Privacy Policy

Effective: May 13, 2026 · Last updated: May 17, 2026

Short version. BeagleLathe runs on your machine. Your code, prompts, shell output, and git history never leave it. Our backend sees your email address (for login), a monthly counter of how many times you used the plugin, and routine request metadata. That’s it. We don’t sell your data, we don’t run ads, and we don’t build profiles.

1. Information we collect

1.1 Account information

When you create a BeagleLathe account, we collect your email address. We use email magic links for authentication. We never store a password. When you sign in, we generate a one-time magic-link token with a 15-minute lifetime; when you click it, we issue a JSON Web Token (JWT) with a 24-hour lifetime that the plugin uses to authenticate subsequent requests.

1.2 Usage information

Each time the plugin runs one of its tools, it sends an authenticated heartbeat to our backend that increments a monthly counter against your account. The heartbeat does not include the tool name, its arguments, its output, your files, your prompts, or any other content from your machine. We use the counter only to enforce your monthly quota and to display usage in your account view.

1.3 Request metadata

Our backend records standard server logs for each request: a timestamp, the API path, an HTTP status code, the Cloudflare-forwarded client IP, and the user-agent string. We retain these logs for 30 days for security, debugging, and abuse prevention.

1.4 Payment information

If you subscribe to Pro, Stripe processes your payment. Stripe stores your card details under its own privacy policy; we never see or store your card number, CVC, or full bank details. We retain only the Stripe customer and subscription identifiers needed to associate your account with your plan.

1.5 Communications

If you contact us by email, we retain your message and any personal information you include for up to two years so that we can respond and follow up. We do not retain support email beyond that period unless required by law.

1.6 What we do not collect

We do not process sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, biometric data, health information, or sexual orientation. We do not collect personal information from third-party data brokers, social media platforms, or public databases. Any personal information you provide to us should be true, complete, and accurate; please notify us of any changes.

2. What stays on your machine

BeagleLathe is designed so that we are not a processor of your code, prompts, or working output. The following information is read, computed, and stored locally on the machine where you installed the plugin, and is never transmitted to our servers:

  • Source files, edits, and search results.
  • Shell command input and output.
  • Test, lint, and typecheck results.
  • Git history, diffs, and commit messages.
  • The local savings-counter database at ~/.beaglelathe/state.db.
  • Anthropic API requests and responses, which travel directly between your Claude Code installation and Anthropic. They never pass through our backend.

3. How we use information

We use the information we collect to:

  • Authenticate you and issue session tokens so the plugin can identify your account.
  • Enforce your monthly tool-call quota and surface upgrade prompts when you exceed it.
  • Bill you for the Pro plan if you have one, and provide receipts.
  • Send you transactional email related to your account (magic links, billing receipts, security notices, material policy changes).
  • Operate, debug, and secure the Service.

We do not sell your information. We do not run advertising. We do not build advertising or marketing profiles. We do not share your information with data brokers.

4. Where your data lives

We host the BeagleLathe API and its Postgres database on Fly.io in the United States. The marketing site at beaglelathe.dev is served from Cloudflare Pages, and Cloudflare provides DNS and CDN for our domains. Transactional email (including magic links and billing receipts) is sent through Resend.

Each of these providers acts as a subprocessor and processes data subject to its own security and privacy commitments. We choose providers that publish their security posture and offer data-protection terms appropriate for the data we share with them.

5. Sharing

We share your information only with the subprocessors named above, only to the extent necessary to operate the Service, and only as required by law (for example, in response to a valid legal process). We do not share your information with advertisers, data brokers, or other third parties for their own purposes.

Business transfers. If we are involved in a merger, acquisition, financing, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your information becomes subject to a different privacy policy.

6. Security

We apply standard production controls, including TLS in transit, encrypted storage at rest, scoped database access, and JWT revocation on subscription changes. We rotate signing keys on a defined schedule and apply security patches to our infrastructure promptly. No system is perfectly secure; we offer the Service “as is” and ask that you report anything that looks wrong to [email protected].

7. Your rights

7.1 Deleting your account

You can delete your account at any time by emailing [email protected] from the address on file. Within 30 days we remove your account record (email, authentication tokens, and monthly usage counters) from our production systems. Backups containing your record age out within 35 days of deletion. If you are a Pro subscriber, Stripe retains billing records under its own retention rules; we keep only the identifiers required for tax and accounting purposes.

7.2 Accessing and correcting your data

The only personal data we hold about you is your email address (and, if you are a Pro subscriber, Stripe billing identifiers and your current plan status). You can review or correct it by emailing [email protected]. We will respond within 30 days.

7.3 EEA, UK, and California residents

If you are in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases: contract (to provide the Service you signed up for, including authentication, quota enforcement, and billing); legitimate interests (to keep the Service secure and prevent abuse); legal obligation (to comply with applicable tax and accounting law); and consent (where we ask for it, for example for optional communications). You may withdraw consent at any time by contacting us; this does not affect the lawfulness of processing before withdrawal.

If you live in the European Economic Area, the United Kingdom, or California, you may have additional rights under the GDPR, the UK GDPR, or the CCPA, including the right to access, port, restrict, or object to certain processing of your personal data, and the right to lodge a complaint with your local supervisory authority. Contact us at [email protected] and we will honor your request to the extent the applicable law requires.

8. Children

BeagleLathe is not directed to children. You must be at least 13 years old (16 in the EEA and the UK) to create an account. If we learn that we have collected information from a child below the applicable age, we will delete it.

9. Cookies, tracking, and Do-Not-Track

The marketing site at beaglelathe.dev does not use cookies, analytics, or tracking pixels. The API issues a short-lived JWT that the plugin stores locally to authenticate subsequent requests; the JWT is not a browser cookie and is not used to track you across sites.

Most browsers include a Do-Not-Track (“DNT”) setting. Because we do not use tracking cookies or behavioral advertising, a DNT signal has no practical effect on how we operate. We do not otherwise respond to DNT signals at this time. If a binding DNT standard is adopted that we are required to follow, we will update this section.

10. International transfers

Our infrastructure is in the United States. If you use BeagleLathe from outside the US, you understand that your information will be transferred to and processed in the US. Where required, we rely on appropriate transfer mechanisms (for example, the EU Standard Contractual Clauses) with our subprocessors.

11. Retention

We retain your account record for as long as your account is active. We retain request logs for 30 days. We retain Stripe billing identifiers for as long as required for tax and accounting purposes (typically seven years). When you delete your account, we follow the timelines described in section 7.1.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we update the “Last updated” date at the top of this page. If a change is material, we will notify you by email or in-product before it takes effect.

13. Contact

BeagleLathe is operated by The Groove Salad. Questions about this policy, or about your data, should go to [email protected].