Privacy Policy
Last updated: April 4, 2026 | Effective: April 4, 2026
Data Controller: Global Software Development SRL · legal@progenix.ai
1. Information We Collect
- Account data: Email address, name, and profile picture (via Google/GitHub OAuth).
- Usage data: Tasks created, agent interactions, token consumption, and API calls.
- Content: Projects, code files, documents, and messages you create through the Service.
- API keys: Third-party provider keys you configure (encrypted at rest with AES-256-GCM).
- Technical data: IP address, browser type, and device identifiers collected automatically when you access the Service, used solely for security and abuse prevention.
2. Legal Basis for Processing (GDPR Art. 6)
We process your personal data only where we have a valid legal basis under GDPR Art. 6. The table below maps each processing activity to its legal basis:
| Processing Activity | Legal Basis (Art. 6) | Details |
|---|---|---|
| Account creation & authentication | Art. 6(1)(b) — Contract | Necessary to provide the Service you requested |
| Service delivery (agent task execution) | Art. 6(1)(b) — Contract | Necessary to execute tasks you initiate |
| Billing & payment processing | Art. 6(1)(b) — Contract | Necessary to manage your subscription and payments |
| Transactional email notifications | Art. 6(1)(b) — Contract | Necessary to communicate service status and billing |
| Security monitoring & abuse prevention | Art. 6(1)(f) — Legitimate Interests | Protecting platform integrity and other users; does not override your rights |
| Debugging & error tracking | Art. 6(1)(f) — Legitimate Interests | Improving reliability; data minimised to error context only |
| Audit logging (GDPR accountability) | Art. 6(1)(c) — Legal Obligation | Required to demonstrate GDPR compliance |
| Marketing emails (opted-in) | Art. 6(1)(a) — Consent | Only where you have explicitly opted in; freely withdrawable at any time |
3. How We Use Your Data
We use your data solely to: provide and improve the Service; authenticate your identity; process payments; send transactional notifications (account, billing, security); monitor for abuse and security threats; comply with legal obligations; and — where you have consented — send marketing communications. We do not use your data to train AI models without your explicit consent.
4. Sharing & Disclosure
We do not sell your personal data. We do not share your personal data for cross-context behavioural advertising. We share data only with: (a) AI model providers as necessary to execute agent tasks you initiate; (b) infrastructure and payment sub-processors listed in Section 10; (c) law enforcement or competent authorities where required by applicable law or a valid legal order.
5. Data Minimisation & Purpose Limitation
We collect and process only the personal data that is strictly necessary for the purposes described in this policy (GDPR Art. 5(1)(b) and Art. 5(1)(c)). We do not use your data for purposes incompatible with those for which it was collected. Where we rely on consent as the legal basis, the scope of processing is limited to what you have explicitly authorised. API keys and sensitive credentials you provide are stored encrypted and are accessed only at the point of task execution.
6. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy. Our retention periods are: activity logs — 30 days; token usage — 90 days; learnings, embeddings, skill usage, notifications and processed webhook events — 90 days (notifications and webhook events: 30 days); messages — 180 days; audit logs — 365 days; resolved approvals and archived tasks — 90 days after resolution or archival. Account data (name, email, profile picture) will be deleted within 30 days of account closure. User-generated content (projects, code files) will be deleted within 30 days of account closure or on-demand erasure request. Automated purging is operational and runs daily across all categories listed above; you may also request immediate deletion at any time by contacting privacy@progenix.ai. You can export all your data at any time via Settings or the API.
7. Your Rights (GDPR & Applicable Law)
Under GDPR and applicable data protection law, you have the following rights:
- Access (Art. 15): Export all your data via GET /api/export or Settings.
- Rectification (Art. 16): Update your data through the UI or API.
- Erasure / Right to Be Forgotten (Art. 17): Delete all your data via DELETE /api/export with confirmation, or by contacting privacy@progenix.ai.
- Portability (Art. 20): Download your data in JSON or CSV format at any time.
- Restriction of Processing (Art. 18): Request that we restrict processing of your data while a dispute is resolved — contact privacy@progenix.ai.
- Object to Processing (Art. 21): Object to processing based on legitimate interests or for direct marketing at any time — contact privacy@progenix.ai.
- Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
- Lodge a Complaint (Art. 77): You have the right to lodge a complaint with your national supervisory authority — in Romania: ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, dataprotection.ro). EU residents may also contact their local DPA.
We will respond to all rights requests within 30 days of receipt, as required by GDPR Art. 12(3). To exercise any right, email privacy@progenix.ai with the subject line "Data Rights Request."
8. Cookies & Local Storage
We use essential cookies only — specifically, a NextAuth session cookie required for authentication. We do not use tracking, advertising, or analytics cookies. Because we use only strictly necessary cookies, consent is not required under the ePrivacy Directive Art. 5(3). The cookie notice displayed on your first visit is informational only — closing or dismissing it does not constitute consent and no consent is recorded. If we introduce non-essential cookies in the future, we will update this policy and provide a full consent mechanism before placing any such cookies.
9. Security
We implement: AES-256-GCM encryption for API keys and sensitive credentials, row-level security in the database, pseudonymisation of personal identifiers in audit logs, rate limiting on all API endpoints, HTTPS everywhere, and regular security reviews. While we take reasonable technical and organisational measures to protect your data, no system is completely secure.
10. Sub-Processors
We work with the following sub-processors. Where required under GDPR Art. 28, we rely on the sub-processor's standard data processing terms or applicable contractual clauses. We are in the process of formalising DPAs with each sub-processor and will update this section upon completion. Current sub-processors:
| Processor | Service | Location | Data Processed |
|---|---|---|---|
| Supabase | Database & authentication | US (AWS) | Account data, usage data, content |
| Railway | Application hosting | US | Application traffic |
| Firebase (Google) | Push notifications | US | Device tokens, notification payloads |
| Stripe | Payment processing | US | Billing details (PCI-DSS compliant; Progenix does not store card data) |
| Sentry | Error tracking | US | Error logs, stack traces (PII scrubbed before transmission) |
| OpenAI | AI model provider (optional) | US | Task inputs/outputs when selected |
| Anthropic | AI model provider (optional) | US | Task inputs/outputs when selected |
| NVIDIA | AI model provider (optional) | US | Task inputs/outputs when selected |
| GitHub | AI model provider & code storage | US | Repository data, task inputs when selected |
We will update this list before adding new sub-processors. You may contact privacy@progenix.ai to request details of the data processing terms applicable to any sub-processor.
11. International Data Transfers
Progenix is operated from Romania (EU). All sub-processors listed in Section 10 are based in the United States. Transfers of personal data from the European Economic Area (EEA) to the United States are governed by one or more of the following transfer mechanisms under GDPR Chapter V:
- EU-US Data Privacy Framework (DPF): Where the sub-processor holds a valid DPF certification recognised by the European Commission under its adequacy decision of 10 July 2023, that certification constitutes the transfer mechanism.
- Standard Contractual Clauses (SCCs): Where a sub-processor does not hold DPF certification, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) incorporated into the applicable DPA.
You may request information about the specific transfer mechanism applicable to each sub-processor by contacting privacy@progenix.ai. If you are located in the EEA and believe your data has been transferred in a manner inconsistent with GDPR Chapter V, you have the right to lodge a complaint with ANSPDCP or your local supervisory authority.
12. Children
The Service is not intended for users under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact privacy@progenix.ai and we will delete it promptly.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of categories and specific pieces of personal information collected about you.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioural advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your California rights, contact privacy@progenix.ai with the subject line "California Privacy Rights Request." We will respond within 45 days. Applicability of CCPA thresholds is subject to ongoing legal review.
14. Data Breach Notification
In the event of a personal data breach, we will notify affected users without undue delay when the breach poses a high risk to their rights and freedoms, as required by GDPR Art. 34. Where required by law, we will notify the competent supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach (GDPR Art. 33). Notifications will include: the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach.
For security inquiries or to report a vulnerability, contact: security@progenix.ai
15. Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. We will notify you of significant changes via email or in-app notification at least 30 days before they take effect. Changes that affect your data processing rights or financial obligations require your affirmative acknowledgement before taking effect.
16. Contact & Data Controller
Data Controller: Global Software Development SRL
Trading as: Progenix
Registered Office: Str. Viena nr. 16, Sibiu, jud. Sibiu, 550106, Romania
Trade Register Number: J32/97/2024
CUI: 49436259
Email: legal@progenix.ai
Privacy: privacy@progenix.ai
Website: progenix.ai
Supervisory Authority (Romania): ANSPDCP — dataprotection.ro
16a. Data Protection Officer / Privacy Contact
Name: Iridon Cristian Liviu
Role: Privacy Contact (acting DPO until formal appointment under GDPR Art. 37 is finalised)
Email: gsdevelopment.romania@gmail.com
Data subjects may contact the Privacy Contact directly for any request relating to the exercise of GDPR rights (access, rectification, erasure, restriction, portability, objection) or to lodge a complaint prior to escalating to ANSPDCP.