Sovereign AI Gateway

Privacy Policy

Last updated: June 15, 2025

1. Who We Are

Sovereign AI Gateway is a product of Trango Compute Inc., an Ontario-incorporated Canadian-controlled private corporation (CCPC) with its registered office in Ontario, Canada. References to “we,” “us,” or “our” in this Privacy Policy refer to Trango Compute Inc.

We operate the Sovereign AI Gateway API, compliance portal, and this website (collectively, the “Service”). We are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy law.

2. Information We Collect

Account and billing information. When you register for API access, we collect your name, email address, organisation name, and billing contact information. This information is used to provision your account, issue invoices, and communicate with you about the Service.

API usage metadata. For each API request, we log the following: a unique request identifier, timestamp, your API key identifier (not the key itself), the number of tokens processed, the response latency, and the HTTP status code. We log these fields for billing, rate limiting, audit log generation, and service performance monitoring.

We do not log message content. The content of your API requests — the prompts you send and the responses you receive — is never written to disk, stored in a database, or transmitted to any third party. This is a core architectural guarantee, not merely a policy commitment. Our audit log schema does not have fields for message content, and our inference infrastructure is configured to discard request and response payloads immediately after processing.

Website analytics. We collect standard web server logs (IP address, browser user agent, referring URL, pages visited, and timestamps) when you visit our website. We do not use third-party analytics services such as Google Analytics. Log data is retained for 90 days and used only for security monitoring and capacity planning.

Communications. If you contact us by email, we retain your messages and our replies. We use this information to respond to your enquiries and improve our support.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provisioning and managing your API access
  • Generating invoices and processing payments
  • Producing audit logs and attestation documents as part of the Service
  • Monitoring service performance and diagnosing technical issues
  • Communicating with you about your account, the Service, and relevant updates
  • Complying with applicable legal obligations

We do not sell your personal information. We do not use your information for advertising, behavioural profiling, or any purpose unrelated to operating the Service.

4. Data Residency and Sovereignty

All personal information collected through the Service is stored and processed on infrastructure physically located in Ontario, Canada. We do not use US-based cloud services, US-based databases, or US-based subprocessors in our production data path.

As an Ontario CCPC, Trango Compute Inc. is not subject to the US CLOUD Act (18 U.S.C. § 2713). We cannot be compelled to produce customer data under US law. All data handling is governed by Canadian federal law (PIPEDA) and Ontario provincial law.

We issue cryptographically signed attestation documents confirming these data residency guarantees. These documents are independently verifiable using publicly available cryptographic tools.

5. Data Sharing and Disclosure

We do not share your personal information with third parties except in the following limited circumstances:

  • Service providers: We engage Canadian service providers for functions such as payment processing and accounting software. These providers are contractually prohibited from using your information for any purpose other than providing services to us, and operate under PIPEDA-compatible obligations.
  • Legal obligations: We may disclose information where required to comply with a valid order issued by a Canadian court or regulatory authority under Canadian law. We will notify you of any such request to the extent permitted by law.
  • Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to a successor entity, subject to equivalent privacy protections. We will notify you of any such transfer.

We do not disclose customer information in response to foreign law enforcement requests. As a Canadian CCPC operating exclusively under Canadian law, we have no legal obligation to comply with orders issued by foreign courts or agencies, and we will not do so voluntarily.

6. Data Retention

We retain account and billing information for the duration of your account plus seven years, as required by Canadian tax and accounting regulations.

API usage metadata (request logs) is retained for 24 months for billing reconciliation and audit log purposes, after which it is permanently deleted.

API request and response content is not retained — it is discarded immediately after processing, as described in Section 2.

Attestation documents are retained indefinitely as part of our compliance records. Copies of documents issued to you are available in your compliance portal.

You may request deletion of your personal information at any time, subject to our legal obligation to retain certain records as described above.

7. Security

We implement technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, and destruction. These measures include:

  • TLS 1.3 encryption for all data in transit
  • Encryption at rest for all stored personal information
  • Network egress controls restricting outbound traffic to a defined allowlist of destinations
  • Access controls limiting employee access to customer data on a need-to-know basis
  • Cryptographic audit logging of all access to production systems

No transmission over the internet or electronic storage is 100% secure. In the event of a data breach affecting your personal information, we will notify you and the Office of the Privacy Commissioner of Canada in accordance with PIPEDA’s mandatory breach notification requirements.

8. Your Rights Under PIPEDA

Under PIPEDA and applicable Ontario law, you have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Withdrawal of consent: Withdraw consent to certain uses of your personal information, subject to legal or contractual restrictions.
  • Deletion: Request deletion of your personal information, subject to our legal retention obligations.
  • Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada if you believe we have violated your privacy rights.

To exercise any of these rights, contact our Privacy Officer at privacy@trango-compute.com. We will respond within 30 days.

9. Cookies

Our website uses only essential session cookies required for authentication and security. We do not use advertising cookies, tracking pixels, or third-party analytics services. You can disable cookies in your browser settings, though this may affect certain authenticated features of the compliance portal.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 30 days before the changes take effect. The “Last updated” date at the top of this page indicates when the current version was published.

11. Contact Us

For questions about this Privacy Policy or our data practices, contact:

Privacy Officer

Trango Compute Inc.

Ontario, Canada

Email: privacy@trango-compute.com

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.