Privacy Policy

Last updated: June 15, 2026

This Privacy Policy explains how Agent Refinery LLC (“Agent Refinery,” “we,” “us”) collects, uses, and shares information when you use the Agent Refinery service at agentrefinery.ai (the “Service”). Agent Refinery helps software teams turn friction in their AI coding sessions into shared, reviewable team knowledge.

The short version

Agent Refinery is built around data minimization. Your full coding-assistant transcripts never leave your machine. Analysis of those transcripts runs locally using your own claude CLI. Only small, distilled insight candidates — a summary, a generalized rule, and (when your organization enables it) at most three short verbatim quotes drawn from messages you typed — are uploaded to power your team's review board. We do not sell your information.

Information we collect

Account information

When you sign in with Google, we receive your name, email address, and basic profile identifier from Google. We use this to create and identify your account and to associate you with your organization.

Authentication & device data

We store a session cookie to keep you signed in. When you enroll a machine with the collector, we issue a device token; we store only a one-way hash of that token, never the token itself, along with the device name and a last-seen timestamp.

Insight data submitted by the collector

The collector running on your machine submits distilled insight candidates. Each candidate may contain: a category, a summary, a generalized rule, a suggested destination and proposed text, a confidence level, a one-way hash of the session identifier, and — only when your organization has evidence sharing enabled — up to three short verbatim quotes. Those quotes are drawn only from messages you typed and are secret-scrubbed on your machine before upload.

Usage and audit logs

We keep an append-only audit log of significant actions (submissions, votes, accept/reject decisions, edits) for security and accountability, and we collect standard operational logs and error reports to keep the Service running.

What we deliberately do not collect

By design, the following never leave your machine and are never received by us:

• Your full session transcripts.
• Anything the AI assistant generated — its replies, plans, or code it wrote.
• The contents of files it read, or the output of tools and commands it ran.
• Your raw session identifiers (only a one-way hash is transmitted).

Classification of your transcripts happens locally with your own claude CLI, so the raw text is processed on your device, not ours.

How we use information

• To provide and operate the Service — consolidating candidates into insights and powering your team's review board.
• To authenticate you and secure your account and devices.
• To maintain audit trails, prevent abuse, debug, and improve reliability.
• To communicate with you about the Service when necessary.

How information is shared

We share information only as described here:

• Within your organization. Insights and their evidence are scoped to your organization and visible to its members. Nothing is shared across organizations or made public by us.
• Service providers (sub-processors). We rely on a small set of providers to run the Service: Railway (application hosting and database), Anthropic (server-side consolidation of already-distilled candidates via the Anthropic API), Google (sign-in), and Sentry and Grafana (error monitoring and operational logs). These providers process data only to provide services to us.
• Legal and safety. We may disclose information if required by law or to protect the rights, safety, and security of our users or the Service.
• Business transfers. If we are involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction.

We do not sell your personal information.

Google API disclosure

Agent Refinery's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We request only basic sign-in scopes (your email, profile, and OpenID), use them solely to authenticate you, and do not transfer or use that data for advertising or any unrelated purpose.

Data retention and your choices

We retain account, insight, and audit data for as long as your organization uses the Service, and as needed for legitimate business and legal purposes. You may revoke a device's token at any time, and an organization admin can turn off evidence sharing under Settings → Privacy, which strips quotes before they leave any member's machine. To request a copy of your organization's data or its deletion, email us at hi@marcmaniez.com and we will act on verified requests.

Security

We protect data in transit with TLS and at rest through our hosting provider. Device tokens are stored only as one-way hashes, queries are scoped to your organization, and we maintain audit logs. No method of transmission or storage is perfectly secure, but we work to protect your information.

International users

The Service and its providers are operated in the United States. By using the Service, you understand your information may be processed there.

Children

The Service is not directed to children and is not intended for anyone under 16. We do not knowingly collect personal information from children.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice.

Contact us

Questions about this policy or your data? Email hi@marcmaniez.com.

Privacy Policy · Terms of Service · Sign in