Privacy Policy
Effective date: 8 March 2026
1. Introduction
NeverTrust.ai ("we", "us", or "our") is committed to protecting your personal information and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy applies to information collected through our website at nevertrust.ai (the "Site"), the NeverTrust.ai network agent software (the "Agent"), the web portal (the "Portal"), the Public Scanner, and any related services (collectively, the "Services").
2. Who We Are
NeverTrust.ai is an AI agent security company based in Australia. We provide network-layer security tools that help organisations monitor and control AI-related network traffic.
For privacy enquiries, you may contact our Privacy Officer at: [email protected]
3. Personal Information We Collect
We only collect personal information that is reasonably necessary for our functions and activities. The types of personal information we may collect include:
3.1 Account Information
When you create an account or register for the waitlist, we collect:
- Email address: required for authentication and communications
- Full name: displayed in your profile and to team members
- Organisation name: required to create or join an organisation
- Job title: optional, helps us understand your role (waitlist)
- Use case description: optional, helps us understand your security needs (waitlist)
3.2 Device Information
When the Agent is installed and enrolled on a device, we collect:
- Device hostname: identifies the device within your organisation
- Operating system: name and version (e.g., macOS 15.3, Ubuntu 24.04)
- Agent version: the installed software version
- Device username: optional, the logged-in user on the device
- IP address: recorded when the Agent communicates with the Portal
- Last seen timestamp: when the device last contacted the Portal
3.3 Network Traffic Metadata
Security event data collected includes:
- URLs and hostnames: of intercepted AI service requests
- HTTP methods and paths: of intercepted requests
- ML classification scores: threat probability scores for prompt injection, data exfiltration, and agentic behaviour
- Threat signals: specific patterns or indicators detected
- Policy decisions: whether traffic was allowed, cautioned, or blocked
- Event type: the category of security event (e.g., prompt inspected, injection blocked)
- Scan snippets: short excerpts from flagged content for audit review (can be disabled per-organisation via configuration)
3.4 Public Scanner Data
When you use the Public Scanner:
- Submitted text: the content you submit for scanning (up to 200KB)
- IP address: hashed (SHA-256) before storage for rate limiting
- Feedback: agree/disagree votes and optional comments on scan results
Submitted text and feedback may be stored as training data to improve our ML models. Text is deduplicated by content hash.
3.5 Information Collected Automatically
When you visit our Site, we may automatically collect certain technical information, including:
- IP address and general geographic location (country/region level)
- Browser type and version
- Pages visited and navigation patterns
- Referring URL
- Date and time of access
This information is collected through Vercel Analytics and Google Analytics 4, as described in Section 9.
3.6 Sensitive Information
We do not intentionally collect sensitive information (as defined in the Privacy Act), including health information, racial or ethnic origin, political opinions, or similar categories. Please do not submit such information through our Services.
4. How We Use Your Personal Information
We use personal information collected from you for the following purposes:
- Service delivery: to provide, operate, and maintain the Services, including device enrolment, security monitoring, policy enforcement, and audit logging
- Account management: to manage your account, organisation membership, and team permissions
- Security operations: to detect, investigate, and respond to security threats on behalf of your organisation
- Product improvement: to improve our ML models, detection accuracy, and overall service quality
- Communications: to send you service-related notifications, security alerts, product updates, and support responses
- Waitlist management: to record your interest and notify you when access is available
- Legal compliance: to comply with applicable laws, regulations, and legal process
- Site analytics: to understand how visitors use our Site and improve its content and performance
We will not use your personal information for purposes other than those set out above without your consent, unless permitted or required by law.
5. Disclosure of Personal Information
5.1 Third-Party Service Providers
We may disclose your personal information to third-party service providers who assist us in operating and delivering our Services. These providers are required to handle your information in accordance with this Privacy Policy and applicable law. Current third-party providers include:
- Supabase Inc.: database hosting, user authentication, and file storage (based in the United States)
- Vercel Inc.: website and application hosting, edge functions, and analytics (based in the United States)
- Upstash Inc.: Redis caching for rate limiting (based in the United States)
- Resend Inc.: transactional and marketing email delivery (based in the United States)
- Google LLC: website analytics via Google Analytics 4 (based in the United States)
When personal information is disclosed to overseas recipients, we take reasonable steps to ensure those recipients do not breach the APPs in relation to that information. However, under APP 8.1, you acknowledge that if such a recipient breaches the APPs, that entity will not be covered by the Privacy Act and you may not have recourse under the Privacy Act.
5.2 Organisation Administrators
If you are a member of an organisation using our Services, your organisation's administrators may have access to device information, security events, and audit logs associated with devices enrolled under that organisation. This data is available through the Portal dashboard.
5.3 Required Disclosures
We may also disclose personal information where required or authorised by law, including to law enforcement agencies or regulators, or to enforce our legal rights.
5.4 Business Transfers
If we merge with, are acquired by, or sell substantially all of our assets to a third party, personal information held by us may be transferred to that third party. We will notify you of any such transfer and any choices you may have regarding your information prior to the transfer completing.
5.5 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes.
6. ML Model Training Data
We use the following data to train and improve our machine learning models:
- Public Scanner submissions: text submitted to the Public Scanner is stored as training samples. Submissions are deduplicated by content hash and labelled with classification results.
- User feedback: agree/disagree votes and comments on scan results are used to improve model accuracy.
- Curated datasets: we use internally curated and publicly available datasets for model development.
7. Marketing Communications
By submitting your email address through our waitlist form or creating an account, you consent to receiving communications from us about our Services, including launch notifications, product updates, and information relevant to AI agent security.
All marketing emails will include an unsubscribe mechanism. You may opt out of marketing communications at any time by clicking "unsubscribe" in any email we send you or by contacting us at [email protected]. Opting out of marketing communications will not affect our ability to send you transactional or service-related communications.
We comply with the Spam Act 2003 (Cth) in all email communications.
8. Data Security
We take reasonable steps to protect the personal information we hold from misuse, interference, and loss, and from unauthorised access, modification, or disclosure. Our security measures include:
- Encryption of data in transit using TLS/HTTPS
- Encryption of data at rest in our database infrastructure
- SHA-256 hashing of API keys and enrolment tokens (plaintext never stored)
- HMAC-signed session cookies with 4-hour expiry
- Rate limiting on all API endpoints to prevent abuse
- Row-level security policies in the database to enforce data isolation between organisations
- Restricted internal access to production data
While we implement these safeguards, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your information.
In the event of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with our obligations under the Notifiable Data Breaches scheme.
9. Cookies and Tracking Technologies
Our Site uses the following analytics services:
- Vercel Analytics: privacy-preserving analytics that does not use cookies to track individual users across sessions
- Google Analytics 4: website analytics that may use cookies and similar technologies to collect usage data. Google Analytics data is subject to Google's Privacy Policy
We use authentication cookies (session cookies) to maintain your logged-in state when using the Portal. These are functional cookies necessary for the service to operate.
If we introduce additional tracking technologies in future, we will update this Privacy Policy and implement an appropriate consent mechanism.
10. Data Retention
We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including:
- Account data: retained while your account is active, and deleted within 30 days of account closure or organisation deletion
- Waitlist data: retained until you request deletion, withdraw consent, or until we determine the information is no longer needed
- Security event data: audit events are retained in accordance with your organisation's plan and applicable legal requirements
- Device data: retained while the device is enrolled and deleted when the device is removed from your organisation
- Public Scanner data: training samples are retained indefinitely for model improvement; IP hashes are retained for rate limiting purposes only
- Analytics data: retained in aggregated, non-identifiable form indefinitely for product improvement purposes
When personal information is no longer required, we will take reasonable steps to destroy or de-identify it in a secure manner. Organisations that are soft-deleted are permanently purged after 30 days.
11. Your Rights and Choices
Under the Australian Privacy Principles, you have the following rights in relation to your personal information:
- Access: you may request access to the personal information we hold about you
- Correction: you may request that we correct personal information that is inaccurate, incomplete, or out of date
- Deletion: you may request that we delete your personal information where we no longer have a lawful basis for holding it. You can also delete your account directly through the Portal.
- Withdrawal of consent: where we process your information based on consent, you may withdraw that consent at any time
- Data export: you may request a copy of your audit event data through the Portal (where available under your plan)
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within a reasonable timeframe and in any event within 30 days. We may need to verify your identity before processing your request.
12. Agent-Specific Privacy Considerations
12.1 TLS Interception
The Agent creates a device-local certificate authority (CA) to inspect encrypted HTTPS traffic to AI services. The CA private key is generated on-device and never leaves the device. The Agent only intercepts traffic to known AI provider endpoints and does not perform blanket surveillance of all network traffic.
12.2 Data Minimisation
The Agent is designed with data minimisation principles:
- Response body content is never transmitted to the Portal
- Event payloads are sanitised with strict size limits (4KB per string, 50 items per array)
- Scan snippets (short excerpts of flagged content) can be disabled via organisation configuration
- Failed event deliveries are spooled locally (up to 50MB) and retried, then discarded
12.3 Employee Privacy
If the Agent is deployed on your device by your employer, your employer (as the data controller) is responsible for notifying you about the Agent's operation and obtaining any required consents. Your employer's organisation administrators can view security events and device information through the Portal. Contact your employer's IT or privacy team for information about their policies.
13. Complaints
If you believe we have handled your personal information in a manner inconsistent with the Privacy Act or the APPs, we encourage you to contact us first so we can address your concerns:
Email: [email protected]
We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, or if we have not responded within 30 days, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
14. Links to Third-Party Sites
Our Site may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to read their privacy policies before providing any personal information.
15. Children
Our Site and Services are not directed at children under the age of 15, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us and we will promptly delete it.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the effective date at the top of this page.
If we make changes that significantly affect how we handle your personal information, we will notify you by email or through the Portal prior to the changes taking effect.
17. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact us: