1. Who we are
Veirox ("we", "us") is operated by Veirox Contributors. Our principal contact is hello@veirox.com. The Veirox service is hosted at veirox.com.
2. What we collect
Account information
- Your email address and password (stored hashed via argon2id).
- Organization name and slug.
- Profile information you optionally provide (name, avatar).
- If you enable MFA: TOTP secret (encrypted at rest with Fernet) or WebAuthn credentials.
Usage data
- Sessions you initiate and the prompts / agent outputs they produce.
- Tasks you create, schedule, or run.
- Webhook events received on your behalf (subject to our redaction rules — see §6).
- API calls you make, including timestamps, IPs, and User-Agent headers.
- Connector enrollment and command-execution logs.
Integrations
- OAuth tokens for Google, Microsoft, Slack, Jira, Confluence (encrypted with the project's vault key).
- Repository URLs and credentials you configure.
- Webhook signing secrets (HMAC) you configure.
What we don't collect
- We don't sell your data. Period.
- We don't profile you for advertising.
- We don't read your private repository contents unless you explicitly grant access.
- We don't train AI models on your data without explicit opt-in.
3. How we use your data
- Provide the service — run the agent, deliver notifications, enforce quotas, bill you.
- Improve the product — aggregated, anonymous metrics on tool usage and error rates.
- Security — detect abuse, prevent fraud, audit access.
- Comply with law — respond to lawful requests; preserve audit logs.
4. Who we share data with
We use a small set of subprocessors. The subprocessor list is the canonical, current source. Highlights:
- Anthropic — agent inference (your prompts and the agent's outputs are sent to Anthropic's API).
- Stripe — billing (we never see your card number).
- DigitalOcean — hosting infrastructure.
- Cloudflare — DNS and DDoS protection (no application data passes through).
We don't sell data to third parties. We don't share data with governments unless legally compelled, and we publish transparency reports of any such requests.
5. Your rights (GDPR / CCPA)
You have the right to:
- Access the data we hold about you (Article 15 GDPR).
- Correct inaccurate data (Article 16 GDPR).
- Erase your data ("right to be forgotten", Article 17 GDPR).
- Port your data to another service (Article 20 GDPR).
- Object to processing (Article 21 GDPR).
- Opt out of "sale" (CCPA) — though we don't sell.
File a Data Subject Request from the Console at /settings/security, or via the CLI:
    veirox governance dsr create --subject-email you@example.com --request-type erasure
We respond within 30 days.
6. Retention
Per-org configurable retention periods are enforced for sessions, tasks, audit logs, webhook events, and stored files. Defaults:
- Sessions: 90 days
- Audit logs: 365 days (immutable, partitioned)
- Webhook events: 30 days
- Files: until deleted by you or your retention policy
Retention periods are configurable from /console/<org>/settings/governance. PII redaction rules can be applied at write time.
7. Security
See our Security & Compliance page for the full posture. Highlights:
- Encryption in transit (TLS 1.3) and at rest (per-org Fernet vault key).
- Argon2id password hashing.
- MFA (TOTP + WebAuthn).
- Append-only audit log with monthly partitioning.
- Session revocation epoch + JWT blocklist.
- Three-layer tenant verification on every Connect command.
Report a vulnerability: security@veirox.com or see /.well-known/security.txt.
8. Children
Veirox is not directed at children under 16. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.
9. Changes to this policy
Material changes are announced 30 days in advance via email to org owners. Non-material changes (clarifications, typo fixes) are tracked in this page's git history.
10. Contact
- General: hello@veirox.com
- Privacy / DPO: legal@veirox.com
- Security: security@veirox.com