Privacy Policy

Effective Date: May 25, 2026

This Privacy Policy describes how AI OS Orchestration Lab ("we", "us", "our") collects, uses, and protects your information when you use the AI OS platform ("Service"). We are committed to protecting your privacy and being transparent about our data practices.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address — used for account identification, login, and essential communications.
• Payment information — processed and stored exclusively by Stripe. We receive only a customer ID, subscription status, and plan type. We never see or store your credit card number.

1.2 Usage Data

We automatically collect:

• Server access logs — IP address, request timestamp, URL path, HTTP method, response status, and user agent. These are retained for 90 days for security and debugging purposes.
• Feature usage — which agents you run, skill executions, and general usage patterns. This is used to improve the Service and is not shared with third parties.

1.3 Information We Do NOT Collect

• We do not read, store, or log the content of your API calls to third-party providers (Anthropic, xAI, DeepSeek, etc.).
• We do not access the contents of your knowledge vault, agent outputs, or generated artifacts.
• We do not store your third-party API keys. They are held in your server's environment variables and are never transmitted to us.
• We do not use cookies for advertising or third-party tracking.

2. How We Use Your Information

• Account management — authenticating your login, managing your subscription, processing payments through Stripe.
• Service delivery — routing requests, maintaining session state, providing dashboard access.
• Security — detecting unauthorized access, rate limiting, abuse prevention.
• Communication — subscription confirmations, billing receipts, service announcements, and security alerts. We do not send marketing emails without your explicit opt-in consent.
• Service improvement — understanding aggregate usage patterns to prioritize features and fix issues.

3. Cookies

We use a single essential cookie:

• ai-os-session — An HTTP-only session cookie that authenticates your login. It contains a random token (not your email or personal data), expires after 30 days, and is required for dashboard access. No third-party cookies are used.

4. Data Sharing

We do not sell, rent, or trade your personal information. We share data only in these limited circumstances:

• Stripe — Your email and payment details are shared with Stripe to process subscriptions. Stripe's privacy policy governs their handling of this data.
• Legal requirements — We may disclose information if required by law, court order, or governmental regulation.
• Business transfer — In the event of a merger, acquisition, or sale of assets, your information may be transferred. You will be notified via email before your data is subject to a different privacy policy.

5. Data Storage & Security

• Account data is stored on our server infrastructure with encryption at rest.
• All connections use TLS (HTTPS) encryption in transit.
• API endpoints are protected by authentication, rate limiting, and input validation.
• Access logs are retained for 90 days, then automatically purged.
• Session tokens are cryptographically random and stored server-side.

While we implement industry-standard security measures, no method of electronic storage is 100% secure. We cannot guarantee absolute security.

6. Your Rights

You have the right to:

• Access — Request a copy of the personal data we hold about you.
• Correction — Request correction of inaccurate data.
• Deletion — Request deletion of your account and all associated data. Upon request, we will delete your data within 30 days, except where retention is required by law.
• Export — Export your data (vault contents, agent definitions, configurations) at any time while your subscription is active.
• Objection — Object to processing of your data for specific purposes.

To exercise these rights, contact us at the email address below.

7. Data Retention

• Account data — retained while your account is active and for 30 days after deletion request.
• Access logs — retained for 90 days.
• Payment records — retained by Stripe according to their policies and applicable tax/financial regulations.
• Vault and agent data — stored on your server instance. Deleted when you remove it or 30 days after account termination.

8. International Users

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

For users in the European Economic Area (EEA) or United Kingdom, we process data under the legal basis of contract performance (providing the Service you subscribed to) and legitimate interests (security, service improvement).

9. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete that information promptly.

10. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to active subscribers at least 30 days before taking effect. The "Effective Date" at the top of this page indicates when the policy was last revised.

12. Contact

For privacy-related questions, data requests, or concerns, contact us at:

privacy@ai-os.dev