Privacy Policy
Cantrip ("Cantrip," "we," "us," or "our") is operated by Austin King, a sole proprietorship based in Seattle, Washington, USA. This Privacy Policy describes how we collect, use, and share information when you use our website at cantrip.ai and related services (collectively, the "Service").
Contact: austin@cantrip.ai
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address
- Authentication credentials (managed by Clerk, our authentication provider)
- Billing information (managed by Stripe, our payment processor)
1.2 Usage Data
When you use the Service, we automatically collect:
- Commands and requests you send to the Service
- Credit consumption and transaction history
- Feature usage patterns and session duration
- Browser type, device information, and IP address
1.3 Cookies and Tracking
We use the following cookies and similar technologies:
- Authentication cookies (Clerk): Required to keep you signed in and manage your session. These are essential cookies and cannot be disabled.
- Session cookies: Required to maintain your session state while using the Service. These are essential cookies.
- Analytics cookies (PostHog): Used to understand how visitors interact with the Service, including page views, feature usage, and navigation patterns. You may opt out of analytics tracking via our cookie consent banner.
We do not use advertising cookies or sell data to advertisers.
1.4 Traces and Quality of Service Data
We retain traces of customer requests to support quality of service, debugging, and product improvement. All personally identifiable information (PII) is redacted from traces before storage. Traces contain only operational metadata such as request type, timing, credit cost, and anonymized error information.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process transactions and manage your credit balance
- Send transactional communications (account confirmations, billing receipts, service alerts)
- Monitor and enforce usage limits and rate limiting
- Analyze usage patterns to improve the Service (via anonymized analytics)
- Detect, prevent, and address fraud, abuse, and technical issues
- Comply with legal obligations
We do not use your data to train AI models. Your project data, specifications, and agent outputs belong to you.
3. How We Share Your Information
We share information only with the following third-party service providers, and only to the minimum extent required to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication and session management | Email, name, auth tokens |
| Stripe | Payment processing and billing | Billing details, transaction amounts |
| OpenMeter | Usage metering and billing analytics | Anonymized usage metadata. No project content or PII. |
| Unkey | Rate limiting and abuse prevention | API key identifiers, request counts. No project content or PII. |
| PostHog | Product analytics | Anonymized usage events, page views, device/browser info |
| AWS | Infrastructure (EC2, S3) | All Service data is hosted on AWS in the United States |
We do not sell, rent, or trade your personal information to third parties. We may disclose information if required by law, legal process, or to protect the rights, property, or safety of Cantrip, our users, or the public.
4. Data Storage and Security
- All customer data is stored in the United States on AWS infrastructure (EC2 and S3).
- We use encryption in transit (TLS/HTTPS) for all communications.
- Authentication is managed by Clerk with industry-standard security practices.
- Payment information is handled by Stripe and never touches our servers.
- PII is redacted from operational traces before storage.
While we implement reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
5. Data Ownership and Export
You own your data. All project data, specifications, agent outputs, and other content you create using the Service belongs to you.
You may request a full export of your data at any time by contacting us at austin@cantrip.ai. We will provide your data in a standard, machine-readable format within 30 days of your request.
6. Data Retention
- Account data: Retained while your account is active and for 90 days after account deletion.
- Usage and billing records: Retained for 7 years to comply with tax and financial reporting obligations.
- Traces (PII-redacted): Retained for 12 months, then automatically purged.
- Analytics data (PostHog): Retained for 24 months in anonymized form.
Upon account deletion, we will delete or anonymize your personal data within 90 days, except where retention is required by law.
7. Your Rights
All Users
You have the right to:
- Access your personal data
- Export your data in a machine-readable format
- Correct inaccurate personal data
- Delete your account and associated personal data
- Opt out of analytics tracking
To exercise any of these rights, contact us at austin@cantrip.ai.
Additional Rights for EU/EEA Residents (GDPR)
If you are located in the European Economic Area, you have additional rights under the GDPR:
- Lawful basis for processing: We process your data based on (a) contractual necessity, (b) legitimate interest, and (c) your consent (for analytics cookies).
- Data controller: Austin King, austin@cantrip.ai, Seattle, WA, USA.
- Right to restrict processing: You may request that we limit how we use your data.
- Right to data portability: You may request your data in a structured, commonly used format.
- Right to object: You may object to processing based on legitimate interest.
- Right to lodge a complaint: You may file a complaint with your local data protection authority.
We do not currently appoint a Data Protection Officer (DPO) or maintain an EU representative. As our EU user base grows, we will evaluate whether these appointments are required under GDPR Article 27.
Additional Rights for California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
8. Age Restrictions
The Service is intended for users aged 18 and older. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete it. If you believe a child under 13 has provided us with personal information, please contact us at austin@cantrip.ai.
9. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) or your explicit consent as the legal mechanism for data transfers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last Updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
For material changes that significantly affect your rights, we will provide at least 30 days' notice via email.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
Austin King
austin@cantrip.ai
Seattle, WA, USA