Privacy Policy

1. Who we are

Fuze (trading name) is a data controller established in Dublin, Ireland. We operate the fuze-ai.techwebsite, the Fuze cloud compliance platform, and the Fuze open-source SDK. References to “Fuze”, “we”, “us”, or “our” in this policy refer to that entity.

Our designated contact for data protection matters is reachable at privacy@fuze-ai.tech.

2. Data we collect

2.1 Account and identity data

When you create an account we collect your email address, display name, and authentication credentials via Firebase Authentication. If you authenticate through a third-party provider (Google, GitHub) we receive the profile data that provider makes available under its own privacy terms.

2.2 Usage and telemetry data

When you use the Fuze cloud platform we collect: API requests and responses (excluding the content of agent payloads unless you opt in to trace storage), session identifiers, IP addresses, browser and operating system type, page navigation events, and error logs.

2.3 Agent trace data

If you instrument your AI agents with the Fuze SDK and connect them to the Fuze cloud, we store the trace records your agents produce. These records may include prompts, tool-call inputs and outputs, token counts, latency measurements, guard events, and side-effect logs. The content of these records is determined entirely by the data you choose to send. You are responsible for ensuring that any personal data within those traces is processed under an appropriate legal basis and that data minimisation principles are respected before transmission.

2.4 Billing data

Payment processing is handled by Stripe. We receive a tokenised payment method reference, billing name, billing address, and transaction identifiers. We do not store raw card numbers.

2.5 Communications data

When you contact us by email or submit a form we retain the content of that communication and associated metadata for the purpose of responding and keeping a record.

2.6 Data you provide on behalf of others

Where you process personal data about third parties through the Fuze platform (for example end-user interactions captured in agent traces), you do so as a data controller in your own right. Fuze acts as a data processor for that data, governed by the Data Processing Agreement.

3. Lawful basis for processing

We rely on the following legal bases under GDPR Article 6:

• Contractual necessity (Art. 6(1)(b)): processing required to provide the platform, authenticate users, process payments, and deliver the services you have signed up for.
• Legitimate interests (Art. 6(1)(f)): product analytics, fraud prevention, security monitoring, and improving service reliability, where those interests are not overridden by your interests or rights.
• Legal obligation (Art. 6(1)(c)): retaining financial records and complying with lawful requests from competent authorities.
• Consent (Art. 6(1)(a)): marketing emails and optional product-improvement telemetry, where we ask for and record your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

4. How we use your data

• Providing, operating, and improving the Fuze platform and SDK.
• Authenticating your identity and managing your account.
• Processing payments and issuing invoices.
• Sending transactional communications (account events, billing receipts, security alerts).
• Sending product update or marketing communications where you have given consent or we have a legitimate-interest basis and an opt-out mechanism.
• Detecting, investigating, and preventing fraud, abuse, and security incidents.
• Complying with legal obligations and responding to lawful government requests.
• Producing anonymised or aggregated analytics that do not identify individuals.

5. International transfers

Fuze stores data primarily within the European Union. Specifically, agent trace data and application data are stored in Supabase (PostgreSQL) provisioned in the europe-west1 (Belgium) Google Cloud region, and the Fuze API is hosted on Google Cloud Run in the same region.

However, several of our sub-processors are entities domiciled in the United States, and their administrative or control-plane operations occur from US-based infrastructure. This includes Supabase, Inc. (Delaware, US) and Google LLC (California, US, which operates Firebase Authentication). These transfers fall outside the EEA and are governed by:

• Standard Contractual Clauses (SCCs) under European Commission Implementing Decision (EU) 2021/914, incorporated into our agreements with each US sub-processor. Copies are available in the Data Processing Agreement.
• Supplementary technical measures including TLS encryption in transit and AES-256 encryption at rest, ensuring that data transferred is protected against access by third parties.

We disclose explicitly that the US CLOUD Act (18 U.S.C. § 2523) may require US-domiciled operators to disclose data held on behalf of EU customers to US law enforcement under certain conditions, even when data is physically stored in the EU. Our mitigations are described on the Security page.

A full list of sub-processors, their locations, and applicable transfer mechanisms is maintained at /subprocessors.

6. Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law.

• Account data: held for the duration of your account and for 30 days after account closure, after which it is purged. Legal hold may extend this where required.
• Agent trace data: retention is org-configurable between 6 and 24 months from the date of ingestion, enforced by an automated deletion job. The default is 6 months. You may request earlier deletion at any time via the platform or by contacting us.
• Billing records: retained for 7 years to comply with Irish tax and accounting law.
• Security and audit logs: retained for 12 months.

7. Your rights

Under GDPR Chapter III you have the following rights in relation to your personal data. To exercise any right, contact us at privacy@fuze-ai.tech.

• Right of access (Art. 15): you may request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification (Art. 16): you may request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): you may request deletion of your personal data where one of the conditions in Art. 17(1) applies, subject to exceptions for legal compliance and legal claims under Art. 17(3).
• Right to data portability (Art. 20): where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): you may object to processing based on legitimate interests or carried out for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
• Right to restrict processing (Art. 18): you may request restriction of processing in certain circumstances, for example while the accuracy of data is contested.
• Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

We will respond to substantiated requests within one calendar month. Where the request is complex or numerous, this may be extended by a further two months; we will inform you of any extension and the reasons within the initial one-month period.

8. Security

We apply technical and organisational measures appropriate to the risk, including TLS 1.2+ for data in transit, AES-256 encryption at rest (provided by Supabase and Google Cloud), least-privilege access controls for staff, and a formal incident response process. Full details are on the Security page.

9. Cookies and tracking

The Fuze website uses a small number of functional cookies strictly necessary for session management and authentication. We do not use third-party advertising cookies or cross-site tracking pixels. Analytics, where used, are conducted through privacy-preserving, aggregated methods that do not identify individual visitors.

10. Children

The Fuze platform is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without appropriate consent, contact us at privacy@fuze-ai.tech and we will take steps to delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to registered users at least 30 days before they take effect, and the “Last updated” date at the top of this page will be revised. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

12. Contact and complaints

For any question, request, or concern about this policy or about how we process your personal data, contact our data protection contact:

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority for data protection in Ireland: