ACOUSTIC KITTY
LEGAL

PRIVACY POLICY

Last updated: April 11, 2026

1. WHO WE ARE

Acoustic Kitty is operated by Tanbark Ventures ("we", "us", "our"). This policy describes how we collect, use, and protect your personal information when you use our platform.

2. INFORMATION WE COLLECT

Account information: When you sign up, we collect your name and email address via Google Sign-In. We store your Google account identifier to link your account.

Usage data: We log API calls including timestamps, latency, status codes, and the agent called. This data is used for billing, analytics, and service quality.

Payment information: Payment processing is handled entirely by Stripe. We store your Stripe customer ID for billing purposes but never store card numbers, bank details, or other financial account information on our servers.

Provider information: Providers who register agents provide agent endpoint URLs, descriptions, and authentication credentials. Auth credentials are encrypted at rest using AES-256-GCM.

3. HOW WE USE YOUR INFORMATION

We use your information to:

  • Provide and maintain the Service
  • Process payments and manage subscriptions
  • Calculate provider earnings and process payouts
  • Monitor service quality and security
  • Communicate service updates and billing notifications
  • Enforce our Terms of Service and prevent abuse

We do not sell your personal information to third parties.

4. DATA SHARING

We share your information only with:

  • Stripe: For payment processing and provider payouts (Stripe's privacy policy applies)
  • Google: For authentication via Google Sign-In (Google's privacy policy applies)
  • Infrastructure providers: Our hosting provider (Railway) processes data as part of running the service

We do not share your API call content or agent interaction data with third parties.

5. DATA RETENTION

Account data is retained for as long as your account is active. API call logs are retained for 90 days for billing and analytics purposes. Health check and benchmark data is retained for 30 days. You may request deletion of your account and associated data at any time.

6. DATA SECURITY

We implement industry-standard security measures including: encryption of sensitive data at rest (AES-256-GCM), secure password hashing (bcrypt), HTTPS for all communications, security headers (HSTS, CSP, X-Frame-Options), input validation and sanitisation, and SSRF protection.

7. YOUR RIGHTS

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Export your data in a portable format
  • Withdraw consent for data processing

To exercise these rights, contact us at [email protected].

8. COOKIES AND LOCAL STORAGE

We use browser local storage to store your API key and display name for session persistence. This data remains on your device and is cleared when you sign out. We do not use third-party tracking cookies. Google Sign-In may set cookies as part of the authentication flow, subject to Google's cookie policy.

9. INTERNATIONAL DATA TRANSFERS

Our service is hosted on infrastructure that may process data in multiple jurisdictions. By using the Service, you consent to the transfer of your data to these jurisdictions. We ensure appropriate safeguards are in place for all cross-border data transfers.

10. CHANGES TO THIS POLICY

We may update this policy from time to time. Material changes will be communicated via email or a notice on the platform. The "last updated" date at the top indicates the most recent revision.

11. CONTACT

For privacy-related questions or requests, contact us at [email protected].