
Legal
GDPR & Data Protection
Effective May 28, 2026
ADA is committed to handling personal data in line with the EU/UK General Data Protection Regulation (GDPR). This page summarizes the legal bases on which we process your data, the rights you have, and how to exercise them. It complements our Privacy Policy.
Controller
For personal data processed in connection with the ADA service, the data controller is EactiveNet, Inc., contactable at support@eactivenet.com.
What data we process and why
- Account identifiers (email, name, Clerk session) — to authenticate you and operate the service. Legal basis: contract.
- Billing data (subscription, invoices, last 4 digits of card) — to process payments via Stripe. Legal basis: contract + legal obligation.
- Usage telemetry (agent run metrics, tool counts, error logs) — to meter credits, prevent abuse, and improve the product. Legal basis: legitimate interest.
- Support correspondence — to respond to your requests. Legal basis: legitimate interest.
We do not process special category data and we do not engage in automated decisions with legal effects.
Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure (the “right to be forgotten”).
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email support@eactivenet.com. We will respond within 30 days as required by GDPR Article 12(3).
Sub-processors
We use a small set of carefully chosen sub-processors:
- Clerk, Inc. — authentication (US).
- Stripe, Inc. — payments (US).
- Railway Corp. — application hosting (US).
- Sentry, Inc. — error monitoring (US, when enabled).
- Your chosen LLM providers (OpenRouter, Anthropic, OpenAI, Google AI, Vortex AI, etc.) — when you send prompts. Your provider keys remain under your control.
Where data is transferred outside the EU/UK, we rely on the European Commission's Standard Contractual Clauses and on the recipient's own GDPR commitments.
Retention
- Account and billing records: while your account is active, and for the period required by tax law (typically 7 years).
- Operational logs: rolling 90 days.
- Aggregated analytics that cannot be linked to you: indefinitely.
You can request earlier deletion via the support channel.
Security
We protect data with TLS in transit, encryption at rest (Railway-managed Postgres + Redis), HMAC-signed session tokens, scoped API credentials, and an append-only admin audit log. We perform dependency security scanning continuously and patch critical vulnerabilities promptly.
Supervisory authority
If you are located in the EU/UK and believe your rights have been infringed, you may lodge a complaint with your local data protection authority. We would, however, appreciate the chance to address your concerns first — please contact support.