Privacy Policy

This explains what mythos collects, why, who we share it with, and what choices you have. We wrote it in plain language because legal language shouldn’t be the reason you don’t know what we do with your data.

Last updated · May 27, 2026 · v1.1 · owner: robert-grey-dev

The short version

If you only have a minute, here is what you need to know:

  • We collect what is needed to run your account and nothing more.
  • We do not sell your data. We do not run advertising trackers.
  • We do not train AI models on your prompts, code, or project files.
  • Payment is on-chain in USDT on TRON — we never see a card number or bank account.
  • You can export or delete your data at any time, and you own the code you generate.

The rest of this page explains exactly what we collect, why, and who we share it with.

What we collect

Account information

When you sign up we store the identifier returned by our authentication provider (usually an email address and a provider-issued user ID) plus an optional display name. We never see or store your password.

Project data

Everything you build through mythos — prompts, generated files, commit history, preview URLs, and metadata such as project name and created date. Project files live in a private internal source repository and are mirrored to our database so the workspace UI can load them quickly.

Usage data

Basic request metadata is recorded automatically: IP address, browser and operating system strings, timestamps, the pages you visited, and the outcome of generation runs. This data is used for security, debugging, and capacity planning. It is not sold or shared with advertisers.

AI interactions

Prompts you send to the agent, along with the working-copy files the agent reads during a session, are transmitted to our upstream AI provider so they can generate a response. We keep a short log of prompt text and token counts so we can investigate failed runs and bill credits accurately.

On-chain payment data

When you top up credits with USDT on TRON we record the transaction hash, the wallet address that sent the funds, the amount, and the credit pack purchased. This is the minimum needed to credit your balance and to refund you if you change your mind.

Why we collect it

  • To sign you in and keep your session alive.
  • To generate, store, and serve the projects you build.
  • To account for credit spend and honour refunds.
  • To detect abuse, fraud, and infrastructure issues, and to keep the sandbox safe for everyone.
  • To let you contact support and to contact you about security, legal, or service-critical matters.
  • To comply with legal obligations when we receive a valid request.

That is the full list. We do not use your data to build advertising profiles, and we do not sell it to data brokers.

AI training

We do not use your prompts, your generated code, or any other content from your projects to train or fine-tune AI models.

We do send your prompts and the working copy of your project files to an upstream model provider so they can generate a response. Our provider’s enterprise terms prohibit them from using our API traffic to train their models. See the subprocessors section for the current provider.

Who we share data with

mythos is a small layer of code on top of several specialist providers. To operate the service we must share certain data with them. Here is the current list and what each one processes on our behalf:

Supabase (Singapore)
Authentication, Postgres database, and Storage. Verifies your identity, issues sessions, stores email + project metadata + credit ledger + generation logs. Encrypted in transit and at rest. Does not see your prompts.
Anthropic (USA)
AI inference (Claude). Receives your prompts plus the working-copy file tree during a generation run. Returns code edits. Anthropic's Commercial Terms forbid training on API traffic.
OpenAI (USA)
Whisper voice-to-text transcription. Receives audio when you use the voice-input button. Returns transcribed text. Audio is not retained for training.
GitHub (USA)
Per-project private git repository hosting (orgkeek-projects). Receives every commit and its history. Also processes OAuth tokens you authorise when connecting your own GitHub account.
Google Cloud (EU / USA)
Cloud Run hosts the app + the per-project sandbox containers. Secret Manager holds backend secrets. Cloud Logging holds operational logs with request IDs. Region: primarily europe-west3 (Frankfurt) and us-central1.
CryptAPI (Portugal)
Non-custodial payment routing for crypto top-ups. Receives the destination wallet + amount; on-chain confirmations are forwarded to us. Does not hold customer funds.
Pexels (Germany)
Stock-photo search. Receives photo search queries from the agent during scaffold. Does not receive your prompt or code.
Cloudflare (USA)
DNS for mythos.new. Sees the hostname of inbound requests. Not used as a TLS-terminating proxy.

If this list changes we update the date at the top of this page and, for significant changes, announce it in-product. Data-processing terms (DPAs) are in place with each provider above, or via their public standard terms. Questions: privacy@mythos.new.

How long we keep it

  • Account records. Kept while the account is open, and for up to thirty days after deletion to handle re-activation and support tickets.
  • Project files and git history. Kept until you delete the project or transfer the repository out of our organisation. Database mirrors are removed in the same operation.
  • Generation logs. Kept for up to ninety days for debugging, then deleted.
  • Access logs. Kept for up to thirty days for security and abuse investigations.
  • Credit and payment ledger. Kept for as long as applicable tax and accounting rules require, currently around seven years.
  • Backups. Encrypted backups may contain data for up to thirty days after you delete it from live systems, after which they roll over.

International transfers

mythos runs on Google Cloud Run in europe-west3 (Frankfurt, Germany) and us-central1 (Iowa, USA). The Postgres database (Supabase) is hosted in Singapore. The providers named in the sub-processor section above process data in their respective home regions (USA / EU / Asia). Where a transfer happens outside your region we rely on Standard Contractual Clauses or an equivalent legal mechanism — the relevant SCCs are linked from each provider's own DPA page (Supabase, Google Cloud, Anthropic, GitHub, OpenAI, CryptAPI, Pexels, Cloudflare).

How we protect it

  • TLS is required on every connection. Plain HTTP is rejected.
  • Secrets are stored in a managed secret store and rotated on a schedule.
  • Database access is scoped with row-level policies so one user cannot read another user’s projects.
  • The sandbox container that runs your code is isolated per project and destroyed after use. Agent tool calls are whitelisted; arbitrary shell access is blocked.
  • Error payloads are scrubbed of common secret patterns before they are sent to error tracking.

No system is perfectly secure and we do not claim otherwise. If you discover a vulnerability, please report it to security@mythos.new so we can fix it before disclosure.

Your rights

Depending on where you live — including under GDPR in the EU/UK, the CCPA and CPRA in California, and equivalent regimes elsewhere — you have the right to:

  • Access the personal data we hold about you.
  • Correct anything that is inaccurate.
  • Request deletion of your data.
  • Restrict or object to certain kinds of processing.
  • Receive your data in a portable format and move it elsewhere.
  • Withdraw consent where processing relies on consent.
  • Lodge a complaint with your local data-protection authority if you believe we are handling your data incorrectly.

To make any of these requests email privacy@mythos.new. We respond within thirty days. We may ask you to confirm identity so we do not hand your data to an impostor.

What we do not collect

mythos does not intentionally collect:

  • Payment card numbers, bank details, or SSNs.
  • Precise GPS or geolocation beyond IP-level region.
  • Biometric identifiers, health information, political views, religious beliefs, or trade-union membership.
  • Data from third-party ad networks, tracking pixels, or data brokers.

If you share any of the above with us accidentally (for example inside a prompt) we will delete it on request and we will not act on it.

Cookies

We use a small number of first-party cookies to keep you signed in and to remember UI preferences. We do not set third-party advertising cookies, and we do not embed tracking pixels from marketing networks.

You can clear cookies from your browser at any time. Clearing them will sign you out.

Children

mythos is not intended for anyone under eighteen, or the age of majority in your jurisdiction. We do not knowingly collect data from children. If you believe a minor has created an account, contact privacy@mythos.new and we will remove the account and associated data.

Changes to this policy

When we update this policy we change the “Last updated” date at the top. For material changes — a new category of data, a new kind of sharing, a new subprocessor that touches user content — we notify active users by email or in-product banner at least thirty days before the change takes effect.

Contact

Privacy and data-rights requests: privacy@mythos.new
Security reports: security@mythos.new
General support: support@mythos.new
