Legal

Privacy Policy

How Armature collects, uses, and protects information when you connect an MCP server or CLI to our continuous testing service.

Effective: 2026-05-02
Entity: Armature, Inc. (Delaware C-Corp)
Contact: founders@armature.tech

01 Overview

Armature, Inc. (“Armature,” “we,” or “us”) provides a continuous testing and observability platform for AI agents that operate over the Model Context Protocol (MCP) and command-line interfaces (CLIs). This Privacy Policy explains what information we collect about our customers and visitors to armature.tech, how we use it, and the choices you have.

If you are an end user of an application built by an Armature customer, your data is governed by that customer’s own privacy policy. We process such data only as a service provider on the customer’s behalf.

02 Information we collect

Account and contact information

When you sign up, we collect your name, work email address, organization name, and authentication identifiers (e.g., SSO subject IDs). If you contact us, we keep the message you send and our reply.

MCP & CLI connection metadata

To run the service, we store the configuration you provide for each connected MCP server or CLI binary: the endpoint URL or invocation command, the catalog of tools and capabilities we discover, and any non-secret environment metadata.

Secrets (API keys, OAuth tokens, etc.) are never stored in plaintext in our database. They live in transport headers attached at runtime, or as encrypted secret_ref pointers managed in the Armature dashboard.

Workflow definitions and run data

For every workflow you create or that we propose, we store the prompt, expected behaviors, assertions, judge rubrics, and historical execution traces. Traces include the agent’s reasoning, tool calls and arguments, tool responses, latency, and judge verdicts.

Billing information

If you purchase a paid plan, our payment processor (Stripe) collects payment-card or banking details directly. We receive only the last four digits, brand, country, and billing address, never the full card number.

Product telemetry

When you use the Armature dashboard, we collect basic product analytics through PostHog: pageviews, feature usage, errors, browser type, and rough geolocation derived from IP address. We do not use this data to build advertising profiles.

Marketing site (this website)

The marketing site at armature.tech does not run any analytics or tracking scripts and does not set tracking cookies. Your visit here is anonymous from our point of view; standard server logs (IP, user agent, request path) are retained briefly by our hosting provider, Vercel, for operational and security purposes.

03 How we use information

We use the information we collect to:

  • Operate the service: discover tools, run scheduled workflows, generate traces, and deliver alerts to you.
  • Authenticate users, secure accounts, and prevent abuse.
  • Bill customers and keep tax and accounting records.
  • Communicate with you about service changes, security notices, and (with your consent) product news.
  • Investigate and respond to support requests.
  • Improve the service: debug issues, build new features, and measure aggregate quality of agent behavior across models and harnesses.
  • Comply with legal obligations and enforce our agreements.

We do not sell personal information, and we do not use customer workflow content or run traces to train our own foundation models or those of any third party.

05 Sharing & subprocessors

We share information only where necessary to run the service, as required by law, or with your direction. The categories below cover all routine sharing.

  • Vercel: Hosts the marketing site and dashboard front-end. Receives request logs.
  • Amazon Web Services: Hosts our application backend, databases, and run-trace storage.
  • Anthropic: Provides the Claude model family used to execute and judge agent runs.
  • OpenAI: Provides GPT models used to execute and judge agent runs.
  • Google: Provides Gemini models used to execute and judge agent runs.
  • Stripe: Processes payments and stores billing data on our behalf.
  • PostHog: Provides product analytics for the dashboard. Self-hosted region selectable.
  • Slack: Delivers alerts to customer Slack workspaces when configured.

We may also share information with our auditors, lawyers, and other professional advisors under confidentiality, and in response to lawful requests from public authorities. If Armature is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction; we will notify affected customers in advance.

06 Retention

We keep account information for as long as your account is active. Run traces and workflow definitions are kept while the account is active and for up to 90 days after termination, unless a longer period is needed to comply with law or resolve disputes. Billing records are kept for the period required by tax and accounting law (typically 7 years). Marketing-site server logs are kept for up to 30 days.

You can request earlier deletion at any time. See “Your rights” below.

07 Security

We follow standard industry practices to protect customer data:

  • All traffic is encrypted in transit with TLS 1.2+.
  • Data at rest is encrypted using AES-256 or equivalent.
  • Customer secrets are never stored in plaintext; they live in transport headers or encrypted secret_ref pointers.
  • We apply the principle of least privilege to internal access and review access regularly.
  • Production systems are isolated in network-segmented environments with logged administrative access.

Note: No system is perfectly secure. If you discover a vulnerability, please report it to founders@armature.tech and we will work with you in good faith.

08 International transfers

Armature is based in the United States and our infrastructure runs primarily in U.S. regions. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S. and other countries where our subprocessors operate.

For transfers from the EEA, UK, and Switzerland, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) with our subprocessors.

09 Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data, subject to legal exceptions.
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent for any processing based on consent.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, email founders@armature.tech. We respond within 30 days. If you are an end user of a customer’s product, contact that customer first; we will route your request appropriately.

10 Cookies & tracking

The marketing site at armature.tech does not set tracking or analytics cookies. The only browser storage we use here is a localStorage entry that records whether you have dismissed the privacy notice toast.

The Armature dashboard (the authenticated product) uses session cookies that are strictly necessary to keep you signed in, and PostHog product analytics. Both are described in-app at first sign-in.

11 Children

Armature is a product for businesses and developers. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided information to us, please contact us and we will delete it.

12 Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify customers by email and update the “Effective” date above. Continued use of the service after the new policy takes effect constitutes acceptance.

13 Contact

For any privacy-related question, request, or complaint:

Mail
Armature, Inc.
2803 Philadelphia Pike, Suite B #1363
Claymont, DE 19703, United States

Questions about your data?

We answer privacy questions ourselves. No ticket queue, no form maze. Just email us.