This policy describes what data Team-AI collects, how it's stored, and who it's shared with. Team-AI is operated as an independent open-source project — not by Anthropic. It is provided on a best-effort basis and is currently in preview.
1. What we collect
Account data
- Email address, username, first and last name (at registration or from your Google/GitHub OAuth profile).
- A salted, hashed password if you register with email/password. The raw password is never stored.
- OAuth tokens issued by Google and GitHub, stored in our database so agents can act on your behalf (e.g. create a repo, open a pull request).
Anthropic API key (bring-your-own-key)
You provide your own Anthropic API key in Settings. It is stored in the user_integrations table attached to your user record. It is used only to call the Claude API for your own projects, directly from our server; it is never shared between users and never relayed through a third-party proxy.
Project data
- Project names, descriptions, and the natural-language requirements you submit.
- Generated artifacts: code files, READMEs, task outputs, validation reports.
- Task logs — which agent ran, which status, timestamps, errors.
Operational data
- Standard server logs (IP, user-agent, request path) retained by the hosting provider.
- A session cookie / JWT for keeping you signed in.
2. What we do not collect
- Payment or billing information — the platform does not charge you. Anthropic bills you directly for API usage under their own terms.
- Analytics trackers, ad pixels, or session replay tools.
- Device fingerprints beyond standard HTTP request metadata.
3. How we use your data
- Run your projects. Your description and context are sent to the Claude API using your own key.
- Create your GitHub repository and commit the generated code on your behalf, using the OAuth scope you granted.
- Display your projects and progress in the dashboard.
- Enforce rate limits (currently: 5 project creations per user per minute).
4. Third parties that receive your data
- Anthropic — your prompts, project context, and generated output are sent to Anthropic's API and are subject to Anthropic's privacy policy.
- GitHub — if you connect a GitHub account, repositories are created and code is pushed via the GitHub API under the permissions you granted.
- Google — if you sign in with Google OAuth, Google receives the usual OAuth handshake metadata.
- Railway — our hosting provider sees the same data your server sees (standard infrastructure metadata).
5. Training on your data
Team-AI does not train any models on your data. Whether Anthropic trains on your API inputs depends on their API terms, which typically do not use API inputs for model training — please review Anthropic's policy directly.
6. Data retention
We keep your account, project, and artifact data until you delete it. You can delete individual projects from the dashboard. Account deletion is available in Settings → Account → Delete Account and removes your user record and associated projects.
7. Security
We apply reasonable engineering practices — HTTPS everywhere, bcrypt password hashing, JWT-based session auth, environment-variable secrets — but the platform is in preview and does not carry any formal certification (SOC 2, ISO 27001, HIPAA, etc.). Please evaluate accordingly before using Team-AI for sensitive data.
How we run AI-generated code during validation
The Integration Validator agent runs the generated project's build and tests on our infrastructure. That means arbitrary code written by Claude executes on our servers. Our current safeguards are:
- The repo is cloned into a throwaway temporary directory and deleted after validation.
- npm install and npm ci run with --ignore-scripts, which blocks the common preinstall/postinstall supply-chain attack vector. This only skips lifecycle scripts at install time; dependency code still executes when the project's build and tests run.
- Every command has a 300-second timeout.
- Environment variables that look like secrets (any name containing KEY, SECRET, TOKEN, or PASSWORD, any name starting with a provider prefix such as ANTHROPIC_/GITHUB_/GOOGLE_/JWT_, and the exact name DATABASE_URL) are removed from the subprocess environment before the build and tests run, so generated test code can't read them via process.env or os.environ. This is a name-based denylist: a secret held under a name that matches none of these patterns is not scrubbed.
- Integration Validator auto-rework is capped at two rounds per task.
What we do not currently do: run validation inside a container, jail, or microVM; restrict outbound network access from the subprocess; enforce CPU or memory limits beyond the Railway host's own limits. Treat the validation environment as a best-effort sandbox, not a hostile-code-proof one — don't generate projects whose dependencies you don't trust.
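As an added example (written here for illustration, not Team-AI's own validator code), the following Python runner applies the three mechanical safeguards described above: a throwaway working directory, a per-command timeout, and a name-based scrub of secret-looking environment variables before the generated project's commands run. The function names (looks_like_secret, scrub_env, run_step, validate, demo), the constructed secret values, and the use of the Python interpreter as a stand-in for npm test are assumptions of this example; the denylist patterns themselves are the ones the policy lists.

```python
"""Example validation runner (added example, not the project's own code):
throwaway directory, per-command timeout, and a name-based scrub of
secret-looking environment variables before generated code runs."""
import os
import shutil
import subprocess
import sys
import tempfile

# Name-based denylist as described in the policy. Matching is on the
# upper-cased variable name: substrings anywhere in the name, provider
# prefixes, and one exact name (DATABASE_URL is a full name, not a prefix).
SECRET_SUBSTRINGS = ("KEY", "SECRET", "TOKEN", "PASSWORD")
SECRET_PREFIXES = ("ANTHROPIC_", "GITHUB_", "GOOGLE_", "JWT_")
SECRET_NAMES = frozenset({"DATABASE_URL"})

# Command shape the policy describes for a Node project (not executed below,
# since this example must run offline): lifecycle scripts are skipped on
# install, but `npm test` still executes dependency code.
NPM_STEPS = [["npm", "ci", "--ignore-scripts"], ["npm", "test"]]


def looks_like_secret(name: str) -> bool:
    upper = name.upper()
    return (
        any(s in upper for s in SECRET_SUBSTRINGS)
        or upper.startswith(SECRET_PREFIXES)
        or upper in SECRET_NAMES
    )


def scrub_env(env: dict) -> dict:
    """Return a copy of env with secret-looking names dropped."""
    return {k: v for k, v in env.items() if not looks_like_secret(k)}


def run_step(argv, workdir, base_env, timeout_s=300):
    """Run one validation command in workdir with a scrubbed environment and
    a hard timeout. subprocess.run kills the child when the timeout expires."""
    try:
        proc = subprocess.run(
            argv, cwd=workdir, env=scrub_env(base_env),
            capture_output=True, text=True, timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "stdout": "", "stderr": ""}
    return {
        "status": "ok" if proc.returncode == 0 else "failed",
        "stdout": proc.stdout, "stderr": proc.stderr,
    }


def validate(steps, base_env, timeout_s=300):
    """Run steps in order inside a throwaway directory that is removed
    afterwards; stop at the first step that fails or times out."""
    workdir = tempfile.mkdtemp(prefix="validate-")
    results = []
    try:
        for argv in steps:
            result = run_step(argv, workdir, base_env, timeout_s)
            results.append(result)
            if result["status"] != "ok":
                break
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return results


def demo():
    """Constructed scenario: the server environment holds secrets and the
    'generated test' tries to read them. Also shows a timed-out step and a
    denylist miss (DB_PASS matches none of the patterns, so it leaks)."""
    base_env = dict(os.environ)  # keep PATH etc. so the child interpreter runs
    base_env.update({
        "ANTHROPIC_API_KEY": "sk-ant-constructed",   # constructed value
        "DATABASE_URL": "postgres://constructed",     # constructed value
        "DB_PASS": "constructed-miss",                # not caught by the denylist
    })
    # Stand-in for generated test code reading os.environ; the Python
    # interpreter replaces `npm test` so the example runs without npm.
    leak_probe = [sys.executable, "-c",
                  "import os; print(os.environ.get('ANTHROPIC_API_KEY', '<scrubbed>'),"
                  " os.environ.get('DATABASE_URL', '<scrubbed>'),"
                  " os.environ.get('DB_PASS', '<scrubbed>'))"]
    hang = [sys.executable, "-c", "import time; time.sleep(30)"]
    results = validate([leak_probe, hang], base_env, timeout_s=2)
    return results[0]["stdout"].split(), results[1]["status"]


if __name__ == "__main__":
    print(demo())  # (['<scrubbed>', '<scrubbed>', 'constructed-miss'], 'timeout')
```

The third value in the probe's output is the point to notice: DB_PASS contains none of KEY, SECRET, TOKEN or PASSWORD and carries no listed prefix, so a denylist of this shape passes it straight into the generated tests. An allowlist (pass only the variables the build actually needs, such as PATH and HOME) fails closed instead, which is the safer default when the child process is untrusted code.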
8. Your rights
- You can view and edit your profile in Settings.
- You can delete your account at any time.
- You can revoke GitHub and Google access from those services' respective settings.
- Under GDPR / CCPA you can request a copy of or the deletion of your data — reach out via GitHub Issues on the project repository.
9. Cookies
We use a single JWT-bearing cookie for keeping you signed in. We do not set advertising or tracking cookies.
10. Changes to this policy
When we make material changes we update the "last updated" date at the top and, where possible, surface a notice in the dashboard.
11. Contact
Project repository: github.com/e-triyaj/Team-AI. For privacy questions, open an issue there.