Privacy Policy

1. Information We Collect

1.1 Account Information

• Email Address: For account creation, login, and communications
• Name: Display name (optional)
• Password: Stored encrypted using Bcrypt (10+ rounds)
• Authentication Tokens: JWT tokens for session management

1.2 Usage Information

• AI Prompts: Your messages to CreonOS agents
• Generated Code: AI-generated content and self-improvement outputs
• Project Data: Workspace files, project graphs, execution logs
• Feature Usage: Which AI models, agents, and tools you use
• Settings: Theme preferences, editor settings, language preferences

1.3 Payment Information

• Billing Details: Processed securely by Stripe (we do not store card numbers)
• Payment History: Invoices, subscription status, transaction IDs
• Subscription Tier: Free, Pro, or Enterprise plan

1.4 Technical Information

• IP Address: For security and rate limiting
• Browser & Device: User agent, OS, screen resolution
• Cookies: Session cookies, preferences (see Cookie Policy)
• Logs: API requests, error logs (retained 30 days)

2. How We Use Your Information

2.1 Service Delivery

• Provide AI-powered development assistance
• Execute autonomous agents and self-improvement algorithms
• Store and sync workspace data across devices
• Deliver real-time notifications and updates

2.2 Platform Improvement

• Analyze usage patterns to improve AI models
• Identify and fix bugs through error logs
• Develop new features based on user behavior
• Optimize performance and reduce latency

2.3 Communication

• Send account verification emails
• Notify about service updates and new features
• Respond to support requests
• Send security alerts (e.g., unusual login activity)

2.4 Legal Compliance

• Comply with GDPR, UK Data Protection Act, and other regulations
• Respond to legal requests (e.g., subpoenas, court orders)
• Enforce our Terms of Service
• Detect and prevent fraud, abuse, and security incidents

3. Data Sharing and Third Parties

3.1 AI Service Providers

Note: AI providers process data under their own privacy policies. We use Business/Enterprise tiers with strict data retention (30 days max).

3.2 Other Service Providers

• Stripe: Payment processing (see Stripe Privacy Policy)
• Railway: Cloud hosting (SOC 2 Type II certified)
• Cloudflare: CDN and DDoS protection
• Sentry: Error monitoring (anonymized)

3.3 What We Never Do

• ❌ We never sell your personal data to third parties
• ❌ We never share your code with advertisers
• ❌ We never use your private code to train public AI models
• ❌ We never rent your email list for marketing

4. Data Security

4.1 Encryption

• In Transit: TLS 1.3 for all HTTP communications
• At Rest: AES-256 encryption for database and file storage
• Passwords: Bcrypt hashing with 10+ rounds (never stored in plaintext)
• API Keys: Encrypted in database, never logged

4.2 Security Practices

• Regular security audits and penetration testing
• Automated vulnerability scanning (Dependabot, Snyk)
• Rate limiting (100 requests/minute, 1000 requests/hour)
• CSRF protection on all state-changing requests
• Session tokens expire after 30 days of inactivity

4.3 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you within 72 hours via email and platform notification, as required by GDPR Article 33.

5. Data Retention

5.1 Active Accounts

• Account Data: Retained while your account is active
• Usage Data: Retained for 2 years for analytics
• Logs: Retained for 30 days, then deleted
• Backups: Deleted data may persist in backups for up to 90 days

5.2 Deleted Accounts

• Account data is permanently deleted within 30 days of account deletion
• Anonymized usage statistics may be retained for analytics
• Legal obligations may require retaining certain data (e.g., billing records for 7 years)

5.3 Data Export

Before deleting your account, you can request a full data export in JSON format. Email privacy@creonai.co.uk to request your data export.

6. Your Privacy Rights (GDPR)

6.1 Right to Access (Article 15)

Request a copy of all personal data we hold about you. We will provide this within 30 days in machine-readable format (JSON).

6.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete personal data. You can update most data directly in your account settings.

6.3 Right to Erasure (Article 17)

Request deletion of your account and all associated data. This is irreversible and takes effect within 30 days.

6.4 Right to Data Portability (Article 20)

Export your data in JSON format for transfer to another service.

6.5 Right to Object (Article 21)

Object to processing of your data for marketing purposes. Unsubscribe from emails via the link in any email.

6.6 Right to Withdraw Consent (Article 7)

Withdraw consent for optional data processing (e.g., analytics cookies) at any time.

6.7 How to Exercise Your Rights

Email privacy@creonai.co.uk with your request. We will respond within 30 days. For urgent requests, email dpo@creonai.co.uk (Data Protection Officer).

7. Cookies and Tracking

We use cookies for authentication, preferences, and anonymized analytics. See our Cookie Policy for full details on cookie types, purposes, and how to manage them.

8. Children's Privacy

CreonOS is not intended for users under 13 years old. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@creonai.co.uk and we will delete it promptly.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the UK/EU (e.g., United States for AI processing). We ensure these transfers comply with GDPR through:

• Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
• Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
• Data Processing Agreements (DPAs): With all third-party processors

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes via:

• Email to your registered address
• In-platform notification banner
• Updated "Last Updated" date at the top of this page

Continued use of CreonOS after changes constitutes acceptance of the updated policy.

11. Contact Information

12. Supervisory Authority

If you believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):