Privacy Policy
What we collect, why we collect it, who we share it with, and the rights you have over it. Written in plain English wherever possible.
The short version
- We collect only what we need to sign you in, run your subscription, and keep the service working.
- Payments are handled by Stripe. We never see or store your card number.
- Sign-in is handled by Google. We receive your name, email, and avatar from your account.
- The desktop app does not send your code, prompts, or terminal output to us. Agent CLIs you install (Claude Code, OpenAI Codex, etc.) talk directly to their providers under their own terms.
- Crash reports and bug reports are publicly visible on GitHub. Don't paste anything sensitive into them.
- You can export or delete your account data at any time by emailing [email protected].
This summary is for convenience only. The full text below governs.
1. Who we are
Agent Cohort is operated by B. Dol Technical Consulting, LLC, a limited liability company organised in the Commonwealth of Virginia, United States, trading as “Agent Cohort” (referred to in this policy as “we”, “us”, or “our”).
We are the controller of your personal information for the purposes of this policy. You can reach our privacy contact at [email protected].
2. Scope of this policy
This policy applies to:
- The Agent Cohort marketing website at agentcohort.ai and its environment subdomains.
- The Agent Cohort account portal at account.agentcohort.ai (and its environment subdomains).
- The Agent Cohort desktop application for Windows, macOS, and Linux.
- Email and other communications you have with us.
It does not apply to third-party agent CLIs, plugins, or services you install or connect through Agent Cohort. Those are governed by the privacy policies of their respective providers (for example, Anthropic for Claude Code, OpenAI for Codex, or the publisher of any plugin you install).
3. Information we collect
3.1 Information you give us
- Account profile. When you sign in, we receive your name, email address, and profile picture from your identity provider (currently Google). We use this to identify your account and personalise the app.
- Workspace and team information. If you create or join a team workspace, we store your role within that workspace and the workspace metadata you provide (workspace name, seat allocations, member invitations).
- Billing details. Payment is processed by Stripe, Inc. We do not receive or store your full card number, CVC, or bank credentials. We do receive transaction metadata (the last four digits, card brand, country, billing email, plan, status, and invoice history) so we can show your subscription state and respond to billing support.
- Support and enquiries. When you contact support, fill out the enterprise contact form, or open a bug report, we receive whatever you choose to send us, including your name, email, message contents, and any attachments.
3.2 Information we receive automatically
- Authentication metadata. When you sign in we record session IDs, device identifiers (bound to your installation), IP address, user-agent, and timestamps. These are used for security, abuse prevention, and to let you review and revoke active sessions.
- Service operational data. When the desktop app or account portal calls our backend we log the request method, route, response code, latency, and a coarse error category. These logs are used to diagnose outages and protect the service from abuse, and are retained for a short period (see §7).
- Subscription and entitlement state. We store your plan, status (active, trialing, past-due, canceled, etc.), trial expiry, and a record of plugin entitlements that gate paid features.
3.3 What we deliberately do not collect
- We do not see the contents of your prompts, terminal output, source code, or files on your machine. The desktop app is a local terminal multiplexer; everything you type into Claude Code, OpenAI Codex, or any other agent CLI travels directly between that CLI and its provider.
- We do not run analytics scripts, trackers, or session replays on the marketing site or account portal.
- We do not sell your personal information.
- We do not use your personal information to train AI models.
3.4 Crash reports and bug reports
If you opt in to send a crash report or open a bug report from inside the app, the contents are uploaded to public GitHub repositories (BenDol/Agent-Cohort-Crashes and BenDol/Agent-Cohort-Reports) so they can be triaged in the open. Crash reports include stack traces, app version, OS, and the diagnostic information you elected to attach. Anything you include is publicly readable. Do not paste credentials, customer data, or sensitive paths into a crash or bug report.
4. How we use information
We use the information we collect to:
- Provide, maintain, and improve the service (authentication, subscription management, plugin entitlement, multi-window sync).
- Process payments and send invoices and renewal notices via Stripe.
- Communicate with you about your account, security events, service incidents, billing, and material changes to the service.
- Detect, investigate, and prevent abuse, fraud, and security incidents.
- Comply with our legal obligations and enforce our Terms of Service.
- Send you optional product updates and announcements (only if you have opted in; you can opt out at any time).
5. Legal bases for processing
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR / UK GDPR:
- Contract. To provide the service you signed up for, including authentication, subscription, and support.
- Legitimate interests. To secure the service, prevent abuse, debug operational issues, and improve features. We weigh these interests against your rights and only proceed where the impact on you is proportionate.
- Legal obligation. To meet tax, accounting, and other regulatory requirements.
- Consent. Where required by law (for example, optional marketing emails). You can withdraw consent at any time.
6. How we share information
We share personal information only with the parties below, and only as needed to operate the service. We do not sell personal information.
- Service providers (data processors).
  - Stripe, Inc. for payment processing and subscription billing.
  - Google LLC as the identity provider for sign-in (OAuth).
  - Cloudflare, Inc. for hosting our auth and API services (Workers, KV, R2), DNS, and edge protection.
  - Email delivery providers for transactional email (account notices, billing, support replies).
  - GitHub, Inc. for hosting our public crash-report and bug-report repositories (only data you opt in to upload).
- Team administrators. If you join a team workspace, the team owner can see your name, email, role, and seat assignment within that workspace.
- Legal and safety. We may disclose information if required by law (subpoena, court order, valid legal process), to protect the safety of any person, or to investigate suspected violations of our Terms.
- Successors. If we are acquired, merged, or our assets transferred, your information may transfer with the business. We will notify you and give you reasonable notice before any change in controller.
7. How long we keep information
We keep personal information only as long as we need it for the purposes set out in this policy, unless a longer period is required by law (for example, tax or accounting records).
- Account profile. While your account is active, and for up to 30 days after deletion to handle reversals and complete in-flight operations.
- Subscription and billing records. Retained for the period required by applicable tax and accounting law (typically 7 years in the United States).
- Session and authentication logs. Up to 90 days, except where retained longer for an active security investigation.
- Support correspondence. Up to 3 years from the last interaction, then deleted or anonymised.
- Crash and bug reports. Retained on the public GitHub repository indefinitely (or until removed by us or by you on request); we will redact or remove a report on reasonable request.
8. International data transfers
We are based in the United States, and our service providers (Stripe, Google, Cloudflare, GitHub) operate globally. When you use Agent Cohort from outside the United States, your information is transferred to and processed in the United States and other countries where our providers operate.
Where required, we rely on the EU Standard Contractual Clauses, UK International Data Transfer Addendum, or equivalent safeguards to protect data transferred out of the EEA, UK, or Switzerland. Copies are available on request.
9. Your rights and choices
You have rights over your personal information. The exact rights vary by jurisdiction. To exercise any of them, email [email protected]. We will respond within the timeframe required by the applicable law (typically 30 to 45 days).
9.1 Everyone
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to fix information that is inaccurate or out of date.
- Deletion: ask us to delete your account and the personal information associated with it.
- Export: request your data in a portable, machine-readable format.
- Communication preferences: opt out of optional marketing email at any time using the unsubscribe link.
9.2 Residents of Virginia (VCDPA)
If you are a Virginia resident, the Virginia Consumer Data Protection Act gives you the right to access, correct, delete, and obtain a portable copy of personal data we hold about you, and to opt out of targeted advertising, sale of personal data, and certain profiling. We do not sell personal data and we do not engage in targeted advertising or profiling that produces legal or similarly significant effects. You may also appeal a denied request by replying to our response email.
9.3 Residents of California (CCPA/CPRA)
California residents have the right to know what categories of personal information we collect and the sources, purposes, and recipients of that information, to request access, correction, and deletion of their personal information, and to opt out of any “sale” or “sharing” (as those terms are defined under the CCPA). We do not sell or share personal information as defined by the CCPA. We will not discriminate against you for exercising any of these rights.
9.4 Residents of the EEA, United Kingdom, or Switzerland (GDPR / UK GDPR)
You have the rights of access, rectification, erasure, restriction of processing, data portability, and to object to processing. You may also lodge a complaint with your local data protection authority. You can withdraw consent at any time where we rely on consent as the legal basis.
10. Email communications and waitlist consent
We send a small number of email types. Each one has a different lawful basis and a different way for you to opt out. This section is the single place that describes them.
10.1 What we send
- Transactional and service email. Sign-in confirmations, security alerts, billing receipts, subscription state changes, plugin entitlement updates, and replies to messages you send us. These are sent on the basis of contract (we cannot run the service without them) and you cannot opt out while your account is active.
- The launch email (waitlist). One email when Agent Cohort becomes generally available. Sent only to addresses on the waitlist (see §10.2). Sent on the basis of consent, captured at the moment you joined the waitlist.
- Material policy or security updates. Advance notice of changes to this Privacy Policy or the Terms of Service that materially affect you. Sent on the basis of legal obligation + legitimate interest; you cannot opt out while your account is active.
- Optional product updates and announcements. Occasional news about new features, plugins, or behaviour changes. Sent only if you have explicitly opted in inside the account portal. Every such message carries a one-click unsubscribe link; unsubscribing turns off all marketing communications and does not affect the categories above.
10.2 The waitlist signup
The Join-waitlist form on agentcohort.ai captures only your email address. Before we can persist the row our server requires an explicit consent signal:
- The submit button is disabled until you tick the “I agree to receive email communications from Agent Cohort” checkbox.
- The browser POSTs a privacy_accepted: true flag alongside the address.
- The server independently rejects any submission without that flag (HTTP 400). A hand-crafted request cannot bypass the gate.
- On a successful submission the server stamps the moment of consent and stores it alongside the row so we can answer “when did this user agree” without inference.
We use the waitlist row to send one email at launch, plus, if material, a single advance notice that we are about to send the launch email. We do not send marketing, surveys, or newsletters to waitlist-only addresses. We do not sell, share, or rent the list.
10.3 Withdrawing consent
You can withdraw consent for the launch email or any optional marketing email at any time:
- Unsubscribe link. Every marketing email (including the launch email when it eventually ships) carries a one-click unsubscribe footer that removes you from future sends.
- Email us. Send a note to [email protected] from the subscribed address and we will remove the row.
- Account portal. Once you have an account, the communication preferences screen lets you opt out of optional categories. Transactional / security email remains active while the account is active (see §10.1).
Withdrawal does not affect the lawfulness of processing carried out before withdrawal. We retain the consent timestamp on the original row as the audit signal that consent was given, even after the email itself is unsubscribed or the row is deleted on request.
10.4 Retention
Waitlist rows are retained until the launch notification batch completes, then archived to a notified-only table. You can ask us to delete the row at any time by emailing [email protected]; we will confirm deletion within 30 days. Transactional email logs follow the retention schedule in §7.
11. Cookies and similar technologies
The account portal sets a small number of cookies that are strictly necessary for the service to function, including:
- A secure, HttpOnly session cookie issued after sign-in to keep you logged in.
- A CSRF / state cookie used during the OAuth handshake.
- Lightweight preference cookies (for example, your selected environment) stored locally in your browser.
The marketing site itself sets no cookies and ships no analytics, trackers, or pixels. The only piece of third-party content we load is the Inter and JetBrains Mono web fonts from Google Fonts, which transmits your IP address to Google. Because that transmission is not strictly necessary for the site to function, we ask for consent before it happens:
- On your first visit a small footer banner asks you to choose Accept or Essential only.
- Accept permits the Google Fonts request. Your preference is stored locally under agent-cohort:cookie-consent in your browser.
- Essential only skips the font request entirely; the site falls back to your operating system's default sans-serif and monospace fonts. No third-party network call is made.
- You can revise your choice at any time by clearing the browser's site data for agentcohort.ai; the banner will reappear on your next visit.
We do not use advertising cookies, tracking pixels, or cross-site analytics on either the marketing site or the account portal. Cloudflare Turnstile is loaded only when you open the waitlist or enterprise contact form, as a proof-of-humanity check; it is a strictly-necessary anti-abuse measure and is not used for any other purpose.
12. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect your personal information, including encrypted transport (TLS) for all traffic, encryption of credentials at rest, scoped service-account credentials, automated dependency scanning, and routine review of access logs. No system is perfectly secure: if you suspect your account has been compromised, contact us at [email protected] immediately. Security-research disclosures are welcomed at the same address; see our security.txt for our coordinated-disclosure policy.
13. Children
Agent Cohort is intended for use by professional and student developers and is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent change. For material changes that reduce your rights or change the purposes for which we process your information, we will give you advance notice through the account portal or by email before the change takes effect.
15. Contact us
Questions, requests, or complaints about this Privacy Policy or our handling of your data:
- Email: [email protected]
- Security disclosures: [email protected]
- Postal: B. Dol Technical Consulting, LLC, Commonwealth of Virginia, United States. (Postal address available on request for verified inquiries.)
If you are an EEA, UK, or Swiss resident and we have not satisfactorily addressed your complaint, you have the right to contact your local supervisory authority.