Privacy Policy
Last updated: April 27, 2026
CloudByte AI (“CloudByte”, “we”, “us”) operates CloudByte PMS, a productivity monitoring platform for engineering teams. This policy explains what data we collect, how we use it, and your rights. If you have questions, email hello@cloudbyte.ai.
1. What we collect
CloudByte PMS runs a lightweight sync agent on each developer’s machine. The agent reads from the local claude-mem SQLite database and ships the following to our servers:
- Account information — email address, display name, and organization membership. Provided at account creation.
- AI session metadata — session timestamps, project folder name, git branch, AI tool version, OS platform, and anonymized machine ID (a truncated SHA-256 hash of the hostname — the original hostname is never transmitted).
- AI prompt text — the full text of prompts sent to AI coding tools (Claude Code, Cursor, GitHub Copilot, etc.) within each session.
- AI observations and summaries — structured session summaries and tool observations generated by the AI during the session.
- Token usage — input and output token counts per model per session. No prompt content is re-transmitted for this.
- Git commit metadata and diffs — commit messages, author name/email, branch, file-change stats (insertions/deletions), and the full diff for each commit. Diffs are stored for 5 days then automatically deleted; only line stats are retained long-term.
- Agent heartbeat — periodic health checks including service status, agent version, and sync timestamps. No prompt content.
2. What we do not collect
- We do not record keystrokes, screen captures, or clipboard contents.
- We do not access file contents outside of git commits (i.e. we do not read files you have not committed).
- We do not collect passwords, SSH keys, or secrets stored on developer machines.
- We do not sell or broker your data to third parties.
- We do not use your organization’s prompt data to train AI models or build products for other customers.
3. How we use your data
- Provide the service — display activity feeds, adoption metrics, ROI dashboards, and agent health to authorised users in your organization.
- AI-generated commit summaries — commit diffs are sent to the AI provider configured for your organization (Anthropic, Google, OpenAI, or AWS Bedrock) to generate a 2–3 sentence plain-English summary. If you have configured your own API key (BYOK), your key is used and the data goes to your chosen provider under your agreement with them.
- Service communications — we send magic-link login emails and critical service notices to the email address on your account.
- Security and abuse prevention — logs and metadata are used to detect malicious activity, enforce rate limits, and respond to security incidents.
- Aggregate product improvement — we may analyze anonymized, aggregated usage patterns (e.g. “X% of teams use daily active tracking”) to improve the product. No individual prompt content is included.
4. Data residency and hosting
By default, all data is stored on AWS infrastructure in the ap-south-1 (Mumbai, India) region. Data does not leave this region except when AI features are used — in which case it is transmitted to the AI provider you have selected under their terms.
Enterprise customers may request EU (eu-west-1) or US (us-east-1) regional hosting. Self-hosted deployments keep all data within your own infrastructure and are never transmitted to CloudByte servers.
5. Data retention
- Git commit diffs — retained for 5 days, then automatically deleted. Commit metadata (message, stats) and AI summaries are retained for the life of the account.
- Prompt and session data — retained for the life of the account unless deleted earlier by an administrator.
- Account deletion — when an account is deleted by a super-admin, all associated sessions, prompts, observations, summaries, and commits are permanently deleted within 30 days.
- Organization offboarding — upon contract termination, all organization data is deleted within 30 days of the end date.
6. Third-party sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Compute, database, email (SES), object storage | ap-south-1 |
| Anthropic (default) | AI commit/PR summaries and skill generation | US (Anthropic-managed) |
| Google / OpenAI / AWS Bedrock | AI features — only if your org has selected this provider (BYOK) | Provider-managed |
We do not share data with any sub-processor not listed here. We require sub-processors to maintain appropriate data protection standards.
7. Access controls and security
Data is accessible only to members of your organization with an active account. Role-based access control (RBAC) enforces the following visibility rules:
- Standard — can see only their own prompts, sessions, and commits.
- Reviewer / Org Admin — can see all data within their organization.
- Super Admin — CloudByte staff; access is restricted, logged, and used only for operational support.
All data is encrypted in transit (TLS 1.2+) and at rest (AWS RDS KMS encryption). Sensitive fields (BYOK API keys, SCM tokens) use AES-256-GCM with envelope key rotation. Full security details are on our Security page.
8. Your rights (GDPR / data subject rights)
Depending on your jurisdiction you may have the right to:
- Access — request a copy of data we hold about you.
- Rectification — correct inaccurate personal data.
- Erasure — request deletion of your personal data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, email hello@cloudbyte.ai with the subject line “Data Request”. We respond within 30 days.
9. Cookies and analytics
The CloudByte PMS dashboard uses localStorage to store your session token (API key) client-side. We do not use third-party analytics cookies, advertising pixels, or tracking scripts on any part of the platform. This marketing site (https://getpms.cloudbyte.ai) does not use cookies.
10. Changes to this policy
We will notify organization admins by email at least 14 days before any material changes take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance.
11. Contact
Data controller: CloudByte AI
Privacy enquiries: hello@cloudbyte.ai
Security disclosures: security@cloudbyte.ai