Phrony
Log inGet started for free

Phrony

Privacy Policy

Phrony Labs BV  |  KVK 42039600

Last updated: April 2025

1. Who We Are

Phrony Labs BV ("Phrony", "we", "our") is the data controller for personal data collected through our website (phrony.com) and, where applicable, as data processor for personal data processed through our platform on behalf of our customers.

Registered in the Netherlands under KVK number 42039600.

Contact: privacy@phrony.com

2. What Data We Collect

Website visitors:

  • Contact information you provide (name, email, company) when requesting a demo, subscribing to updates, or contacting us
  • Technical data: IP address, browser type, device type, pages visited, referral source
  • Cookie data: analytics and functional cookies (see our Cookie Policy)

Platform users (SaaS):

  • Account information: name, email, organisation, role
  • Usage data: sessions run, features used, API calls made
  • Platform logs: session, run, and step logs generated by AI agents (these may contain personal data depending on the Customer's use case)
  • Billing information: processed through our payment provider

Platform users (self-hosted):

  • Account information for licence management only (name, email, organisation)
  • We do not collect, access, or process any data from self-hosted deployments. All platform data remains on the Customer's infrastructure.

3. How We Use Your Data

We process personal data for the following purposes:

  1. Providing and operating the Platform (legal basis: performance of contract, GDPR Article 6(1)(b))
  2. Account management and customer support (legal basis: performance of contract)
  3. Billing and invoicing (legal basis: performance of contract and legal obligation, GDPR Article 6(1)(c))
  4. Product improvement and analytics (legal basis: legitimate interest, GDPR Article 6(1)(f))
  5. Marketing communications, only with consent (legal basis: consent, GDPR Article 6(1)(a))
  6. Compliance with legal obligations, including tax and financial reporting (legal basis: legal obligation)

We do not sell personal data. We do not use Customer data to train AI models.

4. Data Processing on Behalf of Customers

SaaS deployments: When Customers deploy AI agents on our managed platform, Phrony acts as a data processor under GDPR Article 28. We process Customer data solely on the Customer's instructions and for the purpose of providing the Platform service. A Data Processing Agreement (DPA) governs this relationship.

Self-hosted deployments: Phrony does not act as a data processor. The Customer is both data controller and processor for all data processed on their own infrastructure. Phrony has no access to Customer data in self-hosted deployments.

5. Sub-Processors

For SaaS deployments, we use the following categories of sub-processors:

  1. Cloud infrastructure providers (hosting and compute)
  2. LLM providers (as configured by the Customer — e.g., OpenAI, Anthropic, Mistral)
  3. Payment processors
  4. Analytics tools (anonymised data only)

A current list of sub-processors is available at phrony.com/sub-processors and is updated when changes occur. Customers are notified of new sub-processors with a minimum 14-day notice period and may object if the new sub-processor creates a compliance concern for their use case.

6. International Data Transfers

Phrony is based in the Netherlands (EU). We aim to keep all personal data within the European Economic Area (EEA).

Where data is transferred outside the EEA (e.g., to LLM providers based in the United States), we rely on:

  1. EU-US Data Privacy Framework (where the recipient is certified), or
  2. Standard Contractual Clauses (SCCs) approved by the European Commission

For SaaS Enterprise customers, Phrony offers an EU-only processing tier where all data processing, including LLM API calls, is routed through EU-based infrastructure and providers.

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  1. Account data: for the duration of the Customer relationship, plus 12 months after account closure
  2. Platform logs (SaaS): retained to operate and secure the service; we do not vary retention by plan tier. Deletion requests and legal obligations may still require retention limits in specific cases.
  3. Billing records: 7 years (Dutch tax law requirement)
  4. Marketing data: until consent is withdrawn

Self-hosted customers control their own data retention. Phrony does not retain any data from self-hosted deployments.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  1. Right of access (Article 15) — request a copy of your data
  2. Right to rectification (Article 16) — correct inaccurate data
  3. Right to erasure (Article 17) — request deletion of your data
  4. Right to restrict processing (Article 18)
  5. Right to data portability (Article 20) — receive your data in a structured format
  6. Right to object (Article 21) — object to processing based on legitimate interest
  7. Right to withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at privacy@phrony.com. We will respond within 30 days.

9. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  1. Encryption in transit (TLS) and at rest
  2. Role-based access control for all platform access
  3. Encrypted secrets vault for credentials and API keys
  4. Multi-tenancy isolation at the database level
  5. Immutable, tamper-resistant audit logging
  6. Regular security assessments and vulnerability scanning

10. Cookies

Our website uses cookies for essential functionality and analytics. We use:

  1. Essential cookies: required for the website to function (no consent required)
  2. Analytics cookies: to understand how visitors use our website (consent required)

You can manage your cookie preferences at any time through the cookie banner on our website or through your browser settings.

11. Data Protection Officer

For questions or concerns about our data processing practices, contact:

Privacy contact: privacy@phrony.com

Phrony Labs BV, the Netherlands

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through our website. The "Last updated" date at the top of this policy indicates the most recent revision.