Privacy Policy

Last updated: May 17, 2026

This Privacy Policy explains how Pax Kalidica Holdings LLC dba Chitin Security ("Chitin," "we," "us," or "our") collects, uses, and protects information when you use Chitin websites, dashboards, APIs, plugins, marketplace, and related services.

Information we collect

We collect information you provide directly, including:

  • Account information such as name, email address, password hash, tier, support code, and account settings.
  • Billing-related information handled through Stripe, such as customer identifiers, subscription state, checkout events, and payment status. We do not store full payment card numbers.
  • Support, security-report, and review-request messages you send to us.

We also collect service information needed to operate Chitin:

  • Skill and agent metadata, including skill slug, version hash, status, permissions, revocations, scan summaries, and installed agent instances.
  • Plugin activity logs and security events, such as install checks, blocked tool calls, approvals, revocation events, and threat signals.
  • Behavior-deviation telemetry for Shield accounts, limited to normalized security facts such as tool family, domain category, path class, environment-variable class, command family, version hash, and event outcome.
  • Basic request metadata such as IP address, user agent, timestamps, API route, and authentication outcome.

Sensitive content and secrets

Chitin is designed to minimize sensitive content collection. Runtime behavior telemetry does not require raw prompts, file contents, command output, or secrets. The plugin may inspect local activity to enforce permissions and detect threats, but the default dashboard sync path is scoped to security metadata and normalized event details. Routine cloud activity logging rejects raw diagnostic fields such as raw tool parameters, command snippets, request or response bodies, headers, tokens, credentials, and command output.

Some user-configured diagnostic modes, local logs, support submissions, security reports, or review requests may include additional details that you or your agent provide. Avoid submitting secrets, private keys, recovery phrases, payment credentials, or other sensitive content unless it is necessary for support or security review.

API keys generated by Chitin are stored as hashes plus a short prefix. The full key is shown only when it is created or regenerated.

How we use information

  • Provide, secure, and improve the Chitin service.
  • Authenticate users, enforce subscription tiers, and manage API keys.
  • Verify skills, distribute revocations, enforce permissions, and detect suspicious behavior.
  • Process subscriptions, invoices, checkout sessions, and support requests.
  • Investigate abuse, fraud, security incidents, and policy violations.
  • Comply with legal, accounting, tax, and regulatory obligations.

How we share information

We may share information with:

  • Service providers that host, store, monitor, authenticate, process payments, or help operate Chitin.
  • Stripe for payments, subscriptions, billing portals, and webhook processing.
  • Security, infrastructure, and analytics providers used to detect abuse and keep the service reliable.
  • Authorities, legal advisors, or affected parties when required by law or necessary to protect rights, safety, and security.
  • A successor organization in connection with a merger, financing, acquisition, reorganization, or asset transfer.

We do not sell personal information. We do not use normalized security telemetry to train third-party advertising profiles.

Retention

We keep account, billing, and security records for as long as needed to provide the service, meet legal obligations, resolve disputes, and enforce agreements. Routine activity logs, threat signals, and stale agent instances are subject to the retention process described in our product documentation, currently targeting a 90-day window for operational telemetry unless a longer period is needed for security, legal, or billing reasons.

Your choices and rights

  • You may update account information in the dashboard where supported.
  • You may regenerate API keys from the dashboard.
  • You may request account deletion or data access by contacting support.
  • If you are in a jurisdiction with specific privacy rights, you may request access, deletion, correction, portability, objection, or restriction as applicable.

California residents may have rights to know, delete, correct, opt out of certain sharing or sale, limit sensitive personal information use, and avoid discrimination for exercising privacy rights, when those laws apply to Chitin. We do not sell personal information.

Security

We use administrative, technical, and organizational safeguards designed to protect information, including hashed API keys, session cookie protections, scoped access controls, request-size limits, Stripe webhook signature verification, and production monitoring. No security program can guarantee absolute protection.

International use

Chitin is operated from the United States. If you use the service from outside the United States, your information may be processed in the United States or other countries where our providers operate.

Children

Chitin is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

Changes

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify users, such as by posting a notice in the service or updating the date above.

Contact

Privacy questions and requests can be sent to support@chitinsec.com. Security reports can be sent to security@chitinsec.com.