ProvaProva

Privacy Policy

Last updated: May 19, 2026

1. Introduction

Prova Trust, Inc. ("Prova," "we," "us") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, and safeguard information when you use our verifiable AI infrastructure platform.

2. Information We Collect

We may collect the following types of information:

  • Account information: Email address, display name, and authentication tokens used to access the platform.
  • Delegated credentials: Login credentials you voluntarily delegate for data retrieval. These are encrypted in transit, processed exclusively within hardware-secured enclaves (Intel TDX), and provably destroyed after use.
  • Attestation metadata: Cryptographic hashes (including hashes of processed outputs), attestation bundles, timestamps, request status, and verification records associated with processed requests.
  • Usage data: Pages visited, features used, request timestamps, and device/browser information for analytics and service improvement.

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Process credential delegations and generate attestation bundles
  • Improve and personalize the user experience
  • Communicate service updates and respond to support requests
  • Comply with legal obligations and enforce our Terms of Use

4. Data Custody — Processing & Attestation Layer

Prova is designed as a processing and attestation layer, not a data custodian for your regulated or enterprise payloads. When you use the Service:

  • During processing: Data you submit or delegate may exist only inside hardware-secured enclaves (Intel TDX) for the duration of the request. Delegated credentials are encrypted in transit, decrypted only in enclave memory, and destroyed after use.
  • What you receive: The full processed result is returned to you in the API response, made available for download in the web portal, stored locally in your browser where applicable, and/or delivered to an optional webhook URL you provide (your infrastructure — e.g. S3, database, or data lake).
  • What we retain server-side: Only a cryptographic hash of your output (e.g. SHA-256 of a canonical serialization), plus attestation proofs and limited operational metadata (such as request status and timestamps). We do not intend to persist full clinical, financial, or other regulated payloads on Prova-operated systems as part of our production architecture.
  • Integrity verification: You may hash your stored copy and compare it to the hash we retain, or independently verify the attestation bundle through our verification endpoints.

You are responsible for retaining, securing, and complying with applicable law for copies of outputs in your environment. Contact us if you need deployment-specific retention details for your account or pilot.

5. Data Security

We employ industry-leading security practices to protect information we process and the metadata we retain. Delegated credentials are encrypted with P-256 ECDH + AES-256-GCM, decrypted only inside Intel TDX hardware-encrypted memory, and destroyed via zeroize-on-drop after processing. We do not store raw credentials beyond the duration of a single request.

6. Data Sharing

We do not sell your personal information. We may share information with third parties only in the following circumstances:

  • With your explicit consent
  • To comply with legal obligations, court orders, or regulatory requirements
  • With service providers who assist in operating the platform, subject to confidentiality agreements
  • In connection with a merger, acquisition, or sale of assets (with prior notice)

7. Cookies & Analytics

We may use cookies and similar tracking technologies to collect usage data and improve the Service. You can control cookie preferences through your browser settings. Essential cookies required for platform functionality cannot be disabled.

8. Data Retention

Server-side, we retain cryptographic output hashes, attestation bundles, and operational metadata for as long as necessary to provide verification, audit, and support services (typically subject to documented retention limits such as periodic expiry of request metadata). Account information is retained while your account is active. Full processed outputs are your responsibility to retain in your systems or browser-local storage. You may request deletion of your account and associated server-side metadata at any time by contacting us.

9. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data, as well as the right to object to or restrict certain processing. To exercise these rights, contact us at the address below.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.

12. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us at privacy@provatrust.com.