Privacy Policy
Last updated: February 12, 2026
This Privacy Policy describes how Proxifai ("Company," "we," "us," or "our") collects, uses, shares, and protects personal information when you use our platform, website, and services (collectively, the "Service"). This policy applies to all users worldwide, including those in the European Economic Area (EEA), the United Kingdom (UK), California, and other jurisdictions with specific privacy requirements.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, and authentication credentials when you create an account (via Keycloak or other identity providers)
- Profile Information: Any additional information you add to your profile, such as display name, avatar, or preferences
- Payment Information: Billing address, payment method details (processed by our third-party payment processor; we do not store full credit card numbers)
- Content and Code: Source code, task descriptions, project data, documentation, and other content you submit through the Service
- Communications: Information you provide when contacting us for support or other inquiries
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, task execution history, agent interaction logs, and timestamps
- Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences
- Log Data: Server logs including access times, referring URLs, and error logs
- Cookies and Similar Technologies: See our Cookie Policy for details
1.3 Information from Third Parties
- GitHub and Other Integrations: When you connect third-party services, we receive data such as your username, email, repository names, issues, pull requests, and commit data as authorized by you
- Authentication Providers: Basic profile information from your identity provider (e.g., Keycloak, OAuth providers)
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, operate, and maintain the Service, including AI agent task execution, code generation, code execution, and project management features
- Account Management: To create and manage your account, authenticate you, and provide customer support
- Billing: To process payments, track usage, and manage billing
- Service Improvement: To analyze usage patterns, diagnose technical issues, and improve the Service's functionality and performance
- AI Model Improvement: We may use aggregated and anonymized data to improve our AI models and service quality. We do not use Your Content (code, task descriptions) to train third-party AI models without your explicit consent
- Communications: To send you service-related notifications, security alerts, billing information, and (with your consent) marketing communications
- Security: To detect, prevent, and address fraud, abuse, security threats, and technical issues
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
- Safety and Trust: To enforce our Terms of Service and Acceptable Use Policy, and to protect the rights and safety of our users and third parties
3. Legal Basis for Processing (EEA/UK Users)
If you are in the EEA or UK, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you requested (account management, service delivery, billing)
- Legitimate Interests: Processing necessary for our legitimate interests, including service improvement, security, and fraud prevention, where such interests are not overridden by your rights
- Consent: Processing based on your consent, such as marketing communications or optional analytics. You may withdraw consent at any time
- Legal Obligation: Processing necessary to comply with applicable laws
4. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: With third-party vendors who assist us in operating the Service (hosting, payment processing, analytics, customer support). These providers are contractually obligated to protect your data and use it only for the purposes we specify. See our Sub-processors List for details
- Third-Party Integrations: When you connect third-party services (e.g., GitHub), information is shared as necessary to enable the integration
- AI Processing: Your task descriptions and code may be processed by third-party AI providers to execute agent tasks. We ensure appropriate data processing agreements are in place with these providers
- Legal Requirements: When required by law, subpoena, court order, or governmental regulation
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity
- With Your Consent: For any other purpose with your explicit consent
5. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on:
- EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Other appropriate safeguards as required by applicable law
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law. Specifically:
- Account Data: Retained while your account is active. After account deletion, we retain data for up to 30 days for backup/recovery, then delete it
- Usage and Log Data: Retained for up to 12 months for analytics and security purposes
- Billing Records: Retained for up to 7 years as required by tax and financial regulations
- Your Content (Code/Tasks): Deleted within 30 days of account termination or upon your request
- Communications: Retained for up to 3 years for support history and quality assurance
- AI Agent Logs: Retained for up to 12 months for security, compliance, and debugging purposes. Where applicable law requires longer retention (e.g., EU AI Act minimum 6-month log retention for deployers of high-risk AI systems), we will retain logs accordingly
7. Automated Decision-Making
7.1 How We Use Automated Processing
The Service involves automated processing of your data, including AI agent task execution, code generation, and code execution. These activities are performed to deliver the Service you have requested and do not constitute automated individual decision-making that produces legal effects concerning you.
7.2 Your Rights Regarding Automated Decisions (GDPR Article 22)
If you are in the EEA or UK, you have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you. Where such processing occurs, you have the right to:
- Obtain human intervention from us
- Express your point of view
- Contest the decision
If you use the Service to make automated decisions about third parties, you are responsible for complying with GDPR Article 22 and equivalent requirements in other jurisdictions, including providing individuals with the right to human review.
7.3 California Residents (CCPA/CPRA Automated Decision-Making Technology)
If you are a California resident, you have the right to receive notice and opt out of the use of automated decision-making technology (ADMT) where it is used to make significant decisions about you, as defined under CCPA/CPRA regulations. We do not currently use ADMT to make significant decisions about individual users. If this changes, we will update this policy and provide the required notice and opt-out mechanisms.
8. Your Rights
8.1 All Users
You have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete personal information
- Delete your account and associated personal data
- Export your data in a machine-readable format
- Opt out of marketing communications
8.2 EEA/UK Users (GDPR)
In addition to the above, you have the right to:
- Restrict Processing: Request that we limit the processing of your personal data
- Object to Processing: Object to processing based on legitimate interests
- Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal effects, as described in Section 7
- Lodge a Complaint: File a complaint with your local data protection authority
8.3 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected
- Delete: Request deletion of your personal information
- Correct: Request correction of inaccurate personal information
- Opt Out of Sale/Sharing: We do not sell or share personal information as defined by the CCPA
- Opt Out of ADMT: Opt out of automated decision-making technology for significant decisions, where applicable
- Non-Discrimination: Exercise your rights without discriminatory treatment
To exercise any of these rights, contact us at [email protected]. We will respond within the timeframes required by applicable law (30 days for GDPR, 45 days for CCPA).
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access controls and multi-factor authentication mechanisms
- Regular security assessments, penetration testing, and monitoring
- Employee access limited to those who need it to perform their duties
- Incident response procedures for data breaches, including notification within timeframes required by applicable law (48 hours under our DPA, 72 hours under GDPR, 24 hours for early warning under NIS2 where applicable)
- Container and sandbox isolation for code execution environments
- Network segmentation between tenant environments
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Children's Privacy
The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly. If you believe we have inadvertently collected such information, please contact us at [email protected].
11. Third-Party Links and Services
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access through or in connection with the Service.
12. Data Processing Agreement
If you use the Service to process personal data of third parties (e.g., your customers' data), you may be a data controller and Proxifai acts as a data processor. In this case, our Data Processing Agreement governs our processing of such data. Contact [email protected] to request a signed copy.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website, updating the "Last updated" date, and, where required by law, sending you an email notification. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy. For material changes, we will provide at least 30 days' notice where legally required.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
Proxifai
TBD
TBD
TBD
Email: [email protected]
EU Representative (GDPR Article 27)
If we are not established in the European Union but process personal data of EU residents, our appointed EU representative is:
TBD
TBD
Email: TBD
Data Protection Officer
For data protection inquiries, you may also contact our data protection point of contact at: [email protected]