Privacy Policy
Last updated: January 2026 · Effective: January 2026
Your data stays in Switzerland. We never read your AI conversations or agent content. This policy explains exactly what we collect, why, and how we protect it.
What we do not collect
- Content of your AI agent conversations
- Data processed by your AI agents
- Your AI provider API keys (stored encrypted, never read by our staff)
- Files uploaded to your agents' knowledge base (encrypted at rest)
- Your customers' personal data handled by agents
What we collect
- Account info (name, company, email)
- Billing info (handled by Stripe — we store only last 4 digits + card brand)
- Agent configuration metadata (name, model choice, region, channel settings — NOT content)
- Usage metrics (uptime, error counts, API call counts — NOT content)
- Audit log event types and timestamps (NOT the content of agent actions)
- IP address and browser info for security
1 Who We Are
Cybrient Technologies SA (“Cybrient”, “we”, “us”, “our”) is the data controller for personal data processed through the agents.diy platform. We are incorporated in Switzerland and subject to the Swiss Federal Act on Data Protection (nFADP) and, where applicable to our European Economic Area customers, the General Data Protection Regulation (GDPR).
Data Controller
Cybrient Technologies SA
Rue Liotard 6
1202 Geneva, Switzerland
Phone: +41 22 539 18 45
General: [email protected]
Privacy: [email protected]
Questions about this policy? Contact our privacy team at [email protected]. We aim to respond within 5 business days.
2 What Data We Collect & Why
We collect only the minimum personal data necessary to operate, secure, and improve the agents.diy platform. Below is a breakdown by category.
Account Data
Your full name, company name, and work email address. Collected when you register and updated by you at any time. Purpose: to create and manage your account, authenticate your identity, and send you service-related communications.
Payment Data
All payment processing is handled by Stripe, Inc. (PCI-DSS Level 1 compliant). We never receive or store your full card number. We retain only a Stripe customer token, your card's last 4 digits, and card brand for display in your billing dashboard. Subscription amounts and invoice dates are stored for legal compliance.
Agent Configuration Metadata
Agent name, chosen AI model (e.g., “gpt-4o”), deployment region, channel settings, and operational status. This metadata is required to operate and display your agents. We do not store or access the content your agents process.
Technical & Usage Data
Agent uptime statistics, error counts, API call counts (numeric only — not content), IP addresses, browser type and version, and session tokens. Used for platform reliability, security monitoring, and abuse prevention.
Communication Data
Emails and support messages you send to us. Retained to resolve your queries and improve our support. We do not use your support communications for marketing without your consent.
3 What We Explicitly Do Not Collect
The architecture of agents.diy is designed to ensure that sensitive AI data never passes through systems we control in a readable form. This is a deliberate privacy-by-design decision.
- Content of your AI agent conversations
- Data processed by your AI agents
- Your AI provider API keys (stored encrypted, never read by our staff)
- Files uploaded to your agents' knowledge base (encrypted at rest)
- Your customers' personal data handled by agents
Architecture note: API calls to AI providers (Anthropic, OpenAI, Google, etc.) are made from your agent's isolated workspace using your own API key. We route the connection but do not log, inspect, or retain the content of those calls. Your API keys are stored using AES-256 envelope encryption: each company has a unique Data Encryption Key (DEK), which is itself encrypted with a Master Key Encryption Key (KEK) stored only in our server environment variables, never in the database. This means a breach of the database alone cannot expose your API keys in readable form.
Audit logs record event types and timestamps (e.g., “agent started”, “channel message sent”) but never the content of agent actions or messages.
4 Data Storage & Location
We are committed to keeping your data in Switzerland. All primary infrastructure is hosted with Infomaniak SA, a Swiss provider with data centres located in Geneva and Lausanne.
- All data is encrypted at rest using AES-256. Sensitive agent data uses an additional layer of envelope encryption.
- All data in transit is protected by TLS 1.3. We enforce HTTPS across all endpoints with HSTS headers.
- Backups are taken daily, retained for 30 days, and stored exclusively on Infomaniak infrastructure within Switzerland.
- We do not transfer personal data outside Switzerland or the European Economic Area (EEA) without your prior consent, except where strictly required by law or as described in Section 6 (Third-Party Services).
- Each company's agent workspace is isolated by a unique company UUID. There is no cross-tenant data access at the application layer.
5 Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, or as required by applicable law.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Active account + 30 days after deletion request | Contract performance |
| Audit logs | 12 months (configurable per account) | Legitimate interest / security |
| Billing records | 10 years | Swiss commercial law (CO Art. 958f) |
| Agent content files | Deleted immediately upon your request | User control |
| Support communications | 3 years from last contact | Legitimate interest |
| Server / access logs | 90 days | Security monitoring |
When you request account deletion, we will confirm the deletion of your personal data within 30 days. Billing records are retained for the legally required 10-year period even after account deletion, as required by Swiss law.
6 Third-Party Services
We use a minimal set of third-party services. We do not use advertising networks, tracking pixels, or behavioural analytics tools of any kind.
We do not embed Google Analytics, Meta Pixel, Hotjar, Intercom, or any other advertising or behavioural analytics SDK. The only scripts loaded on agents.diy are those necessary to operate the platform itself.
7 Your Rights (Swiss nFADP & GDPR)
Under the Swiss Federal Act on Data Protection (nFADP) and, where applicable, the EU General Data Protection Regulation (GDPR), you have the following rights regarding your personal data.
- Request a copy of all personal data we hold about you.
- Correct inaccurate or incomplete personal data.
- Request deletion of your personal data (“right to be forgotten”).
- Receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interest.
- Request that we limit how we use your data in certain circumstances.
- Withdraw consent at any time where processing is based on consent.
- File a complaint with the Swiss FDPIC or your local supervisory authority.
How to exercise your rights
Email [email protected] with your request. We will verify your identity and respond within 30 days (or 15 days for Swiss nFADP requests). There is no charge for exercising your rights. If your request is complex or you have made numerous requests, we may extend this period by a further 60 days and will inform you of the extension.
8 Cookies & Tracking
We use only the cookies strictly necessary to operate the platform. We do not use advertising cookies, tracking pixels, or third-party analytics.
Cookies we use
All cookies above are first-party, essential, and expire at the end of your session or within 30 days.
Cookies we do NOT use
Because we use only essential cookies, no cookie consent banner is required under Swiss law. If you are accessing from the EU/EEA and disagree with our cookie use, please contact [email protected].
9 Security
We take the security of your data seriously and implement technical and organisational measures appropriate to the risks involved.
- Encryption at rest: All data encrypted with AES-256. Sensitive agent data (API keys, knowledge base files, soul/skills/context documents) uses envelope encryption: a unique Data Encryption Key (DEK) per company, itself encrypted with a Master Key Encryption Key (KEK) stored only in the server environment — never in the database.
- Encryption in transit: TLS 1.3 enforced on all connections. HSTS headers prevent downgrade attacks.
- Tamper-evident audit logs: Audit log entries are linked with a SHA-256 hash chain, making retrospective tampering detectable.
- Access controls: Employee access to production systems requires two-factor authentication (2FA) and is logged. Access is granted on a least-privilege basis and reviewed quarterly.
- Breach notification: We will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of a confirmed personal data breach that poses a risk to your rights.
- Penetration testing: We conduct annual third-party security assessments of our platform.
Despite these measures, no system is completely secure. If you discover a security vulnerability, please report it responsibly to [email protected].
10 Children's Privacy
agents.diy is a business-to-business SaaS platform intended exclusively for use by individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will delete it promptly.
11 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes (changes that affect your rights or how we use your data in a significant way), we will:
- Send an email notification to the address registered with your account at least 30 days before the change takes effect.
- Display a prominent banner on the platform dashboard.
- Update the “Last updated” date at the top of this page.
For non-material changes (such as clarifications or corrections), we will update this page and the “Last updated” date. Your continued use of agents.diy after the effective date of any changes constitutes acceptance of the revised policy.
12 Contact & Complaints
For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact us:
Privacy Contact
Cybrient Technologies SA — Privacy Team
Rue Liotard 6, 1202 Geneva, Switzerland
Email: [email protected]
Phone: +41 22 539 18 45
If you are not satisfied with our response, you have the right to lodge a complaint with the Swiss data protection supervisory authority:
Swiss Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, CH-3003 Bern, Switzerland
Website: www.edoeb.admin.ch
Email: [email protected]
If you are located in the EU/EEA, you may also contact the data protection authority in your country of residence.