Privacy
Draft. The final policy will be reviewed by counsel before public launch. Until then, here’s the operational truth — what we collect, where it lives, and who can see it. Substantive changes will be tracked in this document.
What we collect
- Account. Email + Google profile (name + avatar) when you sign in. Stored in our control-plane database (Neon Postgres, US region).
- Billing. Stripe holds your card; we hold a Stripe customer ID, subscription state, and trial end date. We never see card numbers.
- VM contents. Anything you type, paste, or sync into your private Firecracker microVM (Fly.io) — including OAuth refresh tokens for integrations you connect (Google, GitHub, Discord). These live on a per-user encrypted volume that only you and Fly’s management plane can read.
- Audit log. Significant actions on your account (signup, billing changes, support sessions, OAuth refreshes) are recorded with IP + user-agent. Sensitive values are pattern-redacted before write.
What we don’t collect
- Your refresh tokens. The OAuth broker exchanges tokens during consent and relays them straight to your VM. We never persist them on the control plane. When tokens expire, your VM POSTs the refresh request back to us; we hit the provider with your refresh_token and our broker secret, return the new tokens, and drop both from memory.
- Your conversations with Claude. Those go through Anthropic’s API directly (or via the broker if you chose that mode at signup). We don’t mirror them.
- Behavioral analytics on the cloud-shell SPA. No PostHog, no GA, no session replay.
Who can see what
Operator access to your VM is gated through Fly’s hallpass (the management SSH path) plus an audit-logged support flow that requires a ticket reference and an explicit time window. Routine reads of your VM contents do not happen.
Deletion + export
Email privacy@askrobin.io. We will export your VM’s user-data as an age-encrypted tarball (the same artifact robin export-for-cloud produces) within 7 days, and destroy the machine + volume + control-plane records within 30 days unless you ask us to wait.
Subprocessors
- Vercel (control plane hosting + edge)
- Neon (Postgres)
- Fly.io (per-user microVMs)
- Stripe (billing)
- Resend (transactional email)
- Anthropic (LLM, in API mode)
- Postmark (inbound email parsing)
- Cloudflare (DNS + R2 for snapshots)
Questions: privacy@askrobin.io.