1. Introduction
This Privacy Policy explains how Graphe ("Graphe," "we," "us") collects, uses, shares, and protects personal information when you visit https://www.graphe.cloud, use Graphe Cloud (the console, APIs, SDKs, CLI, and MCP server), or otherwise interact with us.
We build infrastructure for developer AI agent observability. We process data you send about your projects and agents to provide the Service—not to sell your data or use it for unrelated advertising.
2. Roles and scope
For account and billing information, Graphe is the data controller.
For Customer Data you submit through the API (events, runs, claims, embeddings, and related metadata), you are the controller of that content and Graphe acts as a processor, processing it on your instructions to deliver the Service.
If you need a data processing agreement (DPA) for enterprise use, use our contact form (https://www.graphe.cloud/contact), topic "Legal / DPA".
3. Information we collect
Account and identity
- Email address, display name, and authentication identifiers from Supabase Auth
- OAuth profile information when you sign in with Google or GitHub (as permitted by those providers)
- Workspace, project, and actor identifiers created for your account
Service and usage data
- Agent and human activity events, run metadata, observations, claims, and state you ingest
- API keys (stored as hashes; full keys are shown only once at creation)
- Search queries, console actions, and feature usage needed to operate and improve the Service
Technical and security data
- IP address, browser type, device information, and request logs
- Cookies and similar technologies for authentication and session management
- Error reports and performance metrics from our hosting providers
Billing
If you subscribe to a paid plan, payment details are processed by Stripe. We receive limited billing metadata (such as customer ID, plan, and payment status), not full card numbers.
4. How we use information
We use personal information to:
- Provide, secure, and maintain the Service
- Authenticate users and authorize API access
- Provision workspaces, projects, API keys, and console sessions
- Detect abuse, fraud, and security incidents
- Communicate about the Service, incidents, and material policy changes
- Comply with legal obligations and enforce our Terms
- Improve reliability and develop features (using aggregated or de-identified data where practical)
5. Legal bases (EEA/UK)
Where GDPR or UK GDPR applies, we rely on: (a) contract—to deliver the Service you requested; (b) legitimate interests—to secure and improve the Service, prevent abuse, and communicate with customers; (c) consent—where required for optional communications or cookies; and (d) legal obligation—where we must retain or disclose data by law.
You may object to certain processing or request restriction where applicable. Use our contact form (https://www.graphe.cloud/contact), topic "Privacy / data request".
7. Data retention
We retain account data while your account is active and for a reasonable period afterward to comply with law, resolve disputes, and enforce agreements.
Customer Data (events and derived state) is retained according to your plan and operational needs unless you delete it or request deletion, subject to backup and legal hold periods.
Logs and security records may be kept for a shorter or longer period as needed for security and compliance.
8. Security
We implement administrative, technical, and organizational measures appropriate to the nature of the data, including encryption in transit (TLS), hashed API keys, scoped workspace access, and secrets management for production environments.
No method of transmission or storage is completely secure. You are responsible for securing API keys and agent integrations in your environment.
9. Your rights and choices
Depending on your location, you may have rights to access, correct, delete, export, or restrict processing of your personal information, and to withdraw consent where processing is consent-based.
To exercise rights, submit a request via our contact form (https://www.graphe.cloud/contact), topic "Privacy / data request". We may verify your request. You may also use provider controls for OAuth-linked accounts.
California residents may have additional rights under the CCPA/CPRA. We do not sell personal information as defined by those laws.
10. International transfers
We may process data in the United States and other countries where our providers operate. Where required, we use appropriate safeguards such as standard contractual clauses for transfers from the EEA/UK.
11. Children
The Service is intended for developers and business users. It is not directed to children under 16, and we do not knowingly collect their personal information.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the effective date. Material changes may be notified by email or in-product notice.
13. Contact us
Privacy inquiries, data requests, and account deletion: https://www.graphe.cloud/contact (topic "Privacy / data request")
Legal and DPAs: https://www.graphe.cloud/contact (topic "Legal / DPA")
Product support: https://www.graphe.cloud/contact (topic "Product support")