Privacy Policy

Effective 2026-05-17. This page explains what data Hackers Agent ("we", "us") collects when you use app.hackersagent.com and api.hackersagent.com (together, the "Service"), why we collect it, and what your rights are.

1. What we collect

  • Account data. Email, display name, and authentication metadata from your sign-in provider (WorkOS AuthKit, which may relay sign-in via Google OAuth or email/password).
  • Conversation content. The messages you submit to our security agents, the agent responses, and any files or images you attach.
  • Usage telemetry. Pages visited, request timestamps, performance traces (OpenTelemetry), and error events (Sentry). We strip request bodies from traces.
  • Billing data. Our payment processor (Stripe and/or Paddle as Merchant of Record) collects and stores your payment method; we never see card numbers. We retain the processor's customer/transaction IDs, invoice history, and your subscription tier (free, pro, max).
  • Subscription preferences. If you are on the Max plan and you pin individual agents to a specific LLM provider/model via Profile → Custom Agent Models, that per-agent preference is stored on your user record so future chats use the model you chose.
  • Purchase & usage logs (dispute evidence). Each successful charge is recorded in our purchase history alongside the agent invocation IDs and timestamps that consumed the resulting tokens. We also store the Terms-of-Service acceptance timestamp captured when you ticked the click-wrap checkbox at checkout. This bundle is what we submit to the payment processor in chargeback responses to prove the digital service was delivered.
  • Network metadata. IP address, user-agent, and Cloudflare request ID for every API call. Used for abuse detection and audit.

2. Why we collect it

  • To run the Service and respond to your requests.
  • To prevent abuse (rate limiting, anomaly detection on the per-message and per-connection limits documented in our engineering runbooks).
  • To bill you and reconcile payment-processor invoices.
  • To meet legal obligations (e.g. responding to a subpoena, tax records).
  • To improve the Service. We do not sell your data, and we do not use your conversation content to train third-party base models. Your conversations are not surfaced to other users.

3. Where it lives

  • Account + conversations: Google Cloud Firestore (region nam5, multi-region North America).
  • Application logs + traces: Google Cloud Logging and Grafana Cloud (region us-west).
  • Billing: Stripe (United States); Paddle (United Kingdom / United States) where Paddle is the Merchant of Record for your region.
  • Authentication: WorkOS (United States) and Firebase Authentication (United States).

If you access the Service from outside the United States, your data is transferred to and processed in the United States.

4. Retention

  • Conversations: retained for the lifetime of your account. You can delete a session from the Chat History panel at any time; deletion is immediate and irreversible.
  • Admin audit log: 365 days, then auto-deleted via Firestore TTL.
  • Application logs: 30 days in Cloud Logging, 13 months for traces in Grafana Cloud.
  • Billing records: 7 years (US tax law).
  • Purchase & usage dispute logs: 2 years from the transaction date (the chargeback window for digital goods runs up to 540 days; we keep an extra buffer for late arbitration).
  • Account deletion: email support@hackersagent.com. We delete your account, conversations, and audit log entries within 30 days. Billing records are retained as stated in the Billing records item above.

5. Sub-processors

We rely on the following third parties to run the Service:

  • Google Cloud Platform — compute, database, logs.
  • Cloudflare — DNS, CDN, WAF.
  • WorkOS — authentication and SSO.
  • Vercel — web frontend hosting.
  • Stripe — payment processing for most regions; PCI card capture and chargeback response.
  • Paddle — Merchant of Record where enabled, with responsibility for tax collection (VAT/GST/sales tax) and remittance in their supported jurisdictions.
  • Sentry, Grafana Cloud, Better Stack — observability.
  • Anthropic, Google AI, OpenAI (via OpenRouter), Groq — LLM inference. Your messages may be sent to these providers; we send only the minimum required for the agent's task. We have configured zero-data-retention with each provider where supported.

6. Your rights

  • Access, correction, deletion, and export — email support@hackersagent.com. We respond within 30 days.
  • If you are an EEA, UK, or California resident, you also have rights under GDPR, UK GDPR, and CCPA respectively. Same email, same response window.
  • To opt out of non-essential cookies, click "Cookie settings" in the banner shown on first visit.

7. Security

We sign every container image with Sigstore, run all internal services with INGRESS_TRAFFIC_INTERNAL_ONLY, isolate per-tenant data with PostgreSQL row-level security, and rotate secrets via Google Secret Manager. We disclose material security incidents affecting your data within 72 hours of confirmed scope.

8. Changes

Material changes to this policy will be announced by email at least 14 days before they take effect. Non-material edits (typos, new sub-processors equivalent to existing ones, formatting) may be made without notice.

9. Contact

Questions: support@hackersagent.com. Legal disputes: support@hackersagent.com.