Privacy Policy

This Privacy Policy explains what personal information RWX-TEK INC ("Jettson", "we") collects when you use jettson.dev and the Jettson Service, how we use it, who we share it with, and the rights you have over it. This policy applies to all users worldwide and includes specific provisions for the EU, UK, California, Nevada, and other jurisdictions where required.

1. Scope and definitions

This policy covers our processing of personal data when you visit jettson.dev, create an account, use the Service, or contact us. "Personal data" means information that identifies you or could reasonably be linked to you.

When you use Jettson to run agents on behalf of your own users, we generally process that data as a processor on your behalf; you are the controller. The terms of that relationship are covered by the Data Processing Agreement.

2. What we collect

Account data — name, email, hashed password, profile photo if provided, organization, billing address.

Billing data — payment method tokens, transaction history, invoice records, tax identifiers. Card numbers are stored by Stripe; we never see them in full.

Usage data — API calls, agent invocations, agent durations, memory writes, console actions, plan tier, quota consumption. We use this for billing, monitoring, abuse detection, and product improvement.

Agent execution data — the prompts you submit, the memory you store, the outputs your agents produce, files written to agent workspaces during a run. This is your Content and is your data.

Technical / device data — IP address, user-agent, referrer, language preference, approximate location derived from IP, device fingerprint signals used for fraud prevention.

Communications — emails you send to us, support tickets, feedback surveys.

Cookies and similar technologies — see the Cookie Policy for details.

Consent metadata — when you accept the Terms or the cookie banner, we record the timestamp, IP, the policy version accepted, and your choices for marketing and cookie categories.

We do not intentionally collect special categories of personal data (race, religion, health, biometrics, sexual orientation, etc.) and the Acceptable Use Policy prohibits using the Service to process such data without specific prior written approval.

3. How we collect it

• Directly from you — when you sign up, fill in your profile, configure billing, or submit Content.
• Automatically — through cookies, server logs, and product telemetry generated while you use the Service.
• From third parties — Stripe (payment status), Google (if you sign in with Google), and our infrastructure providers (technical metadata about service usage).

4. Why we process it and the legal basis

| Purpose | Legal basis (GDPR / UK GDPR) | | --- | --- | | Create and operate your Account | Contract | | Run agents and store your memory | Contract | | Process payments | Contract; legal obligation | | Send service emails (verifications, security alerts, billing notices) | Contract; legitimate interest in operating the Service | | Send product updates and marketing | Consent (opt-in at signup or settings) | | Detect fraud, abuse, and security incidents | Legitimate interest in protecting the Service | | Improve and develop new features | Legitimate interest | | Comply with law and respond to legal process | Legal obligation |

For California residents and other CCPA-covered users, equivalent purposes and rights are described in Section 9 below.

5. Who we share it with

We share personal data with the following categories of recipients:

• Sub-processors — third-party service providers we use to deliver the Service. The current list is at /sub-processors.
• Payment processor — Stripe processes payments; see Stripe's privacy policy.
• Authentication provider — Firebase Authentication / Google for sign-in and Account security.
• AI inference providers — Anthropic and OpenAI process the prompts and contexts sent through their APIs to power agent reasoning. They are contractually restricted from training on data routed through our API path.
• Compute / hosting providers — Vercel (web), Fly.io (agent containers), Google Cloud (Firestore database).
• Email delivery provider — for transactional and (with consent) marketing email.
• Professional advisors — auditors, lawyers, accountants, where reasonably necessary and under confidentiality.
• Law enforcement / regulators — where required by valid legal process or to protect rights, safety, or property.
• Acquirers — in the event of a merger, acquisition, or asset sale, your data may be transferred subject to this policy.

We do not sell your personal data and we do not share it for cross-context behavioral advertising as defined under the CCPA.

6. International transfers

Jettson operates from the United States. If you access the Service from the EU, UK, Switzerland, or elsewhere, your data will be transferred to and processed in the United States. Where required, we rely on the EU Standard Contractual Clauses (SCCs) and equivalent safeguards in our agreements with sub-processors. You can request a copy of the SCCs by emailing customertek@rwxtek.com.

7. How long we keep it

| Category | Retention | | --- | --- | | Active Account data | Life of the Account | | Account data after deletion | Up to 90 days (grace period for accidental deletion), then hard-deleted | | Billing and tax records | 7 years (legal obligation) | | Agent execution logs | 90 days | | Memory (long-term store) | Until you delete it or close the Account | | Security and abuse logs | Up to 24 months | | Marketing communications data | Until consent is withdrawn | | Consent records | 7 years (proof of consent obligation) |

8. Your rights (GDPR / UK GDPR)

If you are in the EU, UK, or another jurisdiction granting equivalent rights, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Correct — ask us to fix inaccurate data.
• Delete — request erasure ("right to be forgotten"), subject to retention required by law.
• Portability — receive your data in a structured, machine-readable format.
• Restrict — ask us to limit our processing.
• Object — object to processing based on legitimate interest, including direct marketing.
• Withdraw consent — at any time, where processing is based on consent.
• Lodge a complaint — with your local data protection authority. We would appreciate a chance to address concerns first.

To exercise any right, email customertek@rwxtek.com. We will respond within thirty (30) days. We may ask you to verify your identity before completing the request.

9. California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, the sources, the purposes, and the categories of recipients.
• Delete your personal information, subject to legal exceptions.
• Correct inaccurate personal information.
• Opt out of the "sale" or "sharing" of personal information. Jettson does not sell or share personal information as those terms are defined under California law. We honor the Global Privacy Control (GPC) signal as an opt-out preference signal.
• Limit use of sensitive personal information — we do not use sensitive personal information for purposes outside those permitted by CCPA without your consent.
• Non-discrimination — we will not discriminate against you for exercising any of these rights.

Categories of personal information collected in the last 12 months map to the categories enumerated above in Section 2: identifiers, customer records, commercial information, internet/network activity, geolocation (approximate, IP-derived), and professional information. We share these categories only with the recipient categories in Section 5.

To exercise California rights, email customertek@rwxtek.com with subject "CCPA Request."

California Shine the Light. California residents may once per year request information about disclosures of personal information to third parties for direct marketing. We do not currently disclose personal information for third-party direct marketing.

10. Nevada residents

Nevada residents may opt out of the future sale of covered personal information by emailing customertek@rwxtek.com with subject "Nevada Opt-Out." We do not currently sell personal information.

11. Do Not Track

Some browsers send a "Do Not Track" (DNT) signal. There is no industry consensus on how to interpret DNT, so we do not change behavior based on DNT alone. However, we do honor the Global Privacy Control (GPC) signal as a CCPA opt-out preference signal where applicable.

12. Security

We use industry-standard safeguards including TLS in transit, encryption at rest at the storage layer, hashed credentials, least-privilege access controls, audit logging, and regular review of sub-processors. See the Security Overview for details and an honest disclosure of what we have not yet certified.

No system is fully secure. You are responsible for keeping your API keys and passwords confidential. Promptly report suspected breaches to customertek@rwxtek.com.

13. Children's privacy

The Service is not intended for users under 18. We do not knowingly collect data from anyone under 13. If we learn we have collected data from a child under 13, we will delete it and terminate the Account. If you believe we have collected data from a child, contact customertek@rwxtek.com.

14. Marketing communications

We send transactional emails (account, billing, security) regardless of marketing preference. Marketing emails are sent only with your opt-in consent, captured at signup or in settings, and you can unsubscribe at any time via the link in every email or by emailing customertek@rwxtek.com.

15. Automated decision-making

We do not make decisions that produce legal or similarly significant effects on you using solely automated means, except for routine fraud and abuse detection where humans review escalations.

16. Changes to this policy

We may update this policy. Material changes will be announced by email to the Account email and posted here with a new "Last updated" date. If you do not agree to the changes, you must stop using the Service and may close your Account.

17. Contact

For privacy questions or rights requests, email customertek@rwxtek.com.