Legal

Privacy Policy

Last updated: February 25, 2026

We build security visibility for AI agents. We hold ourselves to the same standard.

Our Position on Your Data

We collect what we need. We protect what we collect. We delete what we don't need anymore. We don't sell anything to anyone.

No ad networks. No data brokers. No tracking pixels from companies that profit from your behavior. We chose every tool in our stack specifically because it doesn't do those things.

What We Collect

When you visit the site

Pages you view, how you navigate, what device and browser you use, and your approximate location at the country level. Our analytics are cookieless. No consent banner required because we don't use cookies.

When you contact us or join a waitlist

Your email address and whatever you choose to tell us. We use this to respond to you and to notify you about products you asked about. Nothing else.

When you complete a scenario

Which scenario, your results, and whether you shared them. We use this to improve the product.

When something breaks

Device and browser information needed to diagnose and fix the error. Retained for 30 days, then deleted.

When you load the page

Our edge security processes your IP address and request metadata to block bots and malicious traffic. This is infrastructure-level protection, not tracking.

How We Protect It

All data is transmitted over TLS. We enforce HSTS across the entire domain. Our infrastructure runs on SOC 2 Type II certified platforms. We use role-based access — the number of people who can access customer data is as small as we can make it.

We don't store what we don't need. Analytics data is purged at 12 months. Error data at 30 days. If you unsubscribe from emails, we remove your address.

We run the same security architecture on our own infrastructure that VANGUARD evaluates in others. Seven layers. No exceptions.

Third Parties

We use a small number of third-party services for analytics, email delivery, error monitoring, content management, hosting, and edge security. Every provider was selected for their security posture and data handling practices. None of them receive your data for their own purposes.

We do not use Google Analytics. We do not use Meta pixels. We do not use any service that monetizes user data.

Your Rights

You can ask us to show you what data we have on you, correct it, delete it, or export it. You can unsubscribe from any email with one click. You can ask us to stop processing your data entirely.

Contact us through our contact page. We respond to every request.

International Transfers

Our infrastructure spans multiple jurisdictions. All cross-border data transfers are covered by contractual protections with our service providers.

Children

Our services are not for anyone under 16. If we learn we've collected data from a child, we delete it immediately.

Changes

If we change this policy, we update the date at the top. We don't hide changes in footnotes.