Privacy Policy

This Privacy Policy describes how Modulus ("Modulus," "we," "us," or "our") collects, uses, discloses, and protects information when you use our website, desktop application, developer tools, APIs, MCP servers, integrations, and related services (collectively, the "Service").

Modulus is an AI-powered developer platform. The Service may connect to your authentication provider, workspace tools, and AI coding environment to help coding agents respond with more relevant project context across chats, branches, and repositories.

This policy applies to information we process as a service provider for workspaces and as a business responsible for our own website, accounts, billing, security, and product operations.

1. Information We Collect

Account and Workspace Data

We collect information needed to create and administer accounts and workspaces, including name, email address, profile image, email verification status, identity-provider user identifiers, GitHub username or user identifiers when connected, organization or workspace name, workspace membership, onboarding status, account active status, and related account metadata.

Authentication

When you sign in or connect an identity provider, we process authentication data such as session cookies, OAuth flow metadata, provider identifiers, access tokens, refresh tokens, token expiration times, OAuth scopes, and authorization state where necessary to complete authentication, refresh sessions, connect the desktop application, or connect GitHub.

The desktop application may store authentication tokens in the operating system keychain and may store limited account profile, session, GitHub token, and GitHub user cache data in local app storage.

API Keys and Integration Data

We collect and store API keys generated for the Service, workspace and user identifiers associated with those keys, and integration settings needed to connect external tools. Depending on which features you enable, this may include GitHub installation data, Slack workspace or channel metadata, billing customer identifiers, and AI provider configuration.

When repository integrations require provider access, we may generate or receive short-lived provider tokens to access the repositories and branches you select. We do not ask for or store your GitHub password.

Usage Data

We process the prompts, issue titles, issue descriptions, repository selections, branch names, and other content you submit to the Service so that Modulus can route work to the right integrations and provide AI-assisted outputs.

Cross-agent memory and context features may process conversation items, user prompts, assistant or agent responses, tool-call outputs, file-change payloads, chat identifiers, branch identifiers, session identifiers, repository identifiers, project identifiers, pull request status, prior session summaries, and cross-branch summaries. These records may be summarized, embedded, and retrieved later to provide context across chats, branches, and repositories. The desktop application may send this information to Modulus cross-agent context services using your Modulus access token.

Local Application Data

The desktop application stores some information locally on your device, including projects, repositories, branches, sessions, chat messages, session summaries, normalized git remote URLs, settings, workspace records, cached account profile data, and local app cache data. User-supplied Anthropic keys may be stored in a local keys file with restrictive file permissions.

If you use dictation, the desktop application requests microphone permission and transcribes audio on-device using downloaded Whisper model files. Raw dictation audio is not intentionally sent to Modulus servers. If you submit feedback, we may collect the feedback text, attached images or screenshots, image count, account or GitHub username, and related submission metadata.

Payment Data

Paid features are processed through third-party payment providers. We may receive and store billing identifiers, subscription status, payment status, plan information, and related transaction metadata. We do not intentionally store full payment card numbers on our own systems.

Device, Log, and Analytics Data

We collect technical and usage information such as IP address, browser and device information, operating system, screen size, pages viewed, download events, app update metadata, MCP request events, timestamps, error logs, workspace identifiers, repository identifiers, chat identifiers, prompt length, model name, image count, and product interaction events. Logs may include account email addresses, workspace identifiers, request metadata, truncated prompt previews, repository names, usernames, or error details when needed for security, debugging, and operations.

If AI tracing, evaluation, or observability features are enabled for the Service, telemetry may include prompts, truncated prompts, outputs, retrieved context, model identifiers, endpoint metadata, latency, error details, and evaluation metadata. We configure these tools to support product quality, debugging, and safety review, not to sell customer content.

2. How We Use Information

We use information to:

• Provide, maintain, secure, and improve the Service
• Create accounts, workspaces, sessions, and API keys
• Authenticate users and connect the desktop application
• Store and retrieve cross-agent memory, chat memory, session summaries, cross-branch summaries, and related vector embeddings
• Send requested information to AI systems and coding agents so they can perform requested tasks
• Generate session summaries, commit messages, pull request titles, and pull request descriptions
• Run local desktop workflows such as terminal sessions, worktrees, repository cloning, git operations, dictation, and app updates
• Process downloads, subscriptions, payments, and support
• Measure usage, diagnose errors, and improve reliability
• Prevent fraud, abuse, unauthorized access, and misuse
• Comply with legal, security, and contractual obligations

We may use aggregated, anonymized, or de-identified data to understand product usage, improve performance, and develop new features. We do not sell your personal information.

3. AI Processing

The Service uses automated systems, including large language models and embedding models, to summarize chat sessions, enhance user prompts, and assist coding workflows. To provide these features, we may send user prompts, conversation transcripts, session summaries, and related context metadata to AI infrastructure or model providers.

Depending on the feature and configuration, content may be sent to language model providers for session summaries and context drafting, and to embedding providers to generate vector representations of prompts and summaries. We do not send repository source files to model providers for codebase analysis.

We treat embeddings as customer content because embeddings can encode information derived from prompts, summaries, chat messages, and other submitted content. Embeddings and related metadata may be stored in vector databases and used for retrieval across chat, branch, and repository context.

AI outputs may be inaccurate, incomplete, insecure, or outdated. You are responsible for reviewing and validating outputs before relying on them or merging generated code.

Unless explicitly disclosed in a separate agreement or feature notice, we do not use customer content to train foundation models. Model providers may process submitted data only as needed to deliver the requested feature, subject to their applicable terms and data processing commitments.

AI observability or evaluation systems, when enabled, may process prompts, model outputs, retrieved context, and related metadata to help us debug failures, evaluate output quality, monitor abuse, and improve reliability.

4. Developer Service Access Controls

Workspace features, MCP endpoints, API routes, and context-processing workflows are intended to use authenticated accounts, workspace membership, generated API keys, connected-provider credentials, or service-to-service credentials as applicable. Public website, legal, marketing, download, or status routes may be reachable without a signed-in user, but server-side credentials used by those routes are not exposed to visitors.

API keys and provider tokens should be treated as secrets. You are responsible for protecting keys issued to your account or workspace, rotating them when appropriate, and revoking access for users or integrations that should no longer use the Service.

5. Sensitive Data and Customer Content

Modulus is built for software development workflows, not for storing regulated sensitive information. You should not submit protected health information, payment card data, government identifiers, secrets, private keys, passwords, or other highly sensitive information unless you have confirmed that your plan, contract, and configuration permit that processing.

Source code and repository content may contain credentials, personal information, proprietary business logic, or confidential material. You are responsible for ensuring that you have the rights and permissions needed to connect repositories and submit content to the Service.

Anything present in a prompt, conversation, tool output, feedback screenshot, or file diff may be processed by Modulus and, where needed for the feature, sent to AI providers, embedding providers, vector databases, analytics, observability systems, or other sub-processors. Do not submit secrets, production credentials, private keys, payment card data, health data, or regulated personal information unless your agreement and configuration permit that processing.

6. How We Share Information

We share information with service providers and integrations only as needed to operate the Service, comply with law, protect users, or complete actions you request. These recipients may include:

• Authentication and identity providers
• Repository and developer platform providers, to authenticate users and operate issue and pull request workflows
• Cloud hosting, database, storage, cache, and infrastructure providers
• Modulus-operated MCP and context-processing services
• AI, embedding, and observability providers used to generate, embed, trace, or evaluate outputs
• Workflow orchestration, API-key verification, search, and crawling providers where configured
• Analytics and product telemetry providers
• Payment processors
• Feedback, app update, and model-download providers where desktop features use them
• Communication and workspace integrations when enabled by a workspace
• Professional advisers, law enforcement, regulators, or other parties when required to protect rights, safety, security, or legal compliance

We do not sell personal information. We may disclose information in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to appropriate protections.

7. How Long We Keep Data

We retain information only as long as needed to provide the Service, maintain accounts, meet legal obligations, resolve disputes, and protect security.

• Keep account, workspace, subscription, and billing metadata while your account or workspace is active, and for a reasonable period afterward.
• Keep session summaries, embeddings, vector records, chat memory, and related context outputs while needed to operate cross-agent memory and context retrieval features.
• Keep logs and analytics data according to our operational retention practices for security, debugging, and product improvement.

Deletion from active production systems may occur before deletion from backups, logs, provider systems, and audit records, which are removed or aged out according to applicable retention schedules.

8. Security

We use administrative, technical, and organizational safeguards designed to protect information, including authentication, access controls, HTTPS/TLS, and environment-based secret management.

No method of transmission or storage is completely secure. You should protect your account credentials, API keys, repository permissions, and local development environment. Avoid submitting secrets, credentials, or other highly sensitive information in prompts or conversations.

9. Cookies and Analytics

We use cookies and similar technologies for authentication, session management, product analytics, and security. Analytics tools may collect page views, download events, product usage events, device information, and identifiers used to understand how the Service is used.

Product analytics may include events such as prompt length and model name, whether images were attached, project openings, worktree creation, app downloads, MCP requests, and feedback submission metadata. Feedback endpoints may include the feedback message body, screenshots or attached images, image count, and the user's GitHub username.

Desktop app update checks may send platform, architecture, current version, and IP-derived network metadata to the update provider. Dictation model downloads may contact the model hosting provider to fetch selected model files.

Your browser may let you block or delete cookies. Some Service features, including sign-in and workspace access, may not work correctly without necessary cookies.

10. Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, contact us so we can take appropriate action.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Service or by other appropriate means. The "Last updated" date below indicates when this policy was last revised.

12. Contact Information

For questions about this Privacy Policy or our privacy practices, contact us at founders@backtickai.com.

If you have a workspace agreement with Modulus, the notice and contact terms in that agreement may also apply.