Privacy Policy

About this policy

This is the Privacy Policy for TopTechPhoto Inc. ("Group" or "us" or "we" or "our" or "Controller"). We are committed to protecting and respecting your privacy in the context of AI governance and provenance. This policy explains how we collect and use personal data and technical metadata you provide or which we collect from you.

If you are from a European Union Member State, please also refer to the section "If you are from a European Union Member State", which includes specific disclosures required under the GDPR and the EU AI Act (2026).


About us

We are a company registered in the United States of America, state of Delaware. Our office is at 641 Lexington Avenue, 14th Floor, New York, New York 10022. For support or privacy inquiries, contact support@toptechphoto.com or privacy@provenyx.com.


How we collect information from you

In addition to standard contact information (name, email, address), Provenyx collects technical data essential for AI governance, including:

Asset Metadata: Cryptographic hashes of assets, file names, version history, and "Approved for AI" status labels.

AI Interaction Data: Identifiers for AI models/agents (e.g., GPT-4o, Claude 3.5) requesting access, system prompts associated with retrieval, and retrieval timestamps.

Policy Logs: Records of which "AI Kits" were accessed, by whom, and under which specific governance rules.

Technical Identifiers: IP addresses, login information, and clickstream data related to your use of the Provenyx Control Plane.


How we use your information

We use your information to provide an "audit-grade" governance layer, specifically:

Governance & Enforcement: To verify that only "Approved" assets are exposed to specific AI models.

Provenance Generation: To generate Provenance Receipts that prove exactly what content an AI used at a specific time.

Compliance Reporting: To help Customers fulfill transparency obligations under the EU AI Act, California SB 942, and Colorado SB 24-205.

Security: To detect unauthorized attempts to bypass AI guardrails or access non-approved context.


Personal information and content

Distinction between Metadata and Content: Provenyx operates on a BYOS (Bring Your Own Storage) model.

  • Content: The actual binary files (images, docs) reside in your storage (S3, Google Drive). TopTechPhoto does not view, access, or store this Content except for temporary caching required for processing or during authorized Product Support.
  • Metadata: We store the governance metadata (hashes, policy rules, logs) required to maintain the audit trail.

Customer Responsibility: As the Data Controller, the Customer is responsible for ensuring that any personal data contained within assets marked as "Approved for AI" is processed in compliance with local privacy laws.


Security and storage information

We implement technical and organizational measures aligned with ISO/IEC 42001 (AI Management Systems).

Audit Trail Integrity: Provenance receipts are stored using immutable logging techniques to prevent tampering.

Encryption: All data in transit and at rest within the Provenyx Control Plane is encrypted.


Retention of Data

Account Data: Standard personal data is deleted 3 years after your last interaction.

Compliance Logs: Notwithstanding the above, Provenance Receipts and Audit Logs may be retained for up to 10 years if required by the Customer to satisfy regulatory obligations for "High-Risk AI Systems" under the EU AI Act or similar statutes.


Accessing your information on third-party resources (BYOS)

Provenyx requires access to your information stored on third-party services (Google Drive, Amazon S3, etc.).

Scope: Access is strictly limited to the "AI Kits" or folders you explicitly connect.

No Training: TopTechPhoto does not use Customer Content or Metadata to train our own AI models or any third-party models.


Sub-processors

We use the following third-party services to deliver Provenyx:

  • Amazon Web Services / Google Cloud (Infrastructure)
  • Stripe (Payments)
  • Intercom / Hubspot (Support)
  • Sentry / Amplitude (Telemetry)
  • OpenAI / Anthropic / Google Vertex (Optional: Only if you enable specific AI-assisted curation features within Provenyx)

If you are from a European Union Member State

In accordance with GDPR and the EU AI Act (2026):

Legal Basis: Processing is based on the Performance of Contract and Legal Obligation (specifically the requirement for traceability and human oversight in AI systems).

Automated Decision Making: Provenyx acts as a tool to prevent or control automated processes. If Provenyx is used to make decisions that significantly affect individuals, the Customer (as the AI Provider/Operator) is responsible for providing necessary disclosures.

Your Rights: You have the right to access, rectify, or erase your data. However, the "Right to Erasure" may be limited where the data is part of a mandatory AI Traceability Log required by law.


Changes to our Privacy Policy

This policy was last updated in April 2026 to reflect new AI governance standards including the EU AI Act implementation and ISO 42001 alignment.