Privacy Policy

This policy applies to anyframe.dev, our SDKs, the AnyFrame API, and any other product or service that links to it. It does not apply to third-party services you connect to AnyFrame, which are governed by their own policies.

We collect the minimum needed to run the service:

• Account data. Email address and GitHub login (OAuth), provided when you sign in.
• Workspace contents. Files, processes, environment variables, and any data you place inside a frame. We treat this as your data — see “How we handle workspace contents” below.
• Usage telemetry. Frame IDs, request IDs, timestamps, durations, and resource usage (CPU, memory, network) — used for billing, capacity planning, and incident response.
• Device data. IP address, user agent, and standard server logs, retained for security and debugging.
• Waitlist data. Email and source page if you submit our waitlist form.

We do not collect special-category data (health, biometric, etc.) and do not knowingly collect data from anyone under 16.

Your code and any data inside a frame are encrypted at rest. We do not read, inspect, or use workspace contents to train models. Snapshots are stored in the same encrypted form and persist only as long as the frame exists in your account.

We may access workspace contents only when (a) you explicitly request support that requires it, (b) we have a legal obligation to do so, or (c) we have concrete reason to believe a frame is being used to violate our Acceptable Use Policy in a way that threatens the platform. In each case, access is logged.

• To provide, operate, and improve the service.
• To authenticate accounts and prevent abuse.
• To send transactional email (e.g. account, billing, security notices). We do not send marketing email without consent.
• To meet legal, regulatory, or contractual obligations.

• Contract. Most processing is necessary to deliver the service you signed up for.
• Legitimate interests. Security, fraud prevention, and platform reliability.
• Consent. Marketing communications and any non-essential cookies (we do not currently set non-essential cookies).
• Legal obligation. Tax, accounting, and lawful requests from authorities.

We use the following third parties to run AnyFrame. Each is bound by data processing terms equivalent to those required by GDPR Article 28.

• Ubicloud — compute and database hosting (US).
• GitHub (Microsoft) — OAuth sign-in.
• Cloudflare — DNS, edge caching, DDoS protection.
• Google (Apps Script) — waitlist intake.

We will update this list before adding new subprocessors that materially change how data is handled. You can request the current list at any time via [email protected].

• Account data: kept for the life of your account, plus up to 90 days after deletion for backups.
• Workspace contents and snapshots: retained while the frame exists in your account; deleted within 30 days of frame deletion.
• Telemetry and logs: 90 days, then aggregated or deleted.
• Billing records: 7 years (legal requirement).

Subject to your jurisdiction, you have the right to access, correct, delete, restrict, port, or object to our processing of your personal data. EEA/UK residents may also lodge a complaint with their supervisory authority. California residents have the rights granted under the CCPA/CPRA, including the right to know, delete, correct, and opt-out of any “sale” or “sharing” of personal information (we do not sell or share personal information for cross-context behavioral advertising).

To exercise any right, email [email protected]. We'll respond within 30 days. We will not discriminate against you for exercising any right.

AnyFrame is operated from the United States. If you access the service from outside the US, your data will be transferred to and processed in the US. Where required, we rely on the EU Standard Contractual Clauses (and the UK Addendum) to legitimize these transfers.

We use TLS for data in transit, encryption at rest for workspace contents and backups, scoped credentials with least-privilege access, and audit logging on privileged actions. No system is perfect — if we discover a breach affecting your data, we'll notify you in line with applicable law and our contractual commitments.

AnyFrame is not intended for users under 16. We do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, contact us and we'll delete it.

We'll update this policy as the product evolves. Material changes will be announced by email or in-product notice at least 14 days before they take effect. The “Last updated” date above reflects the most recent revision.

Email: [email protected]