Last updated: April 11, 2026
This Privacy Policy explains how Ptah ("we", "us", or "our") collects, uses, shares, and protects your information when you use our platform at byptah.com, app.byptah.com, and the VPS Agent software you install on your own infrastructure (collectively, the "Service").
Ptah is designed to be used by software outsourcing teams to analyze client requirements, generate code, and deploy demo applications. Because the Service involves AI-assisted code generation and self-hosted workers, some of the data handling here is different from a typical SaaS product. Please read this policy carefully.
1. Information we collect
1.1 Account and organization data
When you create an account we collect your email address, name, password hash, and the organization you belong to. We store the role assigned to you within each organization you are a member of.
1.2 Project data
For each project you create we store:
- Project metadata (name, code, client name, assigned tech stack, assigned VPS)
- Uploaded documents (PDFs, DOCX, XLSX, Markdown, plain text) and their derived representations
- Inline annotations and comments you leave on documents
- Chat messages exchanged with Claude, including any prompts and responses
- References to files and deployments created on your VPS workers
1.3 VPS worker data
When you connect a VPS worker we store its IP address, host fingerprint, the public key of the agent, and an encrypted copy of any SSH private key you upload during the setup wizard. We do not store your Anthropic account credentials; those live only on the VPS itself.
1.4 Usage and diagnostic data
We collect basic telemetry to keep the Service running: HTTP access logs, error traces, client type, a coarse browser fingerprint, and timestamps. We do not use third-party analytics trackers or advertising networks.
1.5 Data we do not collect
- We do not collect payment information directly; when billing launches, it will be handled by a third-party processor.
- We do not collect IP addresses beyond what is needed for abuse prevention and short-term logs.
- We do not collect biometric data, precise location, or device identifiers beyond the browser user agent.
2. How we use your information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Authenticate you and enforce organization-level access control
- Orchestrate Claude sessions on your VPS workers
- Generate WBS exports, diagrams, and other artifacts you request
- Send transactional email (invites, password reset, deploy notifications)
- Investigate incidents and enforce our Terms of Service
- Comply with applicable law and respond to lawful requests
We do not sell your personal information. We do not share it with advertisers. We do not use your project data to train AI models — see Section 4 for details.
3. Third-party services
Ptah relies on a small set of third-party services:
- Amazon Web Services (S3, SES) — file storage and transactional email. Files are stored in private S3 buckets with server-side encryption enabled by default.
- Anthropic (Claude API / Claude Code CLI) — AI model inference. Prompts, attachments, and responses are transmitted to Anthropic's API from your VPS workers using your own Anthropic account credentials. See Anthropic's privacy policy at anthropic.com/privacy for how they handle API traffic.
- Let's Encrypt — TLS certificate issuance for demo subdomains and the Ptah Cloud hostnames.
- Vercel — hosting for the public landing site at byptah.com. Vercel does not receive application data from app.byptah.com.
- PostgreSQL and Debian / Ubuntu — self-hosted infrastructure components.
These third parties act as processors or sub-processors for the data necessary to deliver their portion of the Service. We have reviewed their privacy commitments and select providers that contractually prohibit using your data for their own purposes.
4. AI model training
Ptah sends prompts and attachments to Claude through Anthropic's API and Claude Code CLI. Anthropic's API traffic is not used to train Anthropic's models by default, and we do not opt in to any training programs on behalf of our users. Your code, documents, and session history are never used to train any AI model by us or by our sub-processors.
5. Data retention
- Active account and project data is retained for as long as your organization is active.
- When you delete a project, its repository, demo deployment, session history, and associated S3 objects are removed within 24 hours.
- When you delete your organization, all data associated with that organization — projects, members, VPS workers, audit logs — is removed within 30 days.
- Backups are retained for 7 days as part of our standard disaster-recovery policy and are encrypted at rest.
6. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Delete your personal data ("right to be forgotten")
- Export your personal data in a portable format
- Object to, or restrict, certain processing
- Lodge a complaint with a supervisory authority
To exercise any of these rights, email privacy@byptah.com from the email address associated with your account.
7. Cookies and local storage
Ptah uses first-party cookies and local storage for authentication (session token), preferences (theme, selected organization), and CSRF protection. We do not use tracking cookies, third-party cookies, or advertising pixels. The landing site at byptah.com uses no cookies beyond what Vercel sets for its edge network.
8. Security
We take reasonable measures to protect your data:
- TLS 1.3 is enforced on all endpoints
- Passwords are hashed with Argon2id
- Database connections use mutual TLS
- S3 objects use server-side encryption with keys we control
- VPS agent tokens are scoped per organization and rotatable
- Access to production systems is limited to a small number of authorized engineers and logged
- Security reviews are conducted regularly by third parties
No system is perfectly secure. If you become aware of a vulnerability in Ptah, please report it to security@byptah.com. See our security policy for responsible disclosure guidelines.
9. Children
Ptah is not directed at children under the age of 16, and we do not knowingly collect personal data from them. If you believe a child has created an account, please contact us so we can remove the data.
10. International transfers
Ptah is operated from and primarily stores data within the Asia-Pacific region. If you access the Service from outside this region, your data will be transferred to and processed in the region where our infrastructure is hosted. By using the Service you consent to this transfer.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify account holders by email or in-app banner at least 14 days before the changes take effect.
12. Contact
For any questions about this Privacy Policy or about how your data is handled, email privacy@byptah.com.