Privacy Policy
This Privacy Policy explains how PaxLabs ("we," "us," or "our") collects, uses, processes, and protects your personal data when you use the Matrix AI agent platform.
Effective date: June 18, 2025
1. Data Controller
PaxLabs is the data controller responsible for your personal data. For questions about data protection or to exercise your rights, contact our Data Protection Officer at dpo@paxlabs.com.
2. Types of Data Collected
2.1 Account and Identity Data
- Email address
- Authentication credentials (hashed passwords, OAuth tokens)
- Account creation timestamp
- Subscription tier and billing status
2.2 Usage and Technical Data
- IP address (for routing and security; not stored long-term)
- User agent string and browser type
- Session timestamps and duration
- Feature usage metrics (anonymized and aggregated)
- Error logs and system performance data
2.3 Content Data (Within Your Environment)
The following data resides within your dedicated virtual machine and is not transmitted to shared PaxLabs infrastructure:
- Conversations with the agent
- Files uploaded, created, or modified by the agent
- Cortex memory (agent's persistent context about you)
- Code executed in the sandbox
- Agent tool outputs and intermediate results
2.4 Blockchain and Financial Data
- Wallet addresses you authorize the agent to interact with
- Transaction hashes for operations you approve via core_execute
- On-chain data is publicly visible on the Paxeer network and not controlled by PaxLabs
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Contract performance (Art. 6(1)(b) GDPR) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f) GDPR) |
| Service improvement (anonymized analytics) | Legitimate interest (Art. 6(1)(f) GDPR) |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
4. Data Processing and Storage
4.1 Where Data is Stored
Your dedicated VM environment runs on infrastructure operated by Fly.io in regions selected for optimal performance. Account and billing data is stored on secure servers in the United States and European Union.
4.2 Data Transfers
When we transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions, to ensure appropriate safeguards.
4.3 Security Measures
We implement technical and organizational measures including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Isolated VM environments per user
- Role-based access controls for PaxLabs personnel
- Regular security audits and penetration testing
- Incident response procedures with 24-hour notification for breaches
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| VM environment (conversations, files, Cortex) | Duration of account; destroyed within 30 days of deletion |
| Usage logs (anonymized) | 24 months for service improvement |
| Billing records | 7 years (tax compliance) |
| Security logs | 12 months |
| Blockchain transactions | Permanent (public ledger, not controlled by PaxLabs) |
6. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request that we limit processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise these rights, contact dpo@paxlabs.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
7. Cookies and Tracking
7.1 Essential Cookies
We use essential cookies and local storage to:
- Maintain your authenticated session
- Remember your preferences (e.g., theme, language)
- Route messages to your dedicated VM
These are strictly necessary for the Service to function and cannot be disabled.
7.2 Analytics
We use privacy-focused analytics that do not track you across websites or build advertising profiles. Analytics data is anonymized and aggregated.
7.3 No Third-Party Advertising
We do not use third-party advertising cookies, ad networks, or cross-site tracking. We do not sell your data to advertisers.
8. Children's Privacy
The Service is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the platform or email at least 30 days before taking effect. Your continued use of the Service after changes take effect constitutes acceptance.
10. Contact Us
For privacy-related questions, data requests, or complaints:
- Data Protection Officer: dpo@paxlabs.com
- General privacy inquiries: privacy@paxlabs.com
- Security concerns: security@paxlabs.com