1. Data Collection & Architecture Unlike typical agencies, we act as a Data Processor for your operational infrastructure. We collect:

• Direct Information: Name, email, and billing details for invoicing.

• Operational Data: Temporary logs of data processed through your automations (e.g., webhook payloads, JSON responses) strictly for error handling and debugging.

• Credentials: API keys and OAuth tokens required to build your system. These are stored using industry-standard encryption or directly within your own platform accounts (Zapier/Make).

2. AI & Large Language Models (Critical Clause) We utilize LLMs (e.g., OpenAI, Anthropic) for data enrichment.

• No Training: We explicitly configure API calls to ensure your proprietary data is NOT used to train public AI models.

• Data Isolation: Client data processed via AI is transient and strictly scoped to the specific automation workflow.

3. Data Retention & Logs

• System Logs: To ensure "Zero-Loss" reliability, we maintain error logs (Resilience Layer) for 30 days. After this period, logs are automatically purged.

• Client Assets: Upon project completion, strictly necessary documentation is retained for warranty purposes. All sensitive API keys are deleted from our local environments.

4. Third-Party Sub-Processors We do not sell data. However, your infrastructure relies on trusted sub-processors. By hiring us, you acknowledge data flows through:

• Automation Platforms: Zapier, Make, n8n.

• AI Providers: OpenAI API, Anthropic API.

• Cloud Infrastructure: Google Cloud Platform, AWS (for custom scripts/hosting).

5. Cookies & Tracking We use minimal tracking (e.g., Google Analytics) solely to understand portfolio traffic. We do not use cross-site tracking pixels for retargeting.

6. Your Rights (GDPR & CCPA) You retain full sovereignty over your data.

• Right to Audit: You may request a report of what data is stored in our debugging logs.

• Right to Erasure: You may request the immediate deletion of all system logs and local credential files upon project termination.

7. Security Measures We employ Zero-Trust principles:

• 2FA (Two-Factor Authentication) on all admin accounts.

• HMAC Signature Verification for incoming webhooks.

• Encrypted storage for local environment variables.

8. Updates As API standards evolve, this policy may change. Active clients will be notified via email of any material changes to data handling practices.