate for scanning
These credentials are used solely to authenticate API calls to Microsoft Azure on your behalf. They are never shared, sold, or used for any purpose other than executing your compliance scans.
2.3 Azure Resource Metadata (Scan Data)
When a scan runs, we query and temporarily process:
- Azure resource names, IDs, types, and locations
- Azure ML workspace configurations
- Azure Cognitive Services and OpenAI instance properties
- RBAC role assignment metadata
- Azure Policy assignment data
- Diagnostic settings configurations
We do not access: storage content, application code, model weights, personal data of your end users, or Azure Key Vault secrets.
2.4 Scan Reports
We store compliance reports generated by your scans, containing aggregated compliance scores, findings mapped to Azure resource IDs, AI-generated remediation guidance (on eligible plans), and timestamps. Reports are retained per your plan tier and deleted automatically upon expiry or cancellation.
2.5 Usage and Technical Data
We collect limited technical data: API request timestamps and HTTP status codes (no request body content), scan counts for quota enforcement, and Container App health metrics. We do not use cookies, tracking pixels, or behavioral analytics.
3. How We Use Your Information
| Data | Purpose |
|---|---|
| Account info | Manage subscription, authenticate API access, send service communications |
| Azure credentials | Execute compliance scans on your designated subscriptions |
| Scan data | Generate compliance reports, enforce plan-level framework access |
| Usage data | Enforce monthly scan quotas, monitor service health |
We do not sell your data, use it for advertising, train AI models on your resource data, or share it with other customers.
4. Data Sharing
4.1 Microsoft Azure Infrastructure
Your data is processed on Microsoft Azure (Container Apps, Azure Container Registry). Microsoft acts as a data processor under their Data Processing Agreement.
4.2 OpenAI (AI Enrichment – opt-in only)
If you enable AI-powered enrichment, finding descriptions from your scan reports are sent to OpenAI's API to generate remediation guidance. This includes only Azure resource types and compliance finding descriptions – no credentials, no PII, no resource content.
4.3 Legal Requirements
We may disclose information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of Guardia AI, our customers, or the public.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, customer data may be transferred to the successor entity under the same privacy protections.
5. Data Security
- Encryption in transit – All communication uses TLS 1.2 or higher
- Encryption at rest – Azure credentials and API keys stored encrypted; API keys stored as SHA-256 hashes
- Tenant isolation – Each customer's data is logically isolated
- Least privilege – Service Principal has read-only access (Reader role) – Guardia AI cannot modify Azure resources
- No persistent credential logging – Azure credentials are never written to application logs
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Scan reports – Free Trial | 7 days |
| Scan reports – Starter | 30 days |
| Scan reports – Professional | 90 days |
| Scan reports – Enterprise | 365 days |
| Azure credentials | Until subscription cancellation |
| Account metadata | 90 days after cancellation |
| Technical/usage logs | 30 days |
7. Your Rights
Depending on your location, you may have the following rights:
- Access – Request a copy of the data we hold about you
- Correction – Request correction of inaccurate data
- Deletion – Request deletion of your data ("right to be forgotten")
- Portability – Request scan reports in machine-readable JSON format
- Restriction – Request that we restrict processing of your data
- Objection – Object to certain processing activities
EU/UK residents: Rights provided under GDPR and UK GDPR.
California residents: Rights provided under CCPA/CPRA.
To exercise any right, contact privacy@trustguardia.com. We respond within 30 days.
8. Data Deletion
To delete your account and all associated data:
- Cancel your subscription via Azure Marketplace
- Email privacy@trustguardia.com with subject: "Data Deletion Request"
- Include your Azure Marketplace subscription ID
We will permanently delete all your data within 30 days and provide written confirmation.
9. International Data Transfers
The Service is hosted on Microsoft Azure (default: East US). If you are located in the EU or UK, your data may be processed in the United States. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify active customers of material changes by posting the updated policy with a new "Last Updated" date and sending an email notification to your subscription address.
11. Contact Us
Privacy questions: privacy@trustguardia.com
Security vulnerabilities: security@trustguardia.com
General contact: contact@trustguardia.com