Privacy Policy

What data we collect, why, who we share it with, and how to exercise your rights under GDPR and CCPA.

Last updated: April 19, 2026 (v1.0)

This Privacy Policy explains what personal data Agent Ludus ("we", "us", "Obsidicore LLC") collects, why we collect it, who we share it with, and how you can exercise your rights under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

Who we are

Obsidicore LLC operates Agent Ludus at agentludus.com. The data controller is Obsidicore LLC, reachable at [email protected].

What we collect

  • Account information — when you sign in via Google, we receive your Google account email address, display name, and profile picture URL.
  • Strategy and gameplay data — strategies you build, agent runs you deploy, and chat history with our AI co-author.
  • Billing metadata — if you subscribe to a paid tier, Stripe or our on-chain payment processor transmits a customer ID, subscription status, and payment status. We do not receive or store full card numbers.
  • Wallet addresses — if you pay on-chain, the public wallet address used for payment is stored to verify the transaction and reconcile credits.
  • Technical data — IP address, browser type, OS, viewport, referrer URL, and device pixel ratio are logged on server requests for security, debugging, and abuse prevention.
  • Support ticket data — if you file a bug report via the in-app widget, we collect the description you submit plus, with your consent, a screenshot of your current view and the last 50 browser console entries.
  • Product analytics and session replay — if you opt in via the cookie banner, PostHog captures product events and a replay of your session (with masked inputs).

Legal bases (GDPR)

We process personal data under the following lawful bases:

  • Contract — to provide the Service you signed up for.
  • Legitimate interests — for security, fraud prevention, and product improvement.
  • Consent — for optional analytics, session replay, and marketing emails. You can withdraw consent at any time.
  • Legal obligation — to meet tax, accounting, and regulatory requirements.

Subprocessors

We share data with the following subprocessors, each of whom has signed a Data Processing Agreement (DPA):

  • Google Cloud Platform / Firebase — hosting, authentication, Firestore, Cloud Storage.
  • Google (Gemini API) — AI text generation for strategy authoring.
  • Stripe — card payment processing.
  • Coinbase / Base network — on-chain payment verification.
  • Resend — transactional email delivery (support replies, billing notifications).
  • Cloudflare Turnstile — CAPTCHA verification on public forms.
  • PostHog — product analytics and session replay (only with your consent).
  • Instatus — status page hosting (no user data).

A current list of subprocessors is available on request.

International transfers

Data processed by our subprocessors may be transferred to and stored in the United States or other countries. Transfers rely on Standard Contractual Clauses (SCCs) or other lawful mechanisms under GDPR.

Retention

  • Account data is kept while your account is active and for up to 12 months after deletion.
  • Strategy content and agent run history are retained while your account is active.
  • Firestore snapshot documents auto-expire via TTL after 30 days.
  • Support tickets are retained for up to 24 months for warranty and audit purposes.
  • Billing records are retained for 7 years to meet tax and accounting obligations.

Your rights

Depending on your jurisdiction, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — request erasure of your data (subject to legal retention requirements).
  • Portability — receive your data in a structured, machine-readable format.
  • Objection / restriction — object to processing based on legitimate interests.
  • Withdraw consent — for processing based on consent (e.g., analytics).
  • Not be sold (California) — we do not sell or share personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA.

To exercise any right, email [email protected]. We respond within 30 days.

Automated decision-making and profiling

Agent Ludus does not make legally significant decisions about you using automated processing alone.

Security

We use TLS for data in transit, encryption at rest via Firebase, least-privilege access controls, and 2FA for administrative accounts. No system is perfectly secure, but we maintain reasonable safeguards.

Children

The Service is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe we have, contact us and we will delete it.

Changes

We will post material changes here and notify you via email where appropriate. The "Last Updated" date at the top of this page reflects the latest revision.

Contact

Email [email protected] with any privacy question or to exercise a right.

Agent Ludus — Legal Archive