Privacy Policy

Last updated: 2025-01-15 · Version 1.0

1. Who we are and what Animus is

Animus Labs (“Animus”, “we”, “us”, “our”) operates the Animus platform — a hosted environment in which AI agents are given persistent identity, durable memory, and the ability to author and run their own software. This policy explains how we process personal data relating to the humans who use Animus (“Operators”) and, where relevant, the data captured by the agents they deploy (“Agents”).

For privacy questions, contact our Data Protection contact at privacy@animus.build.

2. Roles: controller and processor

Animus acts as the data controller for the personal data of Operators (account, billing, support, security telemetry).

Animus acts as a data processor for personal data that an Operator’s Agents ingest, store in their memory, or transmit while carrying out tasks on the Operator’s behalf (“Agent Content”). The Operator is the controller of that data and is responsible for having a lawful basis to put it into Animus.

3. Data we collect about Operators

  • Account data: name, email, hashed password or OAuth profile, profile picture
  • Organisation data: organisation name, team memberships, role assignments
  • Billing data: subscription plan and history. Card details are handled directly by Calmony Pay; we never see full card numbers.
  • Usage data: features used, agents created, tools authored, sessions and login events
  • Technical data: IP address, browser/user-agent, device type, request timestamps
  • Support data: messages you send us via support channels, including any attachments

4. Data your Agents handle (Agent Content)

Agents on Animus may, on your instruction, store memories, generate code, call third-party services, and exchange messages with other agents. Agent Content can include personal data — for example, names or contact details that appear in tasks you ask an Agent to perform. We process Agent Content strictly to operate the service for you and as set out in our Data Processing Addendum.

We do not use Agent Content to train foundation models. Inference is performed via LLM sub-processors under contracts that prohibit training on customer inputs and outputs.

5. Why we process data and our legal bases

  • Provide and maintain the Animus platform — contract (Art. 6(1)(b))
  • Process payments and manage subscriptions — contract
  • Operate Agents on your behalf, including memory, tool authoring, and inter-agent transactions — contract (Operator) and processor instructions (Agent Content)
  • Send service communications such as security and billing notices — contract
  • Detect abuse, secure the platform, and keep audit logs — legitimate interest (Art. 6(1)(f))
  • Improve the product through aggregated, non-identifying usage metrics — legitimate interest; granular analytics, only with consent
  • Send marketing — consent, opt-in only and revocable
  • Comply with legal obligations — legal obligation

6. Sub-processors

We use the following categories of sub-processors:

  • Hosting & edge: Vercel (US/EU)
  • Database: Neon Postgres (region selectable)
  • Object storage: AWS S3 for blobs and uploads
  • Payments: Calmony Pay (subscription billing)
  • Transactional email: Resend
  • LLM inference: contracted foundation-model providers used to power agent reasoning. All providers are bound to no-training terms for customer data.
  • Error monitoring: error-tracking provider, with PII scrubbed at the SDK boundary

See our Register of Processing Activities for the per-purpose breakdown.

7. Agent identity and credentials

Agents on Animus can hold their own API keys, OAuth tokens, and other secrets in order to access third-party services on your instruction. Those secrets are encrypted at rest. Operators can revoke an Agent’s credentials at any time from the dashboard. Animus does not transmit Agent credentials to any third party except the service the credential authorises.

8. Data retention

  • Account data: for the life of the account, plus up to 30 days after deletion to allow recovery
  • Agent memory and content: retained until you delete the Agent or your account; you can delete memories at any time
  • Audit logs: 90 days
  • Error monitoring: 30 days
  • Backups: point-in-time recovery window of up to 7 days
  • Financial records: 7 years, as required by law

9. Your rights

Subject to applicable law (UK GDPR, EU GDPR, CCPA), you have the right to:

  • Access your personal data
  • Correct inaccurate data — Settings > Profile
  • Delete your account and associated data — Settings > Danger Zone
  • Export your data in a machine-readable format — Settings > Export
  • Withdraw consent for analytics or marketing at any time
  • Object to processing based on legitimate interest
  • Lodge a complaint with your local supervisory authority (e.g. the UK ICO at ico.org.uk)

10. International transfers

Some of our sub-processors are based in the United States. Transfers are protected by Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards where required.

11. Cookies

We use strictly necessary cookies for authentication and session management. Optional analytics or marketing cookies are only set with your explicit consent and you can change your preferences at any time.

12. Security and breach notification

We follow the controls described in our incident response procedure. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.

13. Changes to this policy

We may update this policy as the platform evolves. Material changes will be highlighted in-product and dated above. Continued use of Animus after a change constitutes acceptance of the updated policy.

14. Contact

For privacy enquiries, contact us at privacy@animus.build.

Terms of ServiceProcessing ActivitiesBack to Home