Octyl octyl

Last updated: February 2026

Privacy Policy

"Your workspace is private. We cannot access your code, AI conversations, or API keys. This is enforced by our architecture, not just policy."

1. Information We Collect

We collect the following categories of information to provide and improve the Service:

  • Account information — your email address and name, provided through Clerk during registration.
  • Usage metrics — session duration, runtime type (e.g., Claude Code, Codex), and workspace-hours consumed. These metrics are aggregated and do not contain the content of your work.
  • Billing data — payment method details are processed and stored by Stripe. Octyl retains only transaction records (amounts, dates, subscription tier).

2. Information We Cannot Collect

Due to our zero-knowledge architecture, the following data is encrypted end-to-end and is inaccessible to Octyl, its employees, and its infrastructure:

  • Source code and repository contents
  • AI prompts, responses, and conversation history
  • API keys and credentials stored in your workspace
  • Secrets vault contents
  • Workspace memory and knowledge graph data

This is not a policy choice — it is an architectural constraint. We do not possess the encryption keys necessary to decrypt this data, and no Octyl employee can override this protection.

3. How We Use Information

We use the information we collect for the following purposes:

  • Provide the Service — authenticate your identity, provision workspaces, and manage your account.
  • Billing — process payments, generate invoices, and manage subscriptions.
  • Product improvement — analyze aggregated, anonymized usage patterns to improve performance, reliability, and features.
  • Support — respond to your requests and troubleshoot issues with non-encrypted aspects of the Service.

4. Data Security

We employ multiple layers of security to protect your data:

  • AES-256-GCM encryption — all workspace data is encrypted using AES-256-GCM, a widely trusted authenticated encryption standard.
  • AWS Nitro VM isolation — workspaces run in isolated AWS Nitro-based virtual machines that provide hardware-level separation between tenants.
  • End-to-end encrypted access — data in transit between your device and your workspace is encrypted end-to-end, preventing interception at any point in the network path.

5. Data Retention

Account data (email, name, billing history) is retained for as long as your account is active. Upon account termination, all workspace data — including encrypted content, knowledge graphs, and configuration — is permanently deleted within 30 days.

Aggregated, anonymized usage metrics may be retained indefinitely for product improvement and benchmarking purposes. These metrics cannot be linked back to individual users or workspaces.

6. Third-Party Services

We use the following third-party services to operate the platform:

  • Clerk — authentication and identity management.
  • Stripe — payment processing and subscription management.
  • PostHog — product analytics based on anonymized usage events.
  • AWS — cloud infrastructure, compute, and storage.

Each third-party service operates under its own privacy policy. None of these services have access to your encrypted workspace content.

7. Cookies

Octyl uses the following cookies:

  • Session cookies — required for authentication. These expire when you close your browser or after a set inactivity period.
  • Stealth bypass cookie — stores access token state for early-access users. Persistent until cleared.
  • Analytics cookies — used by PostHog to collect anonymized usage data. You can opt out of analytics cookies through your browser settings.

8. Your Rights

You have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete personal data.
  • Deletion — request that we delete your account and all associated data.
  • Data export — export your workspace data at any time through the Service, or within 30 days of account termination.

To exercise any of these rights, contact us at privacy@octyl.ai. We will respond within 30 days.

9. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@octyl.ai.

10. Changes to Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or through the Service before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Contact

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@octyl.ai.