Privacy Policy
Effective date: April 21, 2026 · Molecule AI, Inc.
Scope
This Privacy Policy describes how Molecule AI, Inc. ("Molecule AI", "we") collects, uses, and shares information when you use our hosted SaaS, API, documentation, or website (collectively, the "Service"). Self-hosted deployments under BSL 1.1 are operated by you; we have no visibility into data processed by your self-hosted instances.
Information we collect
Account information: name, email, organization, billing details (handled via Stripe — we do not store full card numbers).
Authentication: WorkOS handles OAuth/SSO; we receive only the identity tokens needed to authorize you.
Workspace content: agent configurations, prompts, plugin manifests, and outputs that you submit to your workspaces. Stored encrypted at rest (AES-256-GCM payload + AWS KMS-managed data keys via envelope encryption).
Usage telemetry: request counts, latency, error rates, browser/OS for the dashboard. We use OpenTelemetry, Sentry (errors), and Prometheus (infra) — no third-party advertising trackers.
How we use your information
To provide and operate the Service; to bill you; to send service notifications; to improve reliability and performance; to comply with legal obligations. We do not use your workspace content to train models without explicit, project-level consent.
Subprocessors
We rely on the following subprocessors to operate the Service:
- AWS (us-east-2, Ohio, United States) — workspace EC2 compute, KMS, S3 backups
- Railway — control-plane hosting
- Vercel — landing page + dashboard delivery
- Neon — managed Postgres for control-plane state
- WorkOS — SSO / SAML / SCIM identity
- Stripe — billing
- Sentry — error tracking
- Langfuse (self-hosted) — agent trace storage
A current and complete list is available on request to hello@moleculesai.app.
Data location & transfers
Workspace content is processed in AWS us-east-2 (Ohio, United States). For customers requiring EU data residency, contact us about Enterprise self-hosted deployments. We will provide Standard Contractual Clauses (EU SCCs) on request for cross-border transfers from the EU.
Your rights
Depending on your jurisdiction (GDPR, CCPA, and equivalents), you may have the right to: access the personal information we hold about you; correct inaccuracies; request deletion; export your data; object to or restrict processing; lodge a complaint with a supervisory authority. Email hello@moleculesai.app to exercise any of these rights — we respond within 30 days.
Retention
Account data is retained for the life of the account plus 90 days after termination, then deleted unless legal retention obligations apply. Workspace content is deleted on workspace deletion. Aggregated, anonymized telemetry may be retained indefinitely for capacity planning.
Cookies & similar technologies
We use a single cookie (molecule_theme) to remember your light/dark/system preference. The hosted dashboard sets an mcp_session cookie after sign-in to keep you authenticated. We do not use third-party advertising or analytics cookies on the marketing site.
Security
We encrypt data in transit (TLS 1.2+) and at rest (AES-256-GCM via AWS KMS envelope encryption). Org-scoped IAM roles and per-tenant secret namespaces prevent cross-tenant access. Audit logs are written for every privileged action. We are pursuing SOC 2 Type II; see the trust column on the homepage for current status.
Children
The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18.
Changes to this policy
We will post any changes to this Privacy Policy on this page and update the effective date. We will notify active accounts of material changes by email at least 30 days before they take effect.
Contact
Questions about this policy or our data practices: hello@moleculesai.app.