Privacy Policy
Effective June 12, 2026 · Last updated June 12, 2026
Short version: We collect what we need to run the service — email, name, a hashed password, your apps, audit log, billing IDs. We don't sell data, don't train AI on your code or notes, don't share with advertisers. Stripe sees billing; Cloudflare sees encrypted traffic; Linode hosts our servers. You can export or delete your data any time. If you're in the EU, UK, or California, you have specific rights listed below — email
[email protected] to exercise them.
1. Who we are
Escalation Tech ("we", "us") operates Escalation Host (ai.escalation.tech). We are the data controller for the personal data described below. Contact: [email protected].
2. What we collect, why, and how long we keep it
| Category | Purpose | Legal basis (GDPR) | Retention |
|---|
| Email, full name (optional), company (optional), password hash |
Account identity + login |
Contract |
Account lifetime + 30 days |
| IP of last login + session |
Security, abuse detection |
Legitimate interest |
14 days session window; IP logged 30 days |
| API key prefixes + SHA-256 hashes |
Authenticate agent calls |
Contract |
Until you revoke; raw key never stored |
| Apps + deploys + tarball metadata |
Operate hosting service |
Contract |
Until you delete app / account |
| Persistent notes |
Agent cross-session memory |
Contract |
Until you delete |
| Runtime + build logs |
Debugging + incident detection |
Contract / legitimate interest |
Per-plan (see service catalog) |
| Audit log |
Show you what your agents did |
Contract / legitimate interest |
12 months rolling |
| Stripe customer ID, subscription ID |
Billing |
Contract / legal obligation |
Account lifetime + 7 years (tax records) |
| Support emails |
Help you |
Contract / legitimate interest |
3 years from last contact |
3. What we don't collect
- Card numbers (Stripe collects + handles; we see only customer/subscription IDs).
- Behavioral tracking data — no advertising cookies, no analytics tag third parties, no fingerprinting.
- Your prompts to your AI assistant — we never see them.
- Real-time biometric, health, or precise-location data.
4. What we don't do with what we collect
- We don't sell your data. Not in the standard sense, not under the CCPA expanded definition, not for "share" purposes either.
- We don't train AI models on your code or notes. Aggregate non-identifying telemetry (e.g., "deploys per day") may inform product decisions but never trains a model.
- We don't share with advertisers. We don't run ads.
- We don't profile you for automated decisions with legal effect. The platform makes operational decisions (rate-limit triggers, abuse detection) but does not make decisions about you that have legal or similarly significant effects within the meaning of GDPR Article 22.
5. Sub-processors
Companies we share data with strictly to deliver the service. The current list with effective dates is at /legal/subprocessors. Material additions get 30-day advance notice; you may terminate within that window if you object to a new sub-processor.
6. International data transfers
We process data primarily in the United States (Linode data centers). If you are located in the European Economic Area, the United Kingdom, or Switzerland, we transfer your data to the US under appropriate safeguards (Standard Contractual Clauses or successor mechanisms; UK IDTA where applicable). Sub-processors maintain their own transfer mechanisms — see the sub-processor list.
7. Encryption + security
- TLS in transit, always.
- Optional libsodium sealed-box body encryption on top of TLS so even our edge layer (Cloudflare) cannot read sensitive payloads. Discoverable at
/.well-known/ai-host-crypto.json.
- Env vars are AES-GCM encrypted at rest with per-container key binding.
- API key secrets are stored only as SHA-256 hashes; raw values are shown once at creation and never persisted.
- Passwords use a salted bcrypt-class hash (cost factor ≥10).
- Security incidents that affect your personal data are notified to you within 72 hours of confirmation, per applicable law.
8. Cookies
We use only essential cookies (PHPSESSID for authenticated sessions, CSRF token cookies on forms). We do not use analytics, advertising, or tracking cookies. See the Cookie Policy for the full list.
9. Your rights under GDPR (EU/EEA + UK)
If you are in the EU, EEA, UK, or Switzerland, you have these rights regardless of where we process your data:
- Access — get a copy of the data we hold about you
- Rectification — fix inaccuracies
- Erasure ("right to be forgotten") — delete your data, subject to legal-retention limits
- Restriction — pause processing while a dispute is resolved
- Portability — receive your data in a machine-readable format (we already offer this via the REST API)
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent
- Lodge a complaint with your local supervisory authority (e.g., your national DPA)
Exercise any right by emailing [email protected] from your account email. We respond within 30 days (extendable by 60 in complex cases, with notice).
10. Your rights under CCPA / CPRA (California)
If you are a California resident, you have these rights:
- Right to know what categories of personal information we collect, the sources, the purposes, and to whom we disclose it (see §2 above)
- Right to delete personal information we collected, subject to legal-retention limits
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising; no opt-out is necessary
- Right to limit use of sensitive personal information — we do not use sensitive PI for inferred-attribute or similar purposes
- Right to non-discrimination — we will not retaliate for exercising any of these rights
Exercise these rights by emailing [email protected]. We may verify your identity by asking you to confirm from your account email or respond to a magic-link verification.
11. Children
The service is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, email [email protected] and we'll delete it.
12. Changes to this policy
Material changes are sent to your account email at least 30 days before they take effect. Non-material changes (typo fixes, contact-info updates, clarifications) may be made without notice. The current version is always at this URL with the "Last updated" date at the top.
13. Contact
Privacy questions, rights requests: [email protected]
Other contact: [email protected]
Postal: Escalation Tech, Chicago, IL, USA (request a specific mailing address by email)