Privacy Policy

Effective date: April 30, 2026

1. Overview

This Privacy Policy describes how pail ("we", "us", "our") collects, uses, and shares information when you use the Service. We take privacy seriously. We collect only what we need to operate the Service, and we do not sell your data to anyone.

2. Information we collect

2.1 Account information

When you sign in via GitHub OAuth we receive and store:

  • Your GitHub email address (primary verified email)
  • Your GitHub display name
  • Your GitHub avatar URL
  • A GitHub user ID (used to match returning users)

We do not store your GitHub access token beyond the OAuth exchange. We do not read your repositories, code, or other GitHub data.

2.2 Usage logs

We log API call metadata for each request: timestamp, endpoint path, HTTP method, response status code, and tenant identifier. We do not log request or response bodies. Logs are retained for 90 days and used solely for debugging, abuse detection, and capacity planning.

2.3 Push notification tokens

If you enable browser push notifications, we store the push subscription endpoint and keys provided by your browser. These are used only to deliver notifications from your agent runs. You can revoke them at any time from account settings.

2.4 Billing information

Payment processing is handled by Stripe. We do not store credit card numbers or full payment details. We store a Stripe customer ID and subscription status. Stripe's privacy policy applies to all payment processing.

2.5 Artifact content

When your agent uploads content to pail (files, text, diagrams, etc.) that content is stored on our servers for the duration of its TTL. We access it only to serve it at its URL, to generate OG preview images, and to render it as HTML. We do not analyze or mine artifact content.

3. How we use information

We use the information we collect to:

  • Authenticate you and maintain your session
  • Enforce plan limits and track action quotas
  • Deliver push notifications you have requested
  • Investigate abuse, security incidents, and Terms violations
  • Improve the reliability and performance of the Service
  • Comply with legal obligations

We do not use your data for advertising or sell it to third parties for any purpose.

4. Data processors

We use the following third-party processors to deliver the Service:

  • Cloudflare — DNS, DDoS protection, and TLS termination. Cloudflare may see your IP address and request metadata as part of its proxy service.
  • Resend — Transactional email delivery (account notifications, billing receipts). Resend receives recipient email addresses and message content for the purpose of delivery.
  • Stripe — Payment processing and subscription management.
  • Hetzner Cloud — Server infrastructure. Artifact content and account data are stored on Hetzner servers in Germany (EU).

5. Data retention

We retain your account information for as long as your account is active. Artifacts are retained until their TTL expires or you explicitly revoke them. Usage logs are retained for 90 days. When you delete your account, all personal data associated with your account is permanently deleted within 30 days, except where retention is required by law (e.g., billing records).

6. Your rights (GDPR and CCPA)

If you are located in the European Economic Area, UK, or California, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data. You can exercise this by deleting your account from account settings; deletion is completed within 30 days.
  • Portability: Request an export of your data in a machine-readable format.
  • Objection: Object to processing for legitimate interest purposes.

To exercise these rights, email privacy@thalos.ai. We will respond within 30 days.

7. Cookies and local storage

We use a single session cookie (pail_session) to maintain your logged-in state. This is a strictly necessary cookie; no consent banner is shown. We do not use analytics cookies, tracking pixels, or third-party advertising cookies.

8. Security

We use industry-standard practices including TLS encryption in transit, hashed API keys, and isolated per-tenant storage. No security measure is 100% effective. If you discover a security vulnerability, please disclose it responsibly to security@thalos.ai.

9. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be announced via the blog at /blog. Continued use after changes constitutes acceptance.

10. Contact

Privacy questions: privacy@thalos.ai