Privacy Policy

Registration requires your name, email, and password. Your password is securely hashed using industry-standard cryptographic algorithms and is never stored as plain text; rate limiting and account lockout protections are in place.

Paid subscribers provide billing and payment information. CraftBot Live does not directly store or have access to your complete credit card numbers or sensitive financial information. All transactions are handled by PCI-DSS compliant third-party payment processors.

Platform communications — messages, feedback, support requests — are encrypted in transit and at rest.

Third-party service connections use OAuth authentication tokens. These tokens are stored using strong encryption, and we do not have access to the underlying content. You maintain full control and can revoke access at any time.

Technical information collected automatically includes operating system, browser version, IP address, device identifiers, and general geographic location (city or region level). This optimizes services and helps prevent security threats.

Usage analytics track pages visited, features used, session duration, and navigation patterns. Analytics processing occurs in aggregate form where possible, with data minimization practices.

For CraftBot Live, agent activity information — task types, execution timestamps, error events — is logged for reliability and debugging, with automatic purging according to our retention schedule.

Strictly necessary cookies are required for basic website functionality such as authentication and security, and cannot be disabled. Functional cookies remember preferences; analytics cookies are aggregated and anonymized. Marketing cookies require explicit consent and can be managed through browser settings.

CraftOS supports integrations with Google, Microsoft, Slack, and others. We request the minimum necessary permissions following the principle of least privilege. You will see permission requests before granting access and can modify permissions at any time.

Types of Data Accessed

Data accessed depends on enabled integrations and authorized permissions and may include calendar events, email content and headers, contact information, document data, profile information, task lists, and messaging platform content.

How Third-Party Service Data Is Used

Data from connected services is used exclusively for enabled features. Our AI agents access and process your data solely to perform the specific tasks you initiate. We do NOT use such data for advertising, model training without consent, selling, unrelated profiling, or any independent purposes.

Sharing of Third-Party Service Data

Data is shared only when necessary: to LLM providers for processing requests, to cloud infrastructure providers under confidentiality agreements, or as required by law. We do NOT sell, rent, or share your third-party service data with advertisers or data brokers.

Storage and Protection

All third-party service data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 encryption. Role-based access controls limit personnel access; tokens are never logged in plain text.

Retention and Deletion

Data is retained only as long as necessary. Task-specific data is processed in memory; cached data purges within 24 hours. Tokens remain until revoked or 30 days after deletion. Integration activity logs are retained for 90 days.

You can delete data by disconnecting integrations, emailing info@craftos.net, or revoking access through third-party security settings. Deletion occurs within 30 days.

CraftBot uses a strict local-first architecture. When self-hosted, absolutely no data is stored on or transmitted to CraftOS servers.

ChromaDB vector databases, user profiles, agent configurations, and all customizations remain locally on your machine. Task instructions, agent actions, conversation history, and all LLM prompts and responses are processed either locally or sent directly to your chosen LLM provider.

There are no hidden data collection mechanisms, no telemetry that captures your usage patterns, and no analytics that monitor your behavior. Privacy is absolute — we cannot access data that never leaves your device.

CraftBot Live is our managed hosting service that runs CraftBot for you on CraftOS infrastructure. Unlike the self-hosted option, your instance state lives on our servers so that your agent stays online and accessible across devices.

When you use CraftBot Live we store the data needed to operate your instance, including: agent configurations and settings, ChromaDB vector databases, agent memory, conversation history, workspace files, and operational metadata such as CPU and bandwidth usage. All instance data is logically isolated per account, encrypted at rest using AES-256, and encrypted in transit using TLS 1.2 or higher.

Task instructions, prompts, and tool calls pass through CraftBot Live infrastructure on their way to a large language model. If you use bring-your-own-key (BYOK), prompts are forwarded directly to your chosen LLM provider under your own account. If you use a paid plan with a managed LLM, prompts are routed through our provider relationships under contractual confidentiality. In both cases CraftBot Live does not retain prompt or response content beyond what is required to execute the task and to surface conversation history back to you.

For operational reasons we may restart, migrate, snapshot, or update instances — for example to apply security patches, rebalance load, or recover from failure. Encrypted backups are taken for disaster recovery and are subject to the retention schedule in Section 5.

You can pause or delete your instance at any time from the dashboard. Deleting an instance permanently removes its workspace, agent memory, and conversation history from active systems within 24 hours; encrypted backups follow the disaster recovery retention window before secure destruction.

We primarily use information to provide, operate, maintain, and improve CraftBot Live and the broader CraftOS platform. This includes authenticating users, managing subscriptions, executing cloud AI tasks, and enabling third-party integrations.

We use contact information to respond to support requests and send service-related notices including security alerts and policy changes. With explicit consent we may send newsletters announcing new features. You can unsubscribe at any time.

Aggregated, de-identified usage data helps us identify improvement opportunities and prioritize development. Importantly, we do not use your personal data, task instructions, prompts, or agent outputs to train our own AI models without your explicit opt-in consent.

We use information to comply with laws, detect fraud and abuse, investigate security incidents, and enforce our Terms of Service.

Third-Party Service Data — Special Commitments: Use is strictly limited to features you enable. No advertising, no model training without consent, no selling, no sharing with data brokers. Data is shared only with LLM providers and essential service providers. You can revoke access at any time.

Trusted vendors assist with our operations. All service providers are carefully vetted and contractually bound to use your data only on our behalf. We do not sell or rent your data.

Cloud feature prompts are sent to your configured LLM provider. Each provider's privacy policy applies independently. Self-hosted CraftBot using a local LLM keeps processing entirely on your infrastructure.

Mergers, acquisitions, or asset sales may transfer information. You will receive notice before your data becomes subject to a different policy, with continued choice offered.

We may disclose information to law enforcement when legally required or to protect rights or safety. We disclose the minimum necessary information and will attempt to notify the user unless legally prohibited.

CraftOS does not sell, rent, lease, or broker your personal information to third parties for their independent commercial use. This commitment is absolute. Our business model is to provide valuable services, not to exploit data.