Privacy Policy

1. Introduction

Constants ("we", "us", or "our") operates the Constants platform at www.constants.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

We collect information in the following ways:

• Account Information: When you create an account, we collect your email address, name, and authentication credentials through our authentication provider (Supabase).
• Third-Party Connections: When you connect third-party services (such as Google Docs, Google Drive, Gmail, Google Sheets, Google Calendar, or GitHub), we store OAuth tokens necessary to access those services on your behalf. We only request the specific permissions needed for the tools you use.
• Tool Usage Data: We collect information about the tools you create and run, including input parameters, execution logs, and output artifacts.
• Credentials: API keys and secrets you store in Constants are encrypted at rest using AES-256-GCM encryption and are only decrypted at the time of tool execution within isolated sandboxed environments.

3. How We Use Your Information

• To provide and maintain the Constants platform
• To execute tools on your behalf using the credentials and connections you provide
• To authenticate you and manage your account
• To communicate with you about your account or our services
• To improve and develop new features

4. Third-Party Services

Constants integrates with third-party services to provide tool functionality. When you connect a service:

• We only request the minimum permissions (OAuth scopes) required for each specific service
• OAuth tokens are stored securely and used solely to perform actions you initiate through tools on the platform
• You can disconnect any third-party service at any time through the Connectors panel
• Upon disconnection, we revoke the associated tokens and delete them from our systems

Constants' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data to provide and improve the tool functionality you explicitly request — such as reading a document you specify or creating a calendar event on your behalf.
• We do not transfer Google user data to third parties, except as necessary to provide or improve the Service (e.g., executing your tool in a sandboxed environment), as required by law, or with your explicit consent.
• We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
• We do not allow humans to read your Google user data unless you provide affirmative consent, it is necessary for security purposes (such as investigating abuse), it is necessary to comply with applicable law, or the data has been aggregated and anonymized.

5. Data Sub-Processors

We use the following third-party services to operate the platform. Each processes data only as necessary to provide their specific function:

• Supabase — authentication and file storage
• E2B — isolated sandbox environments for tool execution
• Anthropic — AI model provider for tool generation and agent functionality
• Railway — application hosting infrastructure

Google user data (such as OAuth tokens) is encrypted at rest and is only decrypted within isolated sandbox environments at the time of tool execution. Sub-processors do not have standing access to your Google user data.

6. Data Security

We implement industry-standard security measures to protect your data, including AES-256-GCM encryption at rest for all stored credentials, encrypted connections (TLS) for all data in transit, isolated sandbox execution environments for tool runs, scoped credential access with per-service OAuth tokens, and automatic token revocation upon disconnection. However, no method of electronic transmission or storage is 100% secure.

7. Data Retention

We retain your account data and tool history for as long as your account is active. You can delete your account and associated data by contacting us. Credential data is deleted immediately upon disconnection or credential removal.

8. Your Rights

You have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your data
• Disconnect third-party services and revoke access at any time
• Export your data

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

10. Contact Us

If you have questions about this Privacy Policy, please contact us at support@constants.io.