Legal
Privacy Policy
Artifacta Inc. — incorporated in the State of Texas, United States
Last updated: 2026-04-13
Artifacta is an artifact store built for AI agents and the developers who build them. This policy explains what we collect, why, and what we do with it. Plain English, no tricks.
Operational status: privacy@artifacta.io and support@artifacta.io are live for privacy requests and general support. PostHog (or similar product analytics) is not in use until we add the vendor to §6, expand §9, and bump Last updated.
1. Scope & governing law
This policy applies to the Artifacta services (web app at app.artifacta.io, API, CLI, and related infrastructure). Texas law governs this policy except where mandatory consumer-privacy laws of your U.S. state or country apply. Disputes are subject to the exclusive jurisdiction and venue of the state and federal courts located in Texas, consistent with our Terms of Service (and any arbitration clause added there).
2. Who controls what (accounts vs. content)
- Account, billing, and service operation. Artifacta Inc. decides how we use personal information needed to run accounts, authentication, billing, security, and support. In GDPR terms, we act as a controller for that processing (where the GDPR applies).
- Artifacts and metadata you upload. You choose what to store. You are responsible for having the right to upload that material and for not uploading others’ personal data without a lawful basis. We process stored content to provide the storage service you asked for. If we sign a written enterprise agreement that names your organization as controller for specific processing, that agreement governs for those services.
3. What we collect
- Account data (human signup). Email address and hashed password (managed by Supabase Auth). If you sign in with GitHub OAuth, GitHub shares with us (via Supabase) what you authorize — typically your GitHub username and public profile name; we do not request additional GitHub scopes beyond what the login flow requires. If you sign in with Google OAuth, Google shares with us (via Supabase) what you authorize — typically your Google profile email address and display name; we do not request additional Google scopes beyond openid, email, and profile.
- Account data (AI agent signup). Email address, optional display name, and data needed to complete agent verification (Hatcha): challenge identifiers, your submitted answers, and short-lived signed tokens. This verification runs on Artifacta’s own servers (see §5); we do not send challenge content to a separate “Hatcha cloud” operated by Monday.com for processing.
- API keys. We generate keys with the prefix ak_live_. We only store a SHA-256 hash of the key; the plaintext is shown once at creation and never again.
- Artifacts you upload. File bytes, filename, content type, size, content hash, and any metadata keys/values you attach. Stored in Cloudflare R2 under a tenant-isolated key path.
- Usage telemetry. Request counts, storage consumed, download link activity, and rate-limit state — used to enforce plan quotas and operate the service.
- Billing data (Pro only). Stripe customer ID, subscription status, and payment-failure timestamps. We do not receive or store your card number, CVC, or bank details — Stripe handles those directly.
- Server logs. Standard request logs (IP address, user agent, endpoint, status code, timestamp) retained for operations and abuse prevention.
4. How we use it
We use your data to run the product: authenticate you, verify agent signups, store and retrieve artifacts, enforce plan limits, bill subscriptions, fix bugs, and investigate abuse. We do not train AI models on your artifacts, sell your data, or share it with advertisers.
Lawful bases (summary for GDPR-style frameworks): core service and billing → contract; security, abuse prevention, and minimal operational logging → legitimate interests; marketing cookies or emails (if any in the future) → consent where required.
5. AI agent verification (Hatcha) — where it runs
Agent signup uses the open-source Hatcha libraries (@mondaycom/hatcha-server on the server and related client packages). Challenge generation, answer verification, and token signing execute on Artifacta infrastructure (the same Next.js application hosted on Vercel as the web app). A shared server secret (HATCHA_SECRET) signs verification tokens; Monday.com does not receive your challenge prompts or answers as part of this flow. Monday.com is the origin of the software, not a data processor for those API calls.
6. What we share (sub-processors)
We share personal data only with service providers we need to operate the product:
| Vendor | Purpose | Data touched |
|---|---|---|
| Supabase | Database + authentication; magic-link and auth-related email (e.g. sign-in links, confirmations) are sent through Supabase — we do not use a separate provider for those messages | Account data, API key hashes, tenant/workspace rows, email for delivery |
| GitHub (optional) | OAuth identity provider when you choose “Sign in with GitHub” | OAuth tokens and profile identifiers per GitHub’s flow |
| Google (optional) | OAuth identity provider when you choose “Sign in with Google” | OAuth tokens and profile identifiers per Google’s flow (scopes limited to openid, email, profile) |
| Cloudflare R2 | Artifact blob storage | Artifact file bytes, filenames |
| Cloudflare Workers (dl.artifacta.io) | Public download link redirects | The link id in the URL; our Worker loads link and artifact fields (e.g. tenant id, content hash, filename, content type) from our database to build a short-lived presigned redirect to R2. Our Worker code does not implement separate product analytics. Cloudflare may still process standard edge request metadata (IP address, user agent, timestamps) on its network. |
| Stripe | Subscription billing | Email, customer ID; payment details held by Stripe |
| Vercel | Hosting for the web app (including Hatcha API routes and server logs) | Request metadata, logs |
| Railway | API server hosting | Request metadata, logs |
| Resend | Transactional email (e.g. waitlist, product notifications) other than Supabase-managed auth email | Email address |
We do not share your data with anyone else except when legally compelled (valid subpoena, court order) or to protect the service from imminent harm.
International transfers: Sub-processors may process data in the United States and other regions where they operate. For personal data transferred from the EEA, UK, or Switzerland, we intend to rely on appropriate safeguards such as the EU Standard Contractual Clauses (and UK Addendum where applicable). We do not currently offer a self-serve clickwrap DPA; enterprise customers may request a DPA as we formalize that program.
We may publish a dedicated sub-processor list page; this table should stay in sync with that list. If we add product analytics (e.g. a vendor such as PostHog), we will list them here and update the Cookies, analytics & tracking section.
7. Data retention
- Artifacts you delete are soft-deleted immediately (hidden from the API) and hard-deleted from R2 by a background job after 30 days.
- Deleted accounts enter a 7-day grace period: API keys and download links stop working immediately; after 7 days, the account, artifacts, and API keys are permanently removed (subject to legal holds).
- Server logs are retained for up to 90 days for operational and security purposes unless a longer hold is required.
- Billing records are retained as required by tax and accounting law (often seven years in the U.S.).
8. Your rights
If you are in the EU/UK (GDPR / UK GDPR) or California (CCPA/CPRA), you may have rights to access, correct, export, or delete personal data, and to object to or restrict certain processing. You can manage many artifacts via the CLI or dashboard; for account-level export or erasure, contact us at §10.
We do not “sell” or “share” personal information for cross-context behavioral advertising as defined under the CCPA/CPRA (and we do not run ad pixels today).
EU / UK visitors: We do not have an establishment in the EU or UK and do not specifically target those markets; anyone may still sign up. GDPR-style rights may apply to personal data we process about EU/UK residents regardless. Whether we must appoint an EU or UK representative under Article 27 depends on factors such as regular and systematic monitoring or large-scale sensitive processing. You may lodge a complaint with your local supervisory authority.
9. Cookies, analytics & tracking
- Today: The web app sets only authentication cookies required by Supabase Auth (httpOnly, Secure, SameSite=Lax). We do not run third-party analytics scripts, ad pixels, or marketing trackers in the product yet.
- Stripe Checkout and the Stripe Customer Portal set their own cookies on Stripe-hosted pages while you complete billing.
- Future (likely third-party product analytics): We may use a provider such as PostHog (or similar) for product analytics (e.g. funnels, feature usage, performance). That would involve cookies or SDKs that send event data to the vendor. If we add this, we will update this policy, name the vendor in §6, and obtain consent or opt-out as required by applicable law (including EU/UK ePrivacy/GDPR and U.S. state laws). We will not enable new trackers silently without a new Last updated date and appropriate notice.
10. Contact
Artifacta Inc.
5900 Balcones Drive, Ste 100
Austin, Texas 78731
United States
- Privacy / data requests: privacy@artifacta.io (live)
- Support: support@artifacta.io (live)
11. Children
The service is not directed at children under 13 (or 16 where a higher age applies). We do not knowingly collect personal information from children. If you believe we have, contact privacy@artifacta.io.
12. Security
We use industry-standard measures appropriate to our stage: encryption in transit (HTTPS), access controls, tenant isolation in the application and database, and hashed API keys. No method of transmission or storage is 100% secure; we work to improve protections over time.
13. Changes
We will post updates here and revise the “Last updated” date. Material changes that affect how we use personal data may require additional notice (e.g. email or in-app banner) depending on law and what changed.
14. Breaches
If we become aware of a breach affecting personal data, we will notify affected users and regulators as required by applicable law. We do not commit to a specific timeline in this policy beyond legal requirements.