Privacy

Privacy at Throndar

Effective June 2026

Throndar (a product of TRELYAN) is a governed, multi-model AI you can verify. This page explains, in plain language, what data we handle and the controls you have. We collect only what the product needs, and we do not sell your personal data.

What we collect

Account: your email (via Google sign-in or email + password).

Conversations: the messages you send and the answers you receive, stored so your history, search, and exports work. Each answer carries a post-quantum provenance receipt.

Usage & billing: a credit ledger and order records for payments and accounting.

We do not use your conversations to train models, and there is no advertising tracking.

How your input is processed

Prompts are sent to the governed Throndar model bridge to produce answers. Optional features you trigger:

Voice dictationuses your browser's built-in speech service — on some browsers that means audio is sent to the browser vendor's cloud for transcription. It is not on-device. Don't dictate anything you wouldn't share with your browser vendor.

Attached files are read in your browser and their text is included in your prompt. “Read a URL” fetches the public page you specify on our server and returns its text to your prompt.

The code interpreter runs Python in an isolated in-browser sandbox; the runtime loads once from a public CDN. Artifacts render in an isolated sandbox with no access to your session.

Third parties we rely on

Hosting/CDN (Vercel), database (Supabase), the model bridge, and payment processors (Stripe, NOWPayments, and bank transfer) when you pay. Each processes data only to provide its part of the service. Voice transcription and the code-runtime CDN are described above.

Your rights & controls

From Account → Data & privacy you can export all your data (including a cryptographically signed export) and erase your conversations, saved prompts, and custom instructions. You can also delete or unshare individual conversations at any time.

We retain financial records as required for accounting/compliance even after content erasure.

Security

Connections are encrypted in transit. Every answer is signed with post-quantum signatures (ML-DSA-87, FIPS 204, plus a Falcon-1024 co-signature — FN-DSA, FIPS 206 forthcoming) you can verify yourself at /verify/proof. The web application is designed and assessed against the OWASP Top 10 for LLM Applications and the OWASP ASVS (this is our own assessment, not an OWASP certification).

Talking to an AI

Throndar is an AI system. Every answer is generated by AI models — our governed multi-model council — not by a human, and answers can be incomplete or wrong. We label AI-generated content as such, consistent with AI-transparency rules (including the EU AI Act's Article 50 transparency obligations applying from August 2026). Don't rely on an answer for legal, medical, financial, or other professional decisions without independent verification.

EU & UK users (GDPR)

The data controller is TRELYAN. We process your data on these legal bases: performance of our contract with you (running the service), your consent (optional features you choose to trigger), our legitimate interests (security, fraud prevention, improving the service), and legal obligation (financial records).

You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to lodge a complaint with your local supervisory authority. You can exercise access, export, and erasure yourself from Account → Data & privacy, or by contacting us.

We are hosted in the United States. Where we transfer EU/UK personal data, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses) with our processors.

California users (CCPA/CPRA)

We do not sell or shareyour personal information (as those terms are defined under the CCPA/CPRA), and we do not use it for cross-context behavioural advertising. California residents may request to know, delete, and correct their personal information, and will not be discriminated against for exercising those rights. The categories we collect are described under “What we collect” above.

Children

Throndar is not directed to children. We do not knowingly collect personal data from anyone under 16 (or the minimum age of digital consent in your country). If you believe a child has given us personal data, contact us and we will delete it.

Contact

Questions about your data: reach us through your account, or at privacy@throndar.ai. This policy may be updated; material changes will be reflected here with a new effective date.