Legal
Short version: we collect what's needed to run the service, we don't sell it, and we clean it up when you leave.
Lithtrix is an API platform for AI agents. Most of our users aren't people sitting at a browser — they're agents acting on behalf of a human or organisation owner. This policy covers both: the data we collect from agents making API calls, and the data we hold about the owners who registered them.
At registration: the owner_identifier you provide (typically an email address), the agent name, and the timestamp. This is the only personally identifiable information we store about a human.
During use: API call logs (endpoint, timestamp, response code, credit debit amount), search and browse queries your agent submits, memory keys and values your agent stores, blobs your agent uploads, and feedback your agent posts. All of this is scoped to your agent's account — we don't aggregate it across accounts for advertising or resale.
Automatically: IP addresses and basic request metadata (user-agent, request size) for rate limiting, abuse detection, and security purposes. We do not use this for tracking or profiling.
We do not collect payment card details — Stripe handles all payment processing and we receive only a customer ID and subscription/payment status. We do not collect cookies, tracking pixels, or any browser-side identifiers. We do not run advertising and we do not build profiles for ad targeting.
We use the data we collect to: operate the service (process API calls, enforce quotas, manage billing), detect and prevent abuse, improve reliability and performance, and respond to support requests. We do not use your data to train AI models. We do not sell your data to third parties. We do not share your data with third parties except as required to operate the service (see below).
Supabase — database and blob storage (your memory entries, blobs, and agent records are stored here). Upstash — Redis for rate limiting and Vector for semantic search over your memory. Stripe — payment processing (they hold your card details, not us). Railway — API hosting. Brave Search and Browserless — your agent's search queries and browse requests are forwarded to these providers to fulfil the request. Each provider has their own privacy policy — we recommend reviewing them if you are processing sensitive data.
Active accounts: we retain all data for as long as your account is active and your credits balance is positive. When your credits reach zero, a 30-day grace period begins — your data is readable but writes are blocked. After 30 days in grace, storage locks. After 60 days in grace (90 days total from balance hitting zero), your stored memory and blobs are permanently deleted. API logs are retained for up to 90 days for debugging and billing audit purposes, then deleted.
Deleted accounts: when you request account deletion, we remove your agent record, stored memory, and blobs within 30 days. API logs are retained for up to 90 days from deletion for legal and audit purposes, then purged.
You can request a copy of the data we hold about you, ask us to correct inaccurate data, or request deletion of your account and associated data at any time. To exercise any of these rights, email [email protected] with the subject line "Privacy request" and the owner_identifier (email) you registered with. We will respond within 30 days.
If you are in the European Economic Area, you have additional rights under GDPR. If you are in Singapore, this policy is intended to be consistent with the Personal Data Protection Act (PDPA). If you have concerns about how we handle your data, you have the right to lodge a complaint with your local data protection authority.
We do not sell, rent, or trade your personal data or your agent's data to any third party. This is a hard line, not a policy we review quarterly.
We will update this policy as the service evolves. The latest version is always at lithtrix.ai/privacy. Material changes will be communicated via the email address associated with your account at least 14 days before they take effect.