Version
1.1
December 28, 2025
Privacy policy
Privacy policy
Privacy policy
1. Who We Are and What This Policy Covers
1. Who We Are and What This Policy Covers
1. Who We Are and What This Policy Covers
This Privacy Policy explains how ModulexAI, LLC (“ModuleX,” “we,” “us,” “our”) collects, uses, discloses, and protects information when you access or use our websites, applications, APIs, and related services (collectively, the “Service”); it also describes your privacy rights and how to exercise them, and it does not cover third-party websites, services, or integrations that you choose to connect to ModuleX, which are governed by their own privacy policies.
This Privacy Policy explains how ModulexAI, LLC (“ModuleX,” “we,” “us,” “our”) collects, uses, discloses, and protects information when you access or use our websites, applications, APIs, and related services (collectively, the “Service”); it also describes your privacy rights and how to exercise them, and it does not cover third-party websites, services, or integrations that you choose to connect to ModuleX, which are governed by their own privacy policies.
This Privacy Policy explains how ModulexAI, LLC (“ModuleX,” “we,” “us,” “our”) collects, uses, discloses, and protects information when you access or use our websites, applications, APIs, and related services (collectively, the “Service”); it also describes your privacy rights and how to exercise them, and it does not cover third-party websites, services, or integrations that you choose to connect to ModuleX, which are governed by their own privacy policies.
2. Information We Collect
2. Information We Collect
We collect information you provide directly, such as account and profile details (name, email address, company/organization name, authentication details), billing contact details, and communications you send to us; we also process Customer Content you submit to the Service (including workflow definitions, configurations, automation logic, inputs, files, and outputs) to the extent necessary to provide the Service; and we automatically collect technical and usage information such as IP address, device and browser type, approximate location derived from IP, referral/landing data, pages and features used, timestamps, and diagnostics and performance data (including workflow execution metadata, error logs, and security events), and we use cookies or similar technologies for essential functions like session management, authentication, security, and basic analytics.
We collect information you provide directly, such as account and profile details (name, email address, company/organization name, authentication details), billing contact details, and communications you send to us; we also process Customer Content you submit to the Service (including workflow definitions, configurations, automation logic, inputs, files, and outputs) to the extent necessary to provide the Service; and we automatically collect technical and usage information such as IP address, device and browser type, approximate location derived from IP, referral/landing data, pages and features used, timestamps, and diagnostics and performance data (including workflow execution metadata, error logs, and security events), and we use cookies or similar technologies for essential functions like session management, authentication, security, and basic analytics.
3. BYOK API Keys and Credentials (Session-Only Handling)
3. BYOK API Keys and Credentials (Session-Only Handling)
ModuleX supports “Bring Your Own Key” (BYOK), meaning you may supply API keys or credentials to connect ModuleX to third-party services at your direction; we do not store BYOK API keys in long-term storage and instead handle them transiently only for the duration needed to complete an active session and/or workflow run and then discard them, we do not intentionally log raw keys and apply reasonable secret-redaction and access controls to reduce the risk of exposure in logs or support artifacts, and if we ever introduce an optional persistent credential vault or scheduled execution that requires stored secrets, we will describe it clearly and update this Policy before that feature applies.
ModuleX supports “Bring Your Own Key” (BYOK), meaning you may supply API keys or credentials to connect ModuleX to third-party services at your direction; we do not store BYOK API keys in long-term storage and instead handle them transiently only for the duration needed to complete an active session and/or workflow run and then discard them, we do not intentionally log raw keys and apply reasonable secret-redaction and access controls to reduce the risk of exposure in logs or support artifacts, and if we ever introduce an optional persistent credential vault or scheduled execution that requires stored secrets, we will describe it clearly and update this Policy before that feature applies.
4. How We Use Information
4. How We Use Information
We use the information we collect to provide and operate the Service (including creating accounts, authenticating users, running workflows, generating workflows from your prompts, delivering outputs, and maintaining platform functionality), to provide support and respond to requests, to process subscriptions and administer billing, to monitor and improve performance and reliability, to secure the Service and prevent abuse or fraud, to comply with legal obligations and enforce our terms, and to communicate with you about the Service (including critical notices and, where permitted, product updates and marketing that you can opt out of).
We use the information we collect to provide and operate the Service (including creating accounts, authenticating users, running workflows, generating workflows from your prompts, delivering outputs, and maintaining platform functionality), to provide support and respond to requests, to process subscriptions and administer billing, to monitor and improve performance and reliability, to secure the Service and prevent abuse or fraud, to comply with legal obligations and enforce our terms, and to communicate with you about the Service (including critical notices and, where permitted, product updates and marketing that you can opt out of).
5. AI, Prompts, and Training
5. AI, Prompts, and Training
Your prompts and workflow content may be processed by AI systems to generate workflows or outputs as part of providing the Service, and ModuleX does not use Customer Content to train generalized AI models; however, when you choose to connect third-party services (including AI model providers) using BYOK or other integrations, those providers may receive and process data you send through your workflows under their own terms and privacy policies, and you are responsible for configuring workflows and data flows consistent with your obligations and risk tolerance.
Your prompts and workflow content may be processed by AI systems to generate workflows or outputs as part of providing the Service, and ModuleX does not use Customer Content to train generalized AI models; however, when you choose to connect third-party services (including AI model providers) using BYOK or other integrations, those providers may receive and process data you send through your workflows under their own terms and privacy policies, and you are responsible for configuring workflows and data flows consistent with your obligations and risk tolerance.
6. Sharing and Disclosure
6. Sharing and Disclosure
We do not sell your personal information in the traditional sense, and we share information only as necessary to run the Service, including with service providers (subprocessors) that perform functions on our behalf such as payments processing (e.g., Stripe), hosting and infrastructure, analytics, email delivery, error monitoring, and customer support tools under contractual obligations to protect and process data only on our instructions; we may also disclose information to comply with law or valid legal process, to protect the rights, safety, and security of ModuleX and our users, to investigate or prevent fraud, abuse, or security incidents, or in connection with a corporate transaction such as a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards and notice where required.
We do not sell your personal information in the traditional sense, and we share information only as necessary to run the Service, including with service providers (subprocessors) that perform functions on our behalf such as payments processing (e.g., Stripe), hosting and infrastructure, analytics, email delivery, error monitoring, and customer support tools under contractual obligations to protect and process data only on our instructions; we may also disclose information to comply with law or valid legal process, to protect the rights, safety, and security of ModuleX and our users, to investigate or prevent fraud, abuse, or security incidents, or in connection with a corporate transaction such as a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards and notice where required.
7. Data Retention and Security
7. Data Retention and Security
We retain information only for as long as necessary for the purposes described in this Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements; typical retention includes account data until you delete your account plus up to 30 days for cleanup and integrity, workflow data until you delete it, execution and security logs for up to 90 days (or longer if needed for investigations or compliance), and prompt-related debugging data for up to 30 days (which may be deleted earlier upon request where feasible), and backups may persist for a limited period before being overwritten; we use commercially reasonable safeguards designed to protect data (such as encryption in transit (TLS/HTTPS), encryption at rest where applicable, access controls and least-privilege practices, monitoring, and incident response procedures), but no system is perfectly secure and you are responsible for maintaining the confidentiality of your account credentials and any systems you connect to the Service.
We retain information only for as long as necessary for the purposes described in this Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements; typical retention includes account data until you delete your account plus up to 30 days for cleanup and integrity, workflow data until you delete it, execution and security logs for up to 90 days (or longer if needed for investigations or compliance), and prompt-related debugging data for up to 30 days (which may be deleted earlier upon request where feasible), and backups may persist for a limited period before being overwritten; we use commercially reasonable safeguards designed to protect data (such as encryption in transit (TLS/HTTPS), encryption at rest where applicable, access controls and least-privilege practices, monitoring, and incident response procedures), but no system is perfectly secure and you are responsible for maintaining the confidentiality of your account credentials and any systems you connect to the Service.
8. Legal Bases, International Transfers, and Required Information (GDPR)
8. Legal Bases, International Transfers, and Required Information (GDPR)
Where GDPR or similar laws apply, we process personal data based on one or more legal bases, including performance of a contract (to provide the Service), legitimate interests (to secure, maintain, and improve the Service and prevent abuse), consent (where required, such as certain cookies or marketing), and legal obligations (such as accounting and compliance); we are based in the United States and our subprocessors may process data in the United States and other countries, and where required we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms; some information is required to provide the Service (for example, an email address for account access and billing identifiers for paid plans), and if you choose not to provide required information we may not be able to provide some or all of the Service.
Where GDPR or similar laws apply, we process personal data based on one or more legal bases, including performance of a contract (to provide the Service), legitimate interests (to secure, maintain, and improve the Service and prevent abuse), consent (where required, such as certain cookies or marketing), and legal obligations (such as accounting and compliance); we are based in the United States and our subprocessors may process data in the United States and other countries, and where required we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms; some information is required to provide the Service (for example, an email address for account access and billing identifiers for paid plans), and if you choose not to provide required information we may not be able to provide some or all of the Service.
9. Your Rights and How to Exercise Them (GDPR and General)
9. Your Rights and How to Exercise Them (GDPR and General)
Depending on your location, you may have rights to request access to, correction of, deletion of, or portability/export of your personal data, to object to or restrict certain processing, and to withdraw consent where processing is based on consent; we do not make decisions that produce legal or similarly significant effects about you solely by automated processing in a manner that would require additional notices under GDPR, and if that changes we will update this Policy and provide the required information; to exercise your rights, contact privacy@modulex.dev with your name, account email, and the nature of your request, and we will respond within a reasonable period (typically within 30 days) subject to identity verification and lawful exceptions, and if GDPR applies you also have the right to lodge a complaint with your local supervisory authority.
Depending on your location, you may have rights to request access to, correction of, deletion of, or portability/export of your personal data, to object to or restrict certain processing, and to withdraw consent where processing is based on consent; we do not make decisions that produce legal or similarly significant effects about you solely by automated processing in a manner that would require additional notices under GDPR, and if that changes we will update this Policy and provide the required information; to exercise your rights, contact privacy@modulex.dev with your name, account email, and the nature of your request, and we will respond within a reasonable period (typically within 30 days) subject to identity verification and lawful exceptions, and if GDPR applies you also have the right to lodge a complaint with your local supervisory authority.
10. California Privacy Notice (CCPA/CPRA)
10. California Privacy Notice (CCPA/CPRA)
For California residents, in the last 12 months we may have collected (depending on your use) identifiers (such as name, email, IP address), commercial information (subscription and billing metadata), internet or other electronic network activity information (usage and device data), and inferences drawn from usage data to improve the Service, sourced from you, your devices, and our service providers; we disclose these categories to service providers for business purposes such as payments, hosting, analytics, email delivery, security monitoring, and customer support, and we do not “sell” personal information, and we do not “share” personal information for cross-context behavioral advertising unless explicitly stated and enabled, and where required we honor applicable opt-out preference signals such as Global Privacy Control (GPC); you may have rights to know/access, delete, correct, and obtain information about disclosures of personal information, and you may submit requests (including via an authorized agent) to privacy@modulex.dev , subject to verification and lawful exceptions, and we will not discriminate against you for exercising your rights.
For California residents, in the last 12 months we may have collected (depending on your use) identifiers (such as name, email, IP address), commercial information (subscription and billing metadata), internet or other electronic network activity information (usage and device data), and inferences drawn from usage data to improve the Service, sourced from you, your devices, and our service providers; we disclose these categories to service providers for business purposes such as payments, hosting, analytics, email delivery, security monitoring, and customer support, and we do not “sell” personal information, and we do not “share” personal information for cross-context behavioral advertising unless explicitly stated and enabled, and where required we honor applicable opt-out preference signals such as Global Privacy Control (GPC); you may have rights to know/access, delete, correct, and obtain information about disclosures of personal information, and you may submit requests (including via an authorized agent) to privacy@modulex.dev , subject to verification and lawful exceptions, and we will not discriminate against you for exercising your rights.
For California residents, in the last 12 months we may have collected (depending on your use) identifiers (such as name, email, IP address), commercial information (subscription and billing metadata), internet or other electronic network activity information (usage and device data), and inferences drawn from usage data to improve the Service, sourced from you, your devices, and our service providers; we disclose these categories to service providers for business purposes such as payments, hosting, analytics, email delivery, security monitoring, and customer support, and we do not “sell” personal information, and we do not “share” personal information for cross-context behavioral advertising unless explicitly stated and enabled, and where required we honor applicable opt-out preference signals such as Global Privacy Control (GPC); you may have rights to know/access, delete, correct, and obtain information about disclosures of personal information, and you may submit requests (including via an authorized agent) to privacy@modulex.dev , subject to verification and lawful exceptions, and we will not discriminate against you for exercising your rights.