Your data trains your growth,
not our models.
Every audit, journey and copilot answer Thrivio generates is built from your workspace's own context — and stays there. No cross-tenant training. No shared prompt history. No surprises.
- Workspace-isolated
- No cross-tenant training
- You own your outputs
- UK/EU-friendly
Four promises, plain English.
Your AI results stay in your workspace.
Audits, findings, opportunities and copilot answers are gated by row-level security at the database. Not by app code alone.
We don't train foundation models on your data.
Your prompts and uploads aren't used to train Thrivio's or any provider's base models. Full stop.
Every answer is built from your context only.
No shared vector store. No cross-project RAG. Each call assembles a fresh prompt from your project's own knowledge.
Export or delete everything, any time.
Settings → Account gives you one-click export and a 30-day grace deletion flow. No emails, no waiting.
A locked room per workspace.
Isolation isn't a policy we hope the app remembers. It's built into three layers, each independently enforced.
- 01
Workspace membership
Users belong to workspaces via a members table. Every AI-output row roots back to a workspace_id — directly or through its parent project.
- 02
Row-level security in the database
Postgres RLS policies check workspace membership on every SELECT, INSERT, UPDATE and DELETE. Even a buggy query can't return another tenant's rows.
- 03
Per-request AI calls
Each AI call is stateless. No shared vector store, no cross-project RAG, no accumulated prompt history. The context is rebuilt from scratch each time — from your project only.
Only your context. Never someone else's.
When you run an audit, ask the copilot, or generate a briefing, we assemble a fresh prompt from your project's own knowledge: the URL you audited, the goals you set, the notes you wrote. Then we send that prompt to the model best suited for the task via an AI Gateway. The model returns an answer. The prompt is discarded from our side after the response is stored to your workspace.
We log that a call happened — not what it said.
- Workspace ID (for billing & abuse-prevention)
- Model name and token counts (for cost accounting)
- Timestamp and latency
- Whether the call succeeded
- Prompt text
- Response text
- Files you uploaded to the prompt
- Any user identifiers beyond your workspace
The AI request log is admin-only at the database level. Even Thrivio staff need role-gated access to read it.
Every door has a lock and an audit trail.
Share links
Share tokens are single-resource — a token unlocks one audit or one journey and its own child rows, nothing else. Tokens are 24-character random strings and can be revoked instantly from your dashboard.
Admin impersonation
Thrivio staff can only impersonate accounts with an admin role, gated by a security-definer check in the database. Every impersonation session is logged with a reason before the magic link is issued, and sessions auto-return after 30 minutes.
Everything is a click away.
The specific questions we get most.
Talk to a human — not a form.
For formal policy documents, see our Privacy policy and Data processing addendum.