Privacy Policy

Last updated: May 3, 2026

1. Introduction

Phoenix Horizon, Inc. ("Phoenix," "we," "us," or "our") operates Prix, a developer platform for building, distributing, and running AI agents. This Privacy Policy explains what information we collect when you use Prix and the prix.dev website, how we use it, and the choices you have.

This policy supplements the Phoenix Horizon Privacy Policy, which covers all Phoenix products and services.

2. Information We Collect

Developer Account

  • Email address
  • Name and profile photo (via OAuth providers, if used)
  • Organization affiliation and role
  • Payment information (processed by Stripe; we do not store card numbers)

API Keys and Credentials

API keys you generate to call Prix from your code are stored as a one-way hash on our servers; we cannot recover the plaintext after issuance. Third-party application credentials you upload (for example, Slack or Discord app secrets) are encrypted at rest using AES-256-GCM.

Agent Registry Content

When you publish an agent, we store the agent name, version, description, icon, gallery, and signed container. Public agents are listed in the registry and on prix.dev; private agents are visible only to your organization.

Usage Data

  • API request metadata (endpoint, status code, latency, token counts, cost)
  • Container download and install events
  • Error information and stack traces (with sensitive values redacted)
  • Device information (OS, runtime version)
  • IP address (used for rate limiting, abuse prevention, and geographic reporting)

Agent Execution Data

When agents you run go through our LLM proxy, we log request metadata (model, token counts, cost, latency) but do not log prompt or completion content beyond what is required to return errors and surface usage limits.

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Prix platform
  • Authenticate your account and authorize API calls
  • Issue invoices, process payments, and prevent fraud
  • Enforce rate limits, spend limits, and security controls
  • Detect and respond to abuse, malware, and policy violations
  • Communicate with you about service updates, billing, and security advisories
  • Comply with legal obligations

4. What We Do NOT Collect

  • Prompt and completion content — LLM proxy traffic is not logged beyond metadata.
  • Plaintext API keys — we store a one-way hash; lost keys must be rotated.
  • Passwords — authentication is via OAuth.
  • Special-category personal data — see Section 7.

5. Subprocessors

We rely on the following third-party processors to operate Prix. Each is bound by a written agreement that requires equivalent security and confidentiality protections.

  • Supabase — primary database and authentication.
  • Hetzner — server infrastructure (Germany).
  • Cloudflare — CDN, DNS, edge network, R2 object storage.
  • Stripe — payments and billing.
  • Anthropic — LLM provider for proxy traffic.
  • OpenAI — LLM provider for proxy traffic.
  • Better Stack — centralized log storage.
  • Resend — transactional email (account, billing, security notices).
  • PostHog — product analytics (page views, feature usage).
  • Sentry — error reporting.

We will give existing customers at least 30 days' notice before adding or replacing a subprocessor that processes customer personal data. Notices are posted on this page; customers may object by contacting [email protected].

6. Data Storage, Security, and Retention

In transit: all traffic to api.prix.dev and prix.dev is served over TLS 1.2 or higher.

At rest: third-party application credentials are encrypted with AES-256-GCM. Database storage is encrypted at the provider level.

Access: production access is gated through a zero-trust network and limited to a small number of named administrators.

Retention: account, billing, and registry data are retained for the life of your account plus the period required by tax and accounting law (up to 7 years for invoices). Operational logs are retained for up to 24 months. You may request deletion at any time (see Section 8).

7. Prohibited Data Categories

Prix is not designed for, and must not be used to process:

  • Protected Health Information (PHI) regulated under the U.S. Health Insurance Portability and Accountability Act (HIPAA). Prix is not a HIPAA-covered Business Associate and we do not sign Business Associate Agreements at this time.
  • Cardholder data subject to PCI-DSS beyond what Stripe processes on our behalf.
  • Government identification numbers (Social Security Number, passport number, driver's licence).
  • Biometric identifiers, financial account credentials, or other sensitive categories under applicable law.

If you submit any of the above to Prix, you do so in violation of our Terms of Service and we may suspend or terminate your account.

8. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete personal data we hold about you, and to object to or restrict certain processing. To exercise these rights, email [email protected]. We will respond within 30 days.

EEA / UK (GDPR): our legal basis for processing is (a) performance of the contract to provide the service, (b) legitimate interests in operating, securing, and improving the platform, and (c) compliance with legal obligations. You have the right to lodge a complaint with your supervisory authority.

California (CCPA / CPRA): you may request to know, delete, correct, or opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising.

9. International Data Transfers

Phoenix is incorporated in the United States; some subprocessors are based in the U.S. (Cloudflare, Stripe, Anthropic, OpenAI), the EEA (Hetzner, Better Stack), and elsewhere. Where we transfer personal data out of the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures including encryption in transit and at rest.

10. Security Incidents

If we discover a personal-data breach, we will notify affected customers without undue delay and in any event within 72 hours of becoming aware where required by applicable law. Security reports may be sent to [email protected].

11. Children's Privacy

Prix is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to account owners and posted on this page. The "Last updated" date at the top reflects the most recent revision.

13. Contact

For privacy-related questions or to exercise your rights:

Phoenix Horizon, Inc.
Palo Alto, CA
United States