1. Introduction and Scope
This Privacy Policy ("Policy") governs how Valence AI ("Platform", "we", "us", "our"), a product owned and operated by Virtu Tech Solutions, collects, uses, processes, stores, and safeguards information pertaining to you ("User", "you", "your") in connection with your access to or use of our web application, SDK, API endpoints, and related services (collectively, the "Services").
Valence AI is an application security platform designed to enable development teams to identify security vulnerabilities, monitor runtime risk, and maintain compliance readiness across their software applications.
By accessing or using the Services, you acknowledge that you have read, understood, and consent to the practices described in this Policy. If you do not agree with the terms of this Policy, you must discontinue use of the Services immediately.
2. Information We Collect
2.1 Account Information
- Name and email address provided during account registration
- Organization or team affiliation
- Authentication credentials managed through our identity provider
- User preferences and notification configuration
2.2 Scan and Security Data
- Security issue results generated from local or CI scans
- Runtime telemetry and risk signals transmitted via the Valence AI SDK
- Custom audit configurations and check definitions
- Compliance status records and audit history
- Environment metadata, including staging and production labels
2.3 Usage and Technical Data
- Usage patterns and interaction data within the Platform
- Device and browser information: type, OS version, and browser version
- Application performance data and error logs
Financial Data: Valence AI does not collect, process, or store credit card numbers, bank account details, or any other financial instrument data. Should payment processing be introduced in the future, it will be handled exclusively by PCI-DSS compliant third-party processors, and this Policy will be updated accordingly.
3. SDK and Scanning Data
Important. No Source Code Access: Valence AI operates through local and CI-based scanning combined with runtime reporting. Your source code remains within your own environment at all times. The Platform receives and stores only security issue results, operational telemetry, and runtime context. Application source code is neither transmitted to nor retained by Valence AI.
Upon integration of the Valence AI SDK, security-relevant metadata, including issue fingerprints, severity classifications, affected categories, and runtime event traces, is transmitted to the Platform. All such data is scoped to your project and accessible exclusively to authorized members of your organization.
4. How We Use Your Information
4.1 Service Provision
- Detection, analysis, and presentation of security vulnerabilities
- Runtime risk monitoring and alerting through supported integrations
- Operation of the Valence AI Copilot to deliver contextual, grounded security guidance
- Generation of compliance reports and audit records
- User authentication and project-level access management
4.2 Service Improvement
- Enhancement of detection accuracy and reduction of false positives
- Development of new features and platform capabilities
- Maintenance of platform integrity and prevention of abuse
- Analysis of aggregate usage patterns
4.3 Communication
- Delivery of critical security alerts and service notifications
- Product updates and feature announcements
- Response to user inquiries and support requests
5. Data Controller and Data Processor
For the purposes of applicable data protection legislation, Valence AI operates in the following capacities.
Data Controller
With respect to account information, usage data, and communications, Valence AI acts as the data controller, determining the purposes and means of processing.
Data Processor
With respect to security scan results, runtime telemetry, and project-specific data submitted through the SDK, Valence AI acts as a data processor on behalf of your organization. Processing is performed solely in accordance with your instructions and applicable service agreements.
6. Legal Basis for Processing
We process your personal information only where we have a valid legal basis under applicable law. The following table outlines the legal bases applicable to our processing activities.
Contract Performance
Processing necessary to provide the Services, including account management, security scanning, runtime monitoring, and compliance reporting.
Legitimate Interests
Processing necessary for service improvement, detection accuracy enhancement, platform security, and aggregate analytics, where such interests are not overridden by your data protection rights.
Legal Obligation
Processing necessary to comply with applicable laws, regulations, or enforceable governmental requests.
Consent
Where required, we obtain your explicit consent before processing. You may withdraw consent at any time by contacting us, without affecting the lawfulness of processing prior to withdrawal.
7. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties. Disclosure of information is limited strictly to the following circumstances.
7.1 Service Providers
We engage third-party service providers to support the operation of the Platform, including but not limited to cloud hosting, database management, authentication, analytics, and customer support. These providers are bound by contractual obligations to maintain the confidentiality and security of your information and are prohibited from using it for any purpose other than the delivery of the contracted services.
7.2 Legal Requirements
We may disclose your information where required to do so by applicable law, regulation, legal process, or enforceable governmental request, or where necessary to protect the rights, property, or safety of our users, the company, or the public.
7.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. You will be notified of any such transfer and any resulting changes to the handling of your information.
8. Data Security and Protection
We implement industry-standard technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption of data in transit (TLS 1.2+) and at rest using AES-256 or equivalent protocols
- Row-level security policies enforced at the database layer
- Project-scoped access controls ensuring logical tenant isolation
- Secure session management with HttpOnly, Secure, and SameSite cookie attributes
- Periodic security assessments and vulnerability testing
- Principle of least privilege applied to all internal access
Security Notice: Despite the implementation of robust security measures, no method of electronic transmission or data storage can be guaranteed to be completely secure. You acknowledge and accept the inherent risks associated with the electronic transmission of information.
9. Data Retention and Deletion
We retain your information only for as long as reasonably necessary to fulfill the purposes outlined in this Policy, comply with applicable legal obligations, resolve disputes, and enforce our agreements.
Account Information
Retained for the duration of your account. Upon receipt of a deletion request, account data is purged within 30 calendar days.
Security Scan Results
Retained for the duration of your active account. Historical scan data may be retained in aggregate, de-identified form for trend analysis.
Runtime Telemetry
Event-level runtime data is retained for up to 90 days for active monitoring. Aggregated metrics may be retained for a longer period.
Usage and Analytics Data
Retained for up to 24 months for service improvement and platform optimization purposes.
10. Your Rights and Choices
Subject to applicable law and jurisdiction, you may exercise the following rights with respect to your personal information.
- Access. Request a copy of the personal information we hold about you.
- Rectification. Request correction of inaccurate or incomplete information through your account settings or by contacting us.
- Erasure. Request deletion of your personal information and all associated project data, subject to legal retention obligations.
- Portability. Request export of your data in a structured, machine-readable format where technically feasible.
- Restriction. Request restriction of processing in certain circumstances as permitted by applicable law.
- Objection. Object to processing of your personal information where processing is based on legitimate interests.
- Account Deletion. Full account deletion may be initiated through the application settings or by submitting a written request to our support team.
To exercise any of the above rights, submit a request to valence@virtutechsolutions.com. All requests will be verified and processed within the timeframe mandated by applicable law.
11. Regional Privacy Rights
11.1 European Economic Area and United Kingdom (GDPR)
Users located in the European Economic Area or United Kingdom are afforded additional rights under the General Data Protection Regulation (GDPR), including the right to lodge complaints with a supervisory authority, the right to withdraw consent at any time, and protections with respect to automated decision-making and profiling. Our legal basis for processing is contract performance, legitimate interests, and, where applicable, your explicit consent.
11.2 California Residents (CCPA/CPRA)
California residents are entitled to rights under the California Consumer Privacy Act and the California Privacy Rights Act (CCPA/CPRA), including the right to know, the right to delete, and the right to opt out of the sale or sharing of personal information. Valence AI does not sell or share personal information as defined under the CCPA/CPRA.
12. International Data Transfers
Your information may be transferred to, stored, and processed in jurisdictions outside your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction. Where such transfers occur, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by relevant data protection authorities, to protect your information in accordance with this Policy and applicable law.
13. Do Not Track Signals
Certain web browsers transmit "Do Not Track" (DNT) signals to websites. As there is currently no universally accepted standard for interpreting DNT signals, the Platform does not alter its data collection or processing practices in response to DNT signals. Should a uniform standard be established, we will reassess this position and update this Policy accordingly.
14. Children's Privacy
The Services are intended exclusively for professional and business use. They are not directed at individuals under the age of 13 (or under 16 in the European Union). We do not knowingly collect personal information from minors. Should we become aware that such information has been inadvertently collected, it will be deleted without undue delay.
15. Changes to This Policy
We reserve the right to modify this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or regulatory obligations. Material changes will be communicated through the Platform or via email, with advance notice provided where required by law.
Continued use of the Services following the effective date of any revisions shall constitute acceptance of the updated Policy. We encourage you to review this Policy periodically.
16. Governing Law
This Policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of the jurisdiction in which Virtu Tech Solutions is incorporated, without regard to its conflict of law provisions.
17. Contact Information
For questions, concerns, or requests related to this Privacy Policy or our data handling practices, please direct correspondence to the following.
Email: valence@virtutechsolutions.com
For privacy-related inquiries, please include "Privacy Policy" in the subject line. All inquiries will be acknowledged within 30 days or as required by applicable law.