Your data,
your rules.

Casagbic (“we”, “us”) operates the platform at casagbic.com. This policy explains what data we collect, why, the legal basis for processing, and what control you have.

1. Information We Collect

Account Information

When you create an account, we collect:

• Email address (required)
• First name (required)
• Last name (optional)
• Phone number (optional)
• Profile avatar (optional)

Authentication Data

We use passwordless authentication — email OTP codes and magic links. We never store passwords. For security monitoring, we record:

• Login timestamps
• IP address at login
• Browser and device information (user agent)
• Failed login attempts (for account lockout protection)

Social Login

If you sign in with Google or Microsoft, we receive your email, display name, and profile picture URL from that provider. We do not receive or store your Google or Microsoft password.

Usage Data

When you use the platform, we store:

• Prompts you submit (your app description and follow-up messages)
• Conversation messages between you and AI agents
• Job execution logs (what the AI agents built)
• Generated code and files
• Credit usage and transaction history

Payment Information

Payments are processed entirely by Stripe. We store a Stripe customer ID and transaction metadata (amount, credits purchased). We never see or store credit card numbers, CVVs, or bank account details. Stripe handles all payment card data under PCI DSS compliance.

File Uploads

If you upload files as part of a job, we store the filename, file type, and size. Files are stored securely in encrypted cloud storage (AWS S3).

Landing Page

This landing page does not collect personal data. We load fonts from Google Fonts CDN, which may log your IP address per Google’s privacy policy.

2. How We Use Your Data

We use your data to:

• Provide and maintain the Casagbic platform
• Process your prompts through AI models to generate code
• Track credit usage and process payments via Stripe
• Send transactional emails (OTP codes, job notifications)
• Detect and prevent fraud, abuse, and unauthorized access
• Maintain security audit logs

We do not:

• Sell your data to third parties
• Use your data for advertising or profiling
• Use your prompts or generated code to train our own AI models

Legal Basis for Processing

We process your data under the following legal bases:

• Contract performance — processing your prompts, generating code, managing credits, and maintaining your account are necessary to deliver the service you signed up for.
• Legitimate interest — fraud prevention, security monitoring, audit logging, and platform improvement. We balance our interests against your privacy rights.
• Legal obligation — retaining financial transaction records as required by tax and accounting regulations.
• Consent — optional communications and marketing. You can withdraw consent at any time by contacting us.

3. Cookies

We use essential cookies only:

• Access token — authenticates your session. HTTP-only, secure, SameSite=strict. Expires after 15 minutes.
• Refresh token — renews your session. HTTP-only, secure, SameSite=strict. Expires after 7 days. Scoped to authentication endpoints only.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies. There is no cookie consent banner because we have nothing optional to consent to.

4. Third-Party Services

We share data with these services as necessary to operate the platform:

• Stripe — Payment processing. Receives your email, workspace name, and transaction amounts.
• AWS S3 — Secure file storage for uploaded files, avatars, and workspace archives.
• Anthropic (Claude) — AI code generation. Receives your prompts and conversation context.
• OpenAI (Codex) — AI code generation. Receives your prompts and conversation context.
• Google / Microsoft OAuth — Social login. Receives authentication requests if you choose to sign in this way.
• Google Fonts — Typography on the landing page. Loaded from Google CDN.
• SMTP provider — Transactional email delivery. Receives your email address and email content.

Each service is governed by its own privacy policy.

5. AI Processing

When you submit a prompt, it is sent to AI model providers (Anthropic and/or OpenAI) for code generation. Important: while we do not use your prompts to train our own models, prompts sent to third-party AI providers are subject to those providers’ own data handling and retention policies. We recommend reviewing Anthropic’s and OpenAI’s privacy policies if this concerns you.

Generated code is executed in isolated Docker containers. Each job runs in its own sandboxed container with no access to other users’ data or workspaces.

Our system uses automated routing to decide which AI model processes your request. This routing is based on task characteristics, not personal attributes, and does not produce legal or similarly significant effects on you.

6. Data Retention

• Account information — retained until you delete your account
• Job data and generated code — retained until project or account deletion
• User-visible job logs — retained indefinitely
• Internal execution logs — auto-deleted after 7 days
• Security audit logs — auto-deleted after 365 days
• Notifications — auto-deleted after 90 days
• Credit transactions — retained for a minimum of 7 years as required by tax and accounting regulations, or longer if required by applicable law

7. Data Security

We protect your data with:

• HTTPS encryption for all data in transit
• HTTP-only, secure cookies with SameSite=strict
• Passwordless authentication (no password hashes to compromise)
• Encrypted OAuth tokens at rest
• HMAC-based service-to-service authentication
• Per-job security tokens for container isolation
• Rate limiting on authentication endpoints
• Account lockout after repeated failed login attempts
• Input validation and injection prevention (OWASP Top 10)

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access — request a copy of your personal data
• Rectification — correct inaccurate personal data
• Erasure — request deletion of your account and associated data
• Portability — receive your data in a structured, machine-readable format (JSON export)
• Restriction — request we limit processing of your data while a dispute is resolved
• Objection — object to processing based on legitimate interest
• Withdraw consent — where processing is based on consent, withdraw at any time without affecting prior processing
• Export code — download your generated code at any time through the platform

We will respond to data rights requests within 30 days. To exercise any of these rights, email [email protected].

If you believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with your local data protection authority.

9. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users via email within 72 hours of becoming aware of the breach. Where required by law, we will also notify the relevant data protection authorities.

10. Children’s Privacy

Casagbic is not intended for users under the age of 16 (or the minimum age required by your jurisdiction, but in no case under 13). We do not knowingly collect personal data from children. If you believe a child has created an account, contact us immediately and we will delete the account and all associated data.

11. International Transfers

Your data may be processed in countries other than your own, including the United States and other regions where our cloud infrastructure (AWS) and AI providers (Anthropic, OpenAI) operate. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms, to ensure your data receives equivalent protection.

12. Subprocessors

We use the following categories of subprocessors to deliver the service:

• Cloud infrastructure — server hosting, object storage, container orchestration
• AI model providers — code generation and language model inference
• Payment processor — credit card processing and billing
• Email delivery — transactional email sending
• Authentication providers — OAuth identity verification (Google, Microsoft)

A current list of specific subprocessors is available upon request at [email protected].

13. Changes

We may update this policy. For minor or clarifying changes, updated versions will be posted here with a new effective date. For material changes that affect how we process your data, we will notify registered users via email at least 14 days before the changes take effect, giving you the opportunity to review and, if you disagree, delete your account.

14. Contact

Privacy inquiries: [email protected]

We aim to resolve all privacy-related inquiries within 30 days.