Privacy Policy

Account & identity data

When you register, we collect your email address, a display name, and your authentication credential (password hash or OAuth provider token). If you subscribe to a paid plan, our payment processor (Stripe) collects and holds your billing details; we store only the last-four digits, card brand, and a non-reversible customer token.

Usage & telemetry data

To operate the platform and detect anomalies, we collect:

• Agent start/stop events, execution durations, and error codes
• API request metadata: endpoint, HTTP status, latency, and IP address
• Dashboard interactions (page views, feature clicks) via a self-hosted analytics instance
• Browser type, OS, viewport, and referring URL for each web session

Telemetry is aggregated and retained at the row level for 90 days, then summarised into aggregate buckets for capacity planning.

Agent connection data

When you connect an integration (GitHub, Slack, Google Workspace, a database, or any other connector), we store the OAuth token or API key you provide, encrypted at rest using AES-256-GCM with keys managed in a hardware-backed key vault. We store the scopes you granted, the connection timestamp, and the last successful use timestamp. We do not store the full content of messages, files, or records your agent reads unless you explicitly enable a persistent memory module.

We use the information described above to:

• Provision and operate your agents. Runtime credentials, connection tokens, and configuration are read by the agent sandbox at execution time. No human operator reads these values; access is logged and audited.
• Detect and respond to incidents. Error rates, latency spikes, and unusual usage patterns trigger automated and human-reviewed alerts. This requires access to aggregated telemetry, not workload content.
• Improve the platform. Aggregated, anonymised usage statistics inform roadmap decisions. We never use individual workload content for product analytics.
• Communicate with you. We send transactional email (deployment confirmations, billing receipts, security notices). You can opt out of product update emails at any time in your account settings.
• Enforce our Terms of Service. In cases of suspected abuse, we may review metadata (not content) to investigate and, if warranted, suspend or terminate an account.

ServeMy.ai supports Bring Your Own inference — you supply an API key or a private endpoint (Anthropic, OpenAI, Amazon Bedrock, Together AI, a self-hosted vLLM instance, or any OpenAI-compatible API). The following commitments apply unconditionally:

• We do not train on your data. The prompts your agents send and the responses they receive are never used to fine-tune, train, or evaluate any ServeMy.ai model or product. This applies to both managed inference and BYO inference routes.
• Your keys are encrypted and scoped. BYO API keys are encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Keys are decrypted only inside the isolated agent runtime, in memory, for the duration of a single invocation. We never log decrypted key values.
• Managed inference is privacy-equivalent. When you use our managed inference pool (Anthropic, OpenAI models served through our account), the same no-training commitment applies. We negotiate zero-retention data agreements with our inference providers.
• You can delete keys at any time. Revoking a connection in the dashboard immediately removes the encrypted token from all systems, including backups, within 30 days via our key-tombstoning process.

We do not sell your personal data. We share data with third parties only to the extent necessary to operate the Service:

We may disclose data when required by law, subpoena, or to protect the rights and safety of users or third parties, after giving you notice where legally permitted.

We retain personal data only as long as necessary for the purposes described in this policy, or as required by law.

• Account dataHeld for the life of your account, then deleted within 30 days of closure.
• Billing recordsRetained for 7 years to comply with tax and financial regulations.
• Agent telemetry (row-level)90 days, then aggregated and anonymised.
• Aggregated analyticsUp to 3 years, in bucketed form only.
• Connection tokensDeleted immediately upon revocation, purged from backups within 30 days.
• Audit logsRetained for 12 months, then archived for compliance for an additional 24 months.

To request deletion of your account and all associated personal data, go to Settings → Account → Delete account or contact privacy@servemy.ai. We will complete the deletion within 30 days and confirm via email.

Security is a first-class engineering priority. Key measures include:

• TLS 1.3 in transit; AES-256-GCM at rest for all credentials and PII
• Hardware-backed key management (AWS KMS with CMKs)
• Isolated per-agent runtime sandboxes with least-privilege network policies
• Role-based access control and mandatory MFA for all internal staff
• Automated vulnerability scanning and quarterly third-party penetration tests
• SOC 2 Type II program (in progress; report available under NDA for enterprise customers)

For a full account of our security practices, vulnerability disclosure program, and incident response process, see our Security page .

ServeMy.ai is headquartered in the United States. By default, agent runtimes and data are hosted in us-east-1 (AWS US East, Virginia).

If your account is on a Pro or Fleet plan, you may pin your agent runtimes and associated telemetry storage to an alternative region (currently: eu-west-1 Ireland, ap-southeast-1 Singapore). Data pinned to the EU region does not leave EU data centres, and we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for any cross-border transfers that may remain necessary for account administration.

For customers subject to the EU General Data Protection Regulation (GDPR), we act as a Data Processor for agent workload data and as a Data Controller for account and billing data. Our Data Processing Agreement (DPA) is available upon request at privacy@servemy.ai.

Depending on where you are located, you may have the following rights with respect to your personal data. We honour these requests without requiring you to pay a fee.

To exercise any of these rights, email privacy@servemy.ai with “Privacy Request” in the subject line and describe your request. We may ask you to verify your identity before processing.

We use a minimal set of cookies. We do not use third-party advertising cookies or cross-site tracking cookies.

You can block or delete cookies via your browser settings. Blocking the session cookie will prevent dashboard access.

We may update this policy as the platform evolves. When we make material changes we will:

• Post the revised policy at this URL with an updated effective date.
• Send an in-app banner notification to all active accounts.
• For significant changes affecting rights or data sharing, send an email at least 14 days before the changes take effect.

Continued use of the Service after changes become effective constitutes acceptance of the revised policy.

For privacy inquiries, data subject requests, or to request our DPA, reach us at:

If you are located in the European Economic Area and believe we have not handled your request satisfactorily, you have the right to lodge a complaint with your local supervisory authority (in Ireland, the Data Protection Commission: dataprotection.ie).