Saluca · Legal

Saluca Privacy Policy

Effective date: July 8, 2026 · Last updated: July 8, 2026

This Privacy Policy explains how Saluca LLC, a California limited liability company ("Saluca," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with our websites, products, and services. Saluca is a US-based business-to-business (B2B) software-as-a-service (SaaS) provider and software vendor.


1. Scope & Who We Are

Controller identity. For personal information described in this Policy for which Saluca determines the purposes and means of processing, the controller is:

1.1 A critical distinction: what Saluca processes vs. what stays with you

Saluca offers products with fundamentally different data postures. Please read this section first, because it determines whether Saluca receives your data at all.

Product Deployment Does Saluca receive/process your operational data?
Asphodel Hosted SaaS operated by Saluca Yes. Saluca processes and stores Customer Content (AI agent queries and persistent "memory" text) on Saluca's cloud infrastructure (Google Cloud, United States).
PEP add-on Hosted governance layer in front of Asphodel, operated by Saluca Yes. Same posture as Asphodel.
Tiresias-ZT Self-hosted software you run on your own infrastructure No — by design. Your governed data stays on your infrastructure. Saluca does not receive or process it. License verification is performed offline (no "phone home"). The only exception is the optional, opt-in Enterprise/MSSP central-control-plane enrollment, which transmits a signed audit trail to Saluca.

In plain terms: When you use Asphodel (or the PEP add-on), you submit content to Saluca's cloud, and this Policy governs how we handle it. When you run Tiresias-ZT on your own infrastructure, Saluca does not collect your operational or governed data at all — that data never leaves your environment, and we cannot access it. If you opt in to Enterprise/MSSP central-control-plane enrollment, Saluca receives only a signed, tamper-evident audit trail (metadata about governance events), not your underlying governed content.

1.2 Customer Content vs. our own data

Where you submit content to a hosted Saluca service (Asphodel, PEP add-on), Saluca acts as a processor (service provider) that handles that content on your behalf and under your instructions. Where we handle account, billing, marketing, and website data for our own business purposes, Saluca acts as a controller. See Section 5 for the details of these roles and how they cross-reference our Data Processing Agreement (DPA).


2. Information We Collect

The table below summarizes the categories of personal information we handle, the sources, and how we act. Details follow.

Category Examples Source Saluca's role
Account data Account email (via WorkOS SSO — Google, email, or passkey), optional display name, workspace/tenant identifiers You / your organization at sign-up Controller
Billing data Stripe customer ID and subscription ID, plan, billing status (Saluca does not store full payment card numbers) Stripe, on your transaction Controller
Customer Content (Asphodel / PEP) AI agent queries; persistent "memory" text you choose to store You / your users, submitted to the hosted service Processor (on your behalf)
Usage, audit & log metadata Request/usage metrics, signed tamper-evident audit records, security and diagnostic logs, IP address, timestamps, device/browser metadata Generated automatically when services are used Controller (operational logs) / Processor (tenant audit)
Marketing & website leads Name, email, and any details you submit on our website (e.g., waitlist/contact forms), protected by Cloudflare Turnstile and stored in Supabase You, via our website Controller
Cookies & similar technologies Essential session/authentication cookies; minimal, privacy-respecting analytics Your browser Controller

2.1 Account data

When you or your organization create an account, we collect your account email through our authentication provider, WorkOS (supporting Google SSO, email, and passkeys), together with an optional name and the workspace/tenant identifiers that associate you with your organization.

2.2 Billing data

Payments are processed by Stripe. Saluca stores Stripe customer and subscription identifiers and related billing status, but does not collect or store full payment card numbers or equivalent cardholder data — those are handled directly by Stripe.

2.3 Customer Content (Asphodel and PEP add-on)

When you use Asphodel or the PEP add-on, you submit Customer Content — including AI agent queries and persistent "memory" text — which we process and store on your behalf. You control what content you submit. We handle this content as a processor under your instructions and the applicable services agreement and DPA (see Section 5).

Special-category and regulated data. Saluca does not intentionally collect special-category personal data (as defined under GDPR/UK GDPR) or other regulated data. Customers are instructed not to submit special-category, sensitive, or otherwise regulated personal data into the services without an appropriate Data Processing Agreement (and any additional terms) in place.

2.4 Usage, audit, and log metadata

We generate operational metadata when the services are used, including usage metrics, security and diagnostic logs, IP addresses and timestamps, and signed, tamper-evident audit records that support security, integrity, and tenant governance.

2.5 Marketing and website data

If you submit a form on our website (for example, to join a waitlist or contact us), we collect the information you provide. These forms are protected against abuse by Cloudflare Turnstile, and submissions are stored in Supabase.

2.6 Self-hosted Tiresias-ZT

As explained in Section 1.1, when you deploy Tiresias-ZT on your own infrastructure, Saluca does not collect your governed or operational data. License verification is offline. Only if you opt in to Enterprise/MSSP central-control-plane enrollment does Saluca receive a signed audit trail.


3. How We Use Information

We use personal information for the following purposes:

We do not use Customer Content to train machine-learning models, we do not use Customer Content for advertising, and we do not sell personal information (see Section 6).


Where GDPR or UK GDPR applies, we rely on the following legal bases:

For Customer Content processed on your behalf, your organization (the customer) is the controller and determines the legal basis; Saluca acts as processor (see Section 5).


5. Our Roles: Controller and Processor

Where our roles or these terms conflict with a signed customer agreement or DPA for Customer Content, the signed agreement/DPA controls for that content.


6. How We Share Information

We share personal information only as described below.

6.1 Service providers / sub-processors

We use vetted third parties to provide our services. Each is bound by contract to protect personal information and to process it only as needed to provide their service. Our current sub-processors include:

Sub-processor Purpose Notes
Google Cloud Hosting, compute, storage, and database United States
Stripe Payment processing Saluca stores identifiers only, not card numbers
WorkOS Authentication / SSO (Google, email, passkey)
Resend Transactional email
Cloudflare DNS, CDN, WAF, and Turnstile bot protection
Supabase Marketing/website leads database

For the current, authoritative list, see our Sub-processor page. We will provide at least 30 days' advance notice before adding or replacing a sub-processor, as set out in our DPA, so that customers may object.

We may disclose information where we believe in good faith it is necessary to comply with law or valid legal process; to enforce our agreements; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Saluca, our customers, or others.

6.3 Business transfers

If Saluca is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to this Policy or a successor policy with equivalent protections. We will notify affected individuals of any such change in ownership or control of personal information as required by applicable law.

6.4 No sale or "sharing" of personal information

Saluca does not sell personal information and does not "share" it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act as amended by the CPRA (and analogous state laws). We do not use third-party advertising or cross-context behavioral advertising tags on our services.


7. International Data Transfers

Saluca stores and processes hosted-service data in the United States (Google Cloud). If you access our services from the EU, UK, or elsewhere outside the US, your personal information will be transferred to and processed in the United States.

Where we transfer personal data from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Addendum to the SCCs. These clauses are incorporated through our Data Processing Agreement and applicable sub-processor agreements. You may request further information about these safeguards by contacting privacy@saluca.com.


8. Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.


9. Security

We maintain administrative, technical, and organizational measures designed to protect personal information, including:

Compliance status. Saluca's SOC 2 examination is in progress. Saluca is not currently SOC 2 certified, and nothing in this Policy should be read as such a claim.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.


10. Your Privacy Rights

Your rights depend on where you live and our role in processing your data. Where Saluca acts as a processor of Customer Content, please direct requests to the customer (the controller) whose service you use; we will assist that customer as required by the DPA.

10.1 EEA / UK rights (GDPR / UK GDPR)

Subject to conditions and exemptions, you have the right to: access your personal data; rectify inaccurate data; request erasure; restrict processing; data portability; object to processing (including direct marketing); and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority — in the EEA, your local Data Protection Authority; in the UK, the Information Commissioner's Office (ICO).

10.2 California rights (CCPA / CPRA)

Subject to conditions and exemptions, California residents have the right to: know/access the categories and specific pieces of personal information collected; delete personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information (note: Saluca does not sell or share personal information — see Section 6.4); limit the use of sensitive personal information (Saluca does not intentionally collect sensitive personal information for such uses); and to be free from discrimination for exercising these rights. We honor the Global Privacy Control (GPC) browser signal where applicable.

10.3 Other US state privacy rights

Residents of other US states with comprehensive privacy laws — including, for example, Virginia, Colorado, Connecticut, and Texas — have similar rights to access, correct, delete, and obtain a portable copy of their personal information, and to opt out of certain processing. You may exercise these rights by contacting us at privacy@saluca.com.

10.4 How to exercise your rights

Submit requests to privacy@saluca.com. We will verify your identity before responding and will respond within the timeframes required by applicable law. You may use an authorized agent where permitted by law.


11. Cookies & Tracking Technologies

Our checkout, dashboard, and website use cookies and similar technologies. These are limited to strictly necessary cookies (for authentication, session management, security, and bot protection via Cloudflare Turnstile) plus minimal, privacy-respecting analytics. We do not use cookies for cross-context behavioral advertising (see Section 6.4).

Where required by applicable law, we present a consent mechanism for any non-essential cookies and honor the Global Privacy Control (GPC) signal.


12. Children's Privacy

Our services are business-to-business and are not directed to individuals under 18, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us at privacy@saluca.com and we will take appropriate steps to delete it.


13. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above and provide notice as required by law, which may include email to account holders and/or an in-product notice. Your continued use of the services after an update takes effect constitutes acceptance of the revised Policy, to the extent permitted by law.


14. Contact Us