Privacy Policy
The TRW runtime stays local by default, and the marketing site is kept separate from your project data.
Here is exactly what we do and don't collect.
Last updated: June 12, 2026
Your project stays local by default
Project code, learnings, and run artifacts stay local unless you explicitly connect the hosted platform or submit data through the website.
What We Collect
We collect (only when you opt in)
- Usage telemetry — sent only when you enable usage telemetry (platform_telemetry_enabled, default off). Each event records the tool name, call duration, success status, phase, framework version, agent and session identifiers, a non-reversible hashed installation ID, and a timestamp. Free-text fields are PII-scrubbed and absolute paths are redacted before any event leaves your machine.
- Shared learning content — sent only when you separately enable learning sharing (learning_sharing_enabled, default off, distinct from usage telemetry). When enabled, the learning summary and detail (after PII redaction), its tags, impact score, vector embedding, status, and a hashed source-installation ID are published for cross-project recall.
- Recall queries — when usage telemetry is enabled, a recall query you run may be sent (as text plus a vector embedding) to the hosted platform to retrieve relevant shared learnings. Off when telemetry is off.
- Team / backend sync — a connected install can run a background sync loop with the platform. Learning content pushed by this loop (summary and detail, after PII redaction, plus tags, impact, status, and a hashed source-installation ID) is sent only when learning sharing is enabled (learning_sharing_enabled, default off). Anonymous session-outcome metrics pushed by the same loop are sent only when usage telemetry is enabled (platform_telemetry_enabled, default off). The intelligence pull (receiving shared/team learnings and version hints) sends no project, usage, or learning content.
- Feedback you submit — when you explicitly run the trw_submit_feedback tool, the category, subject, and message you wrote (license keys, API keys, and credentials redacted), plus basic environment metadata and an optional contact email, are sent to the platform submission portal. This is an explicit, per-invocation user action — nothing is sent automatically.
- Version check — a connected install (one configured with a platform URL and API key) periodically asks the platform for the latest available release, authenticated with your API key. No project, usage, or learning data is included in this request.
- Tester program applications — email and optional persona selection submitted via the tester-program application page.
- Account info — email and organization name when you create an account.
We never collect
- Source code, file contents, or codebase data
- Email addresses or API-key/token patterns in telemetry (scrubbed before send)
- API keys, tokens, secrets, or credentials
- Learning content, PRDs, or run notes — unless you explicitly enable learning sharing (default off)
- Raw installation IDs or machine filesystem paths
- Browsing history or data from other apps
The TRW MCP server runs entirely on your machine. Usage telemetry and learning sharing are two independent opt-ins, both off by default, controlled via .trw/config.yaml (platform_telemetry_enabled and learning_sharing_enabled). With the default configuration, a TRW session makes zero outbound telemetry or learning-content requests. Local project state and usage artifacts may still be stored in your workspace as part of normal TRW operation.
First-run embedding model — on first use, TRW may download a local sentence-embedding model (all-MiniLM-L6-v2) from huggingface.co so semantic recall runs entirely on your machine. This is a one-time model download; no project, usage, or learning data is sent in the request. Set TRW_OFFLINE=1 (or disable embeddings with embeddings_enabled: false) to suppress this download.
This marketing website uses Google Analytics and is hosted on AWS. That website analytics surface is separate from your local TRW project data.
How We Use Data
- Improve the hosted platform and framework based on real-world usage patterns
- Contact users about account updates, service announcements, and the tester program
- Provide account services and authentication
- Detect and respond to abuse or security incidents
- Understand how visitors interact with this website (via Google Analytics)
We do not sell your data. We do not use it for advertising.
Data Retention
| Data Type | Retention |
|---|---|
| Telemetry events | 90 days |
| Tester program applications | Until admission decision or opt-out |
| Account data | Duration of account + 30 days after deletion |
| Website analytics | 26 months (Google Analytics default) |
Third-Party Services
- Amazon Web Services (AWS) — Cloud infrastructure for hosting and deployment
- Google Analytics — Website traffic analysis on this marketing site only
- PostgreSQL (self-hosted) — Hosted account, tester-program applications, and platform application data
The TRW MCP server (the tool your agents use locally) operates on your machine. Hosted analytics and website analytics are separate surfaces with separate controls.
Your Rights
- Request a copy of all data we hold about you
- Request deletion of your account and associated data
- Opt out of hosted telemetry collection at any time
- Correct inaccurate personal information
- Lodge a complaint with your local data protection authority
To exercise any of these rights, contact us below. We respond within 30 days.
Contact
For privacy-related questions or data requests:
privacy@trwframework.com