Who is the controller

Good Ventures Lab Inc. (Canada) is the data controller for the DeepTap managed plane. Subprocessors (cloud, KMS, observability, support) act as processors under data-processing agreements that mirror our obligations to you.

What we collect

Account-level data. Company name, billing contact email, billing address, tax registration number where applicable. Used to invoice and to respond to support requests.

Operational data. Per-query metadata: timestamp, tenant id, depth executed, rounds run, cache outcome, firewall verdict counts, latency, credits charged, signed receipt hash. We do not retain query bodies or full response bodies; we retain only the metadata required to bill, audit, and support the customer.

Cache contents. The fact cache stores the structured facts that the pipeline extracts on the customer's behalf. The cache is per-tenant and encrypted at rest. Cache contents are processed solely to serve future queries from the same tenant; we do not analyze cache contents for our own purposes.

Telemetry. Error reports, latency histograms, backend success rates aggregated at the tenant level. Used to operate the service. Not sold and not shared with third parties for advertising.

Marketing site. Standard server-side request logs (IP address, user agent, requested URL) retained for 30 days for security and operational purposes. We do not run third-party analytics scripts on deeptap.ai.

What we do not collect

We do not run third-party advertising trackers. We do not sell or rent any user data. We do not collect biometric, health, or payment-card data. We do not retain raw query bodies beyond the request lifecycle.

Retention

Operational receipts. Retained for the contractual retention window agreed in the order form, default seven years (matches the longest applicable financial-records retention period in our markets). Receipts can be exported and deleted on customer request, except where retention is mandated by applicable law.

Cache contents. Retained until the customer's decay schedule expires the row, or the customer triggers a purge, whichever is sooner.

Account-level data. Retained for the duration of the customer relationship plus seven years after termination for tax and audit purposes.

Server logs. 30 days. Aggregated telemetry. 13 months. Support tickets. Three years from resolution.

Sharing

We share with: cloud infrastructure providers (currently Google Cloud Platform), the search and model backends our customers route through, and government bodies where required by lawful process. We do not sell. We do not share with marketing third parties.

Backend traffic. When a customer's query routes to a search or model backend, the relevant payload passes to the backend so it can produce a response. DeepTap does not retain a copy of the body. The backends operate under their own data-handling policies; the customer is responsible for evaluating them.

Cross-border transfer. Managed plane data is processed in the United States and Canada by default. EU customer data is processed under standard contractual clauses where applicable. Enterprise tier offers sovereign tenancy via partner substrates for customers with data-residency requirements.

Your rights

You may access, correct, export, or delete your personal data by writing to [email protected]. We respond within 30 days. EU residents have additional rights under GDPR; California residents under CCPA/CPRA; Canadian residents under PIPEDA. We honor all of them.

If your data was processed on behalf of a DeepTap customer (i.e., we are a processor and they are the controller), please contact the controller directly. We will assist them in fulfilling their obligations to you.

Updates

Material changes to this policy are announced on the changelog and emailed to billing contacts at least 30 days in advance.

For questions: [email protected].

Last updated 2026-04-26.