Effective date: July 8, 2026 · Last updated: July 8, 2026
This Privacy Policy explains how Saluca LLC, a California limited liability company ("Saluca," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with our websites, products, and services. Saluca is a US-based business-to-business (B2B) software-as-a-service (SaaS) provider and software vendor.
Controller identity. For personal information described in this Policy for which Saluca determines the purposes and means of processing, the controller is:
Saluca offers products with fundamentally different data postures. Please read this section first, because it determines whether Saluca receives your data at all.
| Product | Deployment | Does Saluca receive/process your operational data? |
|---|---|---|
| Asphodel | Hosted SaaS operated by Saluca | Yes. Saluca processes and stores Customer Content (AI agent queries and persistent "memory" text) on Saluca's cloud infrastructure (Google Cloud, United States). |
| PEP add-on | Hosted governance layer in front of Asphodel, operated by Saluca | Yes. Same posture as Asphodel. |
| Tiresias-ZT | Self-hosted software you run on your own infrastructure | No — by design. Your governed data stays on your infrastructure. Saluca does not receive or process it. License verification is performed offline (no "phone home"). The only exception is the optional, opt-in Enterprise/MSSP central-control-plane enrollment, which transmits a signed audit trail to Saluca. |
In plain terms: When you use Asphodel (or the PEP add-on), you submit content to Saluca's cloud, and this Policy governs how we handle it. When you run Tiresias-ZT on your own infrastructure, Saluca does not collect your operational or governed data at all — that data never leaves your environment, and we cannot access it. If you opt in to Enterprise/MSSP central-control-plane enrollment, Saluca receives only a signed, tamper-evident audit trail (metadata about governance events), not your underlying governed content.
Where you submit content to a hosted Saluca service (Asphodel, PEP add-on), Saluca acts as a processor (service provider) that handles that content on your behalf and under your instructions. Where we handle account, billing, marketing, and website data for our own business purposes, Saluca acts as a controller. See Section 5 for the details of these roles and how they cross-reference our Data Processing Agreement (DPA).
The table below summarizes the categories of personal information we handle, the sources, and how we act. Details follow.
| Category | Examples | Source | Saluca's role |
|---|---|---|---|
| Account data | Account email (via WorkOS SSO — Google, email, or passkey), optional display name, workspace/tenant identifiers | You / your organization at sign-up | Controller |
| Billing data | Stripe customer ID and subscription ID, plan, billing status (Saluca does not store full payment card numbers) | Stripe, on your transaction | Controller |
| Customer Content (Asphodel / PEP) | AI agent queries; persistent "memory" text you choose to store | You / your users, submitted to the hosted service | Processor (on your behalf) |
| Usage, audit & log metadata | Request/usage metrics, signed tamper-evident audit records, security and diagnostic logs, IP address, timestamps, device/browser metadata | Generated automatically when services are used | Controller (operational logs) / Processor (tenant audit) |
| Marketing & website leads | Name, email, and any details you submit on our website (e.g., waitlist/contact forms), protected by Cloudflare Turnstile and stored in Supabase | You, via our website | Controller |
| Cookies & similar technologies | Essential session/authentication cookies; minimal, privacy-respecting analytics | Your browser | Controller |
When you or your organization create an account, we collect your account email through our authentication provider, WorkOS (supporting Google SSO, email, and passkeys), together with an optional name and the workspace/tenant identifiers that associate you with your organization.
Payments are processed by Stripe. Saluca stores Stripe customer and subscription identifiers and related billing status, but does not collect or store full payment card numbers or equivalent cardholder data — those are handled directly by Stripe.
When you use Asphodel or the PEP add-on, you submit Customer Content — including AI agent queries and persistent "memory" text — which we process and store on your behalf. You control what content you submit. We handle this content as a processor under your instructions and the applicable services agreement and DPA (see Section 5).
Special-category and regulated data. Saluca does not intentionally collect special-category personal data (as defined under GDPR/UK GDPR) or other regulated data. Customers are instructed not to submit special-category, sensitive, or otherwise regulated personal data into the services without an appropriate Data Processing Agreement (and any additional terms) in place.
We generate operational metadata when the services are used, including usage metrics, security and diagnostic logs, IP addresses and timestamps, and signed, tamper-evident audit records that support security, integrity, and tenant governance.
If you submit a form on our website (for example, to join a waitlist or contact us), we collect the information you provide. These forms are protected against abuse by Cloudflare Turnstile, and submissions are stored in Supabase.
As explained in Section 1.1, when you deploy Tiresias-ZT on your own infrastructure, Saluca does not collect your governed or operational data. License verification is offline. Only if you opt in to Enterprise/MSSP central-control-plane enrollment does Saluca receive a signed audit trail.
We use personal information for the following purposes:
We do not use Customer Content to train machine-learning models, we do not use Customer Content for advertising, and we do not sell personal information (see Section 6).
Where GDPR or UK GDPR applies, we rely on the following legal bases:
For Customer Content processed on your behalf, your organization (the customer) is the controller and determines the legal basis; Saluca acts as processor (see Section 5).
Where our roles or these terms conflict with a signed customer agreement or DPA for Customer Content, the signed agreement/DPA controls for that content.
We share personal information only as described below.
We use vetted third parties to provide our services. Each is bound by contract to protect personal information and to process it only as needed to provide their service. Our current sub-processors include:
| Sub-processor | Purpose | Notes |
|---|---|---|
| Google Cloud | Hosting, compute, storage, and database | United States |
| Stripe | Payment processing | Saluca stores identifiers only, not card numbers |
| WorkOS | Authentication / SSO (Google, email, passkey) | |
| Resend | Transactional email | |
| Cloudflare | DNS, CDN, WAF, and Turnstile bot protection | |
| Supabase | Marketing/website leads database |
For the current, authoritative list, see our Sub-processor page. We will provide at least 30 days' advance notice before adding or replacing a sub-processor, as set out in our DPA, so that customers may object.
We may disclose information where we believe in good faith it is necessary to comply with law or valid legal process; to enforce our agreements; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Saluca, our customers, or others.
If Saluca is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to this Policy or a successor policy with equivalent protections. We will notify affected individuals of any such change in ownership or control of personal information as required by applicable law.
Saluca does not sell personal information and does not "share" it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act as amended by the CPRA (and analogous state laws). We do not use third-party advertising or cross-context behavioral advertising tags on our services.
Saluca stores and processes hosted-service data in the United States (Google Cloud). If you access our services from the EU, UK, or elsewhere outside the US, your personal information will be transferred to and processed in the United States.
Where we transfer personal data from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Addendum to the SCCs. These clauses are incorporated through our Data Processing Agreement and applicable sub-processor agreements. You may request further information about these safeguards by contacting privacy@saluca.com.
We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.
We maintain administrative, technical, and organizational measures designed to protect personal information, including:
Compliance status. Saluca's SOC 2 examination is in progress. Saluca is not currently SOC 2 certified, and nothing in this Policy should be read as such a claim.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Your rights depend on where you live and our role in processing your data. Where Saluca acts as a processor of Customer Content, please direct requests to the customer (the controller) whose service you use; we will assist that customer as required by the DPA.
Subject to conditions and exemptions, you have the right to: access your personal data; rectify inaccurate data; request erasure; restrict processing; data portability; object to processing (including direct marketing); and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority — in the EEA, your local Data Protection Authority; in the UK, the Information Commissioner's Office (ICO).
Subject to conditions and exemptions, California residents have the right to: know/access the categories and specific pieces of personal information collected; delete personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information (note: Saluca does not sell or share personal information — see Section 6.4); limit the use of sensitive personal information (Saluca does not intentionally collect sensitive personal information for such uses); and to be free from discrimination for exercising these rights. We honor the Global Privacy Control (GPC) browser signal where applicable.
Residents of other US states with comprehensive privacy laws — including, for example, Virginia, Colorado, Connecticut, and Texas — have similar rights to access, correct, delete, and obtain a portable copy of their personal information, and to opt out of certain processing. You may exercise these rights by contacting us at privacy@saluca.com.
Submit requests to privacy@saluca.com. We will verify your identity before responding and will respond within the timeframes required by applicable law. You may use an authorized agent where permitted by law.
Our checkout, dashboard, and website use cookies and similar technologies. These are limited to strictly necessary cookies (for authentication, session management, security, and bot protection via Cloudflare Turnstile) plus minimal, privacy-respecting analytics. We do not use cookies for cross-context behavioral advertising (see Section 6.4).
Where required by applicable law, we present a consent mechanism for any non-essential cookies and honor the Global Privacy Control (GPC) signal.
Our services are business-to-business and are not directed to individuals under 18, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us at privacy@saluca.com and we will take appropriate steps to delete it.
We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above and provide notice as required by law, which may include email to account holders and/or an in-product notice. Your continued use of the services after an update takes effect constitutes acceptance of the revised Policy, to the extent permitted by law.