Privacy Policy

Dominykas Viecas

Terminalo g. 2-3, Siauliai

[email protected]

From your OAuth provider (Google, GitHub, or email signup). Used for account identification and service communications.

A unique identifier from our identity provider. Used internally to link your account to your workspace.

If provided by your OAuth provider. Used for display purposes only.

Whether your subscription is active, your tier, and billing period dates.

A reference linking your account to your Polar.sh billing record.

The subdomain you selected for your workspace.

Container IDs, image versions, resource usage metrics, start/stop timestamps. Used for provisioning, billing, and debugging.

Duration and type of worker container sessions. Used for per-second billing calculation.

Your workspace calls LLM providers directly with your API keys. Request and response content does not pass through our servers. Worker containers also call providers directly using your key, which is passed as an ephemeral environment variable at launch and destroyed with the container.

We do not read, monitor, or analyze your conversations with your AI workspace.

We do not use third-party analytics services, tracking pixels, or behavioral profiling. We do not fingerprint your browser or device.

API keys are stored encrypted in your workspace vault. The plaintext values are never logged, transmitted to our backend in readable form, or accessible to our staff. When passed to worker containers at launch, keys are injected as environment variables and redacted from all log output.

Account data, billing data, and workspace provisioning — necessary to provide the Service you subscribed to.

Platform metadata (container health, resource usage, error logs) — necessary to maintain, secure, and improve the infrastructure. Our interest is balanced against your rights by collecting only operational data, not content.

Retaining billing records as required by tax and financial regulations.

HTTP requests transit through Cloudflare's global network before reaching our servers. Cloudflare does not store request bodies. Cloudflare participates in the EU-US Data Privacy Framework.

When your workspace calls an LLM provider, data is sent to wherever that provider operates. This is your direct relationship — we do not control the destination.

Messages sent through connected channels (Telegram, Discord, etc.) pass through those platforms' infrastructure.

Retained while your account is active. Deleted within 30 days of account closure.

Retained while your workspace is active. After subscription cancellation, your workspace is stopped at the end of the billing period. Data is retained for 30 days to allow reactivation, then permanently deleted.

Ephemeral. Worker containers are destroyed when the task completes or times out. No data from worker sessions is retained on our infrastructure after destruction.

Retained for the period required by applicable tax and financial regulations (typically 7 years).

Application and infrastructure logs are retained for up to 30 days for debugging purposes, then deleted. Logs never contain conversation content, API key values, or workspace file contents.

Each workspace runs in a dedicated container with gVisor runtime sandboxing, restricted syscalls, and isolated networking. Tenants cannot access each other's containers or data.

All connections to the Service use TLS. Internal container-to-backend communication is over isolated Docker networks.

API keys and credentials are encrypted using AES-256-GCM with per-tenant keys. Plaintext values are zeroed from memory when no longer needed.

The platform uses OAuth-based authentication with optional WebAuthn passkeys. Session cookies are HttpOnly and Secure. Per-tenant backend tokens authenticate container-to-backend communication.

SSH access is via Cloudflare tunnel only (no direct SSH). Automatic security updates are applied. All HTTP/HTTPS traffic is restricted to Cloudflare IP ranges.

Maintains your authenticated session after logging in. HttpOnly, Secure, expires when you close your browser or after a set period.

Request a copy of the personal data we hold about you.

Request correction of inaccurate personal data.

Request deletion of your personal data. This includes account data, workspace content, and all associated records.

Request that we limit processing of your data in certain circumstances.

Receive your personal data in a structured, machine-readable format. Your workspace supports data export while active.

Object to processing based on legitimate interest. We will stop unless we demonstrate compelling legitimate grounds.

Lodge a complaint with your local data protection authority. In Lithuania, this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, vdai.lrv.lt).