Privacy Policy
Last updated: March 27, 2026
1. Information We Collect
We collect information in the following categories when you use the FixedCostAgents platform (operated by FixedCostAgents.com, LLC):
1.1 Account Information
When you create an account, we collect your name, email address, and payment information (processed and stored by Stripe; we do not store full payment card numbers). Pro tier accounts may include additional portal user information for team members (name, email, role assignment).
1.2 Customer Data
“Customer Data” refers to all data you create, upload, or transmit through the Service, including: conversation logs between your assistants and messaging platforms, assistant configurations and skill settings, knowledge base content, automation workflows and schedules, and webhook payloads. Customer Data belongs to you (see Section 6).
1.3 BYOK Credentials
If you provide API keys for third-party services (LLM providers, messaging platforms, productivity integrations), these are encrypted and stored securely. We store the encrypted credential; we never log, inspect, or access the plaintext value except to inject it into your container at runtime. We never use your BYOK credentials for any purpose other than to provide them, as you direct, to enable third-party services on your behalf.
1.4 Usage and Operational Data
We collect operational telemetry for platform management and capacity planning, including: inference token counts (prompt and completion), API call volumes, container resource utilization (CPU, memory), storage consumption, webhook message volumes, and error/performance metrics. This data is used for internal analytics, abuse detection, and capacity planning only. It is not used for customer-facing billing (all tiers are fixed monthly pricing).
1.5 Log Data
Our platform generates operational logs including container lifecycle events, authentication attempts, API request metadata (timestamps, status codes, request paths), and infrastructure health data. Logs are retained for 90 days in hot storage and archived to cold storage for compliance purposes.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Operate your AI assistant containers, route messages, execute webhooks, serve inference requests, and maintain your configuration
- Manage your account: Process payments via Stripe, send billing notifications, manage subscription lifecycle, and authenticate portal access
- Maintain security: Detect and prevent abuse, unauthorized access, and terms violations; enforce rate limits; monitor container behavior for anomalies
- Improve the platform: Analyze aggregate, anonymized usage patterns for capacity planning, infrastructure optimization, and feature development
- Communicate with you: Send transactional emails (billing lifecycle, security alerts, operational notices), respond to support requests, and provide service announcements
- Comply with legal obligations: Respond to lawful requests from law enforcement or regulatory authorities, and maintain records as required by applicable law
We do not use your Customer Data to train AI models. We do not sell, rent, or share your Customer Data with third parties for their own purposes. We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA). Your inference requests (prompts and responses) are processed by our enterprise inference partners (see Section 5, Sub-processors) to provide AI capabilities. These partners are contractually prohibited from storing, logging, or using your prompts and responses for any purpose including model training. No inference data is retained by our inference partners after processing. If you require that inference data never leave our infrastructure, the Dedicated Inference add-on (Pro tier) provides fully on-premises processing on isolated GPU hardware within your private network environment.
2.1 Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA) and the United Kingdom, we process personal data on the following legal bases under the General Data Protection Regulation (GDPR):
| Processing Activity | Legal Basis |
|---|---|
| Account information (name, email) | Contractual necessity (Art. 6(1)(b)) |
| Payment processing | Contractual necessity (Art. 6(1)(b)) |
| Agent conversations and customer data | Contractual necessity (Art. 6(1)(b)) |
| Usage analytics and capacity planning | Legitimate interest (Art. 6(1)(f)) |
| Security monitoring and abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance and law enforcement | Legal obligation (Art. 6(1)(c)) |
You may withdraw consent for marketing communications at any time by contacting privacy@fixedcostagents.com. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
3. Data Storage and Security
Your data is stored on AWS infrastructure in the us-east-1 (N. Virginia) region. We employ multiple layers of security:
- Encryption at rest: All data is encrypted at rest using dedicated encryption infrastructure. Standard and Premium tiers use a shared encryption key. Pro tier customers receive a dedicated encryption key, providing cryptographic isolation from all other customers.
- Encryption in transit: All data transmitted between your devices and our platform, and between internal services, is protected with TLS 1.2 or higher.
- Container isolation: Each customer's assistant runs in a hardened container with read-only root filesystem, seccomp profiles, and network-level isolation. Pro tier customers receive dedicated compute instances with their own VPC subnet and network access control lists (NACLs).
- Egress filtering: A proxy service restricts each container to communicating only with approved external endpoints. Unauthorized outbound connections are denied by default.
- Secrets management: BYOK credentials are encrypted at rest and stored securely. Credentials are injected at runtime, never stored in plaintext, and never visible in logs or environment variable listings.
- Backup: Hourly EFS snapshots provide a Recovery Point Objective (RPO) of 1 hour. Recovery Time Objective (RTO) is 4 hours for containers.
For more details on our security posture, see our Security Architecture page.
4. Data Retention and Deletion
Active accounts: Customer Data is retained for the duration of your subscription and is available for self-service export at any time.
After cancellation: Your data is preserved for 30 days following the end of your paid period. During this window, you may still export your data by contacting support.
Permanent deletion: After the 30-day retention period, all Customer Data is permanently deleted. The specific deletion process includes:
- Container configurations and task definitions removed
- Persistent storage volumes and data deleted
- Stored credentials and secrets force-deleted
- For Pro tier: dedicated encryption key scheduled for destruction, rendering all encrypted data unrecoverable after a mandatory waiting period
- Operational logs purged
- Account records removed from the customer inventory
- Authentication entries deleted
For Pro tier accounts, destruction of the dedicated encryption key renders all previously encrypted data cryptographically irrecoverable, regardless of whether individual data objects have been deleted from storage. Backup snapshots containing deleted data are overwritten through the normal 7-day rolling rotation cycle and are not actively restored after deletion is completed.
Retention periods by data category:
| Data Category | Retention Period |
|---|---|
| Account information (name, email) | Duration of subscription + 30 days |
| Customer Data (conversations, configs, knowledge base) | Duration of subscription + 30 days |
| BYOK credentials (encrypted) | Duration of subscription + 30 days |
| Payment records (held by Stripe) | Per Stripe's retention policy and applicable tax law |
| Operational logs (hot storage) | 90 days |
| Archived logs (cold storage) | Up to 3 years for compliance and security audit purposes |
| Usage and operational telemetry (aggregated) | Up to 2 years (anonymized and aggregated) |
Payment failure accounts: Accounts suspended due to payment failure follow the same timeline: configuration preserved during the 30-day grace period, then deletion if no payment is received.
5. Sub-processors
We use the following third-party service providers (“sub-processors”) to operate the platform:
| Provider | Purpose | Data Processed |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, encryption, secrets management | All Customer Data, operational logs, encrypted credentials |
| Stripe | Payment processing, subscription management, invoicing | Account email, payment method, subscription details, invoice history |
| OpenRouter | AI inference routing — processes inference requests (prompts and responses) on behalf of FixedCostAgents | Inference request content (prompts and responses), transmitted encrypted in transit (TLS 1.2+). No data retained after processing. Not used for model training. |
| Cloudflare | WebChat tunneling (Cloudflare Tunnel for Premium/Pro) | WebChat session traffic (encrypted in transit) |
| BetterStack | Status page, uptime monitoring, on-call alerting | Service health metrics, endpoint availability data |
If you use BYOK credentials to connect to third-party LLM providers or messaging platforms, your data also flows to those providers under their respective privacy policies. FixedCostAgents acts as a pass-through and does not control how those providers process your data. Pro tier customers with the Dedicated Inference add-on bypass all third-party inference providers — inference requests are processed entirely on isolated GPU hardware within their private network environment on our AWS infrastructure.
We will notify you by email before adding any new sub-processors that handle Customer Data, providing at least 30 days' notice before the change takes effect. If you object to a new sub-processor, you may cancel your subscription.
6. Data Portability and Export
You own all your data. We provide comprehensive self-service data export through the customer portal at any time during your subscription. Exports are delivered in standard JSON/ZIP format and include:
- Conversation logs and message history
- Assistant configurations and skill settings
- Knowledge base content
- Automation workflows and schedule definitions
- Secrets metadata (names and descriptions, not the encrypted values themselves, which must be re-entered in any new environment)
Because FixedCostAgents is built on the open-source OpenClaw runtime, your exported configuration is portable to any compatible OpenClaw environment. There is no vendor lock-in at the runtime level.
Pro tier customers additionally have access to a compliance data export webhook endpoint for automated export of audit logs, usage reports, and security events.
For Customer Data, we process data on your behalf (we are the data processor; you are the data controller). For account information, usage data, and operational telemetry, we are the data controller.
7. Your Rights Under GDPR and European Privacy Laws
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with similar data protection laws, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate personal data
- Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to data portability: Receive your data in a structured, machine-readable format (available via self-service export)
- Right to restrict processing: Request that we limit how we process your data
- Right to object: Object to certain types of processing, including direct marketing
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at support@fixedcostagents.com. We will respond within 30 days. Our Data Processing Agreement (DPA) applies automatically to all customers located in the EEA/UK or who process personal data of EEA/UK residents, regardless of tier. It is incorporated by reference into the Terms of Service. A copy is available upon request at privacy@fixedcostagents.com.
You also have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.
8. Your Privacy Rights Under California Law (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information. This section supplements the rest of this Privacy Policy.
8.1 Categories of Personal Information We Collect
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Name, email address, account ID, IP address
- Commercial information: Subscription tier, billing history, add-on purchases
- Internet or electronic network activity: API request logs, authentication events, portal usage patterns
- Professional or employment-related information: Company name and role (if provided during signup)
Sources: We collect personal information directly from you (account creation, portal usage, support requests) and automatically from your use of the Service (log data, usage telemetry).
8.2 We Do Not Sell or Share Your Personal Information
We do not sell your personal information as defined under the CCPA. We do not share your personal information for cross-context behavioral advertising purposes as defined under the CPRA. We have not sold or shared personal information in the preceding 12 months.
8.3 Sensitive Personal Information
We do not intentionally collect sensitive personal information as defined by the CPRA (such as Social Security numbers, precise geolocation, racial or ethnic origin, or biometric data). If you transmit sensitive personal information through your assistants as part of your Customer Data, that data is stored encrypted and is not accessed or processed by us for any purpose other than hosting it on your behalf.
8.4 Your California Privacy Rights
As a California resident, you have the following rights:
- Right to know: Request the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purposes for collecting it, and the categories of third parties with whom we share it
- Right to delete: Request deletion of your personal information (subject to certain exceptions under the CCPA)
- Right to correct: Request correction of inaccurate personal information
- Right to opt-out of sale/sharing: We do not sell or share your personal information, so no opt-out is necessary. If this changes, we will provide a “Do Not Sell or Share My Personal Information” link.
- Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you the Service, charge you different prices, or provide a different level of quality because you exercised a privacy right.
To exercise your California privacy rights, contact us at support@fixedcostagents.com with the subject line “California Privacy Request.” We will verify your identity and respond within 45 days (with a possible 45-day extension if needed). You may also designate an authorized agent to submit requests on your behalf.
9. Other U.S. State Privacy Rights
Residents of other U.S. states with consumer privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have similar rights to access, delete, and correct their personal information, and to opt out of the sale of personal information and targeted advertising. We do not sell personal information or engage in targeted advertising as defined under these laws.
Nevada residents: Under Nevada Revised Statutes Chapter 603A, Nevada residents may opt out of the sale of certain “covered information.” We do not sell covered information as defined under Nevada law. To submit an opt-out request, contact us at support@fixedcostagents.com.
To exercise any state privacy rights, contact us at support@fixedcostagents.com with the subject line “State Privacy Request” and include your state of residence. We will respond within the timeframe required by your state's law.
11. Children's Privacy
The Service is not directed to children under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child under 18, please contact us at support@fixedcostagents.com and we will promptly delete such information.
12. International Data Transfers
Your data is processed and stored in the United States (AWS us-east-1, N. Virginia). If you are located outside the United States, your data will be transferred to, stored, and processed in the United States.
For transfers from the EEA or UK, we rely on the EU-U.S. Data Privacy Framework (DPF) where applicable, Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally recognized transfer mechanisms as appropriate. Our AWS infrastructure provider participates in relevant data protection frameworks.
We are evaluating an EU region deployment option (likely eu-west-1, Ireland) for customers with strict data residency requirements. This will be offered as a configuration option when available.
13. Data Breach Notification
In the event of a data breach that affects your personal data or Customer Data, we will:
- Notify affected customers by email within 72 hours of confirming the breach, consistent with GDPR Article 33 requirements and applicable state data breach notification laws (including California Civil Code § 1798.82)
- Provide details of the breach including: a description of the incident, the types of data involved, the approximate number of affected individuals, the likely consequences, and the measures taken or proposed to address and mitigate the breach
- Post updates on our status page at status.fixedcostagents.com
- Cooperate with applicable regulatory authorities as required by law
- Provide notice to the California Attorney General if the breach affects more than 500 California residents, as required by California law
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting a notice in the customer portal at least 30 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
15. Warrant Canary
As of March 27, 2026, FixedCostAgents.com, LLC has:
- Not received any National Security Letters (NSLs) or orders issued under the Foreign Intelligence Surveillance Act (FISA)
- Not received any gag orders preventing disclosure of government data requests
- Not been required to provide any backdoor, secret key, or other covert access to customer data or encryption systems
- Not received any classified requests for customer information from any government agency
This warrant canary is updated quarterly. If this section is removed or not updated for more than 120 days, users should assume that one or more of the above statements is no longer true. We publish this notice because gag orders may prohibit affirmative disclosure, but courts have generally recognized the legality of removing a previously published canary.
Last verified: March 27, 2026
16. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us:
Email: support@fixedcostagents.com
Data Protection Inquiries: support@fixedcostagents.com (subject line: “Data Protection Request”)
Mailing Address: FixedCostAgents.com, LLC — 2840 Adams Ave Ste 101, San Diego, CA 92116, USA