This Privacy Policy applies to the Agent Panel marketing site, sign-up and sign-in flows, hosted web application, billing flows, support interactions, the relay service used to connect your browser to your machines, and the Agent Panel client software (collectively, the "Services").
In this Policy, "Conn Castle Studios," "we," "us," and "our" refer to Hardware Breakout LLC doing business as Conn Castle Studios. "You" refers to the person or entity using the Services.
The Services are controlled from the United States and are intended for the U.S. market. They are not directed to residents of, or individuals located in, the European Union, European Economic Area, United Kingdom, or Switzerland. If you access the Services from outside a supported location, you understand that your information may be processed in the United States and that you are responsible for complying with local law.
1. Information We Collect
We collect different categories of information depending on how you interact with Agent Panel.
Information you provide or authorize
- Account information used to create and maintain access to Agent Panel, such as your email address and the account identifiers managed through Clerk.
- Billing and transaction information needed to sell and administer paid plans, including your Stripe customer and subscription identifiers and the billing details Stripe shares with us for plan administration.
- Information you send to us in support requests, feedback, waitlist forms, or other direct communications, including the message, category, source page, attribution context, product context, and error identifiers you submit with those requests.
Control-plane and workspace data
- Client registration data such as client names, machine identifiers, device identity public keys, operating system family, operating system display names, and heartbeat timestamps.
- Project registry data such as project names and local file paths associated with your connected machines.
- Workspace data such as saved layouts, recent layouts, layout trees, pane structure, top-project summaries, current workspace drafts, and user preferences that sync across browsers.
- Billing snapshots and ledger data, including plan slug, billing period, subscription status, payment method brand, payment method last four digits, expiration month/year, invoice references, Stripe event references, and reconciliation timestamps.
Usage, device, and diagnostic information
- Device, browser, and request information such as IP address, user agent, timestamps, page paths, navigation type, and similar service-usage metadata.
- Waitlist and acquisition metadata such as landing page, referrer, campaign parameters, allowed ad click identifiers, and first-party event identifiers used to understand which public pages and campaigns lead to waitlist sign-ups.
- Marketing email subscription records and related waitlist properties, such as waitlist source, acquisition source, campaign, landing-page path, consent version, invite status, and waitlist join timestamp.
- Performance and reliability data, including first-party web vitals and startup-performance events that we log to our infrastructure for operational monitoring.
- Error-reporting data from the browser, server, relay, and client software, including crash diagnostics and related technical context. In the browser, Sentry replay is configured only on error and is masked to hide text, inputs, and media.
- Security and authentication records such as token timestamps, refresh-token metadata, refresh-proof replay records, auth-code metadata, webhook processing records, and service logs used to operate the platform.
Session traffic and session-related metadata
- When you actively use Agent Panel, the relay and client transmit session payloads needed to render the product, which can include terminal output, prompts, responses, file content, diffs, command output, and other interactive workspace data.
- Agent Panel is designed so that this session traffic is forwarded as encrypted-in-transit payloads between your browser and the client running on your machine. Our control-plane database is not intended to store this session content as part of normal operation.
- We may still process limited session metadata such as session identifiers, client identifiers, routing data, timestamps, and error context needed to authenticate, transport, secure, and troubleshoot the Services.
2. Sources of Information
We collect information from several sources:
- Directly from you when you sign up, subscribe, connect a client, save a layout, or contact us.
- From service providers you choose to use with Agent Panel, including Clerk for authentication and Stripe for payments and subscription management.
- Automatically from your browser, device, relay connections, and client software when you use the Services.
- From our infrastructure and logging systems when we monitor performance, availability, fraud, abuse, and operational health.
3. How We Use Information
We use personal information to:
- Provide the Services, including authentication, account creation, client registration, project and layout management, workspace recovery, and paid-plan administration.
- Connect your browser to your machines, route encrypted session traffic, maintain active relay sessions, and preserve service continuity across browsers and devices.
- Process payments, manage subscriptions, reconcile billing snapshots, prevent payment abuse, and deliver receipts or billing notices.
- Monitor, secure, debug, and improve the Services, including investigating bugs, crashes, failed sessions, suspicious activity, and performance bottlenecks.
- Enforce our Terms, protect our rights and users, respond to lawful requests, and comply with legal, accounting, and tax obligations.
- Communicate with you about account activity, product updates, security notices, support responses, and other service-related matters.
- Send waitlist, launch, product-proof, and product-update emails when you have joined the waitlist or otherwise asked to receive those communications.
4. Cookies, Browser Storage, and Similar Technologies
Agent Panel uses a limited set of cookies and similar browser technologies for functional and operational purposes.
- Clerk session cookies are used to keep you signed in and to secure authenticated browser access.
- If we run a coming-soon or invite gate, we may set an invite bypass cookie so invited visitors do not need to re-enter an invite token on every visit.
- The app may use browser cookies or similar local browser state for product preferences and UI state, such as sidebar or layout preferences.
- Public marketing pages may use first-party session storage to preserve campaign source and landing-page attribution through waitlist submission.
- When you use a terminal pane, the app may store serialized terminal buffer snapshots in browser storage on your device so reloads can restore terminal content quickly. These snapshots are encrypted on your device with a key that is only available during an authenticated session and is never stored on the device; we attempt to clear these snapshots when you sign out, and the encryption key becomes unavailable after sign-out, so any remaining encrypted copies cannot be decrypted.
- Public marketing pages may use advertising pixels, cookies, or similar measurement technologies from Reddit, Meta, or similar advertising platforms when those destinations are enabled in our settings. We apply the consent, opt-out, browser preference, and notice controls required by applicable law and by the settings we make available.
- Public marketing and sign-up pages may use first-party browser storage and a product-analytics technology (Mixpanel, including its Session Replay) to measure how visitors use those pages. Analytics events key to an anonymous device identifier, not your email, and the same consent, opt-out, and browser-preference controls described in Section 7 apply to this forwarding.
You can control cookies through your browser settings, but some parts of the Services may not work properly if required cookies are blocked or deleted.
5. How We Disclose Information
We disclose information only as reasonably necessary to operate Agent Panel, fulfill your requests, or comply with law.
- Authentication provider: Clerk helps us run sign-up, sign-in, and authenticated browser sessions.
- Payment processor: Stripe helps us create customer records, host checkout and billing portal flows, process charges, and manage subscription events.
- Hosting and database providers: We use Fly.io for application and relay hosting, Tigris for staging client-binary storage, Axiom for structured log storage, and Supabase-managed Postgres for control-plane data.
- Error-reporting provider: Sentry receives browser, server, relay, and client diagnostic events subject to the masking and scrubbing controls built into the product.
- Product analytics provider: Mixpanel helps us understand how visitors move through our public marketing and sign-up pages. We send event and campaign metadata keyed to an anonymous device or user identifier — page and funnel events, campaign parameters, a coarse paid-versus-organic flag, and a country/state-level location we derive ourselves. We do not send your raw IP address (it is transmitted as ip:0), your email, ad click identifiers, terminal or code or file contents, prompts, chat transcripts, or secrets. Mixpanel is configured with United States data residency. We may also enable Mixpanel Session Replay on these public pages to record page interactions for usability analysis; replays are sampled, all on-screen text and form inputs are masked, and the waitlist email and the sign-in/sign-up email and password fields are blocked from the recording entirely. This forwarding is consent-gated as described in Section 7.
- Email delivery and marketing communications provider: Resend helps us deliver contact-form and support-feedback messages, waitlist confirmations, and waitlist or product-update Broadcasts. For marketing Broadcasts, Resend may receive your email address and minimal waitlist properties: stage, waitlist source, acquisition source, medium, campaign, content, landing-page path, consent version, invite status, and waitlist join timestamp. Resend owns Broadcast unsubscribe and suppression state for those marketing emails.
- Advertising measurement destinations: When advertising measurement is enabled, we may send approved public-page and campaign metadata to Reddit, Meta, or similar advertising platforms, including event identifiers, public URLs or paths, campaign parameters, ad click identifiers, timestamps, browser user agent, and waitlist conversion status. We do not send email addresses, hashed email addresses, terminal contents, code, file contents, prompts, chat transcripts, secrets, private project names, or authenticated workspace URLs to those destinations in the current setup.
- Professional advisors and legal process: We may disclose information to lawyers, auditors, insurers, regulators, or law enforcement when required or reasonably necessary to protect the Services, our users, or our rights.
- Business transfers: We may disclose information in connection with a merger, financing, acquisition, reorganization, or sale of all or part of our business.
We do not currently sell your personal information. To the extent our configured advertising measurement is considered sharing for cross-context behavioral advertising under applicable law, we will provide the opt-out controls required by that law.
6. Data Retention
We retain information for as long as reasonably necessary to provide the Services, maintain security, comply with legal and accounting obligations, resolve disputes, and enforce our agreements.
- Account records, connected-client records, projects, layouts, and user preferences are generally retained while your account is active and for a reasonable period afterward.
- Billing records, Stripe webhook ledgers, and related payment data may be retained longer to comply with finance, tax, fraud-prevention, and audit requirements.
- Diagnostic logs, performance logs, and error-reporting data are generally retained according to operational need and the retention settings of the systems that store them.
- Waitlist and acquisition attribution records are retained while they are needed to understand launch performance, source quality, abuse prevention, and invite follow-up. When raw campaign parameters or ad click identifiers are no longer needed for those purposes, we may delete them or keep only aggregated reporting.
- Support and feedback records are retained while needed to respond to requests, investigate bugs, understand launch quality, and maintain support history. If you delete your account, support-feedback records tied to that account are anonymized by clearing user identity, submitter details, the subject and message text, the page URL, landing page, referrer, error identifiers, and detailed product context, while preserving only coarse aggregate fields — the request category, source surface, severity, resolution status, coarse campaign attribution (source, medium, and campaign), and delivery status — used for launch reporting.
- Encrypted relay session traffic is intended to be forwarded for transport rather than stored as persistent control-plane content, although related metadata and troubleshooting records may remain in logs or diagnostics.
7. Your Choices and Rights
Where required by applicable law, you may have the right to request access to, correction of, deletion of, or information about the personal information we maintain about you. You may also have the right to object to certain processing or appeal a denied privacy request. We may respond to other requests voluntarily, but doing so does not waive our rights or make any unsupported jurisdiction part of our target market.
Agent Panel also offers practical controls that may help you manage your data:
- You can manage account access and many authentication settings through the Clerk-powered account experience.
- You can manage paid subscriptions and payment methods through Stripe-hosted billing flows when those are available for your account.
- You can disable client-side crash telemetry in the Agent Panel CLI with agent-panel telemetry off or by setting AGENT_PANEL_TELEMETRY=off.
- You can clear or block non-essential browser storage through your browser settings, subject to the functional limits described above.
- When advertising measurement or product analytics (including Mixpanel and its Session Replay) is enabled, we support the privacy choices required by applicable law and by the settings we make available. We honor the Global Privacy Control browser signal and a first-party analytics opt-out preference: when either is present we stop sending your activity to those third-party measurement and analytics destinations. Our own first-party operational records may still be kept as described in this policy.
- You can unsubscribe from marketing Broadcasts using the unsubscribe link in those emails. Unsubscribing from marketing Broadcasts does not stop transactional, account, security, billing, support, or direct request-confirming messages.
To submit a privacy request, use the contact information in the Contact section below. We may ask you to verify your identity before completing a request.
8. International Transfers
Conn Castle Studios is based in the United States, and the Services are intended for the U.S. market. The Services are hosted and supported through providers that may process information in the United States and other countries where they operate. If you access the Services from outside the United States, you understand that your information may be transferred to and processed in jurisdictions that may have different data-protection laws than your home country.
9. Children's Privacy
Agent Panel is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, please contact us so we can review and address the issue.
10. Security
We use administrative, technical, and organizational measures designed to protect personal information, including authentication controls, access restrictions, provider security features, and encryption in transit. Browser sessions use authenticated access, and Agent Panel's relay forwards encrypted session traffic in transit between your browser and the client running on your machine.
No security measure is perfect, and we cannot guarantee that information will always remain secure. You should also protect your own devices, accounts, and credentials.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the Services, the law, or our practices. When we do, we will post the revised version here and update the "Last updated" date at the top of the page. If a change is material, we may also provide additional notice through the Services or by other appropriate means.
12. Contact
Conn Castle Studios
Hardware Breakout LLC
3 Cressier Ct.
Fairport, NY 14450
If you have questions about this Privacy Policy or want to make a privacy request, please contact us at the address above.