Privacy Policy
Last updated: June 6, 2026
What we collect
Account information
When you create an account, we collect:
- Email address — for login, account and security notices, and support and product communication
- Password — if you sign up with email and password, it is securely salted and hashed by our authentication provider. We never see your plaintext password.
- Single sign-on / third-party login — if you sign in through a third-party identity provider, we receive your email address and basic public profile information (such as your name, username, and avatar) from that provider. We don’t receive your password.
- Team name — set by you when creating a team
Billing information
If you subscribe to a paid plan, our payment processor collects and stores your payment information. We receive:
- Your payment-processor customer ID
- Subscription status (active, past due, canceled)
- Current plan and user count
We do not see, store, or handle your credit card number.
Coordination metadata (the heart of the service)
To coordinate AI coding sessions across team machines, we receive:
- HMAC-hashed file paths (not plaintext) — the coordinator sees
h:a3f9b2c1d4e5, neversrc/auth/login.ts - Machine IDs (random UUIDs, not hostnames)
- Agent session IDs (from your AI tool)
- Lease timestamps (acquired, expires, last heartbeat)
- Optionally, AES-encrypted display hints if you’ve enabled them — these let your dashboard show real file names but only browsers with your team’s HMAC key can decrypt them. We can’t.
Analytics
We use a product-analytics provider to track product usage (page views, signup funnel, feature clicks) and a privacy-friendly web-analytics provider for website traffic. These track:
- Page URLs you visit on our domains
- Browser type, viewport size, approximate country
- User actions you take (signup, link team, etc.) keyed to your user ID
We do not collect:
- Your code, file contents, commit messages, or anything proprietary
- Your IP address (our web-analytics provider doesn’t log it; our product-analytics provider drops it at ingest)
- Keystrokes, mouse movements, or session replays
How we use it
We use what we collect to:
- Run the coordination service (the whole point)
- Send billing receipts and service notifications
- Improve the product by seeing which features get used
- Respond to your support requests
- Detect and prevent abuse
- Occasionally email you about the product — updates, new features, onboarding tips, and (rarely) offers related to AgentCollision. Every such email includes a one-click unsubscribe, and opting out never affects account, security, or support messages, which we always need to send.
Who we share with
We only share data with the categories of service provider we need to run the service:
- Authentication & transactional email — stores your email and hashed password and sends account-related emails
- Payments — handles billing for paid plans
- Hosting & infrastructure — runs the coordinator, dashboard, docs, and marketing sites
- Analytics — product-usage and website-traffic metrics
These providers act as our sub-processors under GDPR Art. 28. A current list of the specific named sub-processors is available on request at hello@agentcollision.com.
We never sell your data. We don’t run ads. We don’t share your data with third parties for their marketing purposes.
We may disclose data if required by law (subpoena, court order) or to protect our rights. If this happens, we’ll notify you unless legally prohibited.
How long we keep it
- Account info: until you delete your account
- Billing records: per tax law (typically 7 years in the US)
- Lease state: garbage-collected automatically 30 seconds after your daemon stops pushing
- Audit log: until the team is deleted
- Coordination events (for team analytics): up to 90 days
- Analytics data: up to 12 months, aggregated
Your rights
You can, at any time:
- Access your data — everything we have is visible in your dashboard
- Export your data — contact support for a copy
- Delete your data — Settings → Danger Zone → Delete Account. This removes your account, all team links, and wipes your local session. Team data (other members) is preserved. Billing records are retained per tax law.
- Opt out of analytics — use a browser with Do Not Track enabled, or install a blocker like uBlock Origin
If you’re in the EU/UK, you have additional rights under GDPR including the right to object to processing and to lodge a complaint with a supervisory authority.
Security
We take security seriously:
- All traffic to our services uses HTTPS
- Passwords are securely salted and hashed by our authentication provider; we never see your plaintext password
- Team tokens are SHA-256 hashed at rest. The raw token never touches our database.
- File paths are HMAC-hashed on your machine before transmission
- Display hints use AES-256-GCM encryption with keys that never leave your machine/browser
- Full architectural details are published in our Privacy Model
If you discover a security vulnerability, please email hello@agentcollision.com rather than posting publicly.
Children
AgentCollision is not directed at children under 16, and we don’t knowingly collect their personal information. If you believe a minor has created an account, contact us and we’ll delete it.
International users
AgentCollision is operated from the United States, and our infrastructure providers process data in the United States. If you use the service from outside the US, you understand that your data will be transferred to and processed in the United States, which may have different data-protection laws than your country of residence.
Contact
Questions about privacy? Email us at hello@agentcollision.com.
Changes to this policy
If we make significant changes to how we handle your data, we’ll notify you by email before the changes take effect.