Pathrule
Legal

Privacy Policy

Effective 3 May 2026 · Last updated 3 May 2026 · Version 1.0

This Privacy Policy explains how Pathrule ("Pathrule", "we", "us", "our") collects, uses, discloses, and safeguards information when you use the Pathrule desktop application, the Pathrule cloud service, the Pathrule MCP server, or the website at pathrule.io (together, the "Service").

If you do not agree with this Policy, please do not use the Service.

About Pathrule. Pathrule is a shared memory, rule, and skill layer for AI coding agents (such as Claude Code, Cursor, Codex, and other MCP-compatible clients). It runs partly on your computer (a native desktop app and a local hook supervisor that observes your AI agent's tool calls) and partly in our cloud (a Supabase-hosted database, Edge Functions, and an AI router). The cloud component is the source of truth for the memories, rules, and skills you author.

0. At a glance

  • Operator: Pathrule
  • Registered address: 30 Ağustos Zafer Mah. 73. Sok. No:3, Bursa/Nilüfer, Türkiye
  • Privacy contact: [email protected]
  • Website: pathrule.io
  • Jurisdictions: European Union (GDPR), Türkiye (KVKK), United States including California (CCPA / CPRA)
  • AI sub-processor: Anthropic (Claude Haiku model)
  • Sale of data: We do not sell or share personal data for cross-context behavioural advertising
  • Minimum age: 16

1. Information we collect

We collect only what is necessary to operate the Service and to comply with the law.

1.1 Information you provide directly

  • Account information. Your email address and the basic profile attributes returned by the OAuth identity provider you choose (for example Google) via Supabase Auth.
  • Profile and workspace settings. Workspace names, display preferences, locale.
  • User-authored content. Memories, rules, skills, and activity-log task summaries that you, or your AI agent acting on your behalf, write into Pathrule. This is the core knowledge graph the Service exists to manage.
  • Support communications. When you email us or report an issue, we keep the message and any attachments.

1.2 Information collected automatically

  • Workspace metadata. Node paths in your workspace tree, the workspace-relative file paths your AI agent reports as "touched" in an activity log, and timestamps. We do not receive the contents of those files unless you (or your agent) explicitly paste them into a memory, rule, or skill.
  • AI agent telemetry. Prompts, responses, tool calls, and tool-call results that are routed through the Pathrule MCP server or the Pathrule AI router (including routing classifications, intent labels, latency, and token counts).
  • Internal product analytics. Usage events stored in our own Supabase tables (feature usage, error events, route timings) used to operate, debug, and improve the Service.
  • Device and connection data. Operating system, app version, IP address, coarse geolocation derived from IP, language, time zone, crash reports, and diagnostic logs.
  • Cookies and similar technologies. The website uses cookies described in Section 9. The desktop app does not set HTTP cookies; it stores settings locally in the app's OS-level data directory.

1.3 Information from third parties

  • Identity providers. The OAuth provider you sign in with returns your email and basic profile.
  • Stripe. When you purchase a subscription, Stripe shares with us a customer ID, subscription status, the last 4 digits and brand of the card, billing country, and invoice metadata. We never receive or store full card numbers, CVC, or full bank details; those are handled exclusively by Stripe.

1.4 Sensitive content you may write into Pathrule

Pathrule is not designed to receive special-category data (health, biometric, political, religious, racial or ethnic origin, trade-union membership, sexual orientation, criminal records) or developer secrets such as API keys, access tokens, or customer data. If you choose to paste such content into a memory, rule, or skill, you do so at your own risk and you remain solely responsible for ensuring you have a lawful basis to process it. Cloud rows are protected with Supabase Row Level Security so that only members of the owning workspace can read them, but Pathrule disclaims liability for content the user voluntarily inserts. We strongly recommend not storing secrets or special-category data in Pathrule.

2. How we collect information

  • Directly from you. When you sign up, configure a workspace, write memories, rules, or skills, install third-party skills, or contact support.
  • Automatically from the desktop app and MCP server. When the local hook supervisor records your AI agent's tool calls and forwards activity logs to the cloud, and when the MCP server proxies AI requests through the Pathrule AI router.
  • Automatically from the website, through cookies and analytics described in Section 9.
  • From third parties: identity providers (OAuth sign-in), Stripe (billing), and Anthropic (the AI provider that the AI router currently forwards prompts to).

3. How we use information

We use information for the following specific purposes:

  1. Provide the Service. Authenticate you, store and retrieve your memories, rules, and skills, route AI requests, deliver path-scoped context to your AI agent, and sync activity logs.
  2. Operate the AI router and MCP server. Classify intent, route to the right model, attach the right context, and log the call for debugging and quota enforcement.
  3. Billing. Manage subscriptions, process payments via Stripe, issue invoices, and comply with applicable tax law.
  4. Improve the product. Analyse aggregated usage patterns (which features people use, which routing decisions correlate with successful AI outcomes, where users hit errors) so we can prioritise fixes and new features.
  5. Cost and quality monitoring. Track per-user, per-model, per-feature LLM cost and latency to detect regressions and prevent abuse.
  6. Support and communication. Reply to your support emails and send transactional emails such as account confirmation, billing receipts, and security alerts.
  7. Security and abuse prevention. Detect fraudulent sign-ups, rate-limit abusive callers, and investigate suspected misuse of the Service.
  8. Legal compliance. Respond to lawful requests and retain records that tax or commercial law requires us to keep.
  9. Marketing communications. If you opt in, we send product update emails and a product newsletter via Resend. You can unsubscribe at any time using the link in every marketing email.

We will not use your data for materially different purposes without first updating this Policy and, where required, obtaining your consent.

4. Legal basis for processing (GDPR / KVKK)

We rely on the following legal bases:

PurposeGDPR (Art. 6)KVKK (Art. 5)
Provide the Service to a logged-in userContract, Art. 6(1)(b)Sözleşmenin kurulması veya ifası, m. 5/2-c
Bill subscriptions and retain invoicesLegal obligation, Art. 6(1)(c)Hukuki yükümlülük, m. 5/2-ç
Internal analytics, cost monitoring, abuse detectionLegitimate interests, Art. 6(1)(f)Meşru menfaat, m. 5/2-f
Marketing emailsConsent, Art. 6(1)(a)Açık rıza, m. 5/1

You can withdraw consent at any time without affecting processing carried out before the withdrawal.

5. Data sharing and sub-processors

We share information only with the categories of recipients listed below, and only as needed for the purposes in Section 3.

RecipientPurposeRegion
SupabaseDatabase, authentication, storage, Edge FunctionsUnited States (AWS)
StripeSubscription billing and payment processingEuropean Union and United States
CloudflareCDN, DNS, edge networking, R2 object storage for desktop release artifactsGlobal edge
ResendTransactional and marketing email deliveryUnited States
AnthropicAI inference (Claude Haiku model). Prompts you or your agent submit to the AI router are forwarded to Anthropic for processing; we receive metadata back (token counts, latency, cost).United States
Identity providers (e.g. Google)OAuth sign-inPer provider
Auditors, lawyers, accountantsUnder confidentiality, where strictly necessaryTürkiye / EU
Law enforcement and regulatorsWhere compelled by valid legal processPer request

We do not sell personal data, and we do not share personal data for cross-context behavioural advertising as defined by CCPA / CPRA. We do not engage in targeted advertising of any kind.

6. International data transfers

Because Pathrule's primary cloud backend (Supabase) and several sub-processors (Stripe, Cloudflare, Resend, Anthropic) are located outside Türkiye and the EU/EEA, your personal data is transferred internationally, primarily to the United States.

For these transfers we rely on the following safeguards:

  • EU/EEA users: Standard Contractual Clauses (Module 2 / Module 3 as applicable) with each sub-processor, supplemented by encryption in transit and at rest, strict access controls, and contractual confidentiality obligations.
  • UK users: the UK International Data Transfer Addendum to the EU SCCs.
  • KVKK transfers (Türkiye): açık rıza (KVKK m. 9) ve sektörel olarak uygun olduğu hallerde KVK Kurulu tarafından onaylanmış taahhütname mekanizmaları.

7. Data retention

We keep personal data only as long as needed for the purpose it was collected for, after which it is deleted or irreversibly anonymised. The retention model below is enforced by a daily retention job.

7.1 Activity logs

  • Full-detail activity logs are retained for 30 days.
  • Between 30 and 180 days the entries are summarised and decayed into a compact form for long-term context.
  • After 180 days the entries are purged. If an entry has already been promoted into the work-episode layer it is purged earlier as soon as the promotion completes.

7.2 Work episodes

  • Low-confidence episodes are kept for 30 days.
  • Medium- and high-confidence episodes are kept for 180 days; whenever an episode is reused its expiry is rolled forward by another 180 days. There is no hard cap while the workspace remains active.
  • Expired episodes are removed by the daily retention job.

7.3 Workspaces, memories, rules, skills

  • Archived workspaces are auto-purged 90 days after archiving.
  • Memories, rules, and skills that you delete are soft-deleted and remain restorable for 30 days, after which they are permanently deleted.

7.4 Billing lifecycle

  • If a paid organisation becomes unpaid, we apply a 30-day grace period before any cleanup. We send warning emails 7 days and 3 days before the grace period ends.
  • Invoices and payment records are kept for the period required by applicable tax and commercial law (currently 10 years under Turkish law).

7.5 Account deletion

  • Account deletions are reversible for a minimum of 30 days. If your paid organisation has a billing period that ends later, the deletion window is extended to that period end.
  • After the window closes, account data is deleted within 90 days, except where we are required to retain specific records (for example billing records) by law.

7.6 Other retention windows

  • AI prompt and response payloads routed through the AI router: 30 days in raw form for debugging, then deleted or aggregated to non-identifying telemetry.
  • Support email correspondence: 24 months after the ticket is closed.
  • Encrypted database backups: 35 days rolling.
  • Security and abuse logs: 12 months.

8. Your rights

Subject to local law, you have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten"), subject to legal retention obligations.
  • Restrict processing in certain situations.
  • Object to processing that is based on our legitimate interests, including profiling.
  • Data portability. Receive your data in a structured, machine-readable format and ask us to transmit it to another controller where technically feasible.
  • Withdraw consent at any time, without affecting prior lawful processing.
  • Not be discriminated against for exercising your privacy rights (CCPA / CPRA).
  • Opt out of "sale" or "sharing" of personal data. We do not sell or share, but we will still honour the signal.
  • Lodge a complaint with a supervisory authority such as the Kişisel Verileri Koruma Kurumu (Türkiye), your local Data Protection Authority (EU/EEA), or the California Privacy Protection Agency / California Attorney General.

How to exercise your rights. Email [email protected] from the address associated with your account, or use the in-app Settings → Privacy → Export / Delete my data tools when available. We respond within 30 days for GDPR / KVKK requests (extendable by 60 days where the request is complex) and within 45 days for CCPA requests. We may ask you to verify your identity before fulfilling a request.

9. Cookies and tracking

The website at pathrule.io uses the following categories of cookies:

CategoryPurposeConsent
Strictly necessaryAuthentication, session management, CSRF protection (Supabase auth cookies)Not required (essential)
FunctionalRemember preferences such as locale and themeNot required (essential to feature)
AnalyticsAggregated usage analytics on site pages, captured into our own Supabase tablesOpt-in for visitors from the EU, UK, EEA via the cookie banner

You can manage cookies via the in-product cookie banner or your browser settings. Disabling strictly-necessary cookies will break the site. For the full list of cookies we set, their purposes, durations and providers, see our Cookie Policy (/cookie-policy).

The Pathrule desktop app does not use HTTP cookies. Settings are stored in the app's OS-level data directory; on macOS, credentials are stored in the Keychain.

10. Security

We implement reasonable technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.2 or higher) and encryption at rest at the database and object-storage layers.
  • Strict access controls: least-privilege role-based access for our team, and user JWT only on the data path so user-facing endpoints cannot bypass row-level security.
  • Supabase Row Level Security on every user-data table so that only members of the owning workspace can read or write rows.
  • Workspace access checks on every Edge Function before reading or writing user data.
  • Secrets stored in Cloudflare and Supabase secret stores; never committed to source control.
  • Regular dependency updates, code review, and a documented incident response process.
  • Logged and audited administrative access.

If we become aware of a personal-data breach, we will notify the relevant supervisory authority within 72 hours where required, and notify affected users without undue delay where the breach is likely to result in a high risk to their rights.

No system is 100% secure, and we cannot guarantee absolute security.

11. Children's privacy

Pathrule is intended for professional developers and is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, please contact [email protected] and we will delete it.

12. Contact

  • Operator: Pathrule
  • Registered address: 30 Ağustos Zafer Mah. 73. Sok. No:3, Bursa/Nilüfer, Türkiye
  • Privacy contact: [email protected]
  • Data Protection & KVKK contact person: Sertan Helvacı, [email protected]
  • Response time: we aim to respond to all rights requests within 30 days (GDPR / KVKK) or 45 days (CCPA).

13. Changes to this Policy

We may update this Policy from time to time. When we make material changes we will:

  • Update the "Last updated" date at the top of this page.
  • Notify registered users by email and via an in-app banner at least 14 days before the changes take effect (30 days where the changes involve new categories of processing).
  • For changes that require consent, request fresh consent before the change applies to you.

If you disagree with material changes you may close your account before they take effect.

14. Additional provisions

  • No sale of data. We do not sell or share your personal data for cross-context behavioural advertising or any other purpose.
  • Third-party links. The Service may link to or interoperate with third-party services such as GitHub, the Stripe billing portal, and the Anthropic Console. Their privacy practices are governed by their own policies.
  • Governing law. This Policy is governed by the laws of the Republic of Türkiye, without prejudice to the mandatory protections that GDPR, UK GDPR, or CCPA give to users in those jurisdictions.
  • Language. This Policy is published in English. Where translations are provided for convenience, the English version prevails in case of inconsistency.
  • Effective date. 3 May 2026.

Questions about this Policy? Email [email protected].