Privacy Policy — Protofac
1. Overview
This Privacy Policy explains what data we collect when you use Protofac, how we use it, and your rights over it.
Summary: We store your Google profile and conversation history. We do not store raw audio. We do not sell your data or use it to train AI models. You can delete your account and all data at any time. To let the AI agent work for you, we also handle your workspace contents and the credentials you authorize (SSH and GitHub), which we encrypt and use only to act on your behalf.
2. Data We Collect
2.1 Account Data
When you sign in with Google we receive your email, display name, profile picture URL, and a unique Google user ID. We do not access your Google contacts, calendar, files, or other Google services.
2.2 Conversation Data
Every message you send and every AI response is stored in our database (text, timestamp, model used, estimated cost). Conversation history is kept for 90 days after a session ends by default. You can request earlier deletion at any time.
2.3 Voice Transcription
Voice input is either processed by your browser's native Speech API (audio never reaches our servers) or by server-side Whisper (audio is transcribed and immediately discarded — only the resulting text is stored).
2.4 Usage Data
We collect anonymized usage signals (features used, session duration, error logs) to improve the service. This data is not linked to your identity in our analytics.
2.5 Payment Data
Payment is processed by Stripe. We never store your card number or CVV. Stripe provides us only with subscription status, payment method type, and billing email.
2.6 Cookies and Local Storage
We use a signed session cookie (va_session, 7 days, HttpOnly, Secure) for authentication, and localStorage for UI preferences (never sent to our servers). We do not use tracking, advertising, or third-party analytics cookies.
2.7 Workspace, Code, and Credentials
So the AI agent can work on your behalf, Protofac accesses the contents of your development workspace — source files, the shell commands the agent runs together with their output, and the repository URLs and branches you work on. If you connect your own machine over SSH, we store the connection details (host, username, and key or password) and use them only to reach that machine at your request. If you authorize GitHub access, we store the OAuth token to read and write only the repositories you select. We do not browse, copy, or use your code for any purpose other than performing the actions you direct.
3. How We Use Your Data
Account data identifies you and enables account-related emails. Conversation history powers your history view and provides AI context. Usage signals improve the product. Payment data manages your subscription. We do not sell data, train AI models on your conversations, or show ads.
4. Who We Share Data With
We share data only with the providers needed to run Protofac: Claude (Anthropic) (AI responses), GitHub (access to the repositories you authorize via OAuth), Google (Sign-In and text-to-speech), Stripe (payment processing), and Cloudflare (DNS and DDoS protection). We share no data with any other third parties, and we never sell your data.
Your own AI account: Because Protofac runs on your own Anthropic subscription, your prompts and the code the agent reads are sent to Anthropic under your account, governed by your agreement with Anthropic. We pass this content to Anthropic on your behalf and do not retain it other than as part of your conversation history described above.
5. Data Security
All data is transmitted over TLS/HTTPS and encrypted at rest. If you provide your own API keys (BYOK), they are stored with AES-256-GCM encryption and decrypted only at call time. If you believe your account is compromised, contact office@inctasoft.com immediately.
SSH credentials and GitHub tokens you authorize are encrypted at rest with AES-256-GCM and decrypted only at the moment we connect on your behalf. Each user's workspace is isolated from other users.
6. Your Rights (GDPR)
If you are in the EEA, UK, or equivalent jurisdiction, you have rights to access, rectify, erase, port, restrict, or object to processing of your data. To exercise any right, email office@inctasoft.com with subject "Privacy Request". We respond within 30 days.
You may also lodge a complaint with the Bulgarian data protection authority (CPDP): www.cpdp.bg
7. Data Retention
Account data: until deletion + 30 days. Conversation history: 90 days after session. Payment records: 7 years (legal requirement). Security logs: 90 days. Anonymized analytics: 12 months.
Workspace contents: retained for the life of your workspace. When you delete a workspace — or delete your account — its contents and any stored SSH or GitHub credentials are deleted. If you connect your own machine, your files stay on that machine; we do not copy them to our servers beyond what appears in your conversation history.
8. International Transfers
Inctasoft is based in Bulgaria (EU). Data may be processed by providers outside the EU (Anthropic, Google, Stripe) under standard contractual clauses approved by the European Commission.
9. Children's Privacy
We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us at office@inctasoft.com.
10. Changes to This Policy
We will notify you of material changes by email or in-app notice. The date at the top of this page shows when this version was published.
11. Contact
Inctasoft OOD (EIK 206353354)
46 Patriarch Evtimiy Blvd, Sofia 1000, Bulgaria
office@inctasoft.com
Last updated: 3 June 2026