Privacy Policy — Ex-Machina

Effective date: 2026-03-07

Controller: Bittoku KK, Japan

1. What We Collect

When you use Ex-Machina, we collect:

Email address — for account authentication and support
Password — stored as a bcrypt hash (never in plaintext)
Platform identifiers — Telegram user ID and/or Discord user ID if you connect those channels
Conversation content — messages you send to your AI agent, used to generate responses and build your agent's memory
Usage statistics — message counts and token usage, used for billing and rate limiting
Billing information — processed and stored by Stripe; we retain only a Stripe customer reference ID

2. How We Use It

Provide and operate the AI agent service
Process subscription billing and enforce usage limits
Respond to support requests
Detect and prevent abuse
Comply with legal obligations

We do not sell your data, use it for advertising, or share it with third parties beyond what is described in this policy.

3. Third-Party Processors

We share data with the following sub-processors to operate the service:

Processor	Purpose	Location	Notes
Anthropic	AI conversation processing	US	30-day retention; no model training on API data; DPA available
Stripe	Subscription billing	US	PCI DSS Level 1 compliant
Plausible Analytics	Website analytics	EU (Germany)	Cookieless; no personal data collected; GDPR compliant
Cloudflare	CDN, DDoS protection, tunnel	US	Does not store user content; transit only
Hetzner	Server hosting	US (Ashburn VA)	GDPR compliant; data encrypted at rest (LUKS full-disk)

4. Data Retention

Data Type	Active Account	After Cancellation	After Deletion Request
Account data	Kept	30 days → archived	7-day grace → purged
Agent memory & workspace	Kept	30 days → archived	7-day grace → purged
Conversation logs	Per-tier retention	30 days → deleted	Immediate delete
Stripe billing records	Kept	Stripe policy applies	Anonymised by Stripe
Encrypted backups	30-day rotation	Naturally expires	Cannot selectively purge; expires ≤ 30 days

5. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access & portability — download all your data as a ZIP from your account settings
Deletion — request account deletion from the dashboard; data is purged within 7 days
Correction — update your email or account details via settings
Objection — email us at [email protected]

6. Security Measures

Your conversations and agent memories are encrypted at rest. Nobody — not even Ex-Machina staff — can read your private data.

Conversations & agent memory — encrypted at the database level with AES-256-GCM before storage
Agent workspaces — stored on a LUKS full-disk encrypted partition; files are unreadable without the key
PII (email, platform IDs) — encrypted at rest with AES-256-GCM
Passwords — hashed with bcrypt, never stored in plaintext
Backups — encrypted with age before leaving the server; decryption key stored offline
In transit — TLS 1.3 via Cloudflare on all connections
Workspace isolation — per-user directories with strict Unix permissions (0700)

7. International Data Transfers

Our servers are located in the US (Hetzner, Ashburn VA). AI processing is performed by Anthropic (US). If you are in the EU, these transfers are covered by Standard Contractual Clauses (SCCs) entered into with Anthropic, Stripe, and Hetzner.

Bittoku KK is a Japanese entity subject to APPI. For users in Japan, we notify you that your data is transferred to the US for processing (APPI Article 24).

8. Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users by email within 72 hours of discovery, and notify applicable regulatory authorities as required by law (GDPR Art. 33, APPI).

9. Cookies

We use one functional cookie: your authentication session token (httpOnly, secure). This cookie is strictly necessary for the service to function and does not require consent under ePrivacy rules.

We use Plausible Analytics for website traffic measurement. Plausible is cookieless — it sets no cookies and collects no personal data. No cookie consent banner is required.

10. Contact

For privacy questions, data access requests, or to exercise your rights, contact us at: [email protected]

Controller: Bittoku KK, Japan