Security & Privacy

Last updated: June 17, 2026

Tirmira is built for people who handle sensitive documents — contracts, leases, financials, client files. This page explains, in plain language, how we protect them. It describes our principles and the standards we use, not the internal details that would only help an attacker.

Processed in the EU, by EU providers only

Everything happens inside the European Union. The AI analysis runs on a French provider's EU infrastructure; hosting and email are EU-based too. There are no US providers in the path your documents travel, and your documents are never used to train AI models. Our subprocessors are named in our Privacy Policy.

Your documents don't stick around

Your original file is never kept: its text is extracted and the file is discarded right away, with a hard 24-hour maximum enforced automatically. The resulting analysis lives in your dashboard for 7 days and then deletes itself — or instantly, the moment you press Delete. Deleting your account erases everything immediately, with no backup copy kept. And our EU AI provider (Mistral) runs under Zero Data Retention: it never stores or logs your document text or its analysis — once the result is produced, nothing of yours remains at the subprocessor either.

Encrypted in transit and at rest

Every connection is protected with TLS (the padlock in your browser). Your analyses are stored encrypted at rest using AES-256-GCM, a current industry-standard cipher.

Your account, locked down

Passwords are hashed with argon2id (a modern, memory-hard algorithm). Two-factor authentication is available on every account and required on the Starter and Pro plans — with no SMS and no third-party service; the codes stay between your device and our EU server. You can sign out of every device in one click, and sessions are short-lived so a forgotten login doesn't stay open indefinitely.

Uploads handled in isolation

Each uploaded file is processed in a network-isolated sandbox with no access to encryption keys or to any other customer's data — so even a maliciously crafted document stays contained. Your analyses are only ever returned to you, the signed-in owner; there is no shared pool and no cross-customer mixing.

We collect as little as possible

There is no visitor tracking, no advertising, and no behavioural profiling — we don't build a picture of you, and we never sell data. Account and billing records are kept only as long as legally required. The people and tools that build Tirmira develop and debug using synthetic test data only; they do not have access to your documents or analyses.

Report a problem

If you believe you've found a security issue, we want to hear about it. Email hello@tirmira.com (see also our security.txt). We welcome responsible disclosure and will work with you in good faith.

Data protection & disclaimers

We build Tirmira to be GDPR-safe by design, name every subprocessor in our Privacy Policy, and offer a Data Processing Agreement (countersigned on request). Analyses are AI-generated and for informational purposes only; they are not legal, financial, or professional advice — always verify with a qualified professional.