Privacy Policy

1. Who We Are

Noomachy is an AI agent platform that lets you create personal AI assistants with sovereign memory and tool use. This Privacy Policy explains what data we collect, how we use it, and your rights over it.

2. Information We Collect

2.1 Account Information

• Email address
• Display name (optional)
• Profile photo (optional, from Google/GitHub OAuth)
• Onboarding preferences (use case, experience level, etc.)

2.2 Conversation Data

• Messages you send to AI agents
• Responses generated by AI models
• Tool invocations and their results
• Conversation metadata (timestamps, message counts)

2.3 Memory Data

• Working memory (current session context, expires after 24 hours)
• Semantic memory (long-term facts, you control)
• Episodic memory (logs of past tasks and outcomes)

2.4 Usage Telemetry

• API token consumption (for billing)
• Tool usage patterns (for the behavior learning system)
• Audit logs (for security and debugging)

We do not collect: phone number, physical address, payment card details (we use a third-party processor), or location data unless you explicitly share it in a conversation.

3. How We Use Your Data

• Provide the Service. We process your messages to generate AI responses.
• Personalize. We use your memory to make future responses smarter and more relevant.
• Improve. We use anonymized aggregate metrics to improve the platform.
• Bill. We track API usage to bill paid plans accurately.
• Secure. We log security events to detect and prevent abuse.

We do NOTuse your conversations or memories to train AI models of any kind, ours or third parties'.

4. Third-Party Processors

When you use Noomachy, your prompts are forwarded to AI model providers to generate responses. These providers process your data under their own terms:

• Anthropic (Claude) — model inference; privacy policy
• Google Cloud (Gemini, Firebase, Vertex AI) — model inference, hosting, storage; privacy policy
• Stripe — payment processing for paid plans; privacy policy

For Anthropic and Google, we use the API tier which contractually prohibits training on customer data.

5. Sovereign Memory

Noomachy is built on a “sovereign memory” model: every fact your agent learns is stored in your account, scoped to your user ID, isolated by Firestore security rules. Other users cannot access your memories. We cannot read them either, except as necessary to deliver the Service.

Read more: Sovereign Memory: Why AI Agents Need Their Own Brain

6. Local-First Integrations

When you use the Noomachy desktop app to connect local Mac apps (Mail, Notes, Calendar, etc.), your local data never leaves your computer except as specific responses returned to your AI agent. We do not store copies of your emails, notes, calendar events, or files.

7. Data Retention

We retain data as long as your account is active. Specifically:

• Working memory expires after 24 hours of inactivity
• Semantic memory persists until you delete it
• Episodic memory is append-only; you can delete the entire log via account deletion
• Audit logs are retained for 90 days

When you delete your account, all data is removed from our systems within 30 days, except where retention is required by law.

8. Your Rights

You have the right to:

• Access — view all your data through the Memory Explorer and Settings page
• Export — download your conversations and memories in JSON format
• Delete — remove individual memories, agents, or your entire account
• Portability — take your data to another platform via export

EU residents have additional rights under GDPR (right to rectification, right to object, right to lodge a complaint with a supervisory authority). Contact us at hello@kodefoundry.com to exercise any of these rights.

9. Cookies and Tracking

We use Firebase Auth cookies for session management. We do not use third-party advertising cookies, retargeting pixels, or behavioral tracking. We use minimal analytics (Firebase Analytics) for aggregate usage metrics; you can opt out in Settings.

10. Security

We take security seriously. Our measures include:

• All data encrypted in transit (TLS) and at rest
• Multi-tenant isolation enforced at the database level via Firestore security rules
• API keys stored as encrypted Google Cloud Secrets, never exposed to clients
• Tamper-proof audit logs for sensitive actions
• Sandboxed code execution (isolated-vm) for AI tool calls
• Regular security reviews and dependency audits

No system is 100% secure. If you discover a vulnerability, please report it to hello@kodefoundry.com.

11. Children's Privacy

Noomachy is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have collected such data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email or in-app notification at least 30 days before they take effect.

13. Contact Us

Questions about privacy? Email hello@kodefoundry.com.