Privacy Policy | Snaga — AGI Ready | Local-First AI Coding Agent

In short: We collect only what we need to run the platform, we never sell your data, and we give you full control over your personal data.

This Privacy Policy describes how Gliese LLC ("we", "us", "our"), with development services by Gliesereum Ukraine LLC, collects, uses, and protects personal data when you use the Snaga platform, APIs, and related services (the "Platform").

We comply with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the EU AI Act (Regulation (EU) 2024/1689), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

1. Data Controller

In short: Gliese LLC decides how your data is used. Gliesereum Ukraine LLC helps us build and run the platform.

Gliese LLC (United States) is the data controller for personal data processed through the Platform. Gliesereum Ukraine LLC (Ukraine) acts as a data processor, providing development and operational services under a contractual data processing agreement.

Contact: privacy@gliesereum.com

2. Data We Collect

In short: We collect your account details, how you use the platform, and the content you create — nothing more.

2.1 Account Data

When you register or sign in, we collect:

Email address and display name;
Authentication tokens (JWT, OAuth) — we never store passwords directly;
Organization and tenant information;
Billing and subscription details (if applicable).

2.2 Usage Data

We automatically collect:

IP address, browser type, and device information;
Pages visited, features used, and interaction patterns;
API request metadata (endpoints, timestamps, response codes);
Agent run metrics (duration, token counts, cost — never prompt content).

2.3 Agent and Workspace Data

When you use the Platform, we process:

Agent configurations (system prompts, tool definitions, model settings);
Session and conversation data (messages, tool call inputs and outputs);
Knowledge base files you upload to workspaces;
Run traces, logs, and evaluation results.

2.4 Data Processed by Your Agents

Your AI agents may process personal data belonging to third parties (your end users, customers, etc.). In this scenario, you are the data controller for that data, and we act as a data processor on your behalf. You are responsible for having a lawful basis for processing and for respecting data subject rights. See our Data Processing Agreement for details.

3. Legal Basis for Processing (GDPR, Article 6)

In short: We process your data because we need it to run the service, keep it secure, follow the law, or because you gave us consent.

We process personal data based on:

Contract performance (Art. 6(1)(b)) — to provide and deliver the Platform services you signed up for;
Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, analytics, and service improvement;
Legal obligation (Art. 6(1)(c)) — to comply with applicable laws;
Consent (Art. 6(1)(a)) — for optional features, marketing communications, and non-essential cookies.

4. How We Use Your Data

We use your data to:

Provide, maintain, and improve the Platform;
Authenticate users and manage access control;
Process agent runs and route requests to LLM providers;
Monitor system health, security, and abuse prevention;
Generate anonymized, aggregated analytics;
Send transactional notifications (run failures, billing alerts);
Comply with legal obligations and enforce our Terms of Use.

We never use your content, prompts, or agent outputs to train AI models. Your data is processed solely to deliver the Platform services.

5. Third-Party LLM Providers

In short: When your agents run, prompts go to the LLM provider you chose, using your own API keys. We do not keep copies.

When your agents execute runs, prompts and inputs are sent to your selected LLM provider (e.g., OpenAI, Anthropic, Google). These transmissions use your own API keys. We act as a technical intermediary and do not retain copies of prompts or model responses beyond the session or run scope.

Each LLM provider has its own privacy policy and data processing terms. You are responsible for reviewing and accepting those terms. We recommend:

Enabling data opt-out or zero-retention options offered by your LLM provider;
Avoiding sending sensitive personal data (health, financial, biometric) to LLM providers without appropriate safeguards;
Reviewing GDPR adequacy decisions or standard contractual clauses for cross-border transfers.

6. AI-Specific Transparency (EU AI Act)

In short: We are transparent about how AI works on our platform and what your responsibilities are as someone deploying AI agents.

In accordance with the EU AI Act (Regulation (EU) 2024/1689):

System purpose: The Platform enables building and deploying AI agents for business automation, customer interaction, and data processing.
Automated decision-making: Agents may make or assist with decisions. If you deploy agents that make significant decisions affecting individuals, you must implement human oversight mechanisms.
Training data: We do not train AI models. Models are provided by third-party LLM providers.
Logging and accountability: The Platform maintains run traces, audit logs, and feed events for transparency and accountability.
Risk classification: You are responsible for assessing whether your specific agent deployment falls under high-risk categories (Annex III) and ensuring compliance accordingly.

7. Data Sharing and Recipients

In short: We share data only with the partners needed to run the service. We never sell your data to anyone.

We share personal data only with:

Gliesereum Ukraine LLC — development and operational support (data processor, bound by a DPA with EU standard contractual clauses);
LLM providers — as directed by you through your agent configurations;
Infrastructure providers — cloud hosting, CDN, and database services (sub-processors, each bound by a DPA);
Law enforcement — only when required by a valid legal process.

We do not sell personal data. We do not share data with data brokers or advertisers.

8. International Data Transfers

In short: Your data may be processed in the US and Ukraine. We use standard legal safeguards to protect it during transfer.

Data may be transferred to and processed in the United States and Ukraine. For transfers from the EEA/UK, we rely on:

EU-US Data Privacy Framework (where applicable);
Standard Contractual Clauses (SCCs) approved by the European Commission;
Supplementary technical and organizational measures (encryption in transit and at rest, access controls, pseudonymization).

9. Data Retention

In short: We keep your data only as long as needed. Most operational data is automatically deleted within 30 days.

Account data: retained while your account is active and for 90 days after deletion;
Session and run data: retained for 30 days by default (configurable per plan);
Feed events: retained for 30 days (automatically deleted via TTL);
Audit logs: retained for 12 months for security and compliance;
Workspace files: retained until you delete them or your account is terminated;
Billing records: retained as required by tax and accounting laws (typically 7 years).

10. Your Rights

In short: You have full control over your personal data. You can access, correct, delete, or export it at any time.

10.1 GDPR Rights (EEA/UK Residents)

Under GDPR, you have the right to:

Access your personal data (Art. 15) — request a copy of everything we hold about you;
Rectify inaccurate data (Art. 16) — correct any errors in your personal data;
Erase your data (Art. 17) — ask us to delete your personal data ("right to be forgotten");
Restrict processing (Art. 18) — limit how we use your data in certain circumstances;
Data portability (Art. 20) — receive your data in a structured, machine-readable format and transfer it to another service;
Object to processing (Art. 21) — opt out of processing based on our legitimate interest;
Not be subject to automated decisions (Art. 22) — refuse decisions made solely by automated processing that have legal or significant effects on you;
Withdraw consent at any time (Art. 7(3)) — without affecting prior processing;
Lodge a complaint with your local data protection supervisory authority.

10.2 CCPA/CPRA Rights (California Residents)

Under California law, you have the right to:

Know what personal information we collect, the sources, the business purpose, and with whom we share it;
Delete your personal information from our systems;
Opt out of the sale or sharing of personal information — we do not sell your data, so there is nothing to opt out of;
Non-discrimination — we will never penalize you for exercising your privacy rights;
Correct inaccurate personal information;
Limit use of sensitive personal information to what is necessary for the service.

10.3 How to Exercise Your Rights

Email us at privacy@gliesereum.com with your request. We will respond within 30 days (GDPR) or 45 days (CCPA). We may ask you to verify your identity before processing your request.

You can also reach us through our contact page.

11. Security

In short: We use industry-standard encryption, access controls, and monitoring to keep your data safe.

We implement appropriate technical and organizational measures, including:

TLS 1.3 encryption for all data in transit;
AES-256 encryption for data at rest;
Role-based access control (RBAC) with principle of least privilege;
API key hashing — keys are never stored in plaintext;
Audit logging of all administrative and security-relevant actions;
Regular security assessments and dependency scanning;
Tenant isolation — your data is logically separated from other tenants.

12. Cookies and Tracking

In short: We use one essential cookie for authentication. No ads, no trackers.

The Platform uses essential cookies for authentication (snaga_auth_token, HttpOnly, Secure). We do not use third-party advertising cookies or cross-site tracking pixels.

For full details, see our Cookie Policy.

13. Children's Privacy

The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the Platform or email at least 30 days before they take effect. The "Last updated" date at the top always reflects the most recent revision.

15. Data Protection Officer

For data protection inquiries, contact our Data Protection Officer at: privacy@gliesereum.com

16. Contact

Gliese LLC (USA) — Data Controller
Gliesereum Ukraine LLC (UA) — Data Processor / Development
Email: privacy@gliesereum.com