Privacy Policy

Account data: the email address you sign up with, a hashed password (scrypt — we cannot recover the plaintext), and metadata about your sessions (IP, user-agent) for fraud detection.

Telemetry: heartbeats from your agents include the agent ID, the agent version, an OS / arch tag, and counters (in-flight task count, error counts). No work-task contents are transmitted unless you explicitly ship them to us.

Billing: Stripe handles payment-card data on our behalf. We receive only the subscription metadata (plan, period, status).

• Operate the service: deliver heartbeats, mint + verify licenses, render the customer portal.
• Detect abuse: rate-limit failed logins, flag impossible-time activations, audit administrative changes.
• Send transactional email: receipts, security alerts, password-reset links. We do not send marketing email.
• Comply with law: respond to lawful subpoenas; we publish a transparency report when applicable.

We share data only with the sub-processors required to operate the service:

• Stripe — payment processing.
• Our infrastructure provider — compute, storage, networking.
• Email provider — transactional email only.

A current sub-processor list is available on request.

Our managed cloud runs in US-east today. EU and AU regions are scheduled for 2026. We do not cross-replicate customer data between regions. Self-hosted operators retain full control of data residency — none of your data leaves your infrastructure when you self-host.

Audit log: retained per your plan's audit-retention setting (30 days on Starter, 90 days on Pro, 2+ years on Enterprise). Account data: retained for the lifetime of the account plus 90 days after closure to allow restoration. Heartbeat metadata: rolled up to weekly aggregates after 30 days; raw rows discarded.

You can export your customer + license + audit data at any time by emailingprivacy@digcub-lab.com. You can request deletion of your account and associated personal data; we will complete the request within 30 days unless legal retention requirements apply.

We use exactly one cookie: an HttpOnly + SameSite-Strict session cookie that keeps you signed in. No tracking cookies. No third-party advertising cookies. No analytics fingerprinting.

We'll notify you by email at least 30 days before any material change to this policy. The current version is always available at this URL.