Contents
- Who we are
- Scope
- Information we collect
- How we use your information
- Data processing in AI agent operations
- How we share your information
- International data transfers
- Data retention
- Data security
- Your rights
- Cookies and tracking
- Children’s privacy
- Changes to this policy
- Complaints and supervisory authorities
- Contact us
- Governing law
1. Who we are
Persei Labs LLC ("Persei Labs," "we," "us," or "our") is a Wyoming limited liability company providing AI automation products and consulting services. Our flagship product is RustyClaw, an open-source operating system for AI agents.
- Website: https://perseilabs.com
- Email: [email protected]
- Registered address: Persei Labs LLC, c/o Northwest Registered Agent, 30 N Gould St Ste R, Sheridan, WY 82801
For privacy-related inquiries, contact: [email protected]
2. Scope
This Privacy Policy describes how we collect, use, process, and disclose your personal information when you:
- Visit our website at perseilabs.com
- Use or evaluate our products, including RustyClaw
- Engage our consulting services
- Communicate with us (email, support requests, inquiries)
- Subscribe to our newsletters or marketing communications
This policy applies to all visitors, clients, prospects, and other individuals whose personal data we process. If you are a client of our consulting services, additional terms specific to your engagement may apply under your service agreement.
We also describe your privacy rights under the General Data Protection Regulation (GDPR) for individuals in the European Economic Area, Switzerland, and the United Kingdom, and the California Consumer Privacy Act (CCPA/CPRA) for California residents, along with other applicable US state privacy laws.
3. Information we collect
3.1 Information you provide directly
| Category | Examples |
|---|---|
| Contact information | Name, email address, phone number, company name, job title |
| Account information | Username, password, billing address, payment information |
| Communications | Emails, support tickets, survey responses, feedback |
| Engagement data | Business requirements, workflows, and data shared during consulting engagements |
| Inquiry data | Information submitted through contact forms, demo requests, or sales inquiries |
3.2 Information collected automatically
When you visit our Site, we may automatically collect:
- Usage data: pages visited, time spent, referring URL, browser type, device type
- Analytics data: aggregated usage patterns via cookies and similar technologies (see Section 11)
- Log data: IP address, browser language, operating system, timestamps
3.4 Information we do not intentionally collect
- Special categories of data (health, biometric, political/religious beliefs, etc.)
- Children’s data (we do not target or knowingly collect information from individuals under 16)
- Financial account credentials beyond what is needed for billing
4. How we use your information
We use your personal information for the following purposes and on the following lawful bases (where GDPR applies):
4.1 Legitimate interests
| Purpose | Our legitimate interest |
|---|---|
| Providing consulting services and delivering automation products | Operating our business and fulfilling contractual obligations |
| Responding to inquiries and support requests | Serving our customers and prospects |
| Improving our Site, products, and services | Business improvement and product development |
| Security monitoring and fraud prevention | Protecting our systems, data, and users |
| Business development and outreach (where lawful) | Growing our business through legitimate marketing |
4.2 Contractual necessity
- Fulfilling our obligations under service agreements
- Processing payments and billing
- Delivering product access, updates, and support
4.3 Consent (where required)
- Sending marketing communications where consent is required by applicable law
- Setting non-essential cookies (see Section 11)
4.4 Legal obligation
- Complying with applicable laws, regulations, and legal process
- Responding to lawful requests from public authorities
5. Data processing in AI agent operations
A core part of our business involves operating AI agents (powered by RustyClaw) on behalf of clients. When we process data through AI agents as part of a consulting engagement:
- Data is isolated per client. Each engagement operates in a dedicated, isolated sandbox environment. One client’s data can never reach another client’s context or sandbox.
- Data is minimized. We process only the data necessary to deliver the agreed automation outcome. We do not collect or store data beyond what the engagement requires.
- No training on client data. Client data processed in the course of an engagement is never used to train, fine-tune, or improve our models or products without explicit, written client consent.
- Human oversight. AI agents operating on client data have bounded authority and operate under human supervision, per our AI Governance Policy.
- Agent disclosure. Where our AI agents interact directly with our clients or their customers, they will disclose that they are AI agents and offer a path to a human.
If you are a client and have specific questions about how your data is handled during an automation engagement, please contact us at [email protected].
6. How we share your information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We may share your information in the following limited circumstances:
6.1 Service providers
We engage trusted third-party service providers who process data on our behalf:
| Provider | Purpose | Data shared |
|---|---|---|
| Hostinger | Cloud hosting infrastructure | Server logs, encrypted data |
| Cloudflare | DNS, CDN, security | IP addresses, request metadata |
| GitHub | Code hosting, issue tracking | Account name, public profile (if applicable) |
| Stripe (or equivalent) | Payment processing | Transaction data (we do not store full card numbers) |
| Stalwart (self-hosted) | Email hosting and communications | Email addresses, message content |
All service providers are contractually bound to process data only as instructed by us and to maintain appropriate security measures.
6.2 Legal and compliance
We may disclose your information if required to do so by law, regulation, or legal process, or to protect our rights, property, or safety, or the rights, property, or safety of others.
6.3 Business transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
6.4 With your consent
We may share your information for other purposes with your explicit consent.
7. International data transfers
Persei Labs is based in the United States. Your personal information may be transferred to, stored, and processed in the United States and other jurisdictions where our service providers operate.
7.1 EU/UK users
If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom, we ensure appropriate safeguards are in place for international data transfers, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, where required
- Equivalent transfer mechanisms recognized under UK and Swiss law
- Data Processing Agreements (DPAs) with our service providers, as applicable
7.2 Adequacy decisions
Where we transfer data to jurisdictions that have not received an adequacy determination from the European Commission, we rely on SCCs or other approved transfer mechanisms to protect your data.
Contact us at [email protected] if you would like more information about the safeguards applied to your data in connection with international transfers.
8. Data retention
We retain your personal information only as long as necessary to fulfill the purposes described in this policy, or as required by law.
| Data type | Retention period |
|---|---|
| Client engagement data | Duration of engagement + 3 years (or as specified in your service agreement) |
| Contact/inquiry data | 2 years after last contact |
| Account information | Until account closure + 2 years |
| Payment records | 7 years (tax/accounting compliance) |
| Website analytics | 26 months (aggregated) |
| Marketing communications data | Until opt-out or 2 years of inactivity |
When retention is no longer necessary, we securely delete or anonymize your data.
9. Data security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption at rest and in transit (AES-256, TLS 1.2+)
- Per-client sandbox isolation for all consulting engagements
- Least-privilege access — data is accessible only to authorized agents and humans with a legitimate need
- Encrypted secrets vault (AES-256-GCM) with optional TOTP two-factor authentication
- Prompt injection detection (PromptGuard) and exfiltration prevention (LeakDetector)
- SSRF protection on all outbound requests
- Regular security audits and incident response procedures
- Access controls — production systems require multi-factor authentication
While no system is completely secure, we take reasonable precautions appropriate to the sensitivity of the data we process. In the event of a data breach affecting your personal information, we will notify you and relevant supervisory authorities as required by applicable law.
10. Your rights
10.1 GDPR rights (EEA, UK, Swiss residents)
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the following rights under the GDPR and equivalent legislation:
| Right | Description |
|---|---|
| Right of access | Request a copy of the personal data we hold about you |
| Right to rectification | Request correction of inaccurate or incomplete data |
| Right to erasure ("right to be forgotten") | Request deletion of your personal data, subject to legal retention obligations |
| Right to restrict processing | Request restriction of how we process your data |
| Right to data portability | Request a copy of your data in a structured, machine-readable format |
| Right to object | Object to processing based on legitimate interests or direct marketing |
| Right to withdraw consent | Withdraw consent at any time where processing is based on consent |
10.2 CCPA/CPRA rights (California residents)
If you are a resident of California, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
| Right | Description |
|---|---|
| Right to know | Request disclosure of the categories and specific pieces of personal information we have collected about you |
| Right to delete | Request deletion of personal information we have collected, subject to exceptions |
| Right to correct | Request correction of inaccurate personal information |
| Right to opt-out of sale/sharing | We do not sell personal information or share it for cross-context behavioral advertising |
| Right to limit use of sensitive data | We do not process sensitive personal information for purposes beyond those authorized by the CCPA |
| Right to non-discrimination | We will not discriminate against you for exercising any of your CCPA rights |
Notice of financial incentive
We do not offer financial incentives tied to the collection of personal information.
Categories of personal information collected and disclosed in the past 12 months
| Category | Collected? | Disclosed for business purpose? | Sold? |
|---|---|---|---|
| Identifiers (name, email, IP address) | Yes | Yes (to service providers) | No |
| Commercial information (transaction history) | Yes | Yes (to payment processors) | No |
| Professional/employment information | Yes | No | No |
| Internet/electronic activity | Yes | Yes (analytics providers) | No |
| Geolocation data (IP-based) | Yes | Yes (hosting provider) | No |
| Inferences drawn from above | Limited | No | No |
| Sensitive personal information | No | N/A | N/A |
10.3 Other US state law rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Texas (TDPSA), Oregon (ODPA), Montana (MCDPA), Delaware (DPDPA), Tennessee (TIPA), and other applicable states may have similar rights to access, correct, delete, and opt out of certain data processing. To exercise these rights, please contact us using the information below.
10.4 Exercising your rights
To exercise any of these rights, please contact us at:
Email: [email protected]
We will respond to your request within the timeframes required by applicable law (generally 30–45 days, extendable as permitted). We may need to verify your identity before processing your request. Verification may require matching identifying information you provide against information we already hold.
Verification process: For access or deletion requests, we may ask you to provide your name, email address, and details about your relationship with us (e.g., client, website visitor) to verify your identity. If we are unable to verify your identity with the information provided, we may request additional information, or deny the request as permitted by law.
Authorized agent: You may designate an authorized agent to make a request on your behalf. We will require the agent to provide proof of your written authorization and verify their identity.
Appeals: If we decline to take action on your request, you may appeal our decision by replying to our response. If your appeal is denied, you may have the right to file a complaint with your state attorney general or data protection authority (see Section 14).
11. Cookies and tracking
11.1 What we use
We use cookies and similar tracking technologies on our Site for the following purposes:
| Type | Purpose | Persistence |
|---|---|---|
| Essential cookies | Site functionality, security, session management | Session or persistent |
| Analytics cookies | Understanding Site usage and performance | Persistent (up to 26 months) |
| Preference cookies | Remembering your settings and choices | Persistent |
11.2 Your choices
On your first visit to our Site, we will present you with a cookie consent notice. You may accept all cookies, decline non-essential cookies, or customize your preferences.
You can also control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that blocking essential cookies may affect Site functionality.
11.3 Do Not Track
Our Site does not currently respond to Do Not Track (DNT) browser signals, as there is no uniform standard for interpreting such signals. However, you may control tracking through your browser settings and our cookie preference tools.
12. Children’s privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy
- Notify clients via email (if you have an account or engagement with us)
- Post a notice on our website
We encourage you to review this policy periodically.
14. Complaints and supervisory authorities
14.1 GDPR
If you are in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority. Contact details for EEA data protection authorities are available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
If you are in the UK, you may lodge a complaint with the Information Commissioner’s Office (ICO): https://ico.org.uk
If you are in Switzerland, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch
14.2 United States
If you are a California resident and believe your privacy rights have been violated, you may file a complaint with the California Privacy Protection Agency (CPPA): https://cppa.ca.gov
15. Contact us
| [email protected] | |
| Mailing address | Persei Labs LLC, 30 N Gould St Ste R, Sheridan, WY 82801 |
| Response time | We aim to respond within 10 business days |
16. Governing law
This Privacy Policy is governed by the laws of the State of Wyoming, United States, without regard to its conflict of laws principles. However, where applicable data protection law provides you with greater rights, those rights shall prevail.
This policy is a living document. It will be reviewed and updated as our business evolves and as privacy regulations develop.