Privacy Policy

Last updated: May 11, 2026

TinyFat, Inc. ("we", "us", "our") operates Tiny Fat Agents. This Privacy Policy explains how we collect, use, and protect your information.

1. Information We Collect

Account Information

Email address
Password (hashed, never stored in plain text)
Payment information (processed by Stripe, not stored by us)

Agent Configuration

Agent name and settings
API keys you provide (encrypted at rest)
Slack and email integration tokens (encrypted at rest)
Knowledge base files you upload

Message Content

Emails sent to your agent's address
Slack messages in channels where your agent is active
SMS/MMS messages sent to or from phone numbers connected to your agent
Agent responses

SMS Consent Information

Phone numbers you submit for SMS/MMS access
Your SMS opt-in records and consent context
SMS delivery, opt-out, and support metadata

Technical Data

Agent logs and activity history
IP addresses for security purposes
Browser/device information when accessing the dashboard

2. How We Use Your Information

Data	Purpose
Email address	Account access, service notifications
Phone number and SMS consent	Providing SMS/MMS agent messaging, support, opt-out handling, and compliance records
API keys	Powering your AI agent
Message content	Processing by your agent, generating responses
Logs	Debugging, showing you agent activity
Payment info	Processing subscription payments (via Stripe)

3. Data Sharing

We do not sell your data. We share data only with:

Anthropic — Message content is sent to Claude for AI processing (using your API key or ours)
Cloudflare — Infrastructure provider, hosts the Service
Stripe — Payment processing
Supabase — Database hosting
Resend — Email delivery for agent responses
Twilio and messaging providers — SMS/MMS delivery, routing, and delivery status

We do not sell, rent, or share SMS opt-in information or phone numbers for third-party marketing. SMS consent is used only to provide and support Tiny Fat Agents messaging.

We may also disclose data if required by law or to protect our rights.

4. Data Retention

Active accounts: Data retained while your account is active
Logs: Retained for 30 days, then automatically deleted
Deleted accounts: Data deleted within 30 days of account deletion
Backups: May persist in backups for up to 90 days

5. Data Security

We implement reasonable security measures:

All API keys and tokens encrypted at rest (AES-256-GCM)
All traffic encrypted in transit (TLS)
Access controls and authentication required for all data access
Regular security reviews

No system is 100% secure. You are responsible for keeping your account credentials safe.

6. Your Rights

You can:

Access your data through the dashboard
Export your agent configuration and logs
Delete your account and all associated data
Update your account information at any time

For data requests, contact [email protected].

7. International Users

The Service is operated from the United States. By using the Service, you consent to the transfer of your data to the US. We comply with applicable data protection laws including GDPR and CCPA.

8. Children

The Service is not intended for users under 18. We do not knowingly collect data from children.

9. Cookies

We use essential cookies for:

Authentication (keeping you logged in)
Security (CSRF protection)

We do not use advertising or tracking cookies.

10. Changes

We may update this Privacy Policy. Material changes will be notified via email. Continued use after changes constitutes acceptance.

11. Contact

Privacy questions? Contact us at [email protected].

Terms | Privacy | Acceptable Use | Contact