Privacy Policy

The short version

We see as little of your data as possible — by design.

  • Your Anthropic API key is yours. We never proxy your AI calls. Tokens are billed directly to your Anthropic account. We can't see your billing.
  • Your code stays in your repositories. Fragua uses a GitHub App with short-lived, per-request tokens — nothing persistent, nothing exfiltrated.
  • We don't train on your data. Anthropic's commercial API terms govern AI training; we never copy your conversations or code into another model.
  • Encryption isn't optional. Sensitive data is encrypted at rest with AES-256-GCM. TLS 1.3 in transit. Operator actions that touch your account are logged and available on request.

The full policy follows. We've kept it specific and plain rather than padded with legal boilerplate. If you find something unclear, please email us — see Contact.

Who we are

Fragua is operated by Maquina, the team behind maquina.app. The product runs at fragua.app.

For data-protection purposes:

  • Data Controller: when you create a Fragua account, we are the controller of your account information (name, email, billing details).
  • Data Processor: when Fragua processes content you create within the product (workspace artifacts, agent run events, code), we act as a processor on your behalf.

For privacy questions, contact us at [email protected]. See Contact for the full mailing address.

What we collect

We try to collect as little as we need to operate the product. Here's the complete list:

From you, when you sign up

  • Your email address (required, used as your login identifier)
  • Your name (optional, displayed alongside your account)
  • The reason you submitted in your access-request form (used to evaluate your beta application)

From you, while you use Fragua

  • Workspace data you create: research synthesis, plans, feature specs, task descriptions
  • Agent run events (every NDJSON event the AI agent emits during a run)
  • Cost data (token counts and computed dollar amounts per run)
  • Settings you configure (timezone, locale, notification preferences)
  • Your Anthropic API key (encrypted at rest — see Your Anthropic API key)
  • Your GitHub App installation ID (used to mint short-lived tokens — see Your GitHub data)

Automatically, from your browser

  • IP address (for security: rate limiting, abuse detection, geolocation for tax purposes)
  • Browser user agent (to render appropriate UI and debug compatibility issues)
  • Pages you visit on fragua.app (counted in aggregate via self-hosted analytics — see Cookies & analytics)

From your billing

  • Billing contact name, email, and address (used for invoicing)
  • Payment method details (held by our payment processor — we never see your full card number)

That's everything. We don't collect device fingerprints, advertising identifiers, biometric data, location coordinates beyond IP-based country, or browsing history outside of our own site.

How we use it

We process the data above only for the following purposes:

  • To provide the product: store your workspaces, run agents on your behalf, surface cost dashboards, send transactional emails.
  • To bill you: process your subscription payment, send invoices, comply with tax obligations.
  • To keep the product secure: detect abuse, enforce rate limits, investigate suspicious activity, respond to security incidents.
  • To comply with legal obligations: respond to lawful government requests, retain records required by tax or commercial law.
  • To improve the product: aggregated, anonymized usage data only — counts and patterns, never the contents of your specs or runs.

What we never do: we don't sell your data, share it with advertisers, use it to train AI models, or read the contents of your workspaces beyond what's strictly necessary to deliver the product.

Who we share it with

We share your data only with the sub-processors listed below. Each is bound by a Data Processing Addendum and is GDPR-compliant. We don't share your data with anyone else — no advertisers, data brokers, marketing partners, or "trusted third parties."

  • Anthropic, PBC — AI model provider. Direct connection from Fragua to Anthropic using your API key. United States.
  • GitHub, Inc. — Code hosting. GitHub App with per-Account installation; tokens are minted per-request and never stored beyond the request lifetime. United States.
  • Resend, Inc. — Transactional email. Email addresses and message content for sign-in codes and member invites. United States.
  • Cloudflare, Inc. — R2 storage for encrypted SQLite database backups via Litestream. Backups are encrypted before they leave our server.
  • Stripe, Inc. — Payment processing for paid plans. Billing contact and payment method only.

We will give you 30 days' advance notice (via email and an updated version of this policy) before adding any new sub-processor. We do not use Google Analytics, Facebook Pixel, Hotjar, or any other behavior-tracking or session-recording tools.

Your Anthropic API key

Fragua operates on a Bring Your Own Key (BYOK) model. You provide your own Anthropic API key, and we use it to call Claude on your behalf when an agent runs.

  • We don't proxy your AI calls. When an agent runs, your Fragua server connects directly to Anthropic's API using your key.
  • You pay Anthropic directly. Token charges accrue against your Anthropic account, not ours.
  • Your key is encrypted at rest. Rails 8 native encryption (AES-256-GCM).
  • Your key is never logged. Application logs are scrubbed of API keys before being persisted.
  • You can rotate or remove your key at any time. Account settings → API key.
  • Anthropic's terms apply to your usage. See Anthropic's Commercial Terms of Service and Privacy Policy.

Your GitHub data

Fragua connects to GitHub via a GitHub App with per-Account installation:

  • Permissions are scoped to the repositories you choose when you install the app.
  • Tokens are short-lived. Each GitHub API call uses a freshly-minted installation token that's discarded after the request.
  • Code we read is not stored centrally. After the run completes, the working directory stays on the Fragua server but is not transmitted off it.
  • We only push what the agent generates. Branch pushes, commit messages, and PR descriptions are recorded in the agent run log.
  • You can revoke at any time from GitHub Settings → Applications, or from Fragua's Account settings.

AI training

We never use your data to train AI models. Not to fine-tune Claude, not to train another model, not to build a custom embedding index. Your specs, your code, your run history — all stay in your account.

When your agent runs make API calls to Anthropic using your key, Anthropic's training-data policy applies. Under Anthropic's commercial terms, Anthropic does not use your prompts or completions to train its models.

How long we keep it

  • Your account and workspace data: as long as your account is active, plus a 30-day grace period after Account closure.
  • Authentication sessions: 30 days from the last sign-in. Expired sessions are deleted nightly.
  • Email verification codes: 15 minutes from creation, then deleted automatically.
  • Application logs: 30 days, then automatically purged.
  • Encrypted database backups: 30 days of point-in-time backups via Litestream → Cloudflare R2.
  • Billing records: 7 years, as required by tax law in our jurisdiction.
  • Operator audit log: retained for the life of the Account plus 30 days.

Security

  • Encryption in transit: TLS 1.3 for all connections. HSTS enabled.
  • Encryption at rest: Rails 8 native encryption (AES-256-GCM) for sensitive fields.
  • Multi-tenant isolation: every database query is scoped to your Account; cross-Account leakage is the failure mode we treat most seriously.
  • Three-role authorization: viewer, member, and admin separate read access from write access from settings management.
  • Rate limiting: sign-up, sign-in, and verification endpoints are rate-limited.
  • Operator audit log: any operator access to your Account data is recorded.
  • Dependency monitoring: bundle audit and Brakeman on every commit.

Breach notification: if we have reason to believe your data has been accessed by an unauthorized party, we will notify you within 72 hours.

Your rights

You have the following rights with respect to your data, regardless of where you live:

  • Access: download a copy of all data associated with your account. Account settings → Data export.
  • Correction: edit your name, email, timezone, and other profile data directly in account settings.
  • Deletion: close your Account at any time. Account settings → Close account.
  • Portability: data export is in standard formats (JSON, Markdown, Git).
  • Objection: object to specific processing activities by emailing [email protected].
  • Restriction: ask us to suspend processing while we investigate a concern.
  • Right to lodge a complaint with your local data-protection authority.

Cookies & analytics

Fragua uses the smallest possible set of cookies. We don't use any third-party tracking cookies or advertising cookies.

  • Session cookie (_fragua_session): required to keep you signed in. Encrypted and HTTP-only.
  • Locale preference (fragua_locale): remembers your language preference. Optional.
  • Theme preference (fragua_theme): remembers dark or light mode. Optional.
  • Access request acknowledgement (fragua_access_request): keeps the request-access form from re-appearing after you submit. Signed, HTTP-only.

Analytics: Plausible Analytics in a self-hosted configuration. Plausible doesn't use cookies, doesn't fingerprint visitors, and doesn't transmit data to any third party.

Changes to this policy

We update this policy when our practices change. The current version is dated at the top of this page.

For material changes (new sub-processors, new data categories, changes to retention or sharing) we'll notify you at least 30 days in advance via email and a banner on the product. For non-material changes (typo fixes, clarifications) we'll update the policy without prior notice.

Contact

For privacy questions, requests to exercise your rights, or anything else covered by this policy:

We aim to respond within 5 business days for general inquiries and 30 days for formal data-rights requests.