Tigunny
Initializing System...
Conflux Platform now available — Deploy your first agent free →
Tigunny

Legal

Privacy Policy

Effective 2026-04-29

Effective date: 2026-04-29 Last updated: 2026-04-29

1. Introduction

This Privacy Policy explains how Tigunny LLC ("Tigunny", "we", "our", or "us"), a Texas limited liability company with its principal place of business at the address listed in Section 12, collects, uses, discloses, and protects information when you use the Conflux multi-agent AI platform and any related websites, APIs, or services (collectively, the "Services").

By using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services. This Policy is incorporated into our Terms of Service.

2. Information We Collect

2.1 Information you provide

  • Account information: name, email address, organization name, role, password (stored only as a bcrypt hash).
  • Profile and configuration: tenant settings, agent configurations, workflow definitions, marketplace template authorship.
  • Billing information: billing email, billing address, and payment method tokens (payment card details themselves are collected and stored by Stripe — Tigunny does not see or store full card numbers).
  • Content you submit: prompts, files, instructions to agents, marketplace template contributions, support requests, and any other content you upload or submit to the Services.

2.2 Information collected automatically

  • Usage data: pages visited, features used, agent invocations, API requests, response sizes, latency.
  • Device and log data: IP address, user-agent string (parsed by ua-parser-js), timestamps, request/response metadata.
  • Cookies: session cookies (__Secure-authjs.session-token) for authenticated sessions, MFA cookies during step-up verification, and a small number of strictly-functional preference cookies. We do not currently use third-party advertising cookies.

2.3 Information from third parties

  • OAuth sign-in: if you sign in with Google or GitHub, we receive your email address and a stable account identifier from that provider, scoped to the OAuth grant you authorize.
  • Payment processor: Stripe returns subscription state, payment-method tokens, and billing-status events.

2.4 AI-specific categories

When you interact with Conflux agents, we process additional categories specific to AI orchestration:

  • Prompts and conversation context routed to inference engines.
  • Generated content produced by agents (text, images, audio).
  • Audit log entries that hash-chain every governance event, agent decision, model call, and material write the platform performs.
  • Memory and embeddings stored in our vector database to give agents long-running context, scoped to your tenant.

3. How We Use Information

We use the information described above to:

  • Provide and operate the Services (account management, agent execution, workflow orchestration, voice and meeting features, the Conflux marketplace).
  • Bill subscriptions and process payments through Stripe.
  • Authenticate you and protect your account (MFA via TOTP, session management, hash-chained audit logging).
  • Operate the platform's governance review pipeline (Drake adversarial review, Bishop commercial review, Talina security review, Ratchet execution).
  • Send transactional and operational communications (account, billing, governance events, security notices) via SendGrid.
  • Detect, investigate, and prevent abuse, fraud, and security incidents.
  • Improve the Services, debug issues, and develop new features.
  • Comply with legal obligations and respond to lawful requests.

We do not sell your personal information, and we do not use Customer Data to train foundation models.

4. Third-Party AI Providers

Conflux is a sovereign-first platform: most inference runs on-premise on Tigunny-controlled servers using locally hosted Ollama models (gemma4, qwen2.5-coder, deepseek-r1, nomic-embed, tigunny-llama). On-premise inference does not transmit Customer Data to any third party.

When a request is escalated — for example, when a Tier-2 or Tier-3 agent is invoked, or when Bishop authorizes a premium escalation — we may route the request through one of the following providers:

  • Anthropic, PBC — Claude API (claude-sonnet-4-6 standard escalation; claude-opus-4-7 premium escalation).
  • Google LLC — Gemini API for image generation.
  • ElevenLabs Inc. — text-to-speech synthesis (only when an agent is configured with voice).
  • Deepgram Inc. — speech-to-text transcription for meeting and voice features.

All escalations are routed through our LiteLLM gateway and the Aegis egress perimeter so that the routing decision and the data leaving the perimeter are auditable.

5. Subprocessors

We engage the following subprocessors to process Customer Personal Data on our behalf:

Provider Purpose Data categories Region
Anthropic, PBC Claude API escalation inference Prompt content, conversation context United States
Google LLC (Gemini) Image generation Text prompts United States
ElevenLabs Inc. Text-to-speech Short text fragments United States
Deepgram Inc. Speech-to-text Audio recordings United States
Google LLC (OAuth) Optional Google sign-in Email, account ID United States
GitHub, Inc. (OAuth) Optional GitHub sign-in Email, account ID United States
Twilio Inc. (SendGrid) Transactional email Recipient address, message body United States
Microsoft Corporation (Teams Webhook) Operational notifications Notification text United States
Stripe, Inc. Subscription billing Payment-method tokens, billing email/address United States
Google LLC (Maps Platform) Interactive maps in marketing UI Map viewport, request metadata United States

In addition, the U.S. General Services Administration's SAM.gov public opportunities API is queried in a read-only direction by our Scout agent; no Customer Data is sent in those queries.

We may engage additional subprocessors from time to time. The subprocessor list above is the current, authoritative list as of the effective date of this Policy. Changes will be reflected here when they occur.

6. Data Security

Tigunny invests heavily in protecting Customer Data:

  • Secrets management. All third-party credentials, OAuth tokens, signing keys, and integration secrets are stored in a self-hosted HashiCorp Vault instance with AES-256-GCM encryption at rest and Shamir's Secret Sharing for unseal. Application code references Vault paths; raw secret values are never written to application logs, database columns, or audit records.
  • Hash-chained audit log. Every material event (agent decision, governance gate, sprint publication, knowledge-graph write, model call) is recorded in cce_audit_log with a prev_hash / curr_hash linkage so the chain is tamper-evident.
  • Egress security perimeter. All outbound HTTP from agents flows through Aegis Gate, which enforces per-domain allow/block policies and per-session credential injection so agents never hold long-lived credentials.
  • RBAC and tier isolation. Agents and skills are tier-bound (Tier 0 sovereign through Tier 3 escalated); higher-tier capabilities require explicit governance approval and are logged.
  • Customer isolation (IsoScope). Tenant data is scoped at the database and vector-store layers so one tenant's data is not accessible to another tenant's agents.
  • Encryption in transit. All public traffic is served over TLS. Internal east-west traffic between containers is bound to private Docker networks.
  • Authentication. Passwords are stored as bcrypt hashes; multi-factor authentication is supported via TOTP (otplib + qrcode).

No security control is perfect. We continually improve our controls and disclose material security incidents in accordance with applicable law.

7. Data Retention

  • Customer Data is retained for the duration of your subscription plus thirty (30) days, after which it is deleted from primary stores. Backups expire per our backup-rotation schedule.
  • Audit log entries are retained as required by applicable regulatory and contractual obligations, and may be retained longer than thirty days for tamper-evidence and compliance purposes.
  • OAuth tokens issued by third-party identity providers are deleted on subscription cancellation or on user-initiated disconnect.
  • Vector memory scoped to your tenant is deleted on tenant deletion in accordance with the same thirty-day window above.

You may request earlier deletion at any time (see Section 8).

8. Your Rights

8.1 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation and equivalent UK and Swiss laws:

  • Right of access (Art. 15) — request a copy of your personal data.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion subject to retention obligations described in Section 7.
  • Right to restriction (Art. 18) — limit how we process your data while a dispute is resolved.
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including profiling.
  • Right not to be subject to automated decision-making (Art. 22) — Tigunny does not make legally significant decisions about you using solely automated processing.

To exercise any of these rights, contact info@tigunny.com. You also have the right to lodge a complaint with your local supervisory authority.

8.2 California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the following rights:

  • Right to know what personal information we collect, the sources, the purposes, and the third parties with which we share it.
  • Right to delete personal information we have collected from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. Tigunny does not sell your personal information and does not share it for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising any of the above.

To exercise these rights, contact info@tigunny.com. We will verify your identity before fulfilling the request, in accordance with CPRA verification requirements.

9. International Data Transfers

We are headquartered in the United States, and our subprocessors listed in Section 5 also process data in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the Standard Contractual Clauses adopted by the European Commission (and the UK International Data Transfer Addendum where applicable) under Article 46 GDPR. We perform transfer impact assessments as required.

10. Children's Privacy

The Services are not directed to, and we do not knowingly collect personal information from, children under the age of eighteen (18). The Services are not intended for individuals subject to the U.S. Children's Online Privacy Protection Act (COPPA). If you believe a child under 18 has provided us with personal information, please contact info@tigunny.com and we will take steps to delete the information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make a material change, we will update the Effective date at the top of this page and, where required by law, provide additional notice (for example, by email to your account address). Your continued use of the Services after the updated effective date constitutes acceptance of the revised Policy.

12. Contact

Questions, requests, or complaints about this Privacy Policy or our data handling practices:

  • Email: info@tigunny.com
  • Mailing address: Tigunny LLC, 10601 Clarence Dr, Frisco, TX 75033, United States

Tigunny LLC is a Service-Disabled Veteran-Owned Small Business (SDVOSB) and Texas Historically Underutilized Business (HUB) certified.

Sister document: Terms of Service

Back to Home