This Privacy Policy explains how Grid Heap, Inc., a Delaware corporation ("Trainshell", "Grid Heap", "Company", "we", "us", or "our"), handles personal information in connection with the Service.
The Service is operated from the United States and delivered through a globally distributed edge network. If you use the Service from outside the United States, your information may be accessed, transferred, and processed in the United States and other jurisdictions where we or our providers operate.
1. Scope and roles
This Policy applies only to Trainshell: the train.sh website, dashboard, APIs, hosted terminal sessions, agent software, storage and compute orchestration, support interactions, and connected development workflows.
We act as controller, operator, or equivalent role for account administration, authentication, security, service operations, compliance, support, billing records, and business records.
We act as processor, service provider, or entrusted party for personal data contained in files, prompts, repositories, datasets, logs, secrets, terminal activity, model artifacts, and other content you submit or direct us to process through the Service ("User Content"), except where we need to use that information for security, legal compliance, billing, abuse prevention, or service protection.
You are responsible for ensuring that your use of the Service and any personal data in User Content has an appropriate legal basis and all required notices or consents.
2. Information we collect
We collect different categories of information depending on which Trainshell features you use. If certain information is required for authentication, security, billing, or the workflow you request, the related feature may not work without it.
| Category | Examples |
|---|---|
| Account data | Name, email address, avatar, provider account ID, and session records. |
| Authentication and integration data | OAuth tokens, token metadata, scopes, repository metadata, codespace metadata, and Google Drive metadata. |
| Configuration data | Provider credentials, SSH keys, secrets, storage definitions, recipes, job settings, and instance settings. |
| User Content | Files, datasets, prompts, command input and output, transfer instructions, job metadata, and generated artifacts. |
| Usage and security data | IP address, browser and device data, request metadata, timestamps, audit records, and bot mitigation signals. |
| Host and agent telemetry | Hostname, operating system, hardware summary, heartbeat data, connection status, and session identifiers. |
| Communications | Support requests, feedback, and account or service communications. |
We collect information from you, your browser or device, connected services, remote environments you connect, and our infrastructure and security providers.
3. User Content and workflow data
User Content remains yours. Trainshell processes it to carry out your instructions: opening terminals, syncing files, mounting storage, routing prompts, invoking agents, creating outputs, and connecting selected providers.
Remote sessions and agent workflows may include command text, terminal output, repository context, model prompts, generated files, and provider responses. We do not intentionally train our own foundation models on User Content, sell User Content, or use it for cross-context behavioral advertising.
4. How we use information
We use personal information to provide, secure, support, and improve Trainshell, to comply with law, and to enforce our agreements. Where applicable law requires a legal basis, we generally rely on contract performance, legitimate interests, legal obligations, and consent where required.
| Purpose | Examples |
|---|---|
| Operate the Service | Authentication, sessions, storage, compute orchestration, remote terminals, agents, jobs, and integrations. |
| Follow your instructions | Access linked repositories or files, run transfers, route prompts, and invoke enabled integrations or providers. |
| Security and abuse prevention | Session validation, rate limiting, bot detection, incident investigation, and service protection. |
| Support and improvement | Troubleshooting, diagnostics, reliability improvements, and product support. |
| Legal and business operations | Compliance, dispute handling, recordkeeping, sanctions or export controls, and protection of rights. |
5. AI features and external providers
Trainshell may route prompts, files, terminal context, logs, or other User Content to AI providers, repository hosts, cloud compute providers, storage providers, and remote environments only when you enable or request the related workflow.
Those providers process information under their own terms and privacy practices. You are responsible for choosing providers that meet your privacy, security, export, procurement, and compliance requirements.
6. Cookies and similar technologies
We use essential cookies, local storage, and similar technologies for authentication, session management, security, bot mitigation, and product preferences. We may use limited website analytics to understand aggregate usage of public pages, but analytics does not include terminal content, files, secrets, or model prompts.
7. Disclosure of information
We disclose personal information only as needed to operate Trainshell, follow your instructions, protect rights and security, or comply with law.
| Recipient | Examples | Purpose |
|---|---|---|
| Infrastructure providers | Hosting, storage, routing, security, bot mitigation, and managed AI infrastructure. | Hosting, storage, routing, security, and core service delivery. |
| Identity and integration providers | GitHub, Google, Apple, Notion, Hugging Face, and Google Drive. | Authentication and customer-enabled integrations. |
| Customer-selected providers | Vast.ai, RunPod, Lambda, Hugging Face, and connected remote environments. | Provisioning, storage, compute, and customer-directed workflows. |
| Professional and legal recipients | Advisers, auditors, insurers, transaction parties, regulators, courts, and law enforcement. | Compliance, corporate transactions, and protection of legal rights. |
8. Retention
We keep personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, maintain security, resolve disputes, enforce agreements, and comply with law.
- Account records are generally retained for the life of the account and a reasonable period afterward.
- Tokens, credentials, and secrets are retained until revoked, replaced, deleted, or no longer needed.
- Session, host, job, and transfer records may be retained for operational, support, and security purposes.
- Backups and residual copies may remain for a limited period for recovery, fraud prevention, or legal preservation.
9. International transfers
The Service is operated from the United States and delivered through a globally distributed edge network, with globally distributed providers. Personal information may therefore be processed in the United States and other jurisdictions where we, our providers, or your selected services operate.
If you connect external accounts, provision third-party infrastructure, or use external AI, storage, or repository services through the Service, you instruct us to transfer relevant data as needed to perform your request.
Where required, we aim to rely on recognized transfer mechanisms such as standard contractual clauses, the EU-US Data Privacy Framework, the UK Extension and Swiss-US framework, adequacy decisions, certification-based mechanisms, separate consent, or another valid legal basis.
10. Security
We use reasonable technical and organizational measures designed to protect personal information, including access controls, encrypted transport, provider-managed infrastructure protections, and application-layer encryption for selected credentials and secrets.
No system is completely secure. You remain responsible for protecting your own accounts, credentials, remote environments, repositories, and endpoints.
11. Your rights
Depending on applicable law, you may have rights to access, correct, delete, restrict, object to, or port certain personal information, and to withdraw consent where processing depends on consent.
You may also disconnect integrations, revoke tokens through the relevant provider, and delete stored credentials or secrets through the Service where available. We may need to verify identity and authority before responding to a request.
Contact us at legal@gridheap.com to make a privacy request.
12. Children
The Service is not directed to children under 18. If you believe a child has provided personal information to us without authorization, contact us so that we can review and take appropriate action.
13. Service providers and links
Service providers may access personal information only to perform work for us or to support features you enabled. Trainshell may link to third-party websites or services; their handling of information is governed by their own policies.
14. Changes
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the effective date above. If required, we will provide additional notice.
15. Contact
Privacy requests and questions can be sent to legal@gridheap.com. For general company contact, email contact@gridheap.com.