AI Privacy

Your data trains your growth,
not our models.

Every audit, journey and copilot answer Thrivio generates is built from your workspace's own context — and stays there. No cross-tenant training. No shared prompt history. No surprises.

  • Workspace-isolated
  • No cross-tenant training
  • You own your outputs
  • UK/EU-friendly
The 60-second version

Four promises, plain English.

Your AI results stay in your workspace.

Audits, findings, opportunities and copilot answers are gated by row-level security at the database. Not by app code alone.

We don't train foundation models on your data.

Your prompts and uploads aren't used to train Thrivio's or any provider's base models. Full stop.

Every answer is built from your context only.

No shared vector store. No cross-project RAG. Each call assembles a fresh prompt from your project's own knowledge.

Export or delete everything, any time.

Settings → Account gives you one-click export and a 30-day grace deletion flow. No emails, no waiting.

How isolation actually works

A locked room per workspace.

Isolation isn't a policy we hope the app remembers. It's built into three layers, each independently enforced.

Workspace membershipRow-level securityPer-request AI
  1. 01

    Workspace membership

    Users belong to workspaces via a members table. Every AI-output row roots back to a workspace_id — directly or through its parent project.

  2. 02

    Row-level security in the database

    Postgres RLS policies check workspace membership on every SELECT, INSERT, UPDATE and DELETE. Even a buggy query can't return another tenant's rows.

  3. 03

    Per-request AI calls

    Each AI call is stateless. No shared vector store, no cross-project RAG, no accumulated prompt history. The context is rebuilt from scratch each time — from your project only.

What we send to AI models

Only your context. Never someone else's.

When you run an audit, ask the copilot, or generate a briefing, we assemble a fresh prompt from your project's own knowledge: the URL you audited, the goals you set, the notes you wrote. Then we send that prompt to the model best suited for the task via an AI Gateway. The model returns an answer. The prompt is discarded from our side after the response is stored to your workspace.

Shape of every AI call
system: Thrivio audit instructions
context: your project's knowledge only
user: your specific question
→ No other tenant's data, ever.
What we log

We log that a call happened — not what it said.

We do record
  • Workspace ID (for billing & abuse-prevention)
  • Model name and token counts (for cost accounting)
  • Timestamp and latency
  • Whether the call succeeded
We don't record
  • Prompt text
  • Response text
  • Files you uploaded to the prompt
  • Any user identifiers beyond your workspace

The AI request log is admin-only at the database level. Even Thrivio staff need role-gated access to read it.

Sharing & impersonation

Every door has a lock and an audit trail.

Share links

Share tokens are single-resource — a token unlocks one audit or one journey and its own child rows, nothing else. Tokens are 24-character random strings and can be revoked instantly from your dashboard.

Admin impersonation

Thrivio staff can only impersonate accounts with an admin role, gated by a security-definer check in the database. Every impersonation session is logged with a reason before the magic link is issued, and sessions auto-return after 30 minutes.

FAQ

The specific questions we get most.

Still have questions?

Talk to a human — not a form.

For formal policy documents, see our Privacy policy and Data processing addendum.

security@thrivio.ai