Privacy Policy
This Privacy Policy explains how Aiobis ("Aiobis", "we", "us") collects, uses, shares, retains, and protects personal information when you use AlphaProxy — our autonomous AI agent platform, including the AlphaProxy web application, APIs, browser automation, code execution sandboxes, integrations, and related services (the "Service"). It also describes your rights and the choices available to you.
01 Scope of this policy
This policy applies to personal data we process when you visit our marketing site, sign up for or use the Service, communicate with us, or otherwise interact with AlphaProxy. It does not apply to third-party services that you connect to AlphaProxy or that we link to from our Service; those are governed by their own privacy policies.
If you use the Service through an organization (your employer, your customer, or another team), that organization may be a separate controller of certain data and may have its own privacy practices that apply to you.
02 Summary in plain English
- We collect the data needed to authenticate you, run the Service, bill paid plans, and keep the system secure.
- We process the prompts, files, and instructions you give the agent so we can produce a result for you.
- We use established cloud and AI providers — primarily Microsoft Azure, Supabase, E2B, and selected LLM and search providers — to operate the Service.
- We do not sell your personal data, and we do not use your prompts or content to train foundation models for other customers without your explicit opt-in.
- You can sign in with Google or Microsoft using only the minimum identity scopes needed to authenticate you.
- You have rights over your data — you can access, export, correct, or delete it.
03 Personal data we collect
Account and identity data
- Name, email address, profile picture, and the unique provider identifier returned by Supabase, Google, Microsoft, GitHub, or LinkedIn when you sign in.
- Authentication metadata, including session tokens, hashed CSRF tokens, OAuth refresh tokens (where provided), and last-sign-in timestamp.
- Account preferences, plan and entitlement, role, language, and theme.
Billing data
- Plan tier, billing cycle, billing email, billing address (where required for tax), invoice history, currency, and tax identifiers.
- Payment is processed by our payment provider; we do not store full payment card details on our systems.
Customer Content
- Prompts, instructions, chat messages, files, code, screenshots, browser captures, generated artifacts, knowledge entries, memory, projects, scheduled tasks, and skills you create or upload.
- Outputs produced by the agent in response to your inputs.
Connected-service data
- Identifiers, scopes, and metadata for any third-party services you connect (for example, your Google account email, Microsoft tenant identifier, GitHub username).
- Any data the agent retrieves from connected services on your behalf, retained only for as long as needed to complete your task and any session-level features (such as memory or conversation history) that you have configured.
Operational and telemetry data
- Application and audit logs, request and response metadata, model identifiers, token usage, sandbox session metadata, browser session metadata, error traces, performance metrics, and security events.
- Device, browser, and connection metadata: IP address, user agent, locale, time zone, approximate location derived from IP, and device type.
Communications
- Information you submit through support channels, sales inquiries, surveys, or feedback forms.
04 Sources of personal data
We collect personal data:
- Directly from you when you create an account, configure the Service, submit prompts or files, or contact us.
- From identity providers (Supabase, Google, Microsoft, GitHub, LinkedIn) when you choose to sign in via those providers.
- Automatically from your device and browser when you use the Service (for example, IP address, request logs, and telemetry).
- From integrations you connect, on your instruction, when the agent acts on your behalf.
- From service providers who help us operate, secure, and analyze the Service.
05 How and why we use personal data
We use personal data to:
- Authenticate you and operate the Service, including running agent reasoning, sandboxes, browser sessions, memory, knowledge, projects, scheduled tasks, and integrations.
- Send messages to LLM and tool providers strictly as needed to fulfil your requests.
- Provide customer support and respond to your requests.
- Bill paid plans, prevent fraud, and meet tax and accounting obligations.
- Maintain service quality, monitor performance, debug, and improve reliability.
- Detect, prevent, and respond to abuse, spam, malware, and security incidents.
- Comply with applicable laws, lawful requests, and our legal rights and obligations.
- Communicate with you about service updates, security notices, billing, and (where permitted) marketing related to AlphaProxy. You can unsubscribe from marketing at any time.
- Develop new features and improvements in aggregated, de-identified form, except where you have explicitly opted into more.
06 Legal bases (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Provide and operate the Service, including running agent tasks at your request | Performance of a contract |
| Process payments and manage billing | Performance of a contract; legal obligation |
| Secure the Service and prevent abuse and fraud | Legitimate interests |
| Improve and develop the Service in aggregated form | Legitimate interests |
| Send service-related communications | Performance of a contract; legitimate interests |
| Send marketing where required | Consent (which you may withdraw at any time) |
| Comply with legal and regulatory obligations | Legal obligation |
| Process special categories of data, where applicable | Explicit consent or another permitted Article 9 ground |
07 Google and Microsoft OAuth data
When you sign in with Google or Microsoft, we receive only a limited identity profile: typically your name, email address, profile image, and a stable provider-issued user identifier. We use this data solely to:
- Authenticate you and create or link your AlphaProxy account.
- Personalize the Service (display name, avatar, language).
- Communicate with you about the Service.
We do not request access to your inbox, calendar, drive, contacts, or other product-level data unless you explicitly enable a feature that requires it. If we add such features, we will request your granular, in-product consent at the time the additional scope is needed, and we will use that data only for the feature you enabled.
You can revoke OAuth access at any time:
- Google: myaccount.google.com/permissions
- Microsoft: account.microsoft.com/privacy/app-access
08 Data generated by autonomous agents
AlphaProxy is an autonomous agent. To complete tasks you give it, the agent may, among other things, run code in isolated sandboxes, browse the public web, capture screenshots, fill forms, call third-party APIs, and read/write files. As a result, additional data may be generated and processed, including:
- Sandbox execution logs, files created in working directories, command outputs, and crash traces.
- Browser session data, including page content fetched, screenshots, cookies set by the visited site, and metadata of pages visited on your behalf.
- API request/response payloads sent to LLM and tool providers in order to complete your tasks.
- Data fetched from third-party services that you have authorized.
This agent-generated data is treated as Customer Content under our Terms of Service. We protect it with the same controls (including encryption, access controls, sandbox isolation, and Azure Key Vault for secrets) and do not sell it.
09 AI models and training
AlphaProxy uses third-party LLM providers (such as Azure OpenAI, OpenAI, Anthropic, Google, and others) to perform reasoning. When you submit a prompt, the relevant content is transmitted to the configured provider strictly to generate a response.
- We contractually require providers to handle your data in accordance with their stated terms and not to retain it for model training where such commitments are available.
- We do not use your prompts, files, or outputs to train foundation models for use by other customers without your explicit opt-in.
- We may use aggregated and de-identified telemetry to monitor reliability, latency, and error rates, and to improve internal heuristics, prompts, and skills.
If you are sensitive about transmitting certain data to AI providers, do not include that data in prompts or files submitted to the Service.
10 How we share personal data
We do not sell personal data. We share personal data only as needed to operate the Service or as required by law:
- Sub-processors — vendors that host, secure, monitor, support, or extend the Service. See the next section.
- Authentication providers — Supabase, Google, Microsoft, GitHub, and LinkedIn when you choose to sign in via those services.
- LLM and tool providers — when needed to fulfil your prompts or agent actions.
- Connected services you authorize — only at your direction, and only to perform the task you requested.
- Professional advisors — accountants, auditors, and lawyers under confidentiality.
- Authorities — when required by law, regulation, court order, or to protect rights, safety, and security.
- Corporate transactions — in the context of a merger, acquisition, financing, or asset sale, with appropriate confidentiality and continuity protections.
11 Sub-processors and infrastructure
The Service is hosted primarily on Microsoft Azure. Our key categories of sub-processors include:
| Category | Examples | Purpose |
|---|---|---|
| Cloud hosting, networking, and storage | Microsoft Azure (Azure Container Apps, Cosmos DB, Redis, Blob Storage, Service Bus, Key Vault, AI Search, Application Insights) | Run, scale, secure, and monitor the Service |
| Authentication and identity | Supabase Auth, Google Identity, Microsoft Entra ID, GitHub, LinkedIn | Sign-in, account management, OAuth |
| AI / LLM providers | Azure OpenAI, OpenAI, Anthropic, Google, and other configured providers | Perform agent reasoning at your request |
| Sandbox execution | E2B | Run code and shell commands you direct the agent to run |
| Search and content tools | Tavily, Exa, Brave, and similar configured tools | Web search and content retrieval at your request |
| Payments and billing | Configured payment processor | Subscription, invoicing, fraud prevention |
| Communications and analytics | Email, support, and product analytics tooling | Service messages, support, and aggregated analytics |
An updated list of material sub-processors is available on request via [email protected]. We require sub-processors to commit to data protection obligations consistent with this policy.
12 International data transfers
We and our sub-processors may process personal data in countries other than your own, including the United States and other regions where our infrastructure and providers operate. Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented by additional technical and organizational measures where needed.
13 Data retention
We retain personal data only for as long as needed for the purposes described in this policy and to comply with legal, accounting, and reporting obligations:
- Account data — for the lifetime of your account and a reasonable period afterwards (typically up to 24 months) to permit account recovery, resolve disputes, and comply with law.
- Customer Content — for as long as you keep it in the Service. You can delete chats, projects, files, and memory at any time. After account deletion, residual copies may persist briefly in encrypted backups before they are rotated out.
- Billing records — for the period required by tax and accounting law in the relevant jurisdictions.
- Security and audit logs — for a limited operational window, typically up to 12 months, or longer if needed for an active investigation.
- Aggregated and de-identified data — may be retained indefinitely.
14 Security
We use a layered approach to security, including:
- Encryption of data in transit (TLS) and at rest for managed stores.
- Centralized secrets management via Azure Key Vault with managed identities.
- Role-based access controls and least-privilege principles for our personnel.
- Isolated sandbox execution for code and shell commands.
- Network controls, application logging, security monitoring, and incident response procedures.
- Vendor due diligence for sub-processors.
No system is perfectly secure. If you discover a vulnerability, please contact [email protected].
15 Your rights and choices
Depending on where you live, you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Delete personal data ("right to be forgotten").
- Restrict or object to certain processing.
- Data portability — receive a copy of your data in a structured, commonly used format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with a supervisory authority.
- Opt out of marketing communications at any time.
You can exercise many of these rights directly in the product (account settings, chat and project deletion, memory and knowledge controls). For other requests, email [email protected] from the email associated with your account. We may need to verify your identity before acting on a request and may decline requests where permitted by law.
16 Regional disclosures
European Economic Area, United Kingdom, and Switzerland
Our legal bases for processing are described in Section 6. The data controller for personal data processed under this policy is Aiobis. You can contact us at [email protected]. You also have the right to lodge a complaint with the data protection authority in your country of residence.
California (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, use, share, or sell; to delete personal information; to correct inaccurate personal information; to opt out of the sale or sharing of personal information; and to limit the use of sensitive personal information. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. You may also designate an authorized agent to make a request on your behalf.
Categories of personal information we collect are described in Section 3. Purposes are described in Section 5. Sources are described in Section 4. Disclosures are described in Section 10.
Other US states
Residents of other US states with comprehensive privacy laws (such as Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others) have similar rights. To exercise them, contact [email protected].
Other regions
Where local laws (for example in Brazil, Canada, Australia, India, Saudi Arabia, the UAE) grant you additional rights, we will honor those rights to the extent required by law.
17 Cookies and similar technologies
We use a small number of cookies and similar technologies to make the Service work and to keep you signed in:
- Strictly necessary — session cookies, CSRF tokens, and Supabase auth tokens used to authenticate and protect requests.
- Functional — preferences such as theme (dark/light mode) and language, stored in your browser's local storage.
- Analytics and performance — limited, aggregated usage and reliability telemetry to understand how the Service is performing.
You can clear cookies and local storage from your browser at any time; doing so may sign you out and reset preferences. We do not use third-party advertising cookies on AlphaProxy.
18 Children
The Service is not directed to, and we do not knowingly collect personal data from, children under 13 (or the higher minimum age required in your jurisdiction). If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.
19 Automated decisions, profiling, and Do Not Track
We do not use AlphaProxy to make decisions producing legal or similarly significant effects about you solely by automated means without human oversight. The agent itself is autonomous within the bounds of the tasks you assign to it; you remain the decision-maker and reviewer of consequential outputs and actions.
Our systems do not currently respond to "Do Not Track" browser signals, but we honor opt-outs as described in Section 15.
20 Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email, by in-product notice, or by updating the "Last updated" date and posting the revised policy. Material changes become effective no earlier than fourteen (14) days after notice, except where shorter notice is required by law. Continued use of the Service after the effective date constitutes acceptance.
21 Contact us
If you have questions, requests, or complaints about this Privacy Policy or our data practices, contact us at:
Aiobis — AlphaProxy
Privacy: [email protected]
Legal: [email protected]
Security: [email protected]
Support: [email protected]