Privacy Policy

Effective date: April 1, 2026

Firmis Labs ("we", "us", or "our") provides AI agent security scanning, remediation, and monitoring tools. This policy explains what data we collect, why we collect it, and how we protect it. We believe in plain language, not legalese.

1. The short version

  • The CLI scanner runs entirely on your machine. No source code is ever transmitted to our servers; scan findings (metadata only, see section 2) leave your machine only if you use --sync or a workspace.
  • Telemetry is opt-in and anonymous. You can disable it at any time.
  • We collect your email address if you join the waitlist or create an account.
  • Deep scan sends component descriptions and metadata to our servers for AI analysis. Raw source code is never sent.
  • Monitor captures tool call metadata (names, decisions, timestamps). It does not capture tool inputs or outputs. PII is redacted before storage.
  • We do not sell your data. Ever.

2. Data we collect

Account and contact data

  • Email address (waitlist signup or account creation)
  • GitHub profile information (username, avatar, email) when you authenticate via GitHub OAuth
  • Billing contact details managed by LemonSqueezy (our payment processor)

Scan data (only when you run the CLI with --sync or use a workspace)

  • Scan findings: severity level, threat category, rule ID, affected file path
  • No file contents are ever transmitted; only the paths of the affected files.
  • Platform type and scan timestamp

Deep scan data

When you run a deep scan, component descriptions and metadata (such as tool names, declared permissions, and skill descriptions) are sent to our server-side AI layer for analysis. Raw source code is never transmitted. Results are stored in your workspace and subject to your plan's retention policy.

Monitor data

When active monitoring is enabled, we capture runtime tool call metadata: the tool name, the allow/block decision, and the timestamp. We do not capture tool input parameters or output content. Any personally identifiable information detected in metadata is redacted before storage.

Anonymous telemetry (opt-in only)

If you opt in, we collect anonymous scan metadata: number of files scanned, number of findings by severity, scan duration, and CLI version. No file paths, no content, no identifiers. You can disable this at any time with firmis-cli telemetry off.

3. How we use your data

  • To provide and improve the Firmis Labs service
  • To authenticate your account and authorize workspace access
  • To process billing and manage your subscription via LemonSqueezy
  • To send you product updates and security notices (you can unsubscribe at any time)
  • To aggregate anonymous telemetry into product usage trends (never tied to your identity)

4. Data storage and retention

Scan results and workspace data are stored in Supabase (PostgreSQL, hosted on AWS in the US). Waitlist emails are stored in Cloudflare KV. Billing records are managed by LemonSqueezy.

  • Free plan: event history retained for 24 hours
  • Pro plan: event history retained for 7 days
  • Business plan: event history retained for 90 days
  • Account data: retained until account deletion

You can request deletion of your data at any time by emailing privacy@firmislabs.com. We will complete deletion within 30 days.

5. Third-party services

We use the following sub-processors to deliver the service:

  • Supabase - authentication, database, and edge functions (firmislabs.com workspace)
  • LemonSqueezy - subscription billing and payment processing
  • Cloudflare - website hosting, CDN, and waitlist storage (Cloudflare KV)

Each sub-processor is bound by appropriate data processing agreements. We do not share your data with any other third parties for marketing or advertising purposes.

6. Security

  • All data in transit is encrypted via TLS 1.2+
  • Data at rest is encrypted using AES-256
  • Database access is protected by row-level security (RLS) policies
  • API access is authenticated via short-lived JWTs
  • We conduct periodic security reviews of our infrastructure

7. Your rights (GDPR and CCPA)

Regardless of where you are located, you have the right to access, correct, or delete your personal data. If you are in the European Economic Area or California, additional rights apply under GDPR and CCPA respectively.

To exercise any of these rights, email privacy@firmislabs.com with:

  • Your name and the email address associated with your account
  • A description of the request (access, correction, or deletion)

We will respond within 30 days.

8. Cookies

We use minimal, necessary cookies for authentication (session tokens). We do not use advertising cookies or third-party tracking pixels on firmislabs.com.

9. Children

Firmis Labs is not directed at children under 16. We do not knowingly collect personal data from anyone under 16.

10. Changes to this policy

If we make material changes to this policy, we will notify you by email and post an updated version at firmislabs.com/privacy at least 30 days before the changes take effect.

11. Contact

Questions or concerns about this policy can be sent to privacy@firmislabs.com.

Firmis Labs
firmislabs.com