Privacy Policy

Last updated: February 7, 2026

  • EU Infrastructure: Prague, Czech Republic
  • No Model Training: Your data is never used to train AI
  • GDPR Compliant: Full data control & export

1. Data Controller

Agenticcus is operated from Austria under European data protection law. For questions about data processing, contact us at contact@agenticcus.ai.

2. Our Core Privacy Principles

  • No AI training on your data — We never use your conversations, prompts, or uploaded files to train, fine-tune, or improve any AI model. Your interactions are yours alone.
  • No personal data storage beyond what's necessary — We store only what is technically required for account management, billing, and service delivery.
  • No selling or sharing of data — Your data is never sold, licensed, or shared with third parties for marketing or profiling purposes.
  • No tracking or behavioral profiling — We do not use advertising cookies, analytics trackers, or behavioral profiling tools.
  • Data minimization by design — We collect and retain only the minimum data necessary to deliver the service.

3. Data We Collect

  • Account Data: Email address, display name, hashed password (bcrypt), registration date. Required for authentication and account management.
  • Billing Data: Token balance, subscription tier, transaction history. Payment card details are processed exclusively by Stripe — we never see or store card numbers, CVVs, or bank details.
  • Technical Logs: Anonymized IP addresses (truncated after 30 days), timestamps, selected AI model per request, error codes. Used solely for abuse prevention and service reliability.

How we handle your conversations: Chat messages are stored in your personal chat history so you can return to previous conversations — this is a core feature you control. You can delete any chat session at any time via the chat sidebar. Uploaded files are temporarily stored for processing and deleted after the session ends.

Safety & abuse monitoring: To protect our platform, our users, and the broader community, we retain conversation logs for a limited period of up to 90 days for security and safety review purposes. This is standard industry practice (consistent with how Anthropic, OpenAI, and Google handle AI service data) and is based on our legitimate interest under GDPR Art. 6(1)(f). This retention serves exclusively the following purposes:

  • Detecting and preventing prompt injection attacks and system abuse
  • Identifying attempts to generate illegal, harmful, or prohibited content
  • Investigating security incidents and protecting other users
  • Resolving billing disputes and service quality issues
  • Complying with law enforcement requests when legally required

After the 90-day retention period, conversation logs are automatically and permanently deleted. Flagged content related to active security investigations may be retained longer as required by applicable law. We do not use your conversations for model training, marketing, profiling, or any commercial purpose beyond delivering your requested AI response.

4. How We Use Your Data

  • Processing payments and managing subscriptions — Token purchases, subscription billing, and invoicing via Stripe.
  • Sending service-related notifications — Password reset emails, email verification, and account security alerts. We never send marketing or promotional emails unless you explicitly opt in.
  • Fraud prevention and abuse detection — Rate limiting, anomalous usage detection, and preventing unauthorized access to protect you and other users.

5. Data Storage, Infrastructure & EU-Strict Mode

All user account data, billing records, and technical logs are stored exclusively on our EU-based servers in Prague, Czech Republic (vshosting datacenter), within the European Union. This data never leaves EU jurisdiction.

EU-Strict Mode (User-Configurable)

Agenticcus offers two operating modes. You choose which one applies to you:

  • EU-Strict Mode (enabled): All AI inference runs exclusively on our local GPU infrastructure in the EU. Zero data is transmitted to any third-party provider. No prompts, responses, or metadata leave European servers. Recommended for EU citizens and users handling sensitive data.
  • Default Mode: Enables access to cloud AI providers (Anthropic, OpenAI, Google) for additional model selection. When you use a cloud model, your prompt is transmitted to the respective provider's API (which may be located outside the EU). Even in Default Mode, Agenticcus applies data sanitization — stripping identifiable metadata before forwarding requests — and all transmissions use TLS 1.3 encryption in transit. Cloud providers process your request under their own privacy policies and do not receive your account information, email, or billing data.

You select your preferred mode in Settings. Agenticcus does not make this choice for you — you configure the service according to your own requirements and applicable local laws.

Security Measures

  • TLS 1.3 encryption for all data in transit
  • Encrypted storage for sensitive credentials (AES-256)
  • Password hashing with bcrypt (never stored in plaintext)
  • JWT authentication with short-lived access tokens
  • UFW firewall with deny-by-default policy
  • Rate limiting on all API endpoints
  • No source code, database, or internal services exposed to the public internet

6. Third-Party Providers

When using cloud AI models (Default Mode only), your prompt is sent to the model provider:

These providers only receive the data necessary to fulfill the specific request (e.g., your prompt text for AI inference, your email address for password reset). They never receive your full account profile, billing information, or chat history. In EU-Strict Mode, no data is sent to any of these providers except Stripe (for payment processing, which is required regardless of mode).

7. Your Rights Under GDPR

As a user, you have full control over your data:

  • Right of Access (Art. 15): Request a complete copy of all data we hold about you
  • Right to Portability (Art. 20): Export your data in machine-readable JSON format
  • Right to Erasure (Art. 17): Permanently delete your account and all associated data
  • Right to Object (Art. 21): Object to any specific data processing activity

Exercise these rights directly in Settings → Data & Privacy, or by emailing contact@agenticcus.ai. We respond to all requests within 30 days as required by GDPR.

8. Data Retention

  • Account data: Retained until you request deletion. Upon deletion, all data is permanently removed within 30 days.
  • Chat sessions: Visible in your chat history for the duration of your account. You may delete individual sessions at any time via the sidebar. Server-side safety logs are retained for up to 90 days for abuse prevention and then automatically deleted.
  • Payment records: Retained for 7 years as required by Austrian tax law (BAO §132).
  • Technical logs: IP addresses anonymized after 30 days. Aggregated, non-personal statistics retained indefinitely.

9. Cookies

We use only essential cookies required for authentication (JWT session token) and user preferences. We do not use tracking cookies, third-party analytics, advertising pixels, or any form of cross-site tracking. No cookie consent is required for essential cookies under GDPR, but we provide a consent banner for transparency.

10. Age Requirement

Agenticcus requires users to meet the minimum age of digital consent in their jurisdiction (e.g., 14 in Austria per §4 DSG, 16 in Germany, 13 in the US under COPPA). By registering, you confirm that you meet the applicable age requirement in your country. We do not knowingly collect data from users below the applicable minimum age.

11. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. Significant changes will be communicated via email or an in-app notification. The "Last updated" date at the top reflects the most recent revision.

12. Contact & Supervisory Authority

For privacy-related inquiries: contact@agenticcus.ai

Supervisory authority: Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, Austria. dsb.gv.at