Legal
Privacy Policy
Effective date: 1 May 2026 · Last updated: 8 May 2026
1. Who we are
Beweird SAS (“Azoth”, “we”, “our”, “us”) operates Azoth OS, the AI runtime economics platform available at azothos.ai. We are registered in France.
Data controller contact: privacy@azothos.ai
2. What data we collect
We collect data in four categories:
- Account data — name, email address, company name, password hash (managed by Supabase Auth).
- Usage data — LLM call metadata: model name, token counts, cost (USD), latency (ms), cache hit status, agent/workflow identifiers, timestamp. Trace rows do not include raw prompt or completion content.
- Semantic cache (optional) — when a workspace enables the semantic cache, we store the prompt text (hashed for exact lookup; full text for vector-similarity search) alongside the cached response so subsequent semantically-identical prompts can be served without a new LLM call. Cached entries expire after 7 days. Workspaces can disable the cache from Settings → Governance. Full record at /legal/ropa activity ACT-003.
- Billing data — Stripe customer ID, subscription status, plan name. Full payment card data is handled exclusively by Stripe and never touches our servers.
3. How we use your data
- Provide and operate the Azoth OS platform (routing decisions, savings attribution, FinOps reporting).
- Send transactional emails (account confirmation, billing receipts, anomaly alerts).
- Improve our model routing algorithms using aggregated, anonymized usage patterns.
- Comply with legal obligations.
We do not sell your data. We do not use your data to train foundation models.
4. Data sharing
We share data only with the following sub-processors, bound by Data Processing Agreements:
- Supabase — database and authentication (EU region available on request)
- Stripe — payment processing (PCI DSS Level 1 certified)
- Anthropic — AI inference provider (prompts forwarded via API for language model processing; bound by Anthropic's data processing agreement)
- OpenAI — AI inference provider (when OpenAI models are selected) and embedding generation for the optional semantic cache; bound by OpenAI's data processing addendum
- Vercel — hosting and edge functions
- Sentry — error tracking (no PII in error payloads)
- Resend — transactional email delivery (account confirmation, billing receipts)
- Upstash — Redis rate limiting and caching (ephemeral; no personal data at rest beyond 5-minute TTL)
5. Data retention
We retain different categories of data for different periods. Several windows scale with the workspace plan — the binding values per plan are published at /pricing.
- Usage traces (LLM call metadata) — per-plan retention: Forge 7 days · Developer / Pro 90 days · Team / Scale 365 days · Enterprise per contract. After the window the rows are auto-deleted by the nightly purge function.
- Audit logs — 24 months (compliance + SOC 2 audit trail). On account erasure these rows are pseudonymised (user_id and workspace_id nulled) rather than deleted, so the immutable accountability record survives without identifying the ex-user.
- Loop detection events — 6 months.
- Semantic cache — 7 days per cached entry (rolling TTL).
- Webhook delivery records — 6 months.
- Billing records — 7 years (legal and tax obligation).
- Account data — deleted within 30 days of account closure on request.
All retention windows are enforced automatically by a scheduled database purge function that runs nightly.
6. Your rights (GDPR Article 15–22)
- Access — request a copy of all data we hold about you.
- Portability — export your workspace data via
GET /api/v1/export(JSON or NDJSON). - Rectification — correct inaccurate data via account settings.
- Erasure — request deletion of your account and all associated workspace data.
- Restriction / Objection — restrict or object to processing in certain circumstances.
To exercise any right, email privacy@azothos.ai. We respond within 30 days.
7. Security
We apply OWASP ASVS L1/L2 controls, encrypt data in transit (TLS 1.3) and at rest (AES-256 via Supabase), and enforce Row Level Security on all database tables. API keys are stored as SHA-256 hashes only. See our Security Policy for full details.
8. Cookies
We use only session cookies necessary for authentication. We do not use advertising or analytics cookies. No third-party trackers are embedded in the dashboard.
Cookies set by Azoth OS:
sb-[project]-auth-token— Supabase authentication JWT. Expires after your session max-age (default 8 hours of inactivity). Deleted on sign-out.sb-[project]-auth-token-code-verifier— PKCE code verifier used during OAuth sign-in. Short-lived (deleted after the OAuth callback completes).
No persistent tracking cookies, advertising pixels, or analytics cookies are set. The cookies above are strictly necessary for the service to function.
9. Contact
Data protection inquiries: privacy@azothos.ai
General: hello@azothos.ai
Beweird SAS · 128 rue de la Boétie, 75008 Paris, France