
# AIOS Privacy Policy

**Effective:** 2026-05-19
**Last updated:** 2026-06-09
**Operator:** VISNRY Entertainment LLC (Delaware, USA)
**Contact:** privacy@visnryentertainment.com

This Privacy Policy explains what data AIOS collects, why, how long we
keep it, and what rights you have over it. It applies to anyone who
uses `aios.visnryentertainment.com`, the AIOS API, the AIOS CLI, or
related services ("the Service").

Plain-English summary up front:

- When you commit, the staged files are sent to our servers for critic analysis. The content is evaluated in-memory and immediately discarded — we never write it to disk or store it in any database. We log only the verdict, content hash, filename, and findings.
- The `aios gov:project` command and `aios_govern_session` MCP tool send your **entire codebase** to our servers for session-level analysis. Same rule: processed and discarded, never stored. This is a known limitation we are working to replace with a local-only critic execution model.
- Your email is kept for account management + support, nothing else.
- We don't sell your data. We don't share it with advertisers. We don't track you across sites.
- You can ask for a copy of everything we have about you, or ask us to delete it.

---

## 1. Who we are

The data controller for AIOS is **VISNRY Entertainment LLC**, a Delaware
limited liability company. The operator is reachable at
`privacy@visnryentertainment.com`.

## 2. What we collect

### 2a. Identifying data
- **Email address** — collected at signup. Used to issue your API key and contact you about service issues.
- **IP address + User-Agent** — recorded at signup (for legal audit of ToS acceptance) and at the time of any governance call (for security + rate-limiting). Not used for advertising or cross-site tracking.

### 2b. Authentication data
- **API key hash** (SHA-256). The plaintext key is shown to you once at issuance, never logged in plaintext, never stored on our side.
- **Dashboard session cookie** (`aios_admin` / dashboard session). HttpOnly, Secure, SameSite=Strict, 7-day expiry. Strictly necessary for sign-in; no consent required under EU ePrivacy.

### 2c. Per-governance-call audit metadata
For each file you submit for governance, we record:
- A **SHA-256 hash** of the artifact (not the artifact itself)
- The **filename** (relative path you submitted)
- The **verdict** (PASS / WARN / GATE)
- The **critic domains** that ran
- The **timestamp**
- Your **tenant id** (a stable, internal identifier derived from your account)
- Optional: the **agent name** if your client reports it (e.g., "Claude Code", "Cursor")
- The **call duration** in milliseconds
- **Findings**: rule name, line number, advisory/blocking severity, and a short message
- **Applicability metadata (v5.3+)**: your `aios.config.json` `projectType`, `paths[]` glob entries, and the resolved profile name for the file (one of: `production`, `library`, `local_tooling`, `test_harness`, `data_extraction`, `knowledge_base`, `mixed`). These are configuration values you authored, not source content. Used to apply the profile's gating rules to the verdict.
- **Bypass rationale (v5.3.4+)**: if you bypass a pre-commit gate using `AIOS_PREFLIGHT_BYPASS=1`, the value of `AIOS_PREFLIGHT_REASON` is recorded against your tenant id in the audit ledger so the reason for every bypass is preserved.

### 2d. Push and CLI events
- **Push events** to your repository (timestamp + commit SHA prefix, not the diff). Recorded so the audit chain stays gap-free.
- **CLI version events** when your client self-updates (version transition only).
- **Hook installation/uninstallation events** (`aios doctor`, `aios uninstall`).

### 2e. Voluntary submissions
- **Feedback message content** when you submit feedback through the dashboard widget. Retained alongside its tenant id so we can respond and identify recurring product issues.
- **Override rationale text** when you bypass a verdict using `// aios-allow: <reason>` or the override-request workflow. Stored in your tenant's audit ledger.

### 2f. Aggregated, de-identified analytics
We compute aggregated metrics from the data above for product
improvement and external reporting (to investors, partners). These
metrics use HMAC pseudonyms — they cannot be reversed to a specific
customer. Examples: verdicts-per-day across all customers, average
time-to-first-verdict, retention cohorts, and which critics fire most often.

**Country-level request aggregates.** We additionally compute
country-bucket aggregates of inbound requests (e.g. "60% of
requests originated from US, 18% from EU") for capacity planning
and to know where customers are concentrated. The country code is
derived **at request time** from the `CF-IPCountry` HTTP header
when present (set automatically by Cloudflare-fronted traffic). The
underlying IP address is **not retained** for this purpose — only
the country code is incremented in an in-process counter, then
discarded. When the country header is absent, the request is
counted as "unknown" rather than resolved via geolocation lookup.
No request-to-country mapping is stored on a per-tenant or
per-request basis.

## 3. What we do NOT store (and what does transit our servers)

These are hard commitments. If we ever change what we store, we will update this Privacy Policy and notify you at least 30 days in advance.

**What transits our servers but is never stored:**
- **Staged file content (pre-commit hook).** At every commit, the full content of your staged files is transmitted to our servers for critic evaluation. The content is processed in-memory and immediately discarded — it is never written to disk, logged, stored in a database, or included in backups. Only the hash, verdict, findings, and filename are retained.
- **Full codebase content (`gov:project` / `aios_govern_session`).** When you use `aios gov:project` or the `aios_govern_session` MCP tool, your entire project's source files are transmitted for session-level analysis. Same rule: processed and discarded, never stored. This flow is flagged as a known architectural limitation being replaced by a local critic execution model in a future version.

**What is never transmitted or stored:**
- **Passwords.** We don't use passwords; auth is API key + magic link.
- **Browser fingerprints, device IDs, cross-site tracking cookies, ad identifiers.**
- **Geolocation lookups against IPs.** We do not perform IP→location lookups, do not run a GeoIP database, do not store any IP-to-location mapping, and do not store per-request country labels. The only geographic signal we use is the aggregate `CF-IPCountry` header bucket described in §2f, which is computed at request time and then discarded.
- **Sensitive personal data** as defined by GDPR Art 9 or CPRA §1798.140: health, biometric, racial, religious, political, sexual-orientation, union-membership data. We have no use for any of this.
- **Children's data.** AIOS is not directed at users under 16. If you believe a minor has signed up, contact privacy@visnryentertainment.com and we will delete the account.

## 4. Why we collect what we collect (legal basis under GDPR Art 6)

| Data | Purpose | GDPR legal basis |
|---|---|---|
| Email, API key hash | Provide the Service (auth, contact) | Art 6(1)(b) — contract |
| Audit metadata (per call) | Provide governance results + chain integrity | Art 6(1)(b) — contract |
| IP / UA at signup | ToS acceptance legal audit | Art 6(1)(c) — legal obligation |
| IP / UA at call time | Security + rate-limiting | Art 6(1)(f) — legitimate interest |
| Aggregated analytics | Product improvement + external reporting | Art 6(1)(f) — legitimate interest |
| Feedback content | Respond + improve product | Art 6(1)(a) — consent (you submitted) |
| Bounce events from Resend webhook | Reject undeliverable signups | Art 6(1)(f) — legitimate interest |

Legitimate-interest balancing has been done: the data is minimal,
the purposes are narrow, and the alternative (no analytics, no
rate-limiting) would either degrade the product or open it to abuse.

## 5. AI components — transparency disclosure

**EU AI Act compliance.** AIOS is not a high-risk AI system: it's a
developer tool with deterministic governance critics that do not make
decisions about individual humans. Two features use AI in a
clearly-disclosed way:

1. **Plain-language critic explanations** (`/api/v1/critic/:name`) —
   pre-written by humans. No AI inference at request time.
2. **Optional LLM intent-evaluation** (`/govern/intent`) — when invoked,
   sends a summary of the AI agent's claimed intent to a third-party
   LLM provider (currently Anthropic Claude). The LLM returns a
   structured opinion on whether the intent matches the diff. This is
   opt-in per request and disclosed in the API documentation.

We do not use customer data to train models. We do not share customer
data with AI providers beyond the in-the-moment evaluation call
described above, and that call sends summarized metadata only — never
your source code.

## 6. Sub-processors

We use the following third-party services to operate AIOS. Each one is
under a data-processing agreement (or industry-standard terms equivalent)
and processes only the data necessary for its role.

| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| **Railway** | Hosting, compute, storage | All customer data we store | AWS us-east region (USA) |
| **Stripe** | Subscription billing (when paid tiers launch) | Email + payment method | USA |
| **Resend** | Transactional email (verification + bounces) | Email address only | USA |
| **Anthropic (Claude)** | Optional LLM intent-evaluation (§5(2)) | Summarized metadata of your intent string | USA |
| **Cloudflare** *(planned)* | DNS + edge cache for landing-page assets | None (public assets only) | Global |

Sub-processor changes require **30 days' prior notice** to active
customers, by email and on this Privacy Policy page.

## 7. How long we keep your data

- **Account email + API key records:** Until you request account deletion (see §10).
- **Audit ledger (per-tenant):** Indefinite while your account is active. The audit chain's value depends on completeness — gaps break the cryptographic provenance guarantee. On account deletion, the ledger is purged within 30 days unless retention is required for security incident response or a legal obligation.
- **Aggregated analytics (HMAC-pseudonymized):** Retained indefinitely, by design uncoupled from any individual.
- **Signup IP / UA legal-audit record:** 7 years (matches the limitations period for typical online-contract disputes).
- **Feedback message content:** 24 months after submission, then auto-deleted unless you've engaged in an ongoing support thread.
- **Push events / CLI events:** 12 months, then auto-deleted.
- **Bounce records:** 12 months, then auto-deleted (so a previously mistyped email address can be retried eventually).

## 8. Where your data is stored

AIOS production is hosted on Railway in AWS `us-east` (USA). EU users
should be aware that data crosses the Atlantic. For EU-originated data,
we rely on **Standard Contractual Clauses (SCCs)** between us and Railway
and downstream sub-processors.

## 9. Cookies

AIOS uses the following cookies, all strictly necessary and therefore
exempt from ePrivacy consent requirements:

- `aios_session` (dashboard sign-in) — HttpOnly, Secure, SameSite=Strict, 7-day expiry
- `aios_admin` (admin panel access for the operator) — same flags, session-scoped

No marketing, advertising, or cross-site tracking cookies are set on
any AIOS-operated surface. We do not use Google Analytics, Meta Pixel,
or comparable third-party tracking. (We do compute our own usage
metrics from the data already disclosed in §2c — server-side only.)

## 10. Your rights

You have the following rights regardless of your location, and
specifically guaranteed under GDPR (EU), CCPA / CPRA (California),
Colorado Privacy Act, Virginia VCDPA, and similar regimes:

| Right | How to use it |
|---|---|
| **Access** — see what we have about you | `GET /api/v1/account/export` with your API key, or email `privacy@visnryentertainment.com` |
| **Portability** — get your data as JSON | Same as access |
| **Correction** — fix incorrect data | Email `privacy@visnryentertainment.com` |
| **Deletion** — erase everything | `POST /api/v1/account/delete` with your API key + email confirmation, or email `privacy@visnryentertainment.com` |
| **Object / restrict** — limit processing | Email `privacy@visnryentertainment.com` describing the restriction you want |
| **Opt out of sale / sharing** | We don't sell or share data with third parties for cross-context behavioral advertising. No opt-out needed. |
| **Withdraw consent** — for feedback content | Email and ask for feedback-record deletion |
| **Complaint** — to a supervisory authority | EU: your local DPA · California: California Privacy Protection Agency · Other US states: your state's AG office |

We respond within **30 days** to access / portability / deletion
requests, and within **45 days** to other requests, per regulatory
maximums. We will not charge you for these requests except in cases
of clearly excessive or repetitive demand (per GDPR Art 12(5)).

## 11. Security

- All data in transit: TLS 1.2+
- All data at rest: encrypted by Railway's managed infrastructure
- API keys: stored as SHA-256 hashes, plaintext never logged
- Audit ledger: hash-chain integrity, customer can independently verify with `aios verify`
- Account-deletion verification: requires email confirmation
- Incident response policy: `docs/INCIDENT_RESPONSE_POLICY.md`. SEV-1 incidents notified to affected customers within 1 hour of confirmation.

## 12. Children

AIOS is not directed at children under 16. We do not knowingly collect
data from children. If you believe a child has signed up, contact
`privacy@visnryentertainment.com` and we will delete the account.

## 13. Changes to this Policy

We may update this Privacy Policy. **Material changes** (new data
categories, new sub-processors, expanded retention) will be announced:

- By **email to active customers**, at least **30 days** before taking effect
- On this page, with the `Last updated` date refreshed
- In a notice on the dashboard for active sessions

**Non-material changes** (clarifications, fixed typos) take effect
immediately when published here.

## 14. Contact

- **Privacy questions / data-rights requests:** `privacy@visnryentertainment.com`
- **Security disclosures:** `security@visnryentertainment.com` (see also `SECURITY.md`)
- **General support:** `support@visnryentertainment.com`

Postal: VISNRY Entertainment LLC, Delaware, USA. Full address available
on request to active customers.

---

*This Privacy Policy is the authoritative statement of AIOS data
practices. It supersedes any prior privacy statement in
`AIOS_TERMS_OF_SERVICE.md` §5, which now references this document.*