Privacy Policy

Last Updated: February 3, 2026

1. Introduction

Foil ("we," "our," or "us") provides an AI model monitoring and logging platform that helps developers track, analyze, and improve their AI applications. This Privacy Policy explains how we collect, use, store, and protect information when you use our services.

2. Information We Collect

2.1 Account Information

When you register for Foil, we collect:

  • First name and last name
  • Email address
  • Company name (optional)
  • Password (stored as a bcrypt hash)
  • Authentication tokens from OAuth providers (Google, GitHub) if you choose social login

2.2 AI Trace and Span Data

When you integrate Foil with your AI applications, we collect:

  • Trace identifiers: traceId, spanId, sessionId
  • Model information: model name, provider, configuration parameters (temperature, max tokens, etc.)
  • Input/Output content: prompts sent to AI models and responses received
  • Performance metrics: latency, token usage, cost estimates
  • Status information: success/error states, error messages
  • Agent metadata: agent name, version, environment (development/staging/production)

2.3 End User Data

If you enable end user tracking in your integration, we may collect:

  • End user identifiers (endUserId)
  • Custom end user properties you choose to send
  • Device information: platform, OS, browser, app version, locale, timezone, screen resolution, IP address, user agent

2.4 Media and Attachments

If you use our multimodal features, we store:

  • Images, documents, spreadsheets, code files, and other attachments
  • Extracted text from documents
  • Generated previews and thumbnails

2.5 Signals and Feedback

We collect custom metrics and feedback you send through our SDK:

  • Signal names, types, and values
  • User feedback (thumbs up/down, ratings)
  • LLM-generated quality assessments

2.6 Billing Information

Payment processing is handled by Stripe. We store:

  • Stripe customer ID and subscription ID
  • Plan selection and usage statistics
  • We do not store credit card numbers or full payment details

2.7 Usage Data

We automatically collect:

  • API request logs
  • Feature usage patterns
  • Error and diagnostic information

3. How We Use Your Information

3.1 Core Service Delivery

  • Ingesting and storing AI traces for monitoring
  • Providing analytics dashboards and search functionality
  • Generating alerts based on your configured thresholds
  • Enabling semantic search across your traces

3.2 AI-Powered Evaluations

We use Large Language Models to analyze your AI traces for:

Content Evaluations:

  • Hallucination detection (fabricated facts, fake entities)
  • NSFW content detection
  • Quality assessment (off-topic, unhelpful responses)
  • Stuck/loop behavior detection
  • User satisfaction and frustration signals

Security Evaluations:

  • Prompt injection attempts
  • PII leakage detection (SSN, credit cards, phone numbers, addresses)
  • Jailbreak attempt detection

These evaluations are processed using OpenAI's API. Trace data sent for evaluation is subject to OpenAI's data usage policies.

3.3 Machine Learning

With your opt-in, we may:

  • Train custom ML models to reduce false positives in evaluations
  • Generate embeddings for semantic search functionality
  • Build agent profiles to improve evaluation accuracy

3.4 Communication

We use your contact information to:

  • Send alert notifications (email, SMS, Slack)
  • Provide account-related communications

4. Data Retention

We retain your data for the following periods:

  • Account Information: Retained while your account is active and for 30 days after deletion
  • Trace and Span Data: Retained according to your plan's retention period (7-90 days depending on plan)
  • Media and Attachments: Retained for the same period as associated trace data
  • Billing Records: Retained for 7 years for tax and legal compliance
  • Usage Logs: Retained for 90 days for debugging and security purposes

You may request earlier deletion of your data by contacting us at privacy@getfoil.ai.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data is transmitted over TLS 1.2+
  • Encryption at Rest: Data is encrypted using AES-256 in our databases and storage systems
  • Access Controls: Role-based access controls limit employee access to customer data
  • Infrastructure: We use AWS with SOC 2 Type II certified data centers
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Password Security: Passwords are hashed using bcrypt with appropriate work factors

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

6.1 All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete data
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Export: Download your data in a portable format via our API

6.2 European Users (GDPR)

  • Right to Object: Object to processing based on legitimate interests
  • Right to Restrict: Request restriction of processing in certain circumstances
  • Data Portability: Receive your data in a structured, machine-readable format
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Lodge Complaint: File a complaint with your local data protection authority

6.3 California Users (CCPA)

  • Right to Know: Request disclosure of data collected, sources, and purposes
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of sale of personal information (we do not sell personal information)
  • Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise any of these rights, contact us at privacy@getfoil.ai.

7. International Data Transfers

Foil is based in the United States. If you access our services from outside the US, your data will be transferred to and processed in the United States.

For transfers from the European Economic Area (EEA), UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Your explicit consent where appropriate

Our sub-processors (AWS, OpenAI, Stripe) maintain their own data transfer mechanisms and certifications.

8. Children's Privacy

Foil is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@getfoil.ai and we will promptly delete it.

9. Cookies and Tracking

We use the following cookies:

  • Essential Cookies: Required for authentication and security (session cookies, CSRF tokens)
  • Functional Cookies: Remember your preferences and settings

We do not use advertising or tracking cookies. We do not sell your data to third parties.

You can control cookies through your browser settings, but disabling essential cookies may prevent you from using the service.

10. Third-Party Services

We share data with the following third-party service providers:

  • OpenAI: For AI-powered evaluations (trace data sent for analysis)
  • Stripe: For payment processing (billing information)
  • AWS: For infrastructure and data storage
  • Sentry: For error tracking and diagnostics
  • SendGrid/Twilio: For email and SMS notifications

Each provider processes data according to its own privacy policy. We encourage you to review those policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email or a prominent notice in our dashboard
  • Provide at least 30 days' notice before material changes take effect

Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

  • Email: privacy@getfoil.ai
  • General inquiries: support@getfoil.ai

We will respond to your request within 30 days.