Privacy Policy

Last Updated:March 7, 2026

1. Data Ownership

Your data belongs to you. Always.Everything you create, store, or process using Solace — your evidence bundles, your recipes, your credentials, your workflow outputs — is yours. We make no claim of ownership over your data, now or ever. You can export it, delete it, or move it elsewhere at any time.

2. What We Collect

Account Information

When you create an account, we collect:

• Email address (via Firebase Auth — Google, GitHub, or email/password login)
• Display name (optional)
• Account creation date and tier (Free, Pro, Enterprise)
• Device registration information (device name, OS, client version)

Usage Metrics (Anonymized)

To improve the platform, we collect anonymized usage metrics:

• Number of tasks run per session (no task content, no outputs)
• Aggregate token counts for billing (not linked to content)
• Error rates and crash reports (no user data included)
• Feature usage frequency (which commands are used most)

These metrics are anonymized before storage and cannot be linked back to individual users or their work.

Payment Information (via Stripe)

Billing is handled entirely by Stripe. We collect:

• Subscription tier and billing cycle
• Credit balance and transaction history (amounts, dates)
• Stripe customer ID (for managing your subscription)

We never store raw card numbers, CVVs, or full payment credentials. Stripe handles all payment processing and card data under their own PCI-compliant infrastructure.

3. What We Do NOT Collect

This is equally important. We are designed to not see these things:

• Your API Keys (BYOK):If you bring your own Anthropic, OpenAI, or Together.ai key, it is stored encrypted locally using AES-256-GCM in~/.solace/vault/. It never leaves your machine. We cannot see it.
• Browsing Data:What websites you visit, what pages your browser automation touches — none of this is sent to us.
• Recipe Outputs:The results of your tasks (email summaries, LinkedIn drafts, reports) stay on your computer unless you explicitly enable cloud sync.
• Evidence Contents:Your evidence bundles — the cryptographic audit trails of your agent runs — are stored locally by default. We see only metadata if you choose to sync.
• Email or Message Contents:We never read or store your emails, Slack messages, calendar data, or LinkedIn activity.
• Behavioral Profiles:We do not build models of your behavior. We do not profile you for advertising. We have no ads business.

4. Encryption Standards

• At Rest:AES-256-GCM for all encrypted local storage (vault, credentials, tokens)
• In Transit:TLS 1.3 for all communication between your device and solaceagi.com
• Evidence Chains:SHA-256 hash-chained, tamper-evident, append-only records
• Cloud Vault (optional):End-to-end encrypted — we never hold unencrypted keys

5. Data Retention

Retention periods depend on your membership tier:

• Free Tier:Local storage only. Evidence retained for 30 days on your device (you control deletion). No cloud retention.
• Starter ($8/month):Cloud evidence retained for 30 days. You can delete at any time via dashboard or API.
• Pro ($28/month):Cloud evidence retained for 90 days. You can delete at any time via dashboard or API.
• Team ($88/month):Cloud evidence retained for 1 year. Team-admin can manage deletion.
• Enterprise ($188/month):Custom retention periods negotiated per contract. Includes 365-day default with SOC2 audit trail.

After the retention period, data is permanently deleted. We do not archive deleted data.

6. Data Export

You can export all your data at any time. No waiting period, no support ticket required:

• Via API: GET /api/v1/export/my-datareturns a ZIP archive of all your account data, evidence bundles, and settings
• Via Dashboard:Account Settings → Export My Data
• Format:JSON + CSV (human-readable, machine-parseable)
• Timeline:Exports are generated immediately for accounts under 1 GB

7. Third-Party Services

We use a minimal set of third parties, each with a specific purpose:

• Stripe (Payments):Processes all subscription and credit payments. Stripe stores your payment credentials under PCI DSS compliance. We receive only a customer token. Stripe's privacy policy:stripe.com/privacy
• Together.ai (Managed LLM — optional): If you choose the Managed LLM option (not BYOK), your prompts are routed through Together.ai to run Llama 3.3 70B. Together.ai processes these requests in transit; they do not store your data or use it for training. This option is only active if you explicitly select Managed LLM in your account settings.
• OpenRouter (Managed LLM fallback — optional): Used as a fallback for the Managed LLM option. Same terms as Together.ai — no data stored, no training on your data.
• Firebase Auth (Google): Handles account login via Google, GitHub, or email. Google's privacy policy applies to the authentication event. We receive only your user ID and email.
• Google Cloud Run / Cloud Storage: Our backend infrastructure. Your cloud-synced data (if enabled) resides in Google Cloud Storage, encrypted at rest using AES-256-GCM before upload.

We do not use advertising networks, data brokers, or analytics platforms that track individuals.

8. GDPR Rights

If you are in the European Economic Area, you have the following rights:

• Right to Access:Request a copy of all personal data we hold about you
• Right to Rectify:Correct inaccurate or incomplete personal data
• Right to Delete (Right to be Forgotten):Request deletion of your personal data. We will delete your account and all associated data within 30 days of request.
• Right to Data Portability:Receive your data in a structured, machine-readable format
• Right to Object:Object to processing of your personal data for certain purposes
• Right to Restrict Processing:Request that we limit how we use your data

To exercise any of these rights, emailprivacy@solaceagi.com. We respond within 30 days.

9. Your Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know:You can request what personal information we collect, use, disclose, and sell
• Right to Delete:You can request deletion of your personal information
• Right to Opt-Out of Sale:You have the right to opt out of the sale of your personal information
• Right to Non-Discrimination:We will not discriminate against you for exercising your CCPA rights

Do Not Sell or Share My Personal Information

We do not sell your personal information. We never have and we never will.

Solace AGI does not sell, rent, trade, or share your personal information with third parties for their marketing purposes. We do not participate in data broker networks. We have no advertising business. Our revenue comes from subscriptions and managed LLM usage, not from your data.

If you wish to exercise any CCPA right or have questions, contact us atprivacy@solaceagi.com. We respond within 45 days as required by CCPA.

10. Cookie Policy

We useessential cookiesfor core functionality plusoptional analytics cookiesyou can reject at any time via the cookie banner. No advertising cookies. No cross-site tracking.

• Essential cookies:Keep you logged in, store authentication tokens, remember language and display settings (always on)
• Functional cookies:Enable enhanced features like saved preferences (optional)
• Analytics cookies:Help us understand how visitors use the site so we can improve it (optional, anonymized)

We do not use Google Analytics, Facebook Pixel, Mixpanel, Hotjar, or any other behavioral tracking tool. There are no third-party tracking cookies on this site.

11. Children's Privacy (COPPA Compliance)

Solace is designed for users aged13 and older. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect, use, or disclose personal information from children under 13.

• An age verification check is presented on first use of Solace Browser
• If we discover that a user under 13 has created an account, we will promptly delete the account and all associated data
• We do not target advertising to children and have no advertising business

If you believe a child under 13 has provided us with personal information, contact us atprivacy@solaceagi.comand we will delete it immediately.

12. Changes to This Policy

We may update this privacy policy as Solace evolves. If we make material changes that affect your privacy rights, we will:

• Notify you by email at least 30 days before the change takes effect
• Ask for your consent if the change reduces your privacy protections
• Maintain a version history of this document

We will never reduce your privacy rights without explicit consent.

13. Contact Us

Questions, concerns, or data requests:

• Email: privacy@solaceagi.com
• Data Protection Officer:Available upon request for Enterprise accounts
• Response Time:We respond to all privacy inquiries within 5 business days