Privacy Policy
This Privacy Policy describes what information ProgressPals (“we”, “us”, or “our”) collects when you use our Service, how we use it, who we share it with, and what rights you have. Read this together with our Terms of Service.
Effective date: May 19, 2026.
Last updated: May 19, 2026.
1. Summary (TL;DR)
Here is what matters in plain language. The rest of this document is the formal version.
- What we collect: the email address you sign up with, basic account metadata (when you signed up, when you confirmed your email, whether your account is active), the swarms you create, the invite tokens you mint and their state (active / revoked / expired / used), and the cryptographic peer IDs of users who have redeemed an invite to one of your swarms. We also collect server logs from our hosting provider (which include IP addresses) for security and debugging.
- What we do not collect: your prompts, your model outputs, the activations that flow between peers, the model weights themselves, your swarm’s shared secret, your CLI’s identity private key, or the contents of any peer-to-peer communication. None of these ever touch our servers. They live on your hardware and the hardware of the peers you invite.
- Who we share it with: only with the third-party services we use to operate the Service (Supabase, Vercel, Resend, GitHub for the source code), and when we are compelled to by law.
- Your rights: you can request access, correction, or deletion of your account and the associated data at any time.
2. Information We Collect
2.1. Information you give us directly
- Email address — required to create an account. Used to send confirmation emails, password-reset emails, and (rarely) operational notices.
- Password — never stored in cleartext. Hashed and stored by our authentication provider (Supabase Auth) following industry-standard practice. We never see your password.
- Swarm names and optional notes on invites — the human-readable labels you choose for your swarms and any free-text notes you attach to an invite (e.g., “alice’s laptop”).
2.2. Information generated by your use of the Service
- Account record — a unique user UUID, account creation timestamp, email-confirmation timestamp, last-sign-in timestamp.
- Swarm metadata — each swarm you create generates a record with: a UUID for the swarm, the swarm name you chose, the user UUID of the owner (you), the creation timestamp, and a base64-encoded swarm shared secret (used by the redeem-invite RPC to deliver it to peers; the secret itself is generated client-side on your machine and uploaded to our backend so we can hand it to peers who redeem valid invites).
- Invite tokens — each invite you mint generates a record with: the invite token string, the swarm UUID it belongs to, creation / expiration / revocation timestamps, the max-uses count, and the currently-used count.
- Peer records — when someone redeems an invite to one of your swarms, we record their cryptographic libp2p peer ID, the invite token they used, the time they redeemed, and (optionally) the peer-credential token we issued them. We do not record their email or any other PII for joiners — peer ID is a public hash of their machine’s keypair, not a personal identifier in the traditional sense.
2.3. Information collected automatically by our infrastructure
- Server access logs — our hosting provider (Vercel) records standard HTTP access logs containing IP address, user agent, timestamp, request path, and response status code. These logs help us debug outages and investigate abuse. They are retained per Vercel’s retention policy.
- Database access patterns — our database provider (Supabase) maintains internal logs of queries against our project, including authenticated user IDs.
- Session storage — on the website, we store your authentication session in your browser’s localStorage via the Supabase JS SDK. This persists across browser sessions until you sign out or the token expires.
2.4. Information we DO NOT collect
We do not collect, store, or have any access to:
- Your prompts — the text or other input you send to a swarm for inference. Prompts are submitted by your CLI directly to swarm peers, never to our servers.
- Model outputs — the text, code, or other content the model generates. Outputs flow directly between peers and back to you, never to our servers.
- Activation tensors — the intermediate floating-point values exchanged between peers during distributed inference. They travel peer-to-peer under AES-256-GCM encryption with a key we do not have.
- Model weights — each peer downloads its assigned slice of model weights directly from HuggingFace; we are not in that path.
- Your swarm shared secret value (after upload) — though we receive the base64 encoded secret when you create a swarm so we can hand it to redeemed peers via the redeem_invite RPC, we do not use it for any other purpose. The AES key derivation (HKDF-SHA256) happens client-side. We never see your AES key.
- Your CLI’s identity.key — the libp2p private key used to derive your peer ID. It is generated and stored entirely on your machine.
- Anything else on your local machine — including the contents of your ~/.config/progresspals/config.json file beyond what you have explicitly synchronized with the backend.
3. How We Use Your Information
We use the information we collect to:
- Operate, maintain, and improve the Service.
- Authenticate you when you sign in, and authorize your CLI’s operator-side calls (swarm create, invite mint, peer kick, etc.) against the row-level security policies on our database.
- Send transactional emails (signup confirmation, password reset).
- Diagnose bugs, investigate security incidents, and respond to abuse reports.
- Enforce these Terms of Service and our Acceptable Use rules.
- Comply with applicable law, respond to lawful requests by authorities, and protect our and others’ legal rights.
We do not sell or rent your personal information to third parties. We do not use your information to train AI models. We do not serve advertising and do not share data with advertising networks.
4. Information We Share
We share information only in the following limited cases:
4.1. With service providers
We use a small number of third-party providers to operate the Service. Each one only receives what it needs:
- Supabase, Inc. — authentication and database. Stores your email, password hash, user UUID, swarm records, invite records, and peer records. Their privacy policy: supabase.com/privacy.
- Vercel Inc. — website hosting and edge network. Sees HTTP requests (including IP addresses) to our website. Does not see CLI peer-to-peer traffic. Their privacy policy: vercel.com/legal/privacy-policy.
- Resend Inc. — transactional email delivery. Receives your email address when we send you a signup confirmation, password reset, or other transactional email, plus the contents of those emails. Their privacy policy: resend.com/legal/privacy-policy.
- GitHub, Inc. — we host our source code on GitHub. GitHub does not receive any user data from us beyond ordinary repository commits.
These providers are required by contract to handle your information consistently with this Privacy Policy and applicable law. We do not transfer information to providers other than those listed here without updating this Policy.
4.2. With other peers in your swarm
When you operate a swarm and someone redeems an invite, that person’s libp2p peer ID is added to the swarm allow-list we maintain. Other peers in the swarm can see the allow-list (it’s how their CLIs know who to accept connections from).
When you join a swarm operated by someone else, the swarm operator can see your peer ID (the public hash) and the invite token you used. Peers in the swarm can also see your IP address via direct libp2p connections — see Section 6 of our Terms of Service for the full disclosure on what other peers see.
4.3. For legal reasons
We will disclose information when we are required to by law (e.g., in response to a valid subpoena or court order), when we believe in good faith that disclosure is necessary to protect the safety of a person, to investigate fraud, or to respond to a government request. When we receive a legal request, we will attempt to notify the affected user where the law permits.
4.4. In a business transfer
If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you (via email or a notice on our website) of any such transfer and any choices you may have regarding your information.
5. Data Security
We implement reasonable technical and organizational measures to protect your data:
- All HTTP traffic to our website and backend uses TLS in transit.
- Passwords are hashed using algorithms maintained by our authentication provider.
- Database access is gated by row-level security policies enforcing that each authenticated user can only read or modify their own data.
- Auth tokens stored on your machine in ~/.config/progresspals/config.json have file mode 0600 (owner-only) by default, written through a TOCTOU-resistant pattern.
- We do not log or display secrets in command output or in error messages. The website’s /account dashboard hides tokens behind a “Reveal” toggle by default.
No security measure is perfect. We cannot guarantee absolute security. If we become aware of a breach affecting your data, we will notify you in accordance with applicable law.
6. Data Retention
We retain data as long as needed to operate the Service:
- Account records: retained until you delete your account or we terminate the Service.
- Swarm and invite records: retained as long as the parent account exists; deleted when you delete your account, when you explicitly delete the swarm, or after a reasonable period after the swarm becomes inactive.
- Server access logs: retained per our hosting provider’s retention policy (typically 30–90 days).
- Email delivery records: retained per our email provider’s retention policy.
7. Your Rights
You have the following rights regarding the personal information we hold about you:
- Access — you may request a copy of the personal information we hold about you.
- Correction — you may ask us to correct inaccurate information about you.
- Deletion — you may ask us to delete your account and the personal information associated with it. We may retain some information where we are required by law to do so (e.g., for tax or audit purposes).
- Portability — you may ask for a machine-readable copy of the information you have provided directly to us.
- Objection — you may object to certain processing of your information, including direct marketing (though we do not currently do direct marketing).
- Withdrawing consent — where we rely on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before your withdrawal.
To exercise any of these rights, contact us at progresspals@gmail.com. We will respond within a reasonable timeframe and may need to verify your identity before acting on the request.
8. Cookies and Similar Technologies
We use minimal client-side storage on our website. Specifically:
- Session storage: the Supabase JS SDK stores your authenticated session in your browser’s localStorage. This is required for the website’s authenticated pages to function. It is not shared with third-party advertising or analytics networks.
- No third-party advertising cookies.
- No third-party analytics cookies at this time. If we add analytics in the future, we will update this Policy.
9. Children’s Privacy
The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you are under 18, do not use the Service or send us any information about yourself. If we learn we have collected personal information from a child under 18, we will delete that information. If you are a parent or guardian and believe we have collected information about your child, contact us at progresspals@gmail.com.
10. International Data Transfers
Our infrastructure is operated from the United States. If you use the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate. The laws of those countries may differ from the laws of your country of residence.
11. European Users (GDPR)
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws.
- Lawful basis for processing: We process your information based on (a) your consent (for example, to send you transactional emails), (b) the necessity of processing to perform our contract with you (operating the Service), and (c) our legitimate interest in operating, maintaining, securing, and improving the Service.
- Data subject rights: in addition to the rights in Section 7, you have the right to lodge a complaint with your local data-protection supervisory authority.
- Data transfers outside the EEA: We rely on Standard Contractual Clauses or other appropriate safeguards approved by the European Commission to transfer your information to service providers located in the United States.
12. California Users (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.
- Right to know what personal information we collect, the sources, the purposes for collecting it, and who we share it with. Section 2 of this Policy describes that.
- Right to delete personal information we have collected about you, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as defined by the CCPA.
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, contact us at progresspals@gmail.com. We will not discriminate against you for exercising your rights.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. If we make a material change, we will notify you by email or by posting a notice on our website. Your continued use of the Service after the revised Policy takes effect constitutes your acceptance of the revisions.
14. Contact Us
If you have questions about this Privacy Policy or how we handle your personal information, contact us at progresspals@gmail.com.