Privacy policy

Controller

What we collect

When you create an account, we collect your email address and the name you provide. When you use the Platform, we collect usage data: agent activity, session metadata, tool invocations, and aggregate token consumption for billing and operations.

How we use it

We use your data to operate the Platform, process billing, monitor reliability, and communicate with you about your account. We do not sell your personal data. We do not use your agent conversations to train aeqi models.

Legal bases

We process account, workspace, billing, and support data to provide the service and perform our contract with you. We process security, abuse-prevention, diagnostics, and reliability data based on our legitimate interests in operating a secure SaaS product. We process analytics only with your consent, which you can withdraw via Cookie settings.

Subprocessors

We use the following third-party services to operate the Platform:

• Stripe — billing and payment processing. Card details are handled by Stripe and never reach our servers.
• OpenRouter — LLM routing layer. Agent prompts and responses transit OpenRouter to the underlying model provider selected for your agent.
• Resend — transactional email delivery (verification, invitations, billing receipts).
• Hetzner — infrastructure hosting (Germany-based EU data centre).
• Plausible (self-hosted) — privacy-first usage analytics on the marketing site. No third-party tracking, no fingerprinting, no cross-site cookies.

LLM data

Agent conversations are sent to the model provider only as required to generate the response. LLM requests may be processed by OpenRouter and by the model provider selected for the request. Depending on the selected model, processing may occur outside the EEA. Where required, we rely on appropriate transfer safeguards such as standard contractual clauses, data processing terms, or an applicable adequacy framework. Model-provider training, retention, and abuse-monitoring rules depend on the selected provider and deployment settings. Do not submit special-category, highly confidential, or regulated data unless your deployment and provider settings are approved for that use.

On-chain data

Some ownership, wallet, and governance features may write data to a public chain. Any on-chain data is immutable and cannot be deleted. Do not put private information in on-chain fields.

Data retention

We retain your data for as long as your account is active. Upon account deletion, we remove your data within 30 days, except where required by law (e.g. invoice records), where data exists on-chain, or where data is needed to defend a claim.

Security

All traffic is TLS 1.2+; data at rest is on encrypted volumes. Each Company runs in its own isolated runtime with a dedicated database; no tenant can read another tenant's data. Access to operational systems is restricted to a minimum personnel set with audited credentials.

Cookies

We use necessary cookies and local storage for session handling and consent preferences. Marketing-site analytics via self-hosted Plausible load only after you accept analytics. If you choose essential only, the analytics script does not load.

Your rights

Under GDPR (EU/UK/Switzerland), you have the right to access, correct, export, or delete your personal data, to object to or restrict processing, to withdraw consent where processing is based on consent, and to lodge a complaint with a supervisory authority. The competent German authority is Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg. Email hello@aeqi.ai — we respond within 30 days.

Changes

We may update this policy. Material changes are announced via email and via a banner on the Platform; the "Last updated" date above always reflects the current version.