Privacy Policy
Effective Date: February 24, 2026 | Last Updated: February 24, 2026
1. Introduction
Antihero, Inc. (“Antihero,” “we,” “us,” or “our”) operates the Antihero AI security and insurance platform (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect information when you use our Service, visit our website at antiheroes.dev, or interact with us in any way.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name, email address, and organization name
- Billing information (processed by our payment provider; we do not store full card numbers)
- Authentication credentials (hashed and salted; never stored in plaintext)
- Subscription tier and plan details
2.2 Agent Telemetry and Audit Events
The core function of Antihero is to evaluate AI agent actions and record audit trails. When you use the Service, we process:
- Tool Call Envelopes (TCEs) — Action requests submitted for policy evaluation, including action type, resource identifier, agent identity, and contextual metadata
- Policy Decision Envelopes (PDEs) — The policy engine’s evaluation results, including effect (allow/deny), matched rules, and risk scores
- Audit Event Envelopes (AEEs) — Hash-chained records of evaluations and outcomes, including timestamps and cryptographic chain links
Important: We strongly recommend that you do not include sensitive personal data (e.g., Social Security numbers, credit card numbers, health records) in the content fields of actions submitted to Antihero. Our Content Inspection feature is designed to detect and flag such data before it reaches our servers. If sensitive data is inadvertently submitted, it is processed only for the purpose of policy evaluation and is subject to the retention periods described in Section 5.
2.3 Usage Data
We automatically collect:
- IP address, browser type, and device information
- Pages visited, features used, and interaction patterns
- API call frequency, latency metrics, and error rates
- Referral source and session duration
2.4 Cookies and Similar Technologies
We use essential cookies for authentication and session management. We use analytics cookies (which you may opt out of) to understand how the Service is used. We do not use advertising or tracking cookies.
3. How We Use Your Information
We use collected information to:
- Provide the Service — Evaluate policy decisions, record audit trails, enforce security rules, and generate compliance reports
- Insurance underwriting — Calculate risk scores, process claims, and determine premium adjustments based on your security posture (Sentinel and Sovereign tiers)
- Improve the platform — Analyze aggregate usage patterns, identify performance bottlenecks, and develop new features
- Communicate with you — Send service notifications, security alerts, billing information, and (with your consent) product updates
- Compliance and legal obligations — Fulfill regulatory requirements, respond to legal processes, and enforce our Terms of Service
We do not use your audit event data to train machine learning models. We do not sell your personal information to third parties.
4. Information Sharing
We share information only in these circumstances:
- Reinsurance partners — Aggregated, anonymized risk data may be shared with reinsurance treaty partners for insurance pricing and claims processing. No individual audit events or personally identifiable information is shared.
- Service providers — Infrastructure providers (cloud hosting, payment processing, email delivery) who process data on our behalf under contractual obligations
- Compliance and legal — When required by law, subpoena, or court order, or to protect the rights, property, or safety of Antihero, our users, or the public
- Business transfers — In connection with a merger, acquisition, or sale of assets, subject to the same privacy protections
- With your consent — When you explicitly authorize sharing (e.g., federated policy sync between organizations at the Sovereign tier)
5. Data Retention
Audit event data is retained according to your subscription tier:
- Watchdog (Free) — 7 days
- Enforcer ($29/mo) — 90 days
- Sentinel ($99/mo) — 1 year
- Sovereign (Custom) — Unlimited (or as specified in your enterprise agreement)
Account information is retained for the duration of your account plus 30 days after deletion. Billing records are retained for 7 years as required by tax law. You may request earlier deletion of data that we are not legally required to retain by contacting us.
6. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Hash-chained, append-only audit trails with tamper detection
- Ed25519 cryptographic signatures on audit events (enterprise)
- FIPS-mode cryptography available for Sovereign tier deployments
- Regular security assessments and penetration testing
- Role-based access control with least-privilege principles
- SOC 2 Type II compliance (in progress)
No system is perfectly secure. While we take extensive measures to protect your data, we cannot guarantee absolute security. We will notify affected users promptly in the event of a data breach as required by applicable law.
7. Your Rights
7.1 All Users
You have the right to:
- Access your personal data and audit event history
- Correct inaccurate account information
- Delete your account and associated data (subject to retention requirements)
- Export your data in machine-readable format (JSON)
- Opt out of non-essential communications
7.2 European Economic Area (GDPR)
If you are located in the EEA, you additionally have the right to:
- Object to processing based on legitimate interest
- Restrict processing of your data
- Data portability
- Lodge a complaint with your local supervisory authority
Our legal basis for processing is: (a) performance of a contract (providing the Service), (b) legitimate interest (improving the Service, security), and (c) consent (marketing communications).
7.3 California (CCPA/CPRA)
California residents have the right to know what personal information we collect, request deletion, opt out of the sale of personal information (we do not sell personal information), and not be discriminated against for exercising these rights.
8. International Data Transfers
Antihero processes data primarily in the United States. If you are located outside the US, your data will be transferred to and processed in the US. For Sovereign tier customers, data residency options (including EU-only processing) are available under your enterprise agreement.
For EEA transfers, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by technical measures (encryption, access controls).
9. Children’s Privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
- Email: privacy@antiheroes.dev
- Address: Antihero, Inc., Attn: Privacy, [Address]
For GDPR inquiries, you may also contact our Data Protection Officer at dpo@antiheroes.dev.