Legal

Privacy Policy

Last updated: [EFFECTIVE DATE]

This Privacy Policy describes how Actuator handles personal information in the hosted service at useactuator.ai (the "Service").

What we collect

  • Account data. The email address you sign in with, an optional display name, and the organizations and projects you belong to.
  • Authentication data. Hashed session tokens and magic-link tokens (we never store the raw values), plus a last_seen_at timestamp per session for audit purposes.
  • Configuration data. The feature flags, configs, segments, rules, and audit log entries you create while using the Service. This is your data; we host it on your behalf.
  • Server logs. Standard request logs (IP address, user agent, request path, status code, timing) for operating, debugging, and securing the Service. Retained for a limited period.

We do not collect contexts you submit to the /evaluate endpoint as personal data — those values are processed in memory to compute a result and are not stored beyond the audit log entries that name them by reference.

How we use it

  • To authenticate you and authorize requests.
  • To operate the Service, including evaluating rules and serving the dashboard.
  • To debug issues, prevent abuse, and respond to security incidents.
  • To send transactional email (magic-link sign-ins, invitations, billing if applicable).
  • To comply with legal obligations.

We do not sell your personal information. We do not use it to train third-party AI models.

Cookies

The Service sets a single first-party session cookie (actuator_session) after sign-in. It is HttpOnly, Secure, and SameSite=Lax, scoped to useactuator.ai. We do not use third-party advertising cookies or analytics that track you across sites.

Sharing and subprocessors

We use third-party providers to operate the Service. Categories include cloud hosting, transactional email, and error monitoring. These providers process personal information on our behalf and only as instructed. A current list of subprocessors is available on request from privacy@useactuator.ai.

Data retention

We retain account and configuration data for as long as your account is active. If you delete your account, we delete or anonymize the associated personal information within a reasonable period, except where retention is required by law or necessary for security and dispute resolution.

Server logs are retained for a limited period (typically 30–90 days) and then deleted on a rolling basis.

Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete the personal information we hold about you, and to object to or restrict certain processing. Contact privacy@useactuator.ai and we will respond within a reasonable timeframe.

Security

We use TLS for all network traffic, hash session and API tokens with industry-standard primitives, and isolate tenant data at the database level. No system is perfectly secure; report suspected vulnerabilities to security@useactuator.ai.

Children

The Service is not directed to children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children.

International transfers

The Service is operated from [REGION]. If you access it from elsewhere, your information will be transferred to and processed in the region where the Service runs.

Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page or by email to the address on file.

Contact

Questions or requests: privacy@useactuator.ai.