/ privacy

Privacy Policy

Version: v3.1 Effective date: 2026-05-07 Last updated: 2026-05-11

Scope. This Privacy Policy covers the marketing and documentation website at agent-swarm.dev (the "Site") and the Agent Swarm Cloud platform at cloud.agent-swarm.dev (the "Cloud Service"). Together, the Site and the Cloud Service are the "Service."

This Privacy Policy explains how Desplega Labs, S.L. ("we," "us," "our," "Desplega Labs," or the "Company") collects, uses, and protects information when you use the Service.

The Company acts in different roles depending on the data:

Data Controller for account, billing, security, marketing, and analytics data we collect about you as a customer or visitor.
Data Processor for the data your agents ingest, generate, and store inside the Cloud Service on your instruction (your "Customer Data"). You are the controller of that data. See Section 5 and Section 6.

1. Data Controller and Contact

Desplega Labs, S.L., a Spanish private limited company (sociedad de responsabilidad limitada) with registered office in Barcelona, Spain, registered at the Registro Mercantil de Barcelona, CIF B27645381 (the "Company", "Desplega Labs", "we", "us", "our").

Contact for privacy questions, GDPR rights, complaints, and all other inquiries: contact@desplega.sh
Postal address for legal notices: Desplega Labs, S.L., Barcelona, Spain. For service of formal legal notices, contact contact@desplega.sh to request the current registered-office address.

A Data Protection Officer has not been appointed; if Spanish counsel determines one is required under LOPDGDD/GDPR, the contact will be added here.

2. Information We Collect

2.1 Account Information

When you sign up through Clerk (our authentication provider), we receive and store:

Your name and email address
Clerk user ID and organization ID
Organization name and membership details
Authentication metadata (login timestamps, IP addresses of authentication events)

2.2 Billing Information

When you subscribe through Stripe (our payment processor), we store:

Stripe customer ID and subscription ID
Subscription status, plan, and billing-cycle metadata
Billing address and tax identifiers if you provide them
Invoices and payment-history references

We do not store your card number, bank account, or other payment instruments. These are handled directly by Stripe under its own privacy policy.

2.3 Agent Configuration and Activity Data (Customer Data)

When you operate swarms through the Cloud Service, we host and process on your behalf:

Swarm and agent configuration (roles, names, system prompts, tools, schedules)
Agent activity (task logs, messages, memory entries, file events, hook events)
Files and content generated by your agents and stored on the Service's shared and personal disks
Usage and resource-consumption metrics (machine uptime, token counts, request counts, billing-relevant events)

This data lives in per-tenant databases on the virtual machines and servers we provision for you. With respect to this category, we act as a data processor on your behalf — see Section 5.

2.4 Integration Data

If you connect third-party services to your swarm (Slack, GitHub, GitLab, Linear, AgentMail, custom MCP servers, etc.), we store on your behalf:

OAuth credentials and refresh tokens, encrypted at rest using AES-256-GCM
The minimum installation metadata required to operate each integration (workspace name, organization name, channel/repo identifiers, account email)
Messages, events, files, and other payloads delivered to your swarm by those services on your instruction (e.g., a Slack message that triggers a task, a GitHub webhook that opens an issue, an email received by an AgentMail inbox)

We process integration data solely to operate the Service on your behalf. The third-party services themselves are not Desplega sub-processors — they are services you connect under your contracts and credentials. See Section 6, Group C.

2.5 Model and AI Provider Data

When your agents call AI providers (Anthropic / Claude API, OpenAI, OpenRouter, Codex, OpenCode, or any other provider you configure), the prompts and outputs of those calls travel to that provider under that provider's terms, using your API keys. We act only as a passthrough for the credentials you provide. We do not retain a separate copy beyond what your swarm stores in its own logs and memory. Those AI providers are not Desplega sub-processors. See Section 6, Group C.

2.6 Technical Data

We collect minimal technical data to operate the Service:

IP addresses (logged by our infrastructure providers)
Browser type, version, and standard HTTP headers
Error logs, traces, and crash reports

2.7 Analytics and Cookies

The Site uses Plausible (privacy-friendly, cookieless) and PostHog for product/visitor analytics so we can understand how the marketing site is used.
The Cloud Service dashboard uses PostHog to capture product-analytics events (page views, feature usage, sign-up funnel events) so we can measure reliability and usability.
Sentry captures error and crash reports across the Service.
Authentication uses Clerk session cookies; the dashboard sets a small number of functional cookies (e.g., sidebar_state).

We do not run cross-site advertising trackers, ad-network retargeting, or social-media trackers. See the cookie table in Section 4.

2.8 Communications

If you contact us by email, fill out a form, or reply through Slack/email integrations operated by us, we retain the content of those communications and the email addresses involved for support and recordkeeping.

3. How We Use Your Information

We use the information we collect to:

Operate the Service — provision infrastructure, run your agent swarms, deliver integration events, and display data in the dashboard.
Process billing — manage subscriptions, charge invoices, handle taxes, and send receipts through Stripe.
Authenticate users — verify identity and protect accounts via Clerk.
Provide support — respond to questions, troubleshoot incidents, and communicate maintenance.
Maintain security — detect and prevent unauthorized access, fraud, abuse, and platform abuse.
Improve the Service — understand usage patterns and reliability through analytics.
Comply with law — meet our legal, accounting, tax, and commercial-registry obligations under Spanish and EU law.

We do not:

Use your data or your Customer Data to train AI models (ours or anyone else's).
Serve advertising.
Build cross-site profiles for marketing.
Sell or share your personal information with third parties for their independent purposes.

4. Legal Basis for Processing (GDPR / LOPDGDD)

We are subject to the EU General Data Protection Regulation 2016/679 ("GDPR") and the Spanish Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales ("LOPDGDD"). Our legal bases:

Activity	Legal basis
Operating the Cloud Service for paying customers	Contract performance (Art. 6(1)(b))
Operating the Site (marketing pages, docs)	Legitimate interest in running our business (Art. 6(1)(f))
Billing, accounting, tax records	Legal obligation (Art. 6(1)(c)) — Spanish Commercial Code, General Tax Law, VAT regulations
Security, fraud prevention, abuse detection	Legitimate interest (Art. 6(1)(f))
Product analytics on the Site and dashboard	Legitimate interest (Art. 6(1)(f)) — opt-out available; see Section 8
Marketing emails to existing customers about similar services	Legitimate interest with opt-out
Marketing emails to non-customers	Consent (Art. 6(1)(a))

You can object to processing based on legitimate interest at any time at contact@desplega.sh.

4.1 Cookies and Similar Technologies

Cookie / token	Purpose	Set by	Type
Clerk session cookies (`__session`, etc.)	Authentication	Clerk	Strictly necessary
`sidebar_state`	Remembers sidebar open/closed	Cloud Service	Functional
Plausible (no cookie)	Cookieless analytics	Plausible	Analytics (no personal data)
`ph_*` (PostHog)	Product and visitor analytics	PostHog	Analytics
Stripe cookies (during checkout/portal)	Fraud prevention and payment processing	Stripe	Strictly necessary

We do not use advertising or retargeting cookies, cross-site tracking cookies, or third-party social-media trackers.

EU/UK visitors will see a cookie banner on first visit allowing you to accept or reject non-essential cookies, in line with the Spanish Ley 34/2002 de Servicios de la Sociedad de la Información (LSSI) and the ePrivacy Directive.

5. Our Role: Controller vs. Processor

We act in two different capacities, and the GDPR rules differ between them. Spanish counsel should validate this split.

Controller — for data we collect about you as a customer or visitor. This includes account information (Section 2.1), billing information (Section 2.2), technical data (Section 2.6), analytics (Section 2.7), and communications with us (Section 2.8). For this data, this Privacy Policy governs.
Processor — for the Customer Data your agents ingest, generate, and store on the Cloud Service (Sections 2.3, 2.4, and 2.5). Here, you are the controller and we process on your documented instructions for the sole purpose of operating the Service.

A separate Data Processing Addendum (DPA), including the EU Standard Contractual Clauses where applicable, is available on request at contact@desplega.sh.

6. Sub-Processors

We engage two groups of sub-processors who process personal data on our behalf, under our instructions, and pursuant to a written data-processing agreement (Art. 28 GDPR). A third group consists of user-configured integrations, which are NOT Desplega sub-processors. The distinction is legally significant — see Group C below.

6.1 Group A — First-party infrastructure & service providers (Desplega-controlled)

These are the processors we use to run the platform. They are required for the Service to function.

Provider	Role	Data processed	Region	Transfer mechanism
Clerk	Authentication / identity	Account profiles, session metadata	United States	SCCs and EU–US Data Privacy Framework (verify DPF certification at publication)
Stripe	Billing and payments	Customer profile, payment metadata, invoices	United States / Ireland	SCCs / DPF (verify)
Convex	Application database / backend platform	Account, swarm, billing, integration metadata	United States	SCCs (verify hosting region and DPA)
Vercel	Web hosting and edge runtime	Web requests for the dashboard and Site	United States (with global edge)	SCCs / DPF (verify DPF certification)
Hetzner	Server hosting and compute infrastructure for swarms	Customer swarm runtime data	Germany (EU)	EU-EU; no cross-border transfer mechanism required

6.2 Group B — Analytics & error tracking (Desplega-controlled, telemetry)

Provider	Role	Data processed	Region	Transfer mechanism
Plausible	Privacy-friendly product analytics	Anonymized, cookieless event data	Germany / Estonia (EU)	EU-EU; GDPR-aligned
Sentry	Error monitoring and crash reporting	Stack traces, sanitized request metadata	United States (EU region available — verify which deployment is in use)	SCCs / DPF (verify)
PostHog	Product analytics / session intelligence	Pseudonymized usage events	United States or EU (verify deployment region and whether IP/event anonymization is enabled)	SCCs / DPF if US deployment

Group A and Group B together form Desplega's controlled sub-processor stack. Per GDPR Art. 28(2)–(4), we will publish updates to the sub-processor list and give Customers reasonable advance notice of material additions or replacements in Group A or Group B. The current list will be maintained at cloud.agent-swarm.dev/legal/subprocessors (to be published).

6.3 Group C — User-configured integrations (NOT Desplega sub-processors)

The third-party services your swarm interacts with — including but not limited to Anthropic / Claude API, OpenAI, OpenRouter, Slack, GitHub, GitLab, Linear, AgentMail, and any other LLM, model provider, MCP server, or tool you connect — are services you select and connect using your own accounts, contracts, and API credentials.

For those services:

Desplega does not have a controller/processor relationship with you in respect of those services.
Desplega does not execute DPAs with those vendors on your behalf. You are responsible for entering into any required data-processing terms directly with them.
Desplega acts only as a passthrough for the API keys, OAuth tokens, and content the customer instructs the Service to send to those vendors.
You are solely responsible for compliance, billing, acceptable use, intellectual-property clearances, and any data-protection consequences of using those services.

Use of those services is governed by their own terms and privacy policies. We are not liable for their availability, behavior, output, or policy changes (see the Terms and Conditions).

7. Data Retention

7.1 Active Accounts

We retain account, configuration, and billing data for as long as your subscription is active. Agent runtime data persists on your provisioned infrastructure (VMs, storage) as long as those resources exist.

7.2 After Cancellation or Suspension

When a subscription ends:

Swarm machines are stopped at the end of the billing period (or, where partial-period cancellation triggers a pro-rata refund, immediately upon refund processing).
Runtime data remains for a grace period of up to 28 days to allow re-subscription, export, or migration to self-hosting.
After the grace period, we may tear down the infrastructure and delete associated agent data. We will attempt to send a reminder email before deletion.

7.3 Account Metadata, Billing Records, and Statutory Retention

Account metadata (org IDs, user IDs, subscription history, integration metadata, audit logs) is retained for up to 24 months after account closure to handle disputes, comply with accounting/tax obligations, and prevent fraud. Mandatory retention periods under Spanish law apply notwithstanding deletion requests:

Commercial books, accounts, supporting documents, invoices: 6 years (Art. 30 Spanish Commercial Code / Código de Comercio).
Tax records (VAT, corporate income tax): 4 years from accrual (Art. 66 General Tax Law / Ley General Tributaria), extendable per anti-fraud rules.
Stripe invoices and underlying payment records are retained for the period required by applicable Spanish and EU tax law.

Spanish counsel must validate the exact retention periods and any LOPDGDD-specific obligations.

7.4 Backups

Infrastructure backups follow our underlying providers' schedules. We do not currently maintain independent application-level backups of customer agent runtime data beyond what exists on the live infrastructure. Where providers retain residual copies in backups beyond deletion, those copies expire on the provider's schedule.

7.5 Logs

Operational logs (application errors, infrastructure logs, security events) are retained for up to 90 days and then deleted or anonymized.

8. Your Rights (GDPR / LOPDGDD)

Subject to applicable law, you have the rights to:

Access — receive a copy of the personal data we hold about you.
Rectification — correct inaccurate personal data.
Erasure / Deletion — request deletion of your personal data, subject to limited exceptions (e.g., billing and tax records we must keep by law — see Section 7.3).
Portability — receive your data in a structured, machine-readable format. The Agent Swarm runtime is open-source under the MIT License; you may self-host and we will assist with export of your runtime data.
Restriction — restrict our processing while a request is pending.
Objection — object to processing based on legitimate interest, including direct marketing.
Withdraw consent — where processing is based on consent.
Not be subject to automated individual decision-making producing legal or similarly significant effects (Art. 22 GDPR).
Lodge a complaint with the Spanish supervisory authority (Agencia Española de Protección de Datos, www.aepd.es) or your local EU data-protection authority.

8.1 Digital Rights Under LOPDGDD

In addition, Spanish residents enjoy the digital rights recognized in Title X of the LOPDGDD, including the right to digital disconnection in the labour environment, the right to digital education, and rights connected to the use of the Internet.

8.2 How to Exercise Your Rights

Email contact@desplega.sh. We will respond within 30 days (extendable in accordance with Art. 12(3) GDPR). We may need to verify your identity before fulfilling a request.

8.3 International Transfers

Several Group A and Group B sub-processors process data in the United States. International transfers from the EEA, United Kingdom, or Switzerland are protected by:

Standard Contractual Clauses (SCCs) — incorporated into our agreements with non-adequate-country sub-processors.
EU–US Data Privacy Framework (DPF) — relied on for sub-processors that are certified, where applicable.
Supplemental measures (encryption in transit, encryption at rest for sensitive secrets) where appropriate.

Spanish law does not change the GDPR transfer regime — these are EU-wide rules.

8.4 California (CCPA / CPRA) and Other US States

If you are a California resident, you have the rights to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as defined by the CCPA/CPRA. If you reside in another US state with a comprehensive privacy law (Colorado, Connecticut, Virginia, Utah, Oregon, Texas, etc.), submit requests to contact@desplega.sh and identify your state.

9. Data Residency

Your data may be stored in multiple locations depending on the service:

Agent infrastructure (Hetzner): Germany (EU). Region selection at swarm creation may be available in the future; today, EU-only.
Account, billing, and configuration metadata (Convex): United States.
Authentication (Clerk): United States.
Billing (Stripe): United States and EU (Ireland) regional infrastructure.
Web hosting (Vercel): United States with global edge.
Analytics (Plausible, PostHog, Sentry): see Section 6.

If you require strictly EU-only processing, contact us at contact@desplega.sh before subscribing so we can confirm whether the current configuration meets your requirements.

10. Data Security

We apply commercially reasonable technical and organizational measures, including:

Encryption in transit: TLS for all communications between users, the dashboard, and provisioned infrastructure.
Encryption at rest: sensitive secrets (API tokens, OAuth credentials, integration keys) are encrypted using AES-256-GCM before storage. Underlying provider storage is encrypted at rest by default.
Tenant isolation: each swarm runs on dedicated virtual machines or servers, with separate databases and storage paths per tenant.
Access controls: infrastructure access is restricted to authorized personnel under role-based access controls. Production access is logged.
Least privilege: sub-processors receive only the data necessary to perform their function.
Secret rotation: OAuth tokens and webhook signing keys are rotated on a regular schedule.
Vulnerability management: dependencies are monitored for known CVEs.

No system is perfectly secure. While we use commercially reasonable measures, we cannot guarantee absolute security.

If we become aware of a personal-data breach affecting you, we will notify you and the Agencia Española de Protección de Datos (or other competent supervisory authority) as required by applicable law (within 72 hours of awareness where required by GDPR Art. 33).

11. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us at contact@desplega.sh and we will delete it.

12. Automated Decision-Making

We do not make automated decisions producing legal or similarly significant effects on you without human involvement (Art. 22 GDPR). Your AI agents may produce outputs that affect downstream systems you control; you remain responsible for reviewing those outputs.

13. Changes to This Policy

We may update this Privacy Policy. For material changes, we will:

Post the updated policy on the Service and update the "Last updated" date.
Notify you by email at the address associated with your account at least 30 days before changes take effect.

Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact Us

For privacy questions, GDPR-rights requests, complaints, or any other inquiry:

Email: contact@desplega.sh
Postal: Desplega Labs, S.L., Barcelona, Spain.
Spanish supervisory authority: Agencia Española de Protección de Datos — www.aepd.es.