Privacy Policy
1. Who we are
Gentrail provides governance, policy-enforcement, and audit-evidence software for enterprise AI agents. This policy covers gentrail.ai (this website), our sales and demo process, and the limited product-related processing described in Section 7. The Gentrail product otherwise runs in your own cloud environment under your evaluation agreement or order form.
Contact: team@gentrail.ai
2. What we collect
You give us: when you request a demo, we collect your name, work email, and optionally your role, company, and anything you write in the message box. If you email us or book a meeting, we receive whatever you send.
Automatically: our web server keeps standard access logs (IP address, user agent, pages requested) for security and operations. This website does not set cookies and does not run analytics or advertising trackers.
3. How we use it
- To respond to your demo request and schedule and run the demo.
- To communicate with you about an evaluation or purchase you've expressed interest in.
- To send occasional product updates relevant to your enquiry - every such email identifies us and includes a working unsubscribe, and we stop on request.
- We do not sell personal data, and we do not use it for third-party advertising.
Submitting the demo form lets us respond to your enquiry. For the purposes of Canada's Anti-Spam Legislation, your enquiry creates implied consent for related commercial electronic messages for up to six months; we don't add you to any ongoing marketing list without your express opt-in. Where the GDPR applies (EU/UK visitors), our legal bases are pre-contractual steps you've requested (Art. 6(1)(b)) and legitimate interest in responding to inbound enterprise enquiries (Art. 6(1)(f)).
4. Who processes it for us
| Processor | Purpose | Location |
|---|---|---|
| Formspree, Inc. | Form submission handling | US |
| Google Workspace | Sales mailbox and lead tracking | US/global |
| Slack Technologies | Internal lead notification | US/global |
| Amazon Web Services | Website hosting, server logs | [REGION] |
For transparency: the product's optional AI-assisted features (policy rule extraction, tool classification) can call third-party model APIs such as OpenAI and Mistral - but only using API credentials you supply, under your own provider accounts. Those providers act for you, not for Gentrail, and are not Gentrail processors; see Section 7.
For EU/UK personal data: Google, Slack (Salesforce), and Amazon Web Services hold active EU-U.S. Data Privacy Framework certifications (including the UK Extension and Swiss-U.S. DPF), and Formspree relies on Standard Contractual Clauses under its data-processing terms.
5. Retention
Demo-request records are kept while we have an active conversation with you and for up to [24 months] after last contact, then deleted or anonymized from our active systems, subject to provider backup cycles, security logs, and any legal holds. Server logs rotate after [90 days].
6. How we protect it
Demo-request data is held in access-controlled accounts with multi-factor authentication, visible to authorized Gentrail personnel with a business need for sales, scheduling, support, or launch operations. We apply administrative and technical safeguards proportionate to the sensitivity of business contact data.
7. The product runs in your cloud - your agent data stays there
Gentrail deploys into the customer's own AWS account. Agent traces, policies, violations, and audit evidence are stored and processed inside the customer's environment. In normal operation Gentrail (the company) does not receive, host, or access that data, and licensing is verified locally by cryptographic signature, with no call-home.
Gentrail does not have default access to your environment. Access occurs only through customer-enabled features, customer-created roles, or customer-granted support access: (a) support access you explicitly grant us during an engagement, and (b) the optional cross-account compliance scanner - a broad AWS read-only/security-audit IAM role you create in your own account, which can read infrastructure metadata and configuration details but has no write permissions, gated by an ExternalId you hold, with sessions capped at one hour, revocable at any time. Both are governed by the evaluation agreement or order form, not by this policy.
No AI training on customer data by Gentrail. Gentrail does not use customer content - agent traces, policy documents, rules, violations, or audit evidence - to train Gentrail models. Optional AI-assisted features (policy rule extraction, tool classification) call third-party model APIs - such as OpenAI and Mistral - using API credentials the customer supplies, under the customer's own provider accounts and agreements. Gentrail provides no model service, holds no provider credentials in the customer's deployment, and never receives the content of those calls; the features remain disabled until the customer configures them. The customer's agreements with its model providers govern that processing.
8. Your rights and who's accountable
[NAME] is the person responsible for personal-information protection at Gentrail, covering privacy governance, access requests, complaints, and confidentiality-incident coordination. You may request access to, correction of, or deletion of your personal data, or withdraw consent to further contact, by writing to team@gentrail.ai; we'll respond within 30 days. If you're unsatisfied, you can complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your local supervisory authority.
9. California residents
If the CCPA/CPRA applies to you: in the last 12 months we have collected the categories of personal information described in Section 2 (identifiers and professional information; internet activity in server logs), sourced directly from you via the demo form or email and automatically from server logs, for the purposes in Section 3. We disclose them for business purposes only to the service providers listed in Section 4. We do not sell or share personal information as those terms are defined in the CCPA, and we do not use sensitive personal information beyond what's necessary to respond to you. Retention is described in Section 5. You (or an authorized agent acting for you) may exercise access, deletion, and correction rights via team@gentrail.ai; we'll verify requests against the contact details you used with us, and we don't discriminate for exercising your rights. This section, together with Section 2, serves as our notice at collection.
10. Disclosure required by law; business transfers
We may disclose personal data where required by law, court order, or a lawful request by public authorities, and we'll tell you we did unless legally prohibited. If Gentrail is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction; we'll notify you of any change in ownership or in how your personal data is handled.
11. Automated decision-making; tracking signals; third-party links
We don't make automated decisions about you that have legal or similarly significant effects. Because we do not sell or share personal information or use cross-site tracking, "Do Not Track" and Global Privacy Control signals do not change site behavior. Our site may link to third-party sites; their privacy practices are their own.
12. Not for children
The website and product are for business use; we don't knowingly collect data from anyone under 18.
13. Changes
We'll post changes here with a new effective date. Material changes get a notice on the site.