Privacy Policy

Last updated: March 21, 2026

1. Who We Are

AgentBurn ("we", "us", "our") provides AI spend tracking and cost attribution tools for agencies, consultancies, and teams.

2. Information We Collect

Account information: When you sign up, we collect your email address and name. If you use Google OAuth, we receive your Google profile email.

Usage data: We collect information about how you use AgentBurn, including pages visited, features used, and actions taken. This is collected via PostHog analytics.

AI provider data: When you connect an AI provider account (OpenAI, Anthropic, etc.), we access your usage and billing data from that provider. We store token counts, costs, and model information. We do NOT store your prompts, completions, or any request/response content.

API keys: Provider API keys you enter are encrypted with AES-256-GCM before storage. Keys are only decrypted in memory during API calls and are never logged.

3. How We Use Your Information

  • To provide and maintain the AgentBurn service
  • To track and attribute your AI spend across clients and projects
  • To generate invoices and billing reports
  • To send you alerts about budget thresholds and anomalies
  • To improve the product based on usage patterns (via PostHog)
  • To communicate with you about your account

4. Analytics (PostHog)

We use PostHog for product analytics. PostHog collects:

  • Page views and navigation patterns
  • Feature usage events (e.g., connecting a provider, generating an invoice)
  • Device type, browser, and approximate location (country level)
  • Referral source and UTM parameters

PostHog does NOT collect your AI provider data, API keys, prompts, or financial information. You can opt out of analytics by blocking the PostHog script in your browser.

5. Data Security

  • All data is transmitted over HTTPS (TLS 1.3)
  • API keys are encrypted at rest with AES-256-GCM
  • Database access is protected by Row Level Security — users can only access their own data
  • The reverse proxy never stores request or response content — only metadata (model, token counts, cost)
  • Passwords are hashed by Supabase Auth (bcrypt)

6. Data Sharing

We do NOT sell your data. We share data only with:

  • Supabase — database and authentication hosting
  • Vercel — application hosting
  • PostHog — product analytics
  • Your AI providers — we call their APIs with your keys to fetch usage data

We do not share your data with any other third parties.

7. Data Retention

We retain your account data and AI spend records for as long as your account is active. You can request deletion of your account and all associated data by contacting us. Analytics data in PostHog is retained for 12 months.

8. Your Rights

You have the right to:

  • Access the data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Export your data (via the Reports and CSV export features)
  • Opt out of analytics tracking

9. Cookies

We use essential cookies for authentication (Supabase session) and analytics cookies (PostHog). We do not use advertising or tracking cookies from third parties.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy-related questions or requests, contact us at hello@agentburn.com