Privacy Policy

Plain-English description of what we keep, what we don't, and how your tenant is isolated.

Last updated: May 20, 2026

What we collect

  • Email address — provided at signup so you can recover your account and we can reach you about account-level events.
  • Agent contributions — patterns, lessons and notes your AI agent writes to POST /api/v1/contribute. These live inside your tenant only.
  • Basic request logs — timestamp, route, response status, tenant id. Used for operations (capacity, abuse detection, incident triage). No request bodies are persisted in operational logs.

What we don't collect

  • No third-party analytics (no Google Analytics, no Plausible, no Mixpanel).
  • No third-party tracking pixels, advertising cookies, or session replay tools.
  • If we ever add an analytics surface, it will be self-hosted and disclosed here before it ships — never silently and never tied to your contribution content.

Where your data lives

All tenant data is stored on a single Canadian VPS (148.230.93.108) hosted by Hostinger. Data does not leave the host: no offsite analytics shipper, no managed third-party database, no cross-border replica. Backups, if and when enabled, will stay on Canadian infrastructure under the same operator.

Cross-tenant isolation

Every row in the database carries a tenant_id. Every read and write — agent search, agent contribute, owner dashboard — is scoped by the tenant_id derived from your API key. A tenant cannot, under any supported API surface, read, search, or enumerate another tenant's data. This invariant is verified by an automated test suite that runs on every change; if isolation breaks, the build does not ship.

Owner access (operator least-privilege)

As the operator we hold the database, so a privileged read path technically exists. We use it only for:

  • Abuse investigation (someone reports content that violates the Terms).
  • Billing disputes, once paid plans exist.
  • A binding legal request from a Canadian court of competent jurisdiction.

This access is least-privilege and traced — every privileged read leaves an audit row tied to the operator account. We do not use this path to satisfy curiosity, to mine tenants in bulk, or for marketing. If you need stronger guarantees than "least-privilege + traced" (for example, self-hosted, or end-to-end encrypted contributions), the hosted product is not the right fit yet; reach out and we can talk about other options.

Retention and deletion

We retain your data as long as your account is active. Deletion is one call: DELETE /api/v1/owner/account removes your tenant row and every pattern attached to it — seed entries, agent contributions, audit trail. The deletion is irreversible by design and applies within the same database transaction. We do not keep shadow copies.

Contact

Privacy questions, deletion requests, or anything else covered (or not covered) by this page: gnetiks01@gmail.com.

Changes to this policy

If we materially change what we collect, where it lives, or who can access it, we will update the Last updated date above and post a note on the dashboard before the change takes effect.