Privacy Policy

Effective Date: March 10, 2026
Last Updated: March 10, 2026

Entropy Reversal, Inc. (“Company,” “we,” “us,” “our”), a Delaware corporation, operates LobsterCloud at lobstercloud.ai (the “Service”). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use the Service.

This Privacy Policy applies to information we collect through the Service, our website, and related communications. Please read it carefully. If you do not agree with our practices, do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account via a supported authentication method (e.g., Google Sign-In), we receive and store:

Your name
Your email address
Your authentication provider profile identifier

1.2 Payment Information

We use Stripe to process payments. We do not store your full credit card number, expiration date, or CVV. Stripe collects and stores payment information in accordance with Stripe’s Privacy Policy. We receive from Stripe: a payment token, billing address, last four digits of your card, and transaction history.

1.3 Instance and Service Data

Infrastructure telemetry: We continuously collect basic performance data about your Instance, including CPU usage, RAM usage, and disk usage, for monitoring and service delivery.
Application telemetry: We collect operational metadata about your Instance, including application error and crash logs, LLM API call metadata (such as provider name, token counts, and error rates), installed skills and extensions, and general agent activity metrics (such as uptime and task counts). This telemetry is limited to metadata and does not include the content of your prompts, responses, conversations, or files.
LLM API keys: Your API keys are stored on your Instance and in encrypted Instance backups. Depending on your configuration, API requests may be transmitted directly from your Instance to your LLM provider, or routed through LobsterCloud infrastructure. In either case, we store and use your credentials only to authenticate requests to the LLM provider you designate. We do not sell or expose your API keys to unauthorized third parties.
Optional content-analysis features: We may offer optional features (such as request filtering, safety firewalls, or content moderation) that require analyzing the content of LLM requests and responses or other data flowing to and from your Instance. These features are disabled by default and are activated only when you explicitly enable them. When enabled, we process the relevant content solely to provide the requested feature and do not use it for any other purpose. You may disable these features at any time.
Instance contents: Your Instance may contain files, code, conversation histories, agent memory, browsing data, and other data generated during your use of the Service. Except as described above for optional content-analysis features, we do not access Instance content in the ordinary course of operations (see Section 7 for details on when access may occur).

1.4 Connected Accounts and Integrations

Your AI agent may interact with third-party services on your behalf through browser automation, including email providers, calendars, messaging platforms, websites, and online services. When your agent interacts with these services:

The agent operates within your Instance using your own credentials and sessions.
We do not use OAuth scopes or API-level integrations to access your accounts on these platforms.
Data retrieved or generated by your agent through these interactions is stored on your Instance and is subject to the same access and retention policies as other Instance contents.
We do not routinely monitor, log, or analyze the content of your agent’s interactions with third-party services.

You are responsible for ensuring that your agent’s interactions with third-party services comply with those services’ terms of use and applicable law.

1.5 Usage and Log Data

We automatically collect:

IP address
Browser type and version
Pages visited on our website
Date and time of access
Referring URL
Device identifiers

Website access logs are retained for 90 days and then deleted.

1.6 Cookies and Tracking Technologies

We use essential cookies to maintain your session and authentication state. We use Google Analytics to understand how the website is used; Google Analytics collects anonymized usage data and operates under Google’s Privacy Policy. You can control cookies through your browser settings, but disabling essential cookies may prevent you from using the Service.

Do Not Track Signals: We do not currently respond to “Do Not Track” (DNT) browser signals or similar mechanisms such as Global Privacy Control (GPC). If this changes, we will update this Privacy Policy.

2. How We Use Your Information

We use the information we collect to:

Provide, operate, and maintain the Service
Process payments and manage your subscription
Collect infrastructure and application telemetry for capacity planning, service health, and product improvement
Diagnose and resolve technical issues
Communicate with you about your account, billing, and support requests
Detect and prevent fraud, abuse, and violations of our Terms of Service
Provide optional content-analysis features (such as request filtering or safety firewalls) when you explicitly enable them
Comply with legal obligations
Improve and develop the Service

We do not use the contents of your Instance (including files, agent conversations, or agent memory) to train machine learning models, for advertising, or for any purpose other than providing and securing the Service.

3. How We Share Your Information

We do not sell your personal information.

3.1 Our Processors and Vendors

We share information with third-party providers who process data on our behalf to operate the Service:

Stripe (payment processing)
Google (authentication, analytics)
Infrastructure hosting providers (such as Hetzner)

These providers process your information under our instructions and in accordance with applicable data protection requirements. Where we act as a Data Processor, we will provide notice of any new or replacement sub-processors by updating this Privacy Policy or notifying you via email, giving you the opportunity to object.

3.2 Third-Party Services You Connect

When your AI agent interacts with third-party services (such as email providers, messaging platforms, or websites) through browser automation, those services operate under their own terms and privacy policies. We do not control how those services process data and are not responsible for their privacy practices. See Section 8 for links to the privacy policies of commonly used third-party services.

3.3 Other Disclosures

We may disclose information if required by law, regulation, legal process, or governmental request. We may also disclose information if we believe it is necessary to protect the rights, property, or safety of Entropy Reversal, Inc., our users, or the public, or to enforce our Terms of Service.

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control.

4. Data Retention

Active accounts: We retain your account information and Instance data for as long as your account is active.
Instance deletion: If you actively delete your Instance via the dashboard “Delete” action, your Instance and its live data are destroyed immediately and irrecoverably.
Account cancellation: If you cancel your subscription without deleting your Instance, we may retain your Instance data for up to 30 days before permanent deletion. During this period, you may request data export by contacting support.
Backups: Data captured in encrypted system backups will expire and be permanently purged according to our 30-day backup rotation schedule, regardless of deletion method.
Website logs: Access logs are retained for 90 days.
Billing records: We retain billing and transaction records as required by applicable law and for legitimate business purposes (typically up to 7 years for tax and accounting purposes).

5. Data Security

We implement reasonable technical and organizational measures to protect your personal information, including:

Encrypted Instance backups
Isolated Instance environments per user
Secured administrative access
HTTPS encryption for all web traffic

However, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your information.

Breach Notification: In the event of a security breach that compromises your personal information or stored credentials (such as LLM API keys), we will notify affected users in accordance with applicable legal requirements. We recommend that you rotate your LLM API keys periodically and immediately if you suspect unauthorized access.

6. Your Rights

Depending on your location, you may have certain rights regarding your personal information.

6.1 General Rights

You may have the right to:

Access the personal information we hold about you
Correct inaccurate personal information
Delete your personal information (subject to legal retention obligations)
Export your data in a portable format
Withdraw consent for processing based on consent
Object to processing based on legitimate interests

6.2 European Economic Area, UK, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland:

Legal bases for processing: We process your personal data based on: (a) performance of our contract with you (providing the Service), (b) our legitimate interests (improving the Service, preventing fraud), (c) your consent (for optional analytics cookies), and (d) compliance with legal obligations.
Data transfers: Your data is processed and stored in data centers operated by our infrastructure providers, which may be located in the United States and/or the European Union. Where personal data is transferred to jurisdictions without an adequacy decision, we implement appropriate safeguards, which may include Standard Contractual Clauses (SCCs), to ensure an adequate level of protection.
Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority.

6.3 California (CCPA/CPRA)

If you are a California resident:

Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to delete: You may request deletion of your personal information, subject to legal exceptions.
Right to opt-out of sale: We do not sell your personal information. We do not use your personal information for cross-context behavioral advertising.
Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of information collected: Identifiers (name, email, IP address), commercial information (billing records), and internet activity (usage logs).

6.4 Brazil (LGPD)

If you are located in Brazil, you have similar rights to access, correct, delete, and port your data under the Lei Geral de Proteção de Dados. Contact us to exercise these rights.

6.5 How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond to verifiable requests within applicable legal timeframes. We may need to verify your identity before processing your request.

7. Instance Access and Monitoring

We maintain administrative access to your Instance environment. We want to be transparent about what this means:

What we can access: We have the technical ability to access all data on your Instance, including files, configurations, agent conversation logs, memory, and stored credentials (such as LLM API keys).
When we access it: We do not access Instance content in the ordinary course of operations. We may access Instance content when necessary for: infrastructure management, debugging, troubleshooting, responding to your support requests, investigating potential Terms of Service violations, or complying with legal obligations.
What we do not do: We do not use your data for advertising or model training, or share Instance contents with third parties (except as required by law or as necessary to provide the Service).
Telemetry we collect by default: We continuously collect infrastructure metrics (CPU, RAM, disk) and application metadata (error logs, LLM call metadata, installed skills, agent activity metrics). This telemetry does not include prompt content, response content, files, or conversation data.
Optional content-analysis features: If you enable optional features such as request filtering or safety firewalls, we process relevant content (such as LLM requests and responses) solely to provide the feature you enabled. You control these features and may disable them at any time.

Data Controller and Data Processor Roles

For the purposes of applicable data protection laws (including GDPR and CCPA), to the extent your Instance contains personal data of third parties gathered by your AI agent (e.g., names, email addresses, or other information obtained from the web), you act as the Data Controller (or “Business” under CCPA) and we act solely as the Data Processor (or “Service Provider”) hosting that data on your behalf. You are responsible for ensuring that your agent’s collection and processing of third-party personal data complies with all applicable data protection laws.

8. Third-Party Services

The Service may be used alongside third-party services that have their own privacy policies, including, where supported:

Authentication providers (such as Google): Google Privacy Policy
Payment processors (Stripe): Stripe Privacy Policy
LLM providers (such as OpenAI, Anthropic, OpenRouter, MiniMax, xAI, and others): Your API requests to LLM providers are governed by their respective privacy policies. We do not control how LLM providers process your data.
Messaging and communication platforms (such as Telegram, Discord, Slack, WhatsApp, Signal, iMessage, and others): If your agent interacts with messaging platforms, those platforms’ privacy policies apply to data processed through them.

This list is non-exhaustive and may change as the Service evolves. We are not responsible for the privacy practices of third-party services.

9. Children’s Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information.

10. International Data Transfers

Your information is processed and stored in data centers operated by our infrastructure providers (such as Hetzner), which may be located in the United States and/or the European Union, depending on server availability and configuration. By using the Service, you acknowledge the processing and transfer of your data in and to these locations.

For EEA/UK/Swiss users, where personal data is transferred to jurisdictions without an adequacy decision, we implement appropriate safeguards as described in Section 6.2.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the “Last Updated” date. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

Entropy Reversal, Inc.
1111b S Governors Ave, Suite 58142
Dover, DE 19904, United States

Email: [email protected]
Website: lobstercloud.ai

13. Summary Table

What We Collect	How We Use It	How Long We Keep It
Name, email (via auth provider)	Account management	Duration of account + up to 30 days
Payment info (via Stripe)	Billing	Per Stripe’s policy; records up to 7 years
IP address, browser, device data	Security, analytics	90 days (logs)
Infrastructure telemetry (CPU/RAM/disk)	Service delivery, capacity planning	Duration of account
Application metadata (error logs, LLM call metadata, installed skills, activity metrics)	Service health, debugging, product improvement	Duration of account
Content processed by optional features (e.g., firewall)	Providing the opted-in feature only	Not retained beyond processing; disabled by default
Instance contents (files, agent data, keys)	Providing the Service only	Until Instance deletion (immediate) or account cancellation (up to 30 days); backups on 30-day rotation