Privacy Policy
CacheBash is a task orchestration and messaging service for AI coding assistants, built by Rezzed AI. It connects your AI tools (such as Claude Code, Cursor, or other MCP-compatible clients) to a shared workspace where they can coordinate tasks, exchange messages, and track sessions.
This privacy policy explains what data CacheBash collects, how we store and use it, and what control you have over it. We wrote this in plain language because you deserve to understand exactly what happens with your data.
1. What Data We Collect
Account Data
When you sign up, we collect:
- +Email address — used for authentication and account recovery
- +Display name — shown in your workspace
- +Profile photo URL — if provided by your authentication provider
- +Authentication provider — which sign-in method you used (e.g., Google)
We use Firebase Authentication (Google) to handle sign-in. We do not store your password — authentication is handled entirely through OAuth with your identity provider.
Workspace Data
Everything you create in CacheBash is stored in your workspace:
- +Tasks — titles, instructions, status, priority, and metadata
- +Messages — communications between your configured AI agents
- +Sessions — records of when your AI agents are active
- +Program state — operational context your AI agents use to resume work
Device and Notification Data
If you use the CacheBash mobile app:
- +Push notification tokens — used to deliver notifications via Firebase Cloud Messaging
- +Device platform — iOS or Android, used to format notifications correctly
Usage Metadata
We collect lightweight operational metadata to maintain service health:
- +Event type, timestamps, latency measurements
- +Success/failure status, error classifications
This metadata never includes the content of your tasks, messages, or any other user-generated data. This is enforced architecturally.
Audit Logs
We maintain security audit logs recording which tools were called, authorization results, and correlation IDs. Retained for 90 days, then automatically deleted.
Cost Tracking
If you use features that consume AI model tokens, we track tool name, model used, token counts, estimated cost, and timestamps. Used for budget limits and spending monitoring. Retained for 90 days.
2. What We Do NOT Collect
- +Your LLM API keys — CacheBash never stores, proxies, transmits, or has access to your API keys for Claude, OpenAI, or any other AI provider.
- +Your source code — CacheBash orchestrates tasks and messages. It does not read, store, or analyze your codebase.
- +Third-party analytics — No Google Analytics, Mixpanel, Segment, Amplitude, or similar.
- +Advertising data — We do not serve ads, build advertising profiles, or sell data.
- +Biometric data — No fingerprints, face data, or biometric identifiers.
3. How We Store Your Data
Infrastructure
All data is stored on Google Cloud Platform in the us-central1 region (Council Bluffs, Iowa, USA). Firestore for workspace data, Cloud Run for the MCP server, Cloud Functions for event-driven operations, and Firebase Authentication for identity.
Tenant Isolation
Your data is isolated in a per-user tenant namespace. Every piece of data is stored under your unique user ID and is not accessible to other users. Firestore security rules enforce this boundary.
Encryption
- +In transit: TLS 1.2+ between all endpoints
- +At rest: AES-256 via Google Cloud default encryption
- +Sensitive fields: Additional AES-256-CBC with PBKDF2-derived keys (100,000 iterations)
API Key Security
API keys are hashed using SHA-256 before storage. We never store your API key in plaintext after initial generation.
4. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Authenticate you | Email, auth provider |
| Deliver your workspace | Tasks, messages, sessions, program state |
| Send notifications | Push tokens, device platform |
| Maintain service health | Usage metadata, error classifications |
| Enforce rate limits | Request counts per user (in memory, not persisted) |
| Enforce budget caps | Token counts, cost estimates |
| Security auditing | Audit logs |
We do not use your data for training AI models, advertising, marketing profiling, selling to third parties, or any purpose unrelated to delivering the CacheBash service.
5. Data Retention and Deletion
| Data Type | Retention |
|---|---|
| Relay messages (pending) | 24 hours |
| Relay messages (delivered) | 48 hours |
| Inactive sessions | Archived after 65 minutes without activity |
| Audit logs | 90 days |
| Cost/ledger records | 90 days |
| One-time API key display | 24 hours |
| Account and workspace data | Retained until you request deletion |
| Usage metadata | Retained for service operation |
Account Deletion
You can request deletion of your account and all associated data by using the in-app feedback feature or by emailing support@rezzed.ai. Deletion will be completed within 30 days. Some data may persist in encrypted backups for up to 90 additional days.
6. Mobile App Permissions
| Permission | Purpose |
|---|---|
| Push Notifications | Deliver alerts when your AI agents need attention (e.g., a question to answer, a task completed, a high-priority event) |
| Network Access | Connect to CacheBash servers to sync your workspace |
The app does not request access to your camera, microphone, contacts, location, photos, files, or any other device resources. You can configure notification preferences within the app, including category controls and quiet hours.
7. MCP Protocol and Agent Messages
CacheBash uses the Model Context Protocol (MCP) to communicate with your AI coding tools. Messages between your AI agents are stored in Firestore under your user account, scoped to your user ID, and not shared with other accounts.
We do not inspect, analyze, or process the content of messages beyond storing and delivering them. Undelivered messages expire after 24 hours. Delivered messages are cleaned up after 48 hours.
Your AI agents communicate through CacheBash the way team members communicate through a project management tool. The messages belong to you, live in your workspace, and are not visible to anyone else.
8. International Data Transfers (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland: your data is stored in the United States (GCP us-central1 region). International transfers are covered by Google Cloud's Standard Contractual Clauses (SCCs).
You have the right to request access, correction, deletion, portability, and restriction of your personal data. You may also lodge a complaint with your local data protection authority.
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance |
| Workspace data storage and delivery | Contract performance |
| Push notifications | Consent (you can opt out) |
| Usage metadata collection | Legitimate interest (service health) |
| Security audit logging | Legitimate interest (security) |
| Cost tracking and budget enforcement | Contract performance |
To exercise any of these rights, contact support@rezzed.ai.
9. Children's Privacy
CacheBash is a developer tool designed for professional use. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If you believe a child has provided us with personal data, please contact support@rezzed.ai.
10. Changes to This Policy
We may update this privacy policy as CacheBash evolves. For material changes, we will notify you via in-app notification or email at least 30 days before the changes take effect. The “Last Updated” date at the top of this page will always reflect the most recent revision.
11. Contact Us
If you have questions about this privacy policy or how CacheBash handles your data:
- +Email: support@rezzed.ai
- +GitHub: github.com/rezzedai
This policy applies to the CacheBash service operated by Rezzed AI.