Privacy Policy

Last updated: June 10, 2026

AEGIS is an open-source runtime safety layer for AI agents, maintained by Aojie Yuan and operated as a hosted SaaS on aegis.dev. This policy describes what data the hosted service collects, why, and how you control it. Self-hosted installations are out of scope — your data stays on your infrastructure.

1. What we collect

The hosted service collects:

  • Account data — your email, name (optional), org slug.
  • Tool-call traces — the inputs, tool name, and outputs that flow through the gateway. This is the audit you signed up for.
  • Telemetry — error reports and aggregate latency / throughput metrics so we can keep the gateway up.
  • Billing — Stripe processes your payment; we store the Stripe customer and subscription IDs, not your card.

The marketing site (aegis.dev) uses Cloudflare Web Analytics — no cookies, no per-user tracking.

2. What we do not collect

  • We do not read tool-call traces for our own training data.
  • We do not share traces with anyone other than the providers you explicitly route through (OpenAI / Anthropic / your SIEM).
  • We do not sell user data.

3. Where data lives

Hosted-tier data is stored with our cloud provider in the US (and, on an opt-in basis, in the EU starting in 2027). Backups are encrypted at rest. Stripe handles all card data in its PCI-DSS environment.

4. How long we keep it

  • Free tier: 7-day audit retention.
  • Pro tier: 30 days.
  • Team tier: 90 days.
  • Enterprise: contractual (up to forever).

Account metadata persists while your account is active. On deletion, your traces and account data are purged within 30 days.

5. Your rights

You can:

  • Request a copy of your data — email privacy@aegis.dev.
  • Request deletion of your account and all associated traces.
  • Object to processing (we'll work with you to migrate to self-hosted).
  • Lodge a complaint with your local supervisory authority (EU users) or the California AG (CCPA).

6. Sub-processors

We rely on a small list of vendors to operate the hosted service:

  • Cloudflare — edge CDN, marketing site, Workers Builds, Web Analytics.
  • Stripe — payment processing.
  • Resend — transactional email.
  • Sentry — error reporting.
  • Instatus — public status page.

If we add a sub-processor that touches customer data, we'll update this list with at least 30 days' notice for enterprise customers.

7. Security

See /security for the technical posture: TLS in transit, AES-256 at rest, RBAC + SCIM + SAML + OIDC for identity, immutable audit log on a Merkle-anchored transparency tree. Vulnerability reports go to security@aegis.dev.

8. Contact

Privacy questions, requests, or complaints: privacy@aegis.dev.


This is the v1 self-drafted policy. Once we engage outside counsel (planned 2026 Q3), this page will be replaced with a professionally reviewed version. We will not weaken any commitment listed above in that revision.

© 2026 AEGIS · MIT licensed v0.1.0 — built by Aojie Yuan