Privacy Policy
This Privacy Policy explains how Agentic Tool Optimization (“ATO,” “we,” “us,” or “our”) collects, uses, shares, retains, and protects personal data when you visit agentictool.ai, install the open-source ATO desktop application, or sign up for an ATO cloud account.
ATO is local-first by design. Most of what the product does happens on your own machine, in a SQLite database at ~/.ato/local.db. We only see data when you choose to sync to the optional cloud service. This document explains that distinction in detail.
We comply with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679 and the UK GDPR), the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, Lei nº 13.709/2018, or “LGPD”), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and the privacy laws of other US states where they apply.
1. Who we are (the controller)
Controller: Guilherme Nigri, operating as the publisher of ATO and agentictool.ai.
Privacy contact: will@nigri.io
Postal contact: available on request at the email above.
We do not currently have a designated Data Protection Officer (DPO) or Encarregado de Tratamento de Dados Pessoais under LGPD Art.41, because our processing volume does not require one. The privacy contact above functions as our point of contact for all data-protection inquiries. We will appoint a formal DPO/Encarregado when processing scale requires it, and will update this Policy at that point.
2. Plain-language summary
- The desktop app stores your data locally on your computer. We don’t see it unless you sign in to the cloud and turn on sync.
- When you sign up, we collect your email, a hashed password, and your name. That’s it for the account itself.
- When you use the product to dispatch prompts to AI providers like Anthropic, OpenAI, Google, or MiniMax, your prompts and any files the model reads via tool calls leave your machine and go to that provider. We do not store the prompt content on our servers unless you choose to sync traces.
- We do not use cookies, analytics, advertising trackers, or session replay on our website today. When we add any of those, this Policy will be updated and (where required) we will ask for your consent first.
- You have rights over your data: access, correction, deletion, export, and more. Section 11 explains how to exercise them.
3. What personal data we collect
3.1 Data you give us directly
When you create an ATO cloud account, we collect:
- Email address — used as your account identifier, for login, password reset, security notifications, and required service communications.
- Password — stored as a bcrypt hash with a cost factor of 12 or higher. We never see, store, or log your plain-text password.
- Display name — shown in the product UI; can be edited or removed.
- Avatar URL (optional) — if you choose to set one.
- Consent records — timestamp, version of the policy and terms you accepted, plus your separate (optional) marketing-communications consent.
When you contact us by email or via our data-request form, we receive whatever you send us — typically your name, email, and the contents of your message.
3.2 Data we generate when you use the cloud service
- Login attempts — lowercased email address, IP address, success/failure, reason code. Used to detect and throttle brute-force attacks. Retained for 90 days.
- Refresh tokens — hashed (not the raw token), expiry timestamp, revocation timestamp.
- Session metadata — when you sync sessions from the desktop, we receive token counts, model identifiers, timestamps, and aggregated cost figures. We do not store prompt or response content on our servers unless you explicitly enable trace sync.
- Usage records — per-request token usage for billing and analytics within your account.
- Agent traces, configuration changes, file-attribution snapshots, prompt summaries, pipeline traces, embed keys, mesh-relay records, provider-key references — populated only for users who opt into cloud sync of those specific features.
3.3 Data that stays on your machine
The ATO desktop application stores all of the following on your computer and does not transmit it to us unless you turn on cloud sync:
- Dispatch history, replay history, full prompts and responses, agent definitions, chat threads, file-attribution snapshots, configuration change ledger, automation workflows, cron schedules
- LLM API keys you supply (encrypted at rest within the local SQLite database)
- Local backups of your configurations
You are the controller of this local data. ATO is a tool you run on your machine; we never receive it.
3.4 Data we do not currently collect
- No website analytics, page-view trackers, or visitor identifiers
- No error tracking or session replay
- No marketing pixels, conversion APIs, or retargeting
- No cookies, localStorage tracking, or fingerprinting on agentictool.ai (other than purely essential storage your browser may use to remember language settings)
- No payment information — ATO does not currently process payments
- No children’s data — the product is not directed to anyone under 18
If we add any of these in the future, this Policy will be updated before the change takes effect, and where applicable we will ask for your consent (see Section 12).
4. Why we process your data, and the legal basis
Under GDPR Art.6 / LGPD Art.7, every processing activity must rest on a specific legal basis. We rely on the following:
| Processing activity | Purpose | Legal basis |
|---|---|---|
| Account creation and authentication | Identify you, log you in, secure your account | Contract execution (GDPR 6(1)(b) / LGPD 7(V)) |
| Security event logging (login attempts, IPs) | Detect and prevent unauthorized access | Legitimate interests in service security (GDPR 6(1)(f) / LGPD 7(IX)) |
| Sync of sessions, traces, configs (when enabled) | Provide cross-device access to your own data | Contract execution (GDPR 6(1)(b) / LGPD 7(V)) |
| Forwarding your prompts to LLM providers you select | Deliver the multi-runtime dispatch feature you requested | Contract execution (GDPR 6(1)(b) / LGPD 7(V)). For BYOK (bring-your-own-key) setups, you remain the controller of the relationship with the LLM provider; we act as a transient processor for the forwarding step. |
| Required service notifications (email verification, password reset, security alerts) | Operate the service safely | Contract execution + legal obligation (GDPR 6(1)(b)(c) / LGPD 7(V)(II)) |
| Marketing emails about ATO product updates | Share product news with subscribers who opted in | Explicit consent (GDPR 6(1)(a) / LGPD 7(I)). Separate opt-in at signup; withdrawable at any time. |
| Records-keeping required by Brazilian tax and commercial law | Comply with retention obligations on fiscal records | Legal obligation (GDPR 6(1)(c) / LGPD 7(II)). Applies once we begin billing. |
| Responding to data subject requests, complaints, legal inquiries | Comply with our duties to you and to authorities | Legal obligation (GDPR 6(1)(c) / LGPD 7(II)) |
We do not process sensitive personal data (special categories under GDPR Art.9 / dados pessoais sensíveis under LGPD Art.11) in the ordinary operation of the service. If we ever introduce a feature that processes such data, we will require explicit, separate consent under the higher standard those laws set.
5. Who we share your data with (recipients and subprocessors)
We share personal data only with parties that help us operate the service, and only to the extent necessary. We do not sell personal data. We do not share personal data with advertisers or data brokers.
Current recipients (subprocessors):
- Railway Corp. — hosting provider for the ato-cloud backend (compute, PostgreSQL, file storage). Data processed: all server-side personal data. DPA: railway.com/legal/dpa. Location: United States primary, with regional options.
- Email delivery provider (currently being finalized; will be SendGrid, Postmark, or similar) — sends verification, password-reset, and notification emails. Data processed: your email address, your display name, the message contents.
- LLM providers you choose to dispatch to — when you send a prompt through ATO to Anthropic, OpenAI (including Codex), Google (Gemini), MiniMax, Grok, DeepSeek, Qwen, OpenRouter, or any other configured provider, the prompt content and any files the model reads via tool calls leave your machine and go to that provider. If you supply your own API key (BYOK), you are the controller and the provider is your processor; we are a transient pass-through. If you use a provider key supplied by ATO under a future paid tier, we are the controller of the dispatch and the provider is our subprocessor.
- Future payment processor (Stripe, expected): once paid tiers go live, billing data will flow to Stripe. PCI-sensitive data (card numbers) never reaches our servers; only billing metadata (subscription state, invoice IDs) is retained on our side.
A current, up-to-date list of every subprocessor we use, with links to each DPA, is published at /legal/subprocessors.html. We update that list when we add a subprocessor, and we will notify users of changes that affect EU/EEA/UK or Brazilian users with at least 30 days’ advance notice, except in emergencies.
How our agreements with subprocessors work
For subprocessors where ATO is the controller and the vendor is our processor (such as our hosting provider, email vendor, future payment processor, future error-tracking and analytics providers), the legal contract is the vendor’s published Data Processing Agreement (DPA). We accept that DPA when we accept the vendor’s Terms of Service at signup, and we maintain a dated copy of each DPA on file. The links on the Subprocessors page point to the version currently in force. We re-verify each DPA annually and replace our copy on file if the vendor publishes a material change.
For LLM providers used in BYOK (bring-your-own-key) mode — that is, when you provide your own API key or your own CLI subscription — you have a direct contractual relationship with that provider. The provider’s Privacy Policy and Terms apply to your prompts and responses. ATO is not a party to that relationship and acts as a transient pass-through for the dispatch. The Subprocessors page lists each provider’s Privacy Policy for your reference rather than a DPA with ATO, because no DPA with ATO is the operative contract in that arrangement.
6. International transfers
ATO data is processed on infrastructure located in the United States and (depending on your runtime selections) in the regions where the LLM providers operate. For users in the EU/EEA, UK, or Brazil, this means your personal data may be transferred outside your home jurisdiction.
For transfers from the EU/EEA/UK to recipients in the US or other third countries, we rely on:
- The EU-US Data Privacy Framework adequacy decision where the recipient is self-certified (most major LLM providers participate);
- Standard Contractual Clauses (SCCs) issued by the European Commission, where adequacy does not apply;
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs for UK transfers.
For transfers from Brazil to recipients abroad, we rely on the standard clauses approved by the Brazilian National Data Protection Authority (ANPD) under LGPD Art.33, or on the recipient’s compliance with a regime ANPD has recognized.
Copies of the relevant transfer instruments are available on request to will@nigri.io.
7. How long we keep your data
| Data | Retention |
|---|---|
| Account record (email, password hash, name) | Until account deletion, plus a 30-day grace window in case of accidental deletion. |
| Sessions, usage records, traces, configs (synced to cloud) | Until account deletion, or until you delete them individually via the product. |
| Login attempts and security audit logs | 90 days, then automatically deleted. |
| Refresh tokens | Until expiry or revocation. |
| Consent records | For the life of the account, plus 5 years after deletion (to demonstrate lawful basis if a dispute arises). |
| Data subject request records | 5 years (to demonstrate compliance with rights requests). |
| Fiscal records (once billing is live) | 5 years from the end of the relevant fiscal year (Brazilian law). |
| Support email correspondence | 3 years after the last interaction, then deleted unless tied to an unresolved dispute. |
When a retention period ends, we delete or irreversibly anonymize the data.
8. Security
We use industry-standard measures to protect your data, including:
- Bcrypt password hashing with a work factor of 12+; we never store plaintext passwords.
- TLS 1.2 or higher on all client-to-server connections.
- Encrypted storage of secrets (API keys, refresh tokens, embed keys) at rest.
- Parameterized SQL queries to prevent injection.
- Zod-based input validation on every endpoint.
- JWT authentication with rotation on every refresh.
- Role-based access to admin endpoints.
- Continuous monitoring of authentication anomalies.
No system is impenetrable. If we discover a data breach affecting your personal data, we will notify you and the relevant supervisory authority (ANPD, your EU/EEA/UK supervisory authority, or applicable US state authority) in accordance with applicable law — GDPR requires us to notify the supervisory authority within 72 hours of becoming aware of the breach where feasible, and we follow that timeline regardless of which jurisdiction applies.
9. Cookies and similar technologies
We do not set cookies or use localStorage tracking on agentictool.ai today. No analytics. No advertising trackers. No fingerprinting. No session replay. No third-party scripts that set storage on your browser.
When you sign in to the cloud product or the desktop app, we issue an authentication token (JWT) that is stored in your client’s memory or local storage. This is strictly necessary for the product to function and is not used for tracking.
If we add analytics, advertising, error tracking, or any other technology that sets cookies or otherwise tracks you in the future, we will:
- Update this Policy and the dedicated Cookie Notice (/legal/cookies.html);
- Display a cookie consent banner that lets you accept, reject, or customize your choices, with reject and customize given equal prominence to accept;
- Honor the Global Privacy Control (GPC) signal for users in jurisdictions where it is recognized;
- Not fire any non-essential script before you make a choice.
10. Children
ATO is a tool for adult developers and is not directed at anyone under 18. We do not knowingly collect personal data from anyone under 13 in jurisdictions where that age is the threshold (e.g., COPPA in the United States), nor from anyone under 13 in Brazil (LGPD Art.14), nor from anyone under 16 without parental consent in the EU/EEA where the local age of digital consent is 16. The Terms of Service require all users to be 18 or older.
If we learn we have collected personal data from a child below the applicable threshold, we will delete it. Parents and legal guardians who believe their child has provided personal data to us should contact will@nigri.io.
11. Your rights
You have the following rights over your personal data. Some are framed differently under LGPD, GDPR, and US state laws, but they overlap substantially; we honor each on the most generous interpretation.
- Confirmation and access — you can ask whether we process your personal data and request a copy of that data.
- Correction — you can ask us to correct inaccurate or incomplete data.
- Deletion / right to be forgotten — you can ask us to delete your personal data. We will do so within 30 days, except where retention is required by law (e.g., fiscal records once billing is live, or audit logs of the deletion request itself).
- Portability — you can ask us for a copy of your personal data in a structured, commonly used, machine-readable format (we provide JSON).
- Restriction of processing (GDPR) — you can ask us to limit processing in certain circumstances.
- Objection (GDPR / LGPD) — you can object to processing based on legitimate interests; we will stop unless we demonstrate compelling overriding grounds.
- Withdrawal of consent — for processing based on consent (e.g., marketing emails), you can withdraw consent at any time.
- Opt out of sale or sharing (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA) — we do not sell or share personal data for cross-context behavioral advertising, but if that ever changes you may opt out.
- Non-discrimination — we will not deny service, charge different prices, or provide different quality because you exercised any of these rights.
- Information about how decisions are made — we do not make automated decisions that produce legal or similarly significant effects about you.
How to exercise your rights
If you have an ATO cloud account, the easiest path is in-product: Settings → Privacy exposes data export, account deletion, and consent management directly.
Otherwise, submit a request at /legal/data-request.html or by email to will@nigri.io. We will respond within 30 days of receiving a verifiable request, in accordance with GDPR Art.12, LGPD Art.19, and applicable US state laws.
If you believe we have not handled your data correctly, you have the right to lodge a complaint with:
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
- EU/EEA: your local supervisory authority (list at edpb.europa.eu)
- UK: Information Commissioner’s Office (ICO) — ico.org.uk
- California: California Privacy Protection Agency — cppa.ca.gov
- Other US states: your state Attorney General’s office
We would prefer you contact us first so we can address your concern directly.
12. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will:
- Update the “Effective” date and version number at the top;
- Notify registered users by email at least 30 days before the change takes effect, except where the change reduces our obligations or is required by law to take immediate effect;
- For changes that broaden the scope of processing, request renewed consent where the original processing was consent-based.
Prior versions of this Policy are available on request.
13. Contact
Privacy contact: will@nigri.io
Data Subject Request form: /legal/data-request.html
Subprocessor list: /legal/subprocessors.html
Terms of Service: /legal/terms.html
Cookie Notice: /legal/cookies.html