This Privacy Policy describes how Adjuro, Inc. ("Adjuro," "we," "us," or "our") collects, uses, and discloses information about you when you visit our website at adjuro.ai, use our application programming interfaces, software development kits, command-line tools, or any related services (collectively, the "Services").
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.
1. Who we are
Adjuro is a Delaware corporation operating an infrastructure service that issues, transmits, and verifies cryptographically-signed compliance receipts for artificial intelligence agent actions, including but not limited to outbound voice calls placed through third-party platforms.
Contact:
- General inquiries: hello@adjuro.ai
- Privacy inquiries: privacy@adjuro.ai
- Security disclosures: security@adjuro.ai
2. Information we collect
2.1 Information you provide directly
When you create an Adjuro tenant account, integrate the Adjuro API, or communicate with us, we collect:
- Account information. Your name, email address, company name, billing address, and phone number.
- Authentication credentials. API key cryptographic hashes (we do not store API keys in plaintext; only a SHA-256 hash of each key suffix is retained for verification purposes).
- Payment information. Processed through Stripe, Inc. Adjuro does not store full payment card details; we retain only the Stripe customer identifier and the last four digits of payment methods for billing reconciliation.
- Support communications. Records of your support tickets, emails, and conversations with our team.
2.2 Information collected through your use of the Services
When you make API requests to Adjuro, we collect and process:
- Receipt request metadata. Agent identifiers, brand attribution, jurisdiction codes, consent identifiers (as opaque strings you supply; we do not interpret their content), campaign identifiers, scope declarations, timestamps, nonces, and event-type classifications.
- Cryptographic artifacts. Issued JSON Web Signatures (JWS), public keys, transparency log entries, and Merkle tree proofs. These are the core product output and are retained for the audit period described in Section 6.
- Operational telemetry. Request timestamps, response status codes, latency measurements, and error logs. This data is used for service reliability, capacity planning, and incident response.
- IP addresses and user agents. Collected at the API gateway for rate limiting, fraud prevention, and security operations.
2.3 Information about call recipients
Adjuro is designed to minimize collection of information about the consumers whom our customers call. Specifically:
- We accept HMAC-SHA256 hashes of recipient phone numbers (referred to as callee_hash in our API). We do not collect, store, or process the underlying recipient phone numbers themselves.
- The HMAC salt is generated server-side at tenant onboarding, stored encrypted at rest, and never returned to the tenant or any third party.
- We cannot reverse-engineer the recipient phone number from the hash. Only the tenant who originally hashed the number can map it back to a specific recipient using their own customer relationship management system.
- We do not receive or process call audio, transcripts, or call content. We receive only metadata about the call event and webhook acknowledgments of call completion.
2.4 Information from third-party voice-agent platforms
When you integrate Adjuro with platforms such as Vapi, Retell, or Bland for AI voice agent operations, we receive webhook event payloads from those platforms reporting call lifecycle events. These payloads contain:
- Call identifiers, status updates, ended-reason codes, and the metadata you injected at call creation time
- We do not receive the audio of calls, the transcripts of conversations, or the content of consumer interactions
2.5 Information from cookies and similar technologies
The adjuro.ai website uses essential cookies for session management and security. We do not currently use advertising cookies, third-party tracking pixels, or behavioral analytics services on our customer-facing surfaces. If this changes, we will update this Privacy Policy and obtain consent as required by applicable law.
3. How we use information
We use the information described above for the following purposes:
- To provide the Services. Issuing signed receipts, maintaining the transparency log, performing receipt verification, generating audit packets, and operating the API infrastructure.
- To authenticate and authorize. Verifying tenant API keys, enforcing rate limits, preventing unauthorized access, and maintaining the integrity of the receipt-issuance system.
- To bill and account. Calculating subscription charges, overage usage, and reconciling payments with Stripe.
- To support and communicate. Responding to inquiries, providing technical assistance, sending service announcements, and notifying customers of changes to the Services.
- To improve and develop. Analyzing aggregate, anonymized usage patterns to improve product reliability, latency, and feature design. We do not use individual customer data to train machine learning models.
- To comply with law. Meeting our obligations under applicable laws and regulations, including TCPA, GDPR, UK GDPR, CCPA, and applicable state privacy laws.
- To maintain the evidentiary integrity of receipts. Receipts and their associated metadata are designed to support court-admissible evidence under Federal Rule of Evidence 901 and equivalent standards. As a result, we retain receipt-related data for a longer period than typical operational data. See Section 6.
We do not sell personal information. We do not use customer data for advertising or marketing purposes outside of our own service-related communications.
4. How we disclose information
We disclose information only in the limited circumstances described below:
4.1 Service providers
We share data with third-party service providers who help us operate the Services, bound by data processing agreements that require them to use the data only on our behalf:
- Amazon Web Services (AWS). Hosting, AWS Key Management Service (KMS) for cryptographic operations, and storage.
- Supabase. Managed Postgres database services.
- Stripe. Payment processing.
- Cloudflare. DNS, content delivery, and DDoS protection.
- Loom and similar communication tools. Customer support and demos.
A current list of subprocessors is maintained at adjuro.ai/subprocessors. We will notify you of material changes to this list.
4.2 Public transparency log
A fundamental product feature of Adjuro is the public transparency log, accessible at log.adjuro.ai. This log contains:
- Receipt identifiers (opaque tokens, not linked to consumer phone numbers)
- Issuance timestamps
- Signing key identifiers
- Daily signed Merkle tree roots
The transparency log is intentionally public so that any third party (compliance auditors, defense attorneys, regulators) can verify the integrity of issued receipts independently. Information published to the transparency log is permanent and cannot be removed.
4.3 Legal disclosures
We may disclose information if required to do so by law, legal process, or governmental request, including in response to a subpoena, court order, or regulatory inquiry. Where legally permitted, we will provide affected customers with notice before disclosure.
4.4 Business transfers
If Adjuro is acquired by, merges with, or transfers assets to another company, your information may be transferred as part of that transaction. The acquiring entity will be bound to honor this Privacy Policy or an equivalent successor policy.
4.5 With your direction
We will share your information with third parties at your explicit direction, such as when you request that an audit packet be transmitted to your defense counsel or compliance auditor.
5. Cross-border data transfers
Adjuro's infrastructure is currently hosted in the United States (AWS us-east-1 region). If you are located in the United Kingdom, the European Economic Area, or another jurisdiction with cross-border data transfer restrictions, your information will be transferred to and processed in the United States.
For transfers from the UK and EEA, we rely on:
- Standard Contractual Clauses approved by the European Commission
- The UK International Data Transfer Addendum
We are evaluating expansion to UK and EU hosting regions and will update this section when those options become available.
6. Data retention
We retain information for the following periods:
| Category | Retention period |
|---|---|
| Account and contact information | Relationship + 7 years |
| Receipt JWS payloads and signing metadata | 7 years from issuance |
| Transparency log entries | Permanent |
| Operational logs (info level) | 30 days |
| Operational logs (warn level) | 60 days |
| Operational logs (error and critical level) | 180 days |
| Audit-trail logs (receipt issuance events) | 7 years |
| Webhook event records (for replay prevention) | 24 hours |
| API request logs | 90 days |
| Billing and tax records | 7 years |
The 7-year retention period for receipt-related data is a deliberate product commitment. Adjuro receipts are designed to support TCPA defense workflows, and the longest applicable statute-of-limitations period for TCPA class actions is 4 years federal plus jurisdictional extensions; we retain for 7 years to provide a margin of safety for our customers.
After the applicable retention period, we delete or anonymize the data, except where longer retention is required by law or by the permanent nature of the transparency log.
7. Your privacy rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right to access. Request a copy of the personal information we hold about you.
- Right to rectification. Correct inaccurate or incomplete information.
- Right to deletion. Request deletion of your personal information, subject to our retention obligations and the permanent nature of the public transparency log.
- Right to portability. Receive your data in a structured, machine-readable format.
- Right to restriction. Restrict the processing of your information in certain circumstances.
- Right to object. Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent. Where processing is based on consent, withdraw consent at any time.
To exercise these rights, contact privacy@adjuro.ai. We will respond within the timeframes required by applicable law (typically 30 days under GDPR and UK GDPR, 45 days under CCPA).
Important limitations:
- Information published to the public transparency log cannot be deleted, as the integrity of the log depends on its append-only structure. Receipt identifiers in the log are opaque tokens that do not directly identify any individual.
- Information retained for legal-compliance or evidentiary-integrity purposes (Section 6) may not be deletable until the retention period expires.
If you are located in California, the United Kingdom, the European Economic Area, or another jurisdiction with statutory privacy rights, additional information about exercising your rights is available at adjuro.ai/privacy-rights.
8. Security
Adjuro implements technical and organizational security measures appropriate to the sensitivity of the data we process:
- All data in transit is encrypted using TLS 1.3 or higher.
- All data at rest is encrypted using AES-256.
- Cryptographic signing operations use AWS Key Management Service Hardware Security Modules (HSMs) with FIPS 140-2 Level 3 certification.
- API authentication uses cryptographic credentials hashed with SHA-256; no plaintext credentials are ever stored.
- Access to production systems is restricted to authorized personnel with multi-factor authentication.
- We maintain a documented incident response plan and conduct regular security reviews.
We do not currently hold SOC 2, ISO 27001, or HIPAA Business Associate Agreement certifications. SOC 2 Type 1 attestation is on our 2026-2027 roadmap and will be pursued when customer demand and revenue justify the audit cost.
If you become aware of a security vulnerability, please report it to security@adjuro.ai. We do not currently operate a paid bug bounty program but will publicly credit responsible disclosures in our release notes.
9. Children's privacy
The Adjuro Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will delete it. If you believe we have collected information from a child, please contact privacy@adjuro.ai.
10. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by:
- Updating the "Last updated" date at the top of this policy
- Sending notice to the email address associated with your tenant account, where material changes affect existing customers
- Posting a notice on our website at adjuro.ai for at least 30 days
Continued use of the Services after the effective date of any update constitutes your acceptance of the revised Privacy Policy.
11. Contact us
If you have questions about this Privacy Policy or our privacy practices, contact:
Adjuro, Inc.
Privacy team: privacy@adjuro.ai
General inquiries: hello@adjuro.ai
Security disclosures: security@adjuro.ai
[Postal address to be added upon incorporation]
For UK and EEA data subjects, we will appoint a UK GDPR representative and an EU GDPR Article 27 representative within 90 days of our first UK or EEA customer; contact details will be added to this policy at that time.