Privacy Policy

This Privacy Policy describes how Uptown4, Inc. ("Uptown4," "we," "us") collects, uses, stores, and shares personal data when you use PrivateHost.AI and the hosted PrivateHost agent service ("Service").

Last updated: May 16, 2026

1. Scope and roles

We are the data controller for account and billing data we collect from you directly. For personal data that flows through your Agent (such as email content you direct your Agent to access), we generally act as a data processor on your behalf — you are the controller and you are responsible for the lawful basis of that processing. This policy does not cover data collected by Anthropic, OpenAI, or other AI providers you connect through our BYOK model. Those providers operate under their own privacy terms.

2. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13. Users must be at least 18 to create an account. If we become aware that a child under 13 has provided us personal data, we will delete it promptly.

3. Data we collect

Account and profile data: Name, email address, and authentication credentials when you register. Subscription and billing metadata processed by Stripe — we do not store full payment card numbers.

Service configuration data: Agent names, personality descriptions, avatar settings, and preferences. AI provider type and encrypted API credentials (encrypted at rest using AES-256-GCM).

Messaging channel identifiers: If you connect Telegram or other channels, we store the bot token (encrypted) and your channel user ID to maintain the connection. We do not read, store, or analyze the content of your messages — those pass directly to your Agent's isolated container.

Agent-processed data: When your Agent reads emails, accesses calendars, browses websites, or processes files at your direction, that data is processed within your Agent's isolated container. We do not routinely copy, analyze, or retain that content on our systems. Incidental copies may exist in operational logs for a limited period (see Section 6).

Technical and operational data: IP addresses, browser type, access timestamps, and usage patterns for security monitoring and service reliability. Error logs and crash reports.

Communications: Support emails and correspondence you send us.

Cookies and analytics: See Section 4 and our Cookie Policy.

4. Cookies and tracking

We use essential cookies required for authentication and session management. We may use limited analytics tools to understand aggregate usage patterns. We do not use advertising cookies or sell data to advertisers. See our Cookie Policy for details and opt-out options.

5. How we use your data

We use personal data to: provide and secure the Service; authenticate users and prevent fraud; administer subscriptions and process payments; operate Agent containers and maintain infrastructure; respond to support requests; send service notices, billing communications, and policy updates; enforce our Terms and Acceptable Use Policy; and comply with legal obligations. We do not use your data to train AI models. We do not sell, rent, or share your personal data for advertising purposes.

6. Data retention

Account data: Retained while your account is active and for up to 90 days after closure for fraud prevention and legal purposes, then deleted or anonymized.

Encrypted API credentials: Deleted when you remove them or close your account.

Operational logs: Retained for up to 90 days.

Agent container data (PVCs): Deleted within 7 days of subscription cancellation. Export your data before cancelling using the Export function in the dashboard.

Legal holds: We may retain data longer if required by law, active legal proceedings, or legitimate security investigations.

7. Legal bases for processing (GDPR)

Where GDPR applies, we process personal data on the following legal bases: performance of our contract with you; compliance with legal obligations; our legitimate interests in securing the Service and preventing fraud; and consent where required and obtained.

8. Sharing and subprocessors

We do not sell personal information. We share data only with the following service providers under appropriate data processing agreements:

  • Infrastructure and hosting: Hetzner Online GmbH (cloud servers), Cloudflare, Inc. (CDN, tunnel, DNS)
  • Authentication and database: Supabase, Inc.
  • Payment processing: Stripe, Inc. (subject to Stripe's privacy policy)
  • Workflow automation: n8n GmbH (internal provisioning only; does not access user content)
  • Transactional email: Our email delivery provider (service notifications only)

We are not responsible for AI provider data practices (Anthropic, OpenAI). Those relationships are between you and the provider under your BYOK account. We may disclose personal data to law enforcement if required by valid legal process or to protect the safety of any person or the security of the Service.

9. Security

We apply safeguards including: AES-256-GCM encryption for API credentials at rest; TLS encryption for all data in transit; isolated container environments per agent; access controls and least-privilege principles; and security monitoring. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

Data breach notification: If we become aware of a breach affecting your personal data that creates risk of harm, we will notify you without undue delay and within timeframes required by applicable law (72 hours for GDPR-covered breaches where feasible).

10. Your privacy rights

Depending on your jurisdiction, you may have rights to: access a copy of personal data we hold; correct inaccurate data; request deletion (subject to legal retention requirements); receive your data in a machine-readable format; object to or restrict certain processing; and withdraw consent where processing is based on consent. Email [email protected] to exercise these rights. We may verify your identity before fulfilling requests and will respond within 30 days.

11. California residents (CCPA / CPRA)

California residents have additional rights under CCPA and CPRA: right to know categories of personal information collected and the purposes; right to delete personal information subject to exceptions; right to correct inaccurate personal information; right to opt out of sale or sharing for cross-context behavioral advertising (we do not sell or share personal information for this purpose — no opt-out action is required); and right to non-discrimination for exercising these rights. Submit California rights requests to [email protected] with "California Privacy Request" in the subject line.

12. International data transfers

Our infrastructure is hosted in the United States and European Union. If you access the Service from outside these regions, your data may be transferred to and processed there. Where cross-border transfers require additional safeguards (such as GDPR Standard Contractual Clauses), we implement them.

13. Changes to this policy

We will notify you of material changes by email at least 14 days before they take effect and by updating the "Last updated" date. Continued use after changes take effect constitutes acceptance.

14. Contact

Privacy questions and rights requests: [email protected]
General: [email protected]