← Back to home

Privacy Policy

Last updated: March 2026

AutoResearch Cloud ("AutoResearch", "we", "us", or "our") is operated by Frozo.ai. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our platform at research.frozo.ai and any related services (collectively, the "Service").

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect the following personal information:

  • Email address -- used for account identification, authentication, and communication.
  • Full name -- used for personalisation and support purposes.
  • Password -- stored using bcrypt hashing; we never store or have access to your plaintext password.

1.2 Experiment Data

When you create projects and run experiments, we process and store:

  • Program definitions (program.md files) you upload or create.
  • Experiment results including scores, diffs, and metadata from each experiment iteration.
  • Run configurations including provider selection, model choice, and experiment parameters.

1.3 Usage Metrics

We automatically collect:

  • Page views, feature usage, and navigation patterns within the dashboard.
  • Run frequency, experiment counts, and subscription usage for billing and plan enforcement.
  • Device type, browser type, IP address, and approximate geographic location.
  • Error logs and performance metrics for service reliability.

1.4 Cookies and Local Storage

We use essential cookies and browser local storage for authentication tokens and session management. Analytics cookies are used only with your consent. See our cookie consent banner for controls.

2. Bring Your Own Key (BYOK) -- API Key Handling

AutoResearch operates on a Bring Your Own Key (BYOK) model. We take the security of your API keys extremely seriously:

  • Ephemeral by default. API keys you provide when triggering a run are held in memory only for the duration of that run. Once the run completes or is cancelled, the key is immediately discarded from memory.
  • Never stored in plaintext. At no point is your API key written to disk, logged, or stored in plaintext in any database, file system, or backup.
  • Optional encrypted storage. If you choose to save a key for convenience, it is encrypted at rest using AES-256-GCM encryption with per-user encryption keys derived from a hardware security module (HSM)-backed master key. The encrypted key is only decrypted in memory at runtime when needed.
  • No proxying. We do not proxy, intercept, or inspect the content of your API calls to third-party LLM providers. Your prompts and completions flow directly between our execution environment and the provider.
  • No sharing. Your API keys are never shared with any third party, employee, or other user.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Authenticate your identity and manage your account and subscription.
  • Process and execute experiment runs according to your configurations.
  • Enforce usage limits and billing in accordance with your subscription plan.
  • Send transactional emails (account verification, password resets, run completion notifications).
  • Detect, prevent, and address technical issues, abuse, and security threats.
  • Improve the Service through aggregated, anonymised usage analysis.

4. Data Retention

We retain your data for different periods depending on your subscription plan:

PlanExperiment Data RetentionAccount Data Retention
Free30 days after run completionUntil account deletion
Starter6 months after run completionUntil account deletion
Pro / Team1 year after run completionUntil account deletion

After the retention period, experiment data (including results, diffs, and run logs) is permanently deleted. Account information (email, name) is retained until you request account deletion. Billing records may be retained longer as required by applicable tax and financial regulations.

5. Third-Party Service Providers

We share limited information with the following third-party service providers, strictly for the purposes described:

  • DodoPayments -- Payment processing and subscription management. Receives your email address and subscription plan for billing purposes. DodoPayments handles all payment card data; we never see or store your card number.
  • Resend -- Transactional email delivery (verification emails, password resets, run notifications). Receives your email address and name.
  • Sentry -- Error monitoring and performance tracking. Receives anonymised error reports, stack traces, and browser metadata. No experiment content or personal data is sent to Sentry.
  • Amazon Web Services (AWS) S3 -- Cloud storage for experiment artifacts and run data. All data is encrypted at rest using AWS-managed encryption keys (SSE-S3) and in transit using TLS 1.2+.

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

6. Your Rights

You have the following rights regarding your personal data, exercisable at any time by contacting us at privacy@research.frozo.ai:

6.1 Data Export

You may request a complete export of your data, including account information, project configurations, experiment results, and run history. We will provide the export in a machine-readable format (JSON) within 30 days of your request.

6.2 Account Deletion

You may request permanent deletion of your account and all associated data. Upon receiving your request, we will:

  • Delete your account information within 7 business days.
  • Permanently delete all experiment data, project configurations, and run history within 30 days.
  • Remove your email from all mailing lists immediately.
  • Retain only the minimum billing records required by law for tax compliance.

6.3 Consent Withdrawal

Where we process your data based on consent (such as analytics cookies), you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You can manage cookie consent through the banner on our website.

6.4 Data Correction

You may update your name and email address from your account settings page, or contact us to request corrections to any personal data we hold about you.

7. DPDP Act 2023 (India) Compliance

As a company operating under Indian jurisdiction, we comply with the Digital Personal Data Protection Act, 2023 (DPDP Act). Specifically:

  • Purpose limitation. We collect and process personal data only for the specific purposes stated in this policy. We do not repurpose your data without obtaining fresh consent.
  • Storage limitation. Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, as outlined in Section 4 (Data Retention) above.
  • Data Principal rights. As a Data Principal under the DPDP Act, you have the right to access, correct, and erase your personal data, as well as the right to nominate a representative. These rights are described in Section 6 above.
  • Breach notification. In the event of a personal data breach that is likely to cause harm to Data Principals, we will notify the Data Protection Board of India and affected users within 72 hours of becoming aware of the breach.
  • Consent-based processing. We process your personal data based on informed, specific, and unambiguous consent provided at the time of account registration. You may withdraw consent at any time as described in Section 6.3.
  • Data Protection Officer. For any queries or grievances related to your personal data, you may contact our Data Protection Officer at privacy@research.frozo.ai.

8. Data Security

We implement industry-standard security measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest is encrypted using AES-256 encryption on AWS infrastructure.
  • Passwords are hashed using bcrypt with appropriate work factors.
  • API keys are handled ephemerally or encrypted with AES-256-GCM as described in Section 2.
  • Access to production systems is restricted to authorised personnel with multi-factor authentication.
  • We conduct regular security reviews and maintain audit logs for all data access operations.

9. International Data Transfers

Your data is primarily stored and processed on AWS infrastructure. If your data is transferred outside of India, we ensure appropriate safeguards are in place in accordance with the DPDP Act and any applicable regulations issued by the Data Protection Board of India.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@research.frozo.ai, and we will promptly delete such data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

AutoResearch Cloud (Frozo.ai)

Email: privacy@research.frozo.ai

← HomeTerms of Service →