Effective date: 2026-04-15
Molecule AI, Inc. ("Molecule AI", "we", "us") respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, and your rights under applicable data-protection laws including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
We collect the following categories of information:
**Account information.** Name, email address, and organisation name, provided when you sign up via WorkOS.
**Authentication metadata.** Session tokens, login timestamps, and IP address of the most recent session.
**Billing information.** Stripe customer ID and subscription status. We do not store credit card numbers — those are held by Stripe, Inc. under its PCI-compliant infrastructure.
**Tenant content.** Agent configurations, prompts, workspace memory, and A2A message logs that you create or upload via the Service.
**Operational telemetry.** Request logs (method, path, status, latency) and error reports, used for observability and incident response.
- To provide the Service and operate your tenant environment
- To authenticate you and authorise your requests
- To process billing and manage subscriptions
- To detect and respond to security incidents
- To communicate with you about service changes, billing, and support
We do not sell personal information. We do not use tenant content to train AI models.
The Service depends on the following sub-processors:
- **Fly.io** — container hosting for tenant instances
- **Neon** — isolated per-tenant Postgres branches
- **Upstash** — shared Redis with per-tenant key prefix
- **WorkOS** — identity and single sign-on
- **Stripe** — billing and payment processing
- **Anthropic and OpenAI** — LLM inference (only when you actively deploy an agent that calls them)
- **Sentry** — error monitoring and alerting
- **Grafana Labs** — metrics aggregation and dashboards
- **Vercel** — hosting for customer-facing canvas UI
- **Cloudflare** — DNS and CDN
Each sub-processor has its own privacy policy and data-handling terms. See the Data Processing Agreement (DPA) for contractual details.
Tenant content is retained for the lifetime of the tenant. Upon deletion of the tenant, content is removed within 30 days subject to the data-export window. Operational telemetry (logs, metrics, traces) is retained for 90 days.
Billing records are retained for 7 years as required by US tax law.
Tenant secrets (database connection strings, API keys) are encrypted at rest using AES-256-GCM with envelope encryption via AWS KMS. Data in transit is encrypted with TLS 1.2 or higher.
Under GDPR, if you are located in the European Economic Area, you have the right to:
- **Access** the personal information we hold about you
- **Rectify** inaccurate information
- **Erase** your information (subject to legal retention obligations)
- **Restrict** or **object** to certain processing
- **Portability** — export your data in a machine-readable format
- **Complain** to your local data-protection authority
Similar rights apply to California residents under CCPA.
To exercise any of these rights, contact privacy@moleculesai.app. We will respond within 30 days.
Tenant data is stored in the region you select at signup. For EU customers, we default to EU-region infrastructure and apply the EU Standard Contractual Clauses for any transfer outside the EEA.
We use strictly necessary cookies to manage your session. We do not use analytics or advertising cookies. Session cookies are set with `SameSite=Lax` and `Secure` flags.
The Service is not directed at children under 16. We do not knowingly collect information from children. If we become aware that a child's information has been submitted, we will delete it.
We may update this Privacy Policy from time to time. Material changes will be announced in the Service and via email at least 30 days before they take effect.
Data protection officer: privacy@moleculesai.app