EEngramia
Legal document

Privacy Policy

Engramia — Reusable Execution Memory for AI Agents

Last updated: 2026-04-05

1. Introduction

This Privacy Policy describes how Marek Čermák ("we", "us", "our", "Licensor") collects, uses, stores, and protects information when you use Engramia (the "Service"), including the cloud-hosted API ("Cloud Service"), the self-hosted deployment, the Python library, the website, and related services.

We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

2. Data Controller

The data controller for the purposes of GDPR is:

Marek Čermák Czech Republic Email: support@engramia.dev

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at the email address above.

3. What Data We Collect

3.1 Account Data

When you create an account or purchase a Subscription, we collect:

  • Email address
  • Name or organization name
  • Billing information (processed by our third-party payment processor; we do not store full payment card details)
  • API keys (generated by us, stored as hashed values)

Legal basis: Contract performance (Art. 6(1)(b) GDPR) — necessary to provide the Service.

3.2 Customer Data (Data You Submit to the Service)

When you use the Service, you may submit data including:

  • Task descriptions, code snippets, prompts
  • Evaluation results and scores
  • Agent patterns and pipeline configurations
  • Feedback and failure logs

We process Customer Data solely to provide the Service to you. We do not access, review, or use your Customer Data for any purpose other than operating the Service, unless you explicitly consent or as described in Section 4.3 (Aggregated Data).

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Important: You are responsible for ensuring that Customer Data does not contain personal data of third parties unless you have a lawful basis for processing such data. If your use case involves processing personal data through the Service, you must contact us to establish a Data Processing Agreement (DPA).

3.3 Usage Data

We automatically collect technical and usage data when you interact with the Service:

  • API request metadata (endpoint, timestamp, response code, latency)
  • IP address (for rate limiting and security; see Section 5)
  • User-Agent string
  • Error logs (sanitized — no Customer Data content in logs)

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — necessary for security, abuse prevention, and service improvement.

3.4 Website Data

If you visit our website, we may collect:

  • Standard web server logs (IP address, browser type, pages visited, referrer)
  • Cookies — see Section 8

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

4. How We Use Your Data

4.1 To Provide the Service

We use Account Data and Customer Data to:

  • Authenticate your API requests
  • Store and retrieve your patterns, evaluations, and feedback
  • Process your recall, compose, and evaluate requests
  • Generate and manage your API keys

4.2 To Operate and Improve the Service

We use Usage Data to:

  • Monitor service health, performance, and availability
  • Detect and prevent abuse, fraud, and security incidents
  • Debug errors and improve reliability
  • Plan capacity and infrastructure

4.3 Aggregated and Anonymized Data

We may derive anonymized, aggregated data from your use of the Service to:

  • Improve the Service and develop new features
  • Generate benchmarks and performance analytics
  • Create industry reports or research publications

Such aggregated data does not identify you or any individual and cannot be re-identified. Examples include: average pattern counts per user tier, aggregate API call volumes, distribution of evaluation scores.

We will never share, sell, or disclose your raw Customer Data to third parties.

4.4 To Communicate With You

We may use your email address to:

  • Send service-related notifications (downtime, security alerts, billing)
  • Notify you of material changes to these Terms or Privacy Policy
  • Respond to your support requests

We will not send marketing emails without your explicit opt-in consent.

5. Data Sharing and Third Parties

5.1 Third-Party AI Model Providers

When you use Service functions that require AI inference (evaluate, compose, evolve), your task descriptions and code snippets are sent to the configured AI model provider (e.g., OpenAI, Anthropic) for processing. This is necessary to provide the Service.

Important: Data sent to third-party AI model providers is subject to those providers' privacy policies and data processing terms. We recommend reviewing:

  • OpenAI: https://openai.com/policies/privacy-policy
  • Anthropic: https://www.anthropic.com/privacy

If you use a self-hosted deployment with local embeddings and a local/self-hosted LLM, no data is sent to third-party providers.

5.2 Infrastructure Providers

We use third-party infrastructure providers (cloud hosting, CDN, monitoring) to operate the Cloud Service. These providers process data on our behalf under data processing agreements that ensure GDPR compliance.

5.3 Payment Processors

Billing and payment are handled by third-party payment processors. We do not store full credit card numbers or bank account details. Our payment processor receives only the data necessary to process your payment.

5.4 Legal Requirements

We may disclose your data if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.

6. Data Retention

| Data Type | Retention Period | |-----------|-----------------| | Account Data | Duration of your account + 12 months after deletion | | Customer Data (active Subscription) | Duration of your Subscription | | Customer Data (after termination) | 30 days grace period + 60 days retrieval period, then permanent deletion (see ToS Section 6.5) | | Usage Data (logs) | 90 days, then automatically deleted | | Aggregated/anonymized data | Indefinitely (not personal data) | | Billing records | As required by applicable tax and accounting law (typically 5–10 years) |

Upon written request, we will delete your personal data within 30 days, subject to legal retention obligations.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit — all API communication over HTTPS/TLS
  • Authentication — Bearer token authentication with timing-safe comparison (HMAC)
  • Rate limiting — per-IP, per-endpoint rate limiting to prevent abuse
  • Security headers — X-Content-Type-Options, X-Frame-Options, Referrer-Policy
  • Input validation — strict validation on all API inputs (length limits, type checks, path traversal prevention)
  • Audit logging — structured audit logs for security-relevant events (auth failures, pattern deletions, rate limiting)
  • Hashed API keys — API keys stored as SHA-256 hashes, never in plaintext
  • Non-root containers — Docker containers run as non-root user
  • Body size limits — request body size limited to prevent abuse

For a detailed description of our security measures, see our Security Policy.

Encryption

In transit: All data transmitted between your systems and Engramia is encrypted using TLS 1.2 or TLS 1.3.

At rest: Database contents (patterns, evaluation scores, metadata) are stored on Hetzner VPS infrastructure in Germany. Hetzner CX-series servers do not provide hardware-level disk encryption by default. Data is protected at the application layer through: hashed API keys (SHA-256), non-root container execution, network segmentation (internal Docker bridge), and restricted database access (no public exposure).

We recommend enterprise customers with strict at-rest encryption requirements to consider the self-hosted deployment option, where you control the infrastructure and can apply LUKS disk encryption or encrypted block storage.

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Cookies

8.1 Cloud Service API

The Cloud Service API does not use cookies. Authentication is handled via Bearer tokens in HTTP headers.

8.2 Website

If we operate a website (documentation, marketing, dashboard), we may use:

| Cookie Type | Purpose | Legal Basis | |-------------|---------|-------------| | Strictly necessary | Session management, authentication, security | Legitimate interest (no consent required) | | Analytics | Usage statistics, performance monitoring | Consent (opt-in) |

We do not use advertising or tracking cookies.

If analytics cookies are used, we will implement a cookie consent banner that allows you to accept or reject non-essential cookies before they are set.

9. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights regarding your personal data:

| Right | Description | |-------|-------------| | Access (Art. 15) | Request a copy of the personal data we hold about you | | Rectification (Art. 16) | Request correction of inaccurate personal data | | Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") | | Restriction (Art. 18) | Request restriction of processing of your personal data | | Data Portability (Art. 20) | Receive your personal data in a structured, machine-readable format | | Objection (Art. 21) | Object to processing based on legitimate interest | | Withdraw Consent (Art. 7) | Withdraw consent at any time (where processing is based on consent) | | Complaint (Art. 77) | Lodge a complaint with a supervisory authority |

To exercise any of these rights, contact us at support@engramia.dev. We will respond within 30 days.

Supervisory authority: If you are in the Czech Republic, the relevant authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ), https://www.uoou.cz.

10. International Data Transfers

If you are located outside the EU/EEA:

  • Your data may be processed in the EU/EEA (where our primary infrastructure is located).

If you are located in the EU/EEA:

  • Your data is primarily processed within the EU/EEA.
  • When you use AI model providers (OpenAI, Anthropic), your data may be transferred to the United States. These transfers are governed by the providers' own data transfer mechanisms (e.g., EU-US Data Privacy Framework, Standard Contractual Clauses).
  • We do not independently transfer your personal data outside the EU/EEA except through third-party AI model providers as described above.

International Data Transfers

Engramia infrastructure is hosted exclusively in Germany (Hetzner, Frankfurt region). However, to provide AI inference capabilities, prompts and content submitted for evaluation may be transmitted to:

  • OpenAI, Inc. (United States) — for LLM inference. Transfer governed by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c). OpenAI's DPA available at: https://openai.com/policies/data-processing-addendum
  • Anthropic, PBC (United States) — for alternative LLM inference. Transfer governed by Standard Contractual Clauses. Anthropic's privacy policy at: https://www.anthropic.com/privacy

Engramia does not transfer data to any other third countries. Where SCCs are used, a Transfer Impact Assessment has been considered in light of the nature of the data (pseudonymized execution patterns, not directly identifying natural persons in typical use).

11. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service with at least 30 days' notice. The "Last updated" date at the top of this document indicates the most recent revision.

Continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

13. Contact

For questions about this Privacy Policy, to exercise your data protection rights, or to report a privacy concern:

Marek Čermák Email: support@engramia.dev Czech Republic

For complaints, you may also contact your local data protection authority.