Privacy Policy
Last updated: April 10, 2026
This Privacy Policy describes how Agent Xero LLC, a Wyoming limited liability company and part of the Agentic Secure Group ("Agent Xero," "we," "us," or "our"), collects, uses, shares, and protects personal information in connection with the VibeBox platform and related services (the "Service"). By using the Service, you consent to the practices described in this Policy.
1. Information We Collect
1.1 Information You Provide
- Account information: Email address, display name, organization affiliation, and authentication tokens provided during authentication via Cloudflare Access.
- Billing information: Payment method details, billing address, tax identification, and transaction history processed by Stripe. Agent Xero LLC does not directly store full credit card numbers.
- Support communications: Information you provide when contacting us for support, including message content, attachments, and metadata.
- Feedback and input: Any suggestions, ideas, or feedback you submit regarding the Service.
1.2 Information Collected Automatically
- Infrastructure telemetry: CPU utilization, memory usage, disk I/O, network throughput, container resource consumption, process metadata, and system load metrics for each workspace.
- Network metadata: Connection timestamps, IP addresses (or cryptographic hashes thereof), port numbers, protocol types, bandwidth consumption, DNS query metadata, Tailscale device identifiers and status, and connection durations.
- Session data: SSH session start/end times, session durations, authentication method, client fingerprints, terminal metadata, and connection source information.
- Usage analytics: Feature usage patterns, API call volumes, command frequency distributions, workspace lifecycle events, provisioning metrics, error rates, and user interaction patterns.
- Security signals: Authentication attempts (successful and failed), privilege escalation events, file integrity changes to system files, anomalous network patterns, intrusion detection alerts, and threat indicators.
- Log data: Request timestamps, HTTP methods, paths, query parameters, response status codes, response times, user agent strings, referrer headers, and error details collected for security monitoring, performance optimization, and audit logging.
- Device information: SSH client fingerprints, Tailscale device identifiers, browser or client type, operating system, and device characteristics.
- Billing and metering data: Compute time, storage consumption, bandwidth usage, overage calculations, and any other metrics used for billing, capacity planning, and service optimization.
1.3 Derived and Aggregated Data
We may create aggregated, anonymized, or de-identified data from the information we collect. Such derived data is not considered personal information and may be used by Agent Xero LLC for any lawful purpose, including product development, benchmarking, analytics, research, and marketing, without restriction or obligation to you.
2. How We Use Information
We use collected information for the following purposes:
- To provision, operate, maintain, secure, and improve the Service.
- To process billing transactions, manage subscriptions, and enforce payment obligations.
- To authenticate users, enforce access controls, and manage identity.
- To send transactional communications (invitations, certificate expiry, trial status, billing alerts, security notifications, and service announcements).
- To detect, investigate, prevent, and respond to security threats, fraud, abuse, and violations of our Terms of Service and Acceptable Use Policy.
- To monitor Service performance, diagnose technical issues, and optimize infrastructure.
- To generate aggregated analytics, usage reports, and benchmarks to improve the Service.
- To comply with legal obligations, respond to lawful requests, and enforce our agreements.
- To conduct internal research and development for product improvement.
- To protect the rights, property, and safety of Agent Xero LLC, the Agentic Secure Group, our users, and the public.
3. How We Share Information
We do not sell your personal information. We share information as follows:
- Service providers: We use third-party providers to operate the Service, including Cloudflare (authentication, CDN, DNS, compute), Fly.io (workspace infrastructure), Tailscale (networking), Stripe (billing), Resend (transactional email), and others. These providers process data on our behalf under contractual data protection obligations.
- Agentic Secure Group affiliates: We share information with entities within the Agentic Secure Group for operational, administrative, security, product development, and business purposes.
- Legal compliance and protection: We may disclose information when required by law, subpoena, court order, or other governmental authority; when we believe in good faith that disclosure is reasonably necessary to protect our rights, property, or safety, or that of the Agentic Secure Group, our users, or the public; to investigate or prevent potential violations; or to cooperate with law enforcement.
- Business transfers: In connection with any merger, acquisition, financing, reorganization, bankruptcy, receivership, dissolution, or sale of assets involving Agent Xero LLC or the Agentic Secure Group, your information may be transferred to the acquiring or surviving entity, which will be bound by this Privacy Policy.
- With your consent: We may share information in other circumstances with your explicit consent.
4. Data Retention
- Active accounts: We retain account data, usage data, and telemetry for the duration of your subscription and for a reasonable period thereafter.
- Cancelled accounts: Workspace data is preserved for 30 days after cancellation, then permanently deleted. Account metadata (email, billing history, usage records) is retained for up to 7 years for legal, tax, compliance, and dispute resolution purposes.
- Audit and security logs: Retained for a minimum of 90 days, and may be archived for up to 3 years for security forensics and compliance purposes.
- Telemetry and analytics: Aggregated and anonymized telemetry may be retained indefinitely.
- Terminated accounts (breach): Data may be deleted immediately upon termination for Terms violation, or retained as necessary for legal proceedings.
5. Data Security
We implement technical and organizational measures designed to protect your data, including:
- Tenant-isolated infrastructure with per-tenant Fly.io 6PN private networks.
- Tailscale zero-trust networking with deny-by-default ACLs.
- Short-lived Ed25519 SSH certificates for authentication (no passwords).
- Encryption in transit (TLS 1.3) for all connections.
- Cloudflare Access for identity verification and session management.
- IP address hashing in audit logs where applicable.
- R2 presigned URLs with time-limited access for connection bundle delivery.
- Regular security monitoring, intrusion detection, and incident response procedures.
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot and do not guarantee absolute security of your data, and you acknowledge that you provide information at your own risk.
6. Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information, including the right to access, correct, delete, restrict processing, or receive a portable copy of your data. To exercise any such rights, contact us at privacy@agent-xero.com. We will respond within 30 days, or such longer period as permitted by applicable law. We may require verification of your identity before processing requests, and we reserve the right to deny requests that are unreasonable, repetitive, or technically impractical, or where an exemption applies under applicable law.
7. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other jurisdictions where our service providers operate. These jurisdictions may have different data protection laws than your home jurisdiction. By using the Service, you explicitly consent to such international transfers and processing of your personal information.
8. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at privacy@agent-xero.com and we will promptly delete it.
9. Do Not Track
The Service does not respond to "Do Not Track" browser signals. Our data collection practices are described in this Privacy Policy and apply uniformly.
10. Changes to This Policy
We may update this Privacy Policy from time to time at our sole discretion. We will use reasonable efforts to notify you of material changes via email or a prominent notice on the Service. Your continued use of the Service after any update constitutes your acceptance of the updated policy. If you do not agree with a change, you must stop using the Service.
11. Governing Law
This Privacy Policy is governed by the laws of the State of Wyoming, United States, consistent with the governing law provision in our Terms of Service.
12. Contact
For privacy-related inquiries:
Agent Xero LLC
Part of the Agentic Secure Group
Privacy inquiries: privacy@agent-xero.com
General inquiries: legal@agent-xero.com