Privacy Policy
Effective date: April 4, 2026
The short version:
- The CLI collects no data by default. It runs entirely on your machine.
- The Website collects only what it needs: basic usage telemetry.
- We do not sell your data. We do not use your configurations to train AI models.
- You can request deletion of your data at any time.
- We are GDPR and CCPA conscious. If you are in the EU or California, your additional rights are described below.
1. Data Controller
This Privacy Policy is issued by Saero AI, a company registered in the Republic of the Philippines ("Saero AI," "we," "us," or "our"). Saero AI is the data controller for personal data collected through xcaffold.com and the xcaffold Platform.
For privacy inquiries, contact our Data Protection Officer (DPO) at [email protected].
2. What This Policy Covers
This Policy covers two distinct products with very different data profiles:
xcaffold CLI
Open-source, runs entirely on your local machine. By default, the CLI collects no telemetry, sends no data to Saero AI servers, and does not require authentication. When you run xcaffold commands, your .xcaf blueprint files and generated provider directories stay on your disk.
xcaffold Website
A cloud service (xcaffold.com). Requires an account. Processes your agent configurations, team membership, and usage telemetry to provide agent configuration management, usage analytics, and team administration services. This section of the Policy primarily describes the Website.
3. Data We Collect on the Website
3.1 [Removed] 3.2 [Removed]
The core function of the Website is synchronizing and governing agent configurations across your team. To do this, we store:
- .xcaf blueprint files you upload or sync to the Website
- Compiled provider directory structures derived from your .xcaf blueprint files
- project.xcaf.state hashes used for drift detection
- Agent, skill, and rule definitions you upload or manage through the Website
- Metadata about your configurations (name, created date, last modified, team membership)
Your configuration files may incidentally contain references to your codebase structure (e.g., file paths, module names referenced in agent instructions). We treat this data as confidential and process it solely to deliver the Platform services.
3.3 Usage Telemetry
To operate and improve the Website, we collect:
- Feature usage events (e.g., "sync initiated," "drift alert triggered," "quality assessment run")
- API request metadata (endpoint, response time, HTTP status code) — not request bodies
- Agents Under Management (AUM) count for billing and telemetry dashboards
- Error logs and crash reports (stack traces, not user content)
- Session metadata (browser type, operating system, approximate geographic region)
3.4 Payment Data
The Platform does not currently process payments. When billing is activated, payment processing will be handled by a third-party payment processor. This section will be updated to describe the specific processor and data practices at that time.
3.5 Communications
If you contact us via email or submit a support ticket, we retain that correspondence to respond and to improve our support quality.
4. How We Use Your Data
Service Delivery. To provide the Website features you have contracted for: agent configuration management, usage analytics, and team administration.
Authentication. To verify your identity via GitHub OAuth and maintain your session securely.
Product Improvement. Aggregate, anonymized usage telemetry helps us understand which features are most used and where users encounter friction. We do not use your configuration content for this purpose.
Security and Abuse Prevention. To detect and prevent unauthorized access, fraud, and misuse of the Website.
Legal Compliance. To comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms of Service.
Support. To respond to your support requests and diagnose technical issues.
No AI Training. We do not use your configuration files, agent definitions, or any content you upload to train machine learning models — ours or third parties'. Your intellectual property stays yours.
5. Who We Share Data With
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
Service Providers
We use sub-processors (e.g., cloud hosting, payment processing, error monitoring) who process data on our behalf under data processing agreements. These providers may not use your data for their own purposes.
Your Organization
If you use the Website under a Team or Enterprise account, your organization's administrators can see your account information, your synced agent configurations, and your usage activity within that workspace. This is the core team governance function of the Website.
Legal Requirements
We may disclose data if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Saero AI, our users, or the public.
Business Transfers
If Saero AI is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
6. Data Storage and Retention
6.1 Where Data is Stored. Platform data is stored on cloud infrastructure located in the United States and, for Enterprise customers with data residency requirements, in the region specified in their Order Form. Data may be processed by sub-processors in additional jurisdictions in accordance with applicable data transfer mechanisms (e.g., Standard Contractual Clauses for EU data).
6.2 Retention Periods.
| Data Type | Retention |
|---|---|
| Account data | Until account deletion + 30 days |
| Agent configuration files | Until deletion or 90 days after account cancellation |
| Usage telemetry (event logs) | 24 months rolling |
| API access logs | 12 months |
| Billing records | 7 years (tax compliance requirement) |
| Support correspondence | 3 years |
| Anonymized, aggregated analytics | Indefinite |
7. Security
We implement industry-standard security measures to protect your data, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for sensitive data at rest (OAuth tokens, API keys)
- Role-based access controls limiting internal data access to personnel who require it
- Automated drift detection applied to our own infrastructure configurations
- Regular security reviews of authentication and authorization flows
No security system is impenetrable. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of discovery, as required by applicable law including GDPR and the Philippine Data Privacy Act (RA 10173).
8. Your Rights and Choices
You have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
- Request a copy of the personal data we hold about you.
- Request that we correct inaccurate or incomplete data.
- Request deletion of your personal data ("right to be forgotten"). We will delete your data within 30 days of a valid request, subject to legal retention requirements.
- Request your data in a machine-readable format (JSON export of your account and configuration data).
- Object to processing of your personal data for direct marketing or based on our legitimate interests.
- Request that we restrict processing of your data while a dispute is under review.
- Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
9. EU and UK Residents — GDPR
9.1 Legal Basis. If you are in the EU or UK, we process your personal data on the following legal bases under GDPR:
- Contract performance: processing necessary to deliver the Website services you subscribe to (Art. 6(1)(b))
- Legitimate interests: security monitoring, fraud prevention, and aggregate analytics, where our interests are not overridden by your rights (Art. 6(1)(f))
- Legal obligation: billing record retention and breach notification requirements (Art. 6(1)(c))
- Consent: marketing communications, where separately requested (Art. 6(1)(a))
9.2 International Transfers. When we transfer personal data from the EU/EEA to our servers or sub-processors outside the EEA, we do so using Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards.
9.3 Supervisory Authority. You have the right to lodge a complaint with your local data protection authority. For a list of EU supervisory authorities, visit edpb.europa.eu.
9.4 Data Processing Agreements. Enterprise customers who process EU personal data through the Website may request execution of a GDPR-compliant Data Processing Agreement (DPA) at [email protected].
10. California Residents — CCPA / CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA provides you the following additional rights:
- Know what personal information we collect, use, disclose, or sell
- Delete personal information we have collected, subject to certain exceptions
- Opt out of the sale or sharing of personal information — we do not sell or share personal information as defined under CCPA
- Non-discrimination for exercising your CCPA rights
- Correct inaccurate personal information
- Limit use and disclosure of sensitive personal information
To exercise these rights, email us at [email protected] with "CCPA Request" in the subject line. We will verify your identity before processing the request and respond within 45 days.
Do Not Sell or Share. Saero AI does not sell or share (as defined under CCPA/CPRA) your personal information to or with third parties for cross-context behavioral advertising or monetary consideration.
11. Philippine Data Privacy Act (RA 10173)
Saero AI operates under and complies with the Philippine Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations. As a Philippine entity processing personal data, Saero AI:
- Registers with the National Privacy Commission (NPC) for processing operations involving personal data exceeding 1,000 records
- Maintains a Data Protection Officer (DPO) responsible for ensuring compliance with RA 10173
- Processes personal data only on lawful bases (consent, contract, legitimate interest, legal obligation)
- Notifies the NPC and affected individuals within 72 hours of a personal data breach
- Respects the rights of data subjects to access, correction, erasure, and data portability
12. Cookies and Tracking
The Platform uses cookies for two purposes: (1) essential cookies required for authentication and security, and (2) analytics cookies from PostHog, which are loaded only after you grant consent via the cookie consent banner. We do not use third-party advertising cookies or tracking pixels.
| Cookie | Purpose | Duration |
|---|---|---|
| session | Authenticates your logged-in session | 7 days |
| csrf_token | Protects against cross-site request forgery | Session |
| xcf_preferences | Stores UI preferences (theme, layout) | 1 year |
| ph_* | PostHog analytics — tracks feature usage and session behaviour (loaded only with consent) | Up to 1 year |
13. Children's Privacy
The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) or via a prominent notice on the Website, at least 14 days before the changes take effect. The "Effective date" at the top of this page always reflects the current version. Your continued use of the Website after the effective date constitutes acceptance of the updated Policy.
Contact and Complaints
For privacy questions, data subject requests, or to report a concern:
Saero AI — Data Protection Officer
Republic of the Philippines
Email: [email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with the National Privacy Commission of the Philippines (privacy.gov.ph), your EU supervisory authority, or the California Privacy Protection Agency, as applicable.