Molten — Privacy Policy

Sinuous Development LLC ("Molten," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Molten platform, including our website, applications, and all related services (collectively, the "Services").

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services.

1. Information We Collect

1.1 Information You Provide

Account Information. When you create an account, we collect your name, email address, password (stored in hashed form), and payment information (processed by our third-party payment processor). We may also collect a username, profile picture, or other optional profile information you choose to provide.

Payment and Billing Information. When you subscribe to a paid plan, we collect billing details such as your payment method, billing address, and transaction history. Payment card details are processed and stored by our third-party payment processor (Stripe) and are not stored on our servers.

Agent Configuration Data. We collect the instructions, configurations, system prompts, and settings you provide when creating and configuring your Agents.

User Content. We store the content you provide as input to your Agents ("Input") and the content your Agents generate ("Output"), collectively "User Content." This may include text, files, images, code, and other data you upload or that your Agents produce.

Agent Memory and State. Your Agents maintain persistent memory, conversation history, and operational state, which is stored within your Agent's isolated database.

Files and Storage. Files you upload to or that are created by your Agents are stored in your Agent's dedicated object storage.

Third-Party Credentials. If you provide API keys, OAuth tokens, or other credentials to enable your Agents to connect to third-party services, these credentials are stored in encrypted form within your Agent's isolated environment.

Communications. If you contact us for support, provide feedback, or otherwise communicate with us, we collect the content of those communications along with your contact information.

Other Information. We collect information you provide when participating in surveys, promotions, or other interactions with us.

1.2 Information We Collect Automatically

Log Data. When you access the Services, we automatically collect information such as your IP address, browser type and version, operating system, referring URL, pages visited, date and time of access, and other standard server log information.

Usage Data. We collect information about how you use the Services, including the features you use, actions you take, Agent interactions, credit consumption, session duration, and usage patterns.

Device Information. We collect information about the device you use to access the Services, including device type, operating system, unique device identifiers, and screen resolution.

Location Information. We infer your approximate geographic location from your IP address for security, fraud prevention, and service optimization purposes.

Cookies and Similar Technologies. We use cookies, local storage, and similar technologies to operate and improve the Services, maintain session state, remember your preferences, and analyze usage. See Section 8 (Cookies) for more detail.

1.3 Information from Third Parties

Payment Processors. We receive transaction confirmation and billing status information from our payment processor.

Authentication Providers. If you sign up or log in using a third-party authentication provider (e.g., Google, GitHub), we receive basic profile information as authorized by you and that provider.

Security and Fraud Prevention Partners. We may receive information from security partners to help detect and prevent fraud, abuse, and threats to the Services.

2. How We Use Your Information

We use the information we collect for the following purposes:

Providing and Operating the Services. To create and manage your account, operate your Agents, process transactions, provide customer support, and deliver the functionality of the platform.

Maintaining Infrastructure. To allocate resources, manage Agent sandboxes, provision storage, and ensure the technical operation of the platform on Cloudflare's edge infrastructure.

Security and Safety. To protect the security and integrity of the Services, detect and prevent fraud, abuse, and policy violations, enforce our Terms and Acceptable Use Policy, and monitor for security threats including prompt injection attacks and malicious activity.

Improvement and Development. To analyze usage patterns, diagnose technical issues, improve existing features, and develop new features and services. We do not use your User Content (Input or Output) to train AI models unless you explicitly opt in.

Communication. To send you service-related notices, respond to your inquiries, provide customer support, and send information about changes to the Services or our policies.

Billing and Payments. To process payments, manage subscriptions, track credit usage, and handle billing inquiries.

Compliance. To comply with applicable legal obligations, respond to lawful requests from government authorities, and enforce our legal rights.

Aggregated and De-identified Data. We may aggregate or de-identify information so that it can no longer reasonably identify you, and use such data for any lawful purpose including analytics, benchmarking, and service improvement.

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

3.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Cloud Infrastructure: Cloudflare, Inc. — The Services run on Cloudflare's infrastructure, including Workers, Durable Objects, R2, D1, and other Cloudflare services. Your data is processed and stored on Cloudflare's global network.
• AI Model Providers: We transmit Input to third-party AI model providers (such as Anthropic) to generate Agent responses. These providers process your data in accordance with their own terms and privacy policies. We select providers that offer appropriate data processing terms and do not use your data for model training.
• Payment Processing: Stripe processes your payment information. Stripe's privacy policy governs its handling of your payment data.
• Email and Communication Services: We use third-party services for transactional email and customer support.
• Analytics: We use analytics services to understand how the Services are used.

These service providers are contractually obligated to use your information only as necessary to provide services to us and in accordance with applicable data protection laws.

3.2 AI Model Provider Data Handling

When your Agent processes a request, relevant Input is transmitted to the AI model provider to generate a response. We take commercially reasonable steps to select AI providers that:

• Do not use your data to train their models (under our data processing agreements)
• Implement appropriate security measures
• Process data in accordance with applicable privacy laws

However, the processing of data by AI model providers is also subject to those providers' own terms and privacy policies. We encourage you to review the privacy policies of the AI model providers whose models power your Agents.

3.3 Legal Compliance and Protection

We may disclose your information if we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or enforceable governmental request
• Enforce our Terms of Use, Acceptable Use Policy, or other agreements
• Detect, prevent, or address fraud, security, or technical issues
• Protect the rights, property, or safety of Molten, our users, or the public

3.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Services before your information is transferred and becomes subject to a different privacy policy.

3.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

3.6 Aggregated or De-identified Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you with third parties for analytics, research, or other purposes.

4. Data Storage and Security

4.1 Infrastructure

The Services run on Cloudflare's global edge infrastructure. Your data is processed and stored across Cloudflare's network, with primary processing in the United States. Specific data components are stored as follows:

• Agent State and Memory: Stored in each Agent's Durable Object with an embedded SQLite database
• Files: Stored in per-Agent R2 object storage buckets
• Semantic Memory: Stored in per-Agent Vectorize indexes
• Account Data: Stored in D1 databases
• Session Data: Stored in Workers KV

4.2 Security Measures

We implement multiple layers of security to protect your data, including:

• Encryption of data in transit (TLS) and at rest
• Sandboxed code execution in isolated containers
• Multi-layer prompt injection detection and prevention
• Egress proxy with domain allowlisting for Agent network access
• In-container malware and vulnerability scanning
• Logical isolation of Agent data and resources
• Access controls and authentication mechanisms
• Regular security assessments

4.3 Security Limitations

While we implement commercially reasonable security measures, no system is completely secure. We cannot guarantee the absolute security of your data. You are responsible for maintaining the security of your account credentials and for any credentials you provide to your Agents for third-party integrations.

4.4 Breach Notification

In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law and take reasonable steps to mitigate the impact.

5. Data Retention

We retain your information as follows:

Account Information. We retain your account information for as long as your account is active and for a reasonable period thereafter to fulfill legal obligations, resolve disputes, and enforce our agreements.

User Content. We retain User Content (including Agent memory, conversation history, and files) for as long as your account is active. Upon account deletion, we will delete your User Content within 30 days, except as described below.

Billing Records. We retain billing and transaction records for as long as required by applicable tax and accounting laws (typically 7 years).

Log and Usage Data. We retain server logs and usage data for up to 12 months for security, analytics, and operational purposes, after which they are deleted or aggregated.

Security and Abuse Records. If your account is terminated for violations of our Terms or policies, we may retain relevant records for up to 3 years to protect against fraud and abuse and to enforce our policies.

Legal Requirements. We may retain information for longer periods where required by applicable law, legal process, or to establish, exercise, or defend legal claims.

De-identified Data. Aggregated or de-identified data that can no longer identify you may be retained indefinitely.

6. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information:

6.1 Access and Portability

You have the right to access the personal information we hold about you. You can access and export much of your data directly through the Services, including your Agent configurations, conversation history, and stored files.

6.2 Correction

You have the right to request correction of inaccurate personal information. You can update much of your account information directly through the Services.

6.3 Deletion

You have the right to request deletion of your personal information. You can delete individual Agents, conversation history, or your entire account through the Services. Account deletion will result in permanent removal of your data within 30 days, subject to the retention exceptions described in Section 5.

6.4 Data Processing Controls

• AI Model Training: We do not use your User Content to train AI models by default. If you have opted in, you can opt out at any time through your account settings.
• Analytics Cookies: You can manage cookie preferences through your browser settings or our cookie consent mechanism.

6.5 Communication Preferences

You can opt out of marketing communications at any time by using the unsubscribe link in those communications or through your account settings. You cannot opt out of service-related communications necessary for the operation of your account.

6.6 Rights for EEA, UK, and Swiss Residents

If you reside in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR, including the right to restrict processing, the right to object to processing, the right to data portability, and the right to lodge a complaint with your local data protection authority. Our legal bases for processing are: performance of our contract with you (providing the Services), our legitimate interests (security, improvement, and fraud prevention), your consent (where applicable), and compliance with legal obligations.

6.7 Rights for California Residents

If you are a California resident, you have rights under the CCPA/CPRA including the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale or sharing of your personal information, and the right to non-discrimination for exercising your rights. We do not sell your personal information or share it for cross-contextual behavioral advertising.

6.8 Exercising Your Rights

To exercise any of your rights, please contact us at privacy@molten.live or use the controls available in your account settings. We will respond to your request within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before processing your request.

7. International Data Transfers

The Services are operated from and data is processed in the United States. If you are accessing the Services from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate.

Where required by applicable law, we implement appropriate safeguards for international data transfers, such as Standard Contractual Clauses approved by the European Commission, or rely on other valid transfer mechanisms.

By using the Services, you acknowledge and consent to the transfer and processing of your information as described in this Privacy Policy.

8. Cookies and Similar Technologies

We use cookies and similar technologies for the following purposes:

Essential Cookies. These are required for the operation of the Services, including authentication, session management, and security.

Analytics Cookies. These help us understand how the Services are used so we can improve them. We use aggregated, anonymized analytics where possible.

Preference Cookies. These remember your settings and preferences to provide a personalized experience.

You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Services.

9. Children's Privacy

The Services are not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child under 18, please contact us at privacy@molten.live.

10. Third-Party Links and Services

The Services may contain links to, or enable Agents to interact with, third-party websites, services, and platforms. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services that your Agents interact with.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. If we make material changes, we will provide notice via email or through the Services at least 30 days before the changes take effect. Your continued use of the Services after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

12. Data Controller

Sinuous Development LLC is the data controller responsible for the processing of your personal data as described in this Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Sinuous Development LLC
Email: privacy@molten.live
Data Protection Inquiries: dpo@molten.live
Support: support@molten.live

For data subject access requests, please email privacy@molten.live or use the controls in your account settings.