This Privacy Policy describes how Proyecta Labs, Inc. ("Proyecta," "we," "us," or "our") collects, uses, shares, and protects information when you access or use our websites, applications, APIs, and services (collectively, the "Services").
By using the Services, you agree to the collection and use of information as described in this Privacy Policy. This Privacy Policy should be read together with our Terms of Service.
1. Information We Collect
We collect the following categories of information:
1.1 Information You Provide
- Account information: Name, email address, organization name, and profile data
- Billing and payment information: Processed by Lemon Squeezy (Sold Through Link, LLC) as our merchant of record; we do not store complete payment card numbers
- Support requests and communications: Messages, feedback, and correspondence you send to us
- Configuration settings and preferences: Your customizations, API keys, and integration configurations
1.2 Content and Usage Data
When you use the Services, we may process:
- Inputs: Prompts, code, data, and files submitted to the Services
- Outputs: AI-generated code, responses, and other content produced by the Services
- Usage metrics: Request volume, timestamps, feature usage, and session data
- Logs and diagnostic data: Error logs, performance data, and operational information, excluding full AI-generated outputs except where stored as part of user conversation history
1.3 Technical and Device Information
- IP address and approximate geolocation
- Browser type and version
- Operating system
- Device identifiers
- Cookies and similar tracking technologies (see Section 5)
1.4 Third-Party Service Data
When you connect Third-Party Services (such as GitHub, Slack, or Linear), we receive:
- Authentication tokens and access credentials
- Profile information from those services
- Repository and project data you authorize us to access
1.5 Data in Applications You Build
When you build and publish an application using the Services (a "Published Application"), that application may collect, store, or process the personal data of its own end users (for example through authentication, forms, or commerce). With respect to that end-user data, you are the controller and Proyecta and its hosting subprocessors (including Convex) act as your processor. You are responsible for providing your own privacy notice to your end users and for the obligations described in Section 28.3 of our Terms of Service. If we receive a data-subject request directly from an end user of your Published Application, we will forward or redirect it to you as the responsible controller and will not action it directly absent your instruction. Customers requiring a data processing agreement covering end-user data may request one at legal@proyecta.dev.
2. How We Use Information
We use information to:
- Provide, operate, and maintain the Services
- Process requests and generate AI outputs
- Monitor usage, performance, and reliability
- Prevent abuse, fraud, and security incidents
- Communicate with you about the Services, including service announcements
- Provide customer support and respond to inquiries
- Comply with legal obligations
- Enforce our Terms of Service and protect our rights
2.1 AI Model Training
By default, Proyecta does not use your Content (code, prompts, or data) to train or fine-tune AI models.
Your Content is processed solely to deliver responses within your sessions. To generate those responses, inputs are transmitted to third-party AI model providers (Anthropic and Google) for transient processing; their use of data is governed by their respective API terms and data policies, which you should review independently.
2.2 Aggregated Analytics
We may use aggregated, de-identified usage data (such as feature adoption rates, error frequencies, and performance metrics) to improve the Services. This data cannot be used to identify you or reconstruct your Content.
2.3 Access by Authorized Personnel
Authorized Proyecta personnel may access Content, including prompts and generated outputs, solely as necessary to provide customer support, debug issues, maintain service reliability, or comply with legal obligations. Access is restricted by role-based controls and subject to confidentiality obligations.
2.4 Legal Basis for Processing (GDPR)
For visitors and users in the European Economic Area, United Kingdom, and Switzerland, we rely on the following legal bases under Article 6 of the General Data Protection Regulation:
| Purpose | Legal Basis |
|---|---|
| Provide, operate, and maintain the Services (account creation, authentication, code execution, AI inference) | Performance of a contract — Art. 6(1)(b) |
| Process customer prompts, code, and project context to generate AI outputs | Performance of a contract — Art. 6(1)(b) |
| Process billing and payment information through our merchant of record | Performance of a contract — Art. 6(1)(b) |
| Communicate service announcements, security notices, and account-related messages | Performance of a contract — Art. 6(1)(b) |
| Provide customer support and respond to inquiries | Performance of a contract — Art. 6(1)(b) |
| Monitor service performance, reliability, and availability (server-side logs, error monitoring) | Legitimate interests — Art. 6(1)(f); ensuring operational stability |
| Prevent abuse, fraud, security incidents, and unauthorized access | Legitimate interests — Art. 6(1)(f); protecting the Services and our users |
| Enforce our Terms of Service and protect our legal rights | Legitimate interests — Art. 6(1)(f) |
| Aggregated, de-identified product analytics derived from server logs | Legitimate interests — Art. 6(1)(f); improving the Services without identifying individuals |
| Cookie-based product analytics in EEA/UK/Switzerland and other strict-consent jurisdictions | Consent — Art. 6(1)(a); the Analytics category, collected via our cookie banner and revocable in account settings |
| Cookie-based advertising and marketing measurement (ad-platform pixels and conversion APIs) | Consent — Art. 6(1)(a); the separate Marketing & Advertising category, collected via our cookie banner and revocable in account settings |
| Marketing communications to new prospects | Consent — Art. 6(1)(a) |
| Marketing communications to existing customers regarding similar products | Legitimate interests — Art. 6(1)(f); with the right to opt out of any individual message |
| Compliance with legal obligations (tax records, lawful requests, regulatory reporting) | Legal obligation — Art. 6(1)(c) |
| Business transfers (merger, acquisition, asset sale) | Legitimate interests — Art. 6(1)(f); preserving operational continuity |
You may exercise your right to object to processing based on legitimate interests by contacting privacy@proyecta.dev. Where processing relies on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
2.5 Automated Decision-Making
AI Agents within the Services make automated decisions about code generation, modification, and review. These decisions do not produce legal effects or similarly significant effects on you within the meaning of GDPR Article 22, because you retain full control over whether to accept, reject, or modify AI Agent outputs before they affect your repositories, production systems, or other consequential outcomes. If you believe an automated decision has adversely affected you, contact support@proyecta.dev.
3. How We Share Information
3.1 Service Providers (Subprocessors)
We share information with service providers who process data on our behalf, including:
- AI model providers: Anthropic and Google (for inference and image generation)
- Cloud hosting and infrastructure: Google Cloud Platform
- Logging and monitoring: For operational visibility and debugging
- Analytics: For usage analysis and service improvement
- Payment processing: Lemon Squeezy (Sold Through Link, LLC), our merchant of record (billing, tax collection and remittance, refunds, and chargebacks)
These providers process data solely to provide services to Proyecta and are contractually obligated to protect it. A current list of subprocessors is published at /subprocessors. This list may change from time to time as we update our infrastructure; see our Subprocessors page for notice-of-change procedures.
3.2 Legal and Compliance
We may disclose information if required to:
- Comply with applicable law, regulation, subpoena, or legal process
- Respond to lawful requests from public authorities, including law enforcement or national security requirements
- Enforce our Terms of Service or protect the rights, safety, or property of Proyecta, users, or others
- Detect, prevent, or address fraud, security, or technical issues
3.3 Business Transfers
If Proyecta is involved in a merger, acquisition, bankruptcy, or asset sale, information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Services of any change in ownership or uses of your information.
3.4 With Your Consent
We may share information with third parties when you have given us explicit consent to do so.
4. Data Retention
We retain information only for as long as necessary to:
- Provide the Services
- Meet contractual obligations
- Comply with legal requirements
- Resolve disputes and enforce agreements
Retention periods vary based on data type:
- Account information: Retained for the duration of your account, plus a reasonable period thereafter for legal and operational purposes
- Usage logs: Generally retained for 90 days for operational purposes
- Conversation history (including prompts and generated outputs): Stored as part of your account data and retained until deleted by you or until account termination, subject to your workspace settings, plan tier, and applicable legal requirements
- Billing records: Retained as required by tax and financial regulations (typically 7 years)
Upon account termination, your data is retained for a limited period in accordance with our retention schedule and then deleted, except where legal obligations require longer retention. To request a copy or deletion of your personal data, contact privacy@proyecta.dev.
5. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Services, maintain authentication and session state, remember your preferences, and — where you consent — measure usage so we can improve the Services (the Analytics category) and measure the effectiveness of our marketing (the separate Marketing & Advertising category). In jurisdictions that require opt-in consent, these two categories are controlled independently: you can enable one without the other, and refusing is as easy as accepting.
For the complete inventory of cookies we set, the third parties involved, their purposes and durations, and your choices for accepting all, rejecting all, or managing categories individually, see our Cookie Policy.
You may also control cookies through your browser settings; disabling essential cookies may prevent you from signing in or using significant portions of the Services.
6. Data Security
We implement reasonable administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, misuse, or alteration, including:
- Encryption at rest and in transit (TLS 1.2+)
- Role-based access controls
- Audit logging
- Periodic vulnerability assessments and security testing
- Isolated Runtime Environments for code execution
- Employee security training and access restrictions
However, no system is 100% secure, and we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and for any activity under your account.
6.1 Breach Notification
We will notify you of security breaches involving your personal data within 72 hours of discovery, where feasible, or sooner where required by applicable law. Notification will include the nature of the breach, types of data affected, mitigation steps taken, and recommended actions.
7. Your Rights and Choices
Depending on your location, you may have rights to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information, subject to legal exceptions
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Request that we restrict processing of your information
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time
- Marketing opt-out: Unsubscribe from marketing communications at any time
To exercise these rights, contact privacy@proyecta.dev. You can manage your analytics and marketing-cookie consent, your marketing-email preferences, and your profile information directly in your account settings; we handle all other requests (access, deletion, portability, restriction, and objection) on request via privacy@proyecta.dev. We will respond without undue delay and in any event within one month of receipt where required by applicable law (extendable by up to two further months for complex or numerous requests, with notice to you within the first month). We may need to verify your identity before processing requests. If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local data protection supervisory authority.
Residents of the EU/EEA may also submit privacy requests through our appointed EU representative's portal at https://app.prighter.com/portal/proyecta. See Section 10 for representative details.
8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the CCPA/CPRA:
- Right to Know: Request the categories and specific pieces of personal information collected, sources, purposes, and third parties with whom we share it
- Right to Delete: Request deletion of your personal information, subject to legal exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information. If we share personal information for cross-context behavioral advertising, you may opt out by contacting privacy@proyecta.dev
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to what is necessary to provide the Services
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights
Categories of Information Collected: Identifiers (name, email, IP address), professional information (GitHub profile, organization membership), internet activity (usage logs, conversation history), geolocation (approximate, from IP), and inferences (usage patterns).
9. International Data Transfers
Proyecta is based in the United States. Your information may be transferred to and processed in the United States and other countries where our service providers operate.
For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on:
- the EU-US Data Privacy Framework (including its UK Extension and the Swiss-US Data Privacy Framework), for transfers to recipients certified under it
- Standard Contractual Clauses (SCCs) approved by the European Commission, for transfers to recipients that are not certified, together with supplementary technical and organizational measures where appropriate
- Other lawful transfer mechanisms as applicable
Copies of applicable SCCs are available upon request.
10. EU Representative
Because Proyecta Labs, Inc. is established in the United States but processes personal data of individuals located in the European Union, we have appointed the following representative under Article 27 of the EU GDPR as your point of contact for data subjects in the European Union (EU):
EU Representative (GDPR Art. 27) — iuro Rechtsanwälte GmbH t/a Prighter Schellinggasse 3, 1010 Vienna, Austria Online intake form: https://app.prighter.com/portal/proyecta
You may contact this representative with any questions about how we handle your personal data or to exercise your rights under the EU GDPR. You may also contact us directly using the details in Section 14.
11. Children's Privacy
You must be at least 13 years old to use the Services. We do not knowingly collect personal information from anyone under 13, and the Services are not directed to children under 13. If we learn that we have collected personal information from a person under 13, we will delete it promptly; if you believe someone under 13 has provided us with personal information, contact privacy@proyecta.dev.
If you are between 13 and the age of majority in your jurisdiction, you may use the Services only with the consent and involvement of a parent or legal guardian, as described in Section 2.4 of our Terms of Service.
12. Data Processing Agreement
Customers who act as a data controller and require a Data Processing Agreement (DPA) under GDPR or other applicable law — including builders responsible for their Published Application's End-User data (see Section 28.3 of our Terms of Service) — may request one that supplements this Privacy Policy with additional data protection obligations. Contact legal@proyecta.dev for more information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes via email or in-product notification.
Continued use of the Services after the effective date of changes constitutes acceptance of the revised Privacy Policy. If you do not agree to modified terms, you must stop using the Services and terminate your account.
14. Contact Information
If you have questions or requests regarding this Privacy Policy, please contact us:
- Privacy inquiries: privacy@proyecta.dev
- Legal inquiries: legal@proyecta.dev
- Security concerns: security@proyecta.dev
- General support: support@proyecta.dev
Proyecta Labs, Inc. 2803 Philadelphia Pike, Suite B 1708, Claymont, DE 19703, United States
powered by Prighter