TL;DR

  • Your backups: encrypted before they reach us. We store opaque blobs we cannot read.
  • Your email: stored for billing and account authentication. Not sold. Not shared.
  • Analytics: basic usage metrics (request counts, error rates). No personal data, no tracking pixels, no third-party analytics.
  • Cookies: one session cookie, used only if you're logged in. No tracking cookies.
  • Third parties: Stripe (billing), Cloudflare (infrastructure). That's it.

Who We Are

AgentBak is operated by Baud Bot LLC, based in Austin, TX. Questions: [email protected].

What We Store

Encrypted vault blobs. When you use the cloud tier, we store the encrypted output of your vault backup command. This is ciphertext — AES-256-GCM encrypted, with the key derived client-side from your passphrase via Argon2id. We cannot read it. We store a SHA-256 hash of the ciphertext for integrity checking, which also reveals nothing about the plaintext.

Your email address. Required to create an account and send billing receipts. We store a hashed version for account lookup. We do not sell your email. We do not add it to marketing lists without your explicit consent.

Backup metadata. For each backup: timestamp, file size, a tag you optionally provide. This is unencrypted metadata — but it reveals nothing about your agent's content.

Authentication tokens. Short-lived JWTs stored in your browser session. They expire after 7 days.

What We Don't Store

  • Your passphrase — never transmitted, never stored
  • Your encryption keys — derived client-side, never sent to us
  • The contents of your backups — we have only ciphertext
  • Your IP address in any persistent way (Cloudflare logs requests; we don't)
  • Browser fingerprints or tracking data

Third-Party Services

Cloudflare. Our infrastructure runs on Cloudflare Workers, R2, and Pages. Cloudflare processes your requests and stores the encrypted blobs we upload to R2. Cloudflare's own privacy policy applies to their infrastructure-level handling. They receive encrypted data only.

Stripe. Payment processing for paid tiers. Stripe receives your payment card details and billing address. We don't see or store your card number. Stripe's privacy policy applies to payment data.

We don't use Google Analytics, Mixpanel, Segment, or any other third-party analytics service. We do collect basic server-side metrics (request count, error rates) using Cloudflare's built-in analytics, which does not include personal data.

GDPR and CCPA

Because we store no plaintext personal data in your backups, GDPR and CCPA compliance is relatively simple for us.

What data we hold about you: your email address and backup metadata (timestamps, sizes). You can request deletion of this data by emailing [email protected] or closing your account from the dashboard.

Data portability: your backups are yours. You can download them at any time via vault pull. The .vault format is documented and can be decrypted without AgentBak.

Legal basis (GDPR): we process your email for contract performance (providing the service you signed up for). We don't rely on legitimate interests for personal data processing.

California residents: we don't sell personal data. We don't share it for cross-context behavioral advertising. You have the right to request deletion — just email us.

Data Retention

Active accounts: we retain your data for as long as your account exists.

Cancelled accounts: encrypted blobs are deleted within 30 days of account closure. Email and billing records are retained for 7 years (tax/legal requirement). Everything else is deleted within 30 days.

Security

All data in transit is encrypted with TLS 1.3. Vault blobs are encrypted client-side before transmission (AES-256-GCM). Our servers run on Cloudflare's infrastructure with DDoS protection and access controls.

We will notify affected users within 72 hours of becoming aware of any breach that affects personal data. Because we can't read your backups, a breach of our storage does not expose your agent's content — only the metadata and your email address.

Changes to This Policy

If we make material changes, we'll email you at least 30 days before they take effect. The current version is always at this URL. The "last updated" date at the top tells you when it was last changed.

Contact

Privacy questions: [email protected]
Baud Bot LLC, Austin, TX