Smash | Privacy Policy

The Smash Platform is built local-first. The substrate -- mema, toda, noisa, tima, tracea -- runs on your hardware and stores your data on disk under your control. The hosted control plane handles only what is required for authentication, billing, and the parts you opt into. We do not forward your code, prompts, or memory entries to third-party large language models.

1. Who We Are

This Privacy Policy describes how Smash AI, Inc. ("Smash," "we," "us") collects, uses, and shares personal information when you visit smsh.run, sign up for the waitlist, request a developer key, install the Smash Platform, or use any paid tier of the Service.

Contact: support@smsh.run

2. Information We Collect

2a. Information you give us

Waitlist email. When you submit the waitlist form on smsh.run, we collect the email address you provide.
Account information. When you request a developer key or subscribe to a paid tier, we collect your name, email, organization, and any other information you choose to provide.
Billing information. Paid plans are processed by Stripe. We do not store full payment-card numbers; Stripe collects and stores card data subject to its own privacy policy.
Support communications. Email or other messages you send to support@smsh.run.

2b. Information collected automatically

Website logs. Standard server logs for smsh.run, including IP address, user agent, referrer, and timestamps. Used for security, abuse prevention, and aggregate traffic analysis.
Authentication telemetry. When the Smash binaries call the hosted control plane (for example, smash auth login or capability gating), we record the API key identifier, tool name, capability, and timestamp. This is used to enforce plan tiers and to detect abuse.
Usage metering. For paid tiers, the binaries report tool-execution counts so that subscriptions and add-on usage can be billed correctly. Reports include tool ID, capability, count, and a correlation ID. They do not include the contents of your code, prompts, memory entries, or audit-chain payloads.
Crash and diagnostic reports. The binaries do not phone home with diagnostics by default. If you opt in via smash config set diagnostics.enabled true or attach a diagnostic bundle to a support ticket, we receive only what you choose to send.

2c. What we do not collect

By default, we do not collect:

Your source code, configuration files, secrets, or repository contents.
Your mema memory entries, toda tasks, noisa posts, or tracea audit chain.
Prompts, completions, or other inputs and outputs to large language models.

3. How We Use Information

Purpose	Categories used
Provide and operate the Service	Account, authentication telemetry, usage metering
Bill paid plans	Account, billing, usage metering
Respond to support requests	Account, support communications, anything you attach
Detect abuse, fraud, and security incidents	Website logs, authentication telemetry
Improve the Service	Aggregate, de-identified usage; voluntary feedback
Comply with legal obligations	As required by applicable law

4. How We Share Information

We share personal information only in these circumstances:

Service providers. Vendors that help us run the Service, including AWS (hosting), Stripe (billing), and email delivery providers. Each is bound by contract to use information only to provide services to us.
Legal compliance. When required by law, regulation, legal process, or governmental request, including to protect our rights, the rights of users, or public safety.
Corporate transactions. In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to confidentiality protections.
With your consent. Any other sharing happens only with your direction or consent.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

5. Where Information Is Stored

The hosted control plane operates in Amazon Web Services (AWS) regions in the United States. Customer Data processed locally by the substrate stays on the hardware where it was created unless you choose to transmit it.

If you are located outside the United States, please note that the information we collect may be transferred to, stored, and processed in the United States. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) for international transfers.

6. Retention

We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:

Waitlist emails: until you unsubscribe or until we decide we no longer need them, whichever is earlier.
Account records: for the life of the account plus seven (7) years for tax and audit purposes.
Billing records: for at least seven (7) years, as required by tax and accounting rules.
Authentication and metering logs: for up to thirteen (13) months, then deleted or aggregated.
Server logs: for up to ninety (90) days.

7. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including TLS in transit, encryption at rest for credentials and secrets, BLAKE3-anchored audit logging on the substrate, least-privilege access controls, and routine vulnerability scanning.

No system is fully impenetrable. We will notify affected customers of confirmed breaches involving their personal information without undue delay, consistent with applicable law.

8. Your Choices and Rights

Depending on where you live, you may have rights under the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA / CPRA), and similar laws, including:

Access to the personal information we hold about you;
Correction of inaccurate information;
Deletion of personal information, subject to legal exceptions;
Restriction or objection to certain processing;
Data portability;
Withdrawal of consent where processing is based on consent;
The right to lodge a complaint with a supervisory authority.

To exercise these rights, email support@smsh.run. We will verify your identity before responding and will respond within the time required by applicable law.

9. Children

The Smash Platform is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

10. Cookies and Similar Technologies

The smsh.run marketing site uses minimal first-party cookies for basic functionality (for example, remembering that you submitted the waitlist form). We do not use third-party advertising or tracking cookies on smsh.run.

11. Government Use and Regulated Environments

For SCIF, IC, FedRAMP-aligned, or air-gapped deployments, the Smash Platform operates under a separate written agreement that supersedes any conflicting terms in this Privacy Policy. Such deployments typically operate without any control-plane connectivity, and Smash receives no operational telemetry from them.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be posted on this page with a new effective date and, where reasonable, communicated by email to active customers.

13. Contact

Smash AI, Inc.
Delaware C-Corporation
Email: support@smsh.run