
Privacy Policy

Effective Date: March 15, 2026

This Privacy Policy describes how Pavel Pravdin ("Operator," "we," "us," or "our") collects, uses, and protects information in connection with the Patchcord cloud service available at patchcord.dev (the "Service"). Payments for the Service are processed by AICHE Technologies, Inc., a Delaware corporation.

This Privacy Policy applies only to the hosted cloud Service. The self-hosted open-source version of Patchcord, available under the MIT License, is not covered by this policy.


1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address — provided through Google or GitHub authentication via Supabase Auth
  • Basic profile data — name and avatar as provided by your authentication provider (Google or GitHub)

We do not collect or store passwords. Authentication is handled entirely through third-party OAuth providers.

1.2 Service Data

When you use the Service, we collect:

  • Agent names and namespace names — identifiers you create to organize your agents
  • Message content — text messages exchanged between your agents through Patchcord
  • File attachments — files uploaded and relayed between your agents
  • Bearer tokens — authentication tokens for connecting agents to the Service, stored as cryptographic hashes
  • OAuth tokens and client registrations — used to maintain MCP (Model Context Protocol) connections with platforms such as Claude, ChatGPT, and Gemini

1.3 Usage and Analytics Data

We use Google Analytics to collect anonymized usage data, including:

  • Pages visited and feature usage patterns
  • Browser type, device type, and operating system
  • Referring URLs and general geographic region
  • Session duration and interaction events

Google Analytics may set cookies on your device. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

1.4 Log and Technical Data

Our infrastructure providers may automatically collect:

  • IP addresses
  • Request timestamps and HTTP metadata
  • Error logs and performance data

2. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Service — delivering messages and attachments between your agents
  • Authenticate your identity — via Google or GitHub OAuth
  • Maintain MCP connections — storing OAuth tokens necessary to connect with third-party AI platforms
  • Improve the Service — analyzing usage patterns to identify issues and improve performance
  • Communicate with you — sending service announcements, product updates, and occasional marketing communications (you may opt out of marketing emails at any time)
  • Enforce our Terms of Service — detecting and preventing abuse, fraud, and unauthorized use
  • Comply with legal obligations — responding to lawful requests from authorities

We do not:

  • Sell, rent, or trade your personal information to third parties
  • Use your message content or attachments for AI model training
  • Perform analytics or profiling on the content of your messages
  • Display advertising or share data with ad networks

3. Message Content and Transport

Patchcord is a message transport layer. We relay messages between your agents and store them temporarily to enable asynchronous delivery.

  • Message content is encrypted at rest using AES-256-GCM encryption
  • Messages are automatically deleted after the applicable retention period (see Section 5)
  • We have technical access to message metadata (sender, recipient, timestamps, delivery status) but do not routinely inspect message content
  • Each user's data is completely isolated — there are no shared indexes, discovery features, or social functionality between users

4. Third-Party Services

We use the following third-party services to operate Patchcord:

| Provider | Purpose | Data Involved |
|---|---|---|
| Supabase (AWS us-east-1) | Database, authentication, file storage | Account data, messages, attachments, OAuth tokens |
| Hetzner | Application server hosting | Request/response data in transit |
| Cloudflare | DNS, CDN, DDoS protection | IP addresses, request metadata |
| Postmark | Transactional email delivery | Email addresses, email content |
| Google Analytics | Usage analytics | Anonymized usage and device data |
| Google | OAuth authentication provider | Email, name, avatar |
| GitHub | OAuth authentication provider | Email, name, avatar |

When you connect AI platforms (Claude, ChatGPT, Gemini) via MCP, OAuth tokens for those connections are stored in our database. We do not access your conversations, history, or files on those platforms — only MCP tool calls initiated by you pass through Patchcord.

Each third-party service is governed by its own privacy policy. We encourage you to review them.


5. Data Retention

| Data Type | Retention |
|---|---|
| Messages and attachments | Automatically deleted after 7 days (free tier). Paid plans may offer extended retention. |
| Account information | Retained while your account is active |
| OAuth and bearer tokens | Retained while your account is active; bearer tokens expire after 30 days |
| Analytics data | Subject to Google Analytics' own retention settings |
| Server logs | Retained for up to 90 days for operational purposes |

Automatic message cleanup is performed by a periodic background process. Deleted messages are hard-deleted from the database — they are not recoverable after deletion.


6. Data Security

We implement the following security measures:

  • Encryption at rest: Message content is encrypted using AES-256-GCM before storage
  • Encryption in transit: All connections to the Service use TLS/HTTPS
  • Token security: Bearer tokens are stored as SHA-256 hashes
  • User isolation: Each user's namespace and data are logically separated; no cross-user data access is possible
  • Infrastructure security: Hosted on Supabase (AWS) and Hetzner with industry-standard security controls

No system is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.


7. Account Deletion

You may request deletion of your account and all associated data by contacting us at [email protected].

Upon account deletion, we will remove:

  • Your account and authentication data
  • All namespaces you own
  • All agents registered under your namespaces
  • All messages and attachments in your namespaces
  • All bearer tokens and OAuth registrations associated with your account

Deletion is permanent and irreversible. Data subject to the automatic retention schedule (Section 5) may already have been deleted prior to your request.

We are working on self-service account deletion. Until it is available, deletion requests will be processed manually within a reasonable timeframe.


8. Your Rights

8.1 All Users

Regardless of your location, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your account and associated data (see Section 7)
  • Opt out of marketing communications at any time

To exercise any of these rights, contact us at [email protected].

8.2 European Economic Area (EEA) Residents

If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):

  • Lawful basis for processing: We process your data on the following bases:
    • Contract performance — to provide the Service you signed up for
    • Legitimate interests — to improve the Service, ensure security, and prevent abuse
    • Consent — for marketing communications and analytics cookies (which you may withdraw at any time)
  • Right to data portability — to receive your data in a structured, machine-readable format
  • Right to restrict processing — to limit how we use your data in certain circumstances
  • Right to object — to object to processing based on legitimate interests
  • Right to lodge a complaint — with your local data protection supervisory authority

We do not have a Data Protection Officer (DPO) at this time. For all GDPR-related inquiries, contact [email protected].

8.3 California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights. We do not sell personal information. You may contact us at [email protected] to exercise your rights under the CCPA.


9. International Data Transfers

The Service is hosted in the United States (AWS us-east-1 region via Supabase, Hetzner). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

For EEA users, we rely on Standard Contractual Clauses (SCCs) as adopted by our infrastructure providers to ensure adequate protection for international data transfers.


10. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.


11. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users by email within 72 hours of becoming aware of the breach
  • Notify relevant supervisory authorities as required by applicable law
  • Provide information about the nature of the breach, the data affected, and the steps we are taking to address it

To report a security vulnerability, contact [email protected].


12. Cookies

We use the following cookies:

| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication and session management | Duration of session |
| Google Analytics cookies | Usage analytics (see Section 1.3) | Up to 2 years |

We do not use advertising cookies or third-party tracking cookies beyond Google Analytics.


13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.


14. Contact Us

For privacy-related inquiries:

  • Email: [email protected]
  • Security issues: [email protected]
  • General support: [email protected]

Patchcord is operated by Pavel Pravdin. Payments are processed by AICHE Technologies, Inc., a Delaware corporation.
