Privacy

Privacy Policy

What SwarmSpace collects, what it does not collect, and how data is handled when plugins execute. Last updated June 2026.

1. What SwarmSpace is

SwarmSpace is a plugin marketplace for personal AI agents — a discovery, trust, and execution layer between AI agents and third-party capability providers. Most users interact with SwarmSpace indirectly, through LUMARA or another AI companion, rather than directly. This policy explains data handling across both surfaces.

2. What we collect

We collect the minimum necessary to operate the platform. The categories below cover everything.

Category	What we collect	Purpose
Account data	Email address, authentication method (email/password, Google, or GitHub OAuth), account creation timestamp, subscription tier.	Account identity, authentication, billing tier enforcement.
Usage data	Plugin slug and call timestamp, credits consumed per call, daily call count (reset midnight UTC), tier-level quota tracking. We log that a call happened — not what was said.	Quota enforcement, billing reconciliation, and aggregate product analytics (e.g. which tools are used most). Query content is never logged. Your user ID is stripped from activity logs after 90 days by an automated daily process; the anonymized record (tool name, tier, result, timestamp) is retained for product improvement.
Developer data	Submitted manifest fields (name, description, endpoint URL, trust tier, pricing, tags), submission timestamp and review status, developer UID linked to your account.	Plugin review, listing, and catalogue management.
API keys	Each account is issued an `ss_` prefixed API key on signup. Keys are stored as a lookup reference, not in plaintext alongside your account document. Regeneration is atomic — the old key is invalidated in the same operation that creates the new one.	Authentication for direct API and MCP access.

3. What we do not collect

Personal context from your AI companion. LUMARA's CHRONICLE memory never passes to SwarmSpace. Interest tags derived from CHRONICLE are hashed client-side before any network call. SwarmSpace receives tag hashes, not raw content.
Plugin input or output content. SwarmSpace routes calls and enforces quotas. It does not read or store what you asked or what a plugin returned.
MCP query text. When an AI agent (Claude, ChatGPT, or any MCP client) calls a SwarmSpace tool, we receive your OAuth token and the tool argument — a plain-text query string. That query string is processed and returned to the caller. It is not logged or stored.
Behavioral profiles. We do not build advertising profiles or sell data to third parties.
Tracking cookies or analytics. SwarmSpace sets no tracking cookies and runs no third-party analytics SDK (no Google Analytics, Mixpanel, Segment, or equivalent). See §8 for full detail on browser storage.

4. How plugin execution works

Three things happen at execution time that are directly relevant to your privacy.

Context minimization (PRISM). Each plugin declares in its manifest exactly which fields of user context it needs (privacy_data_required). LUMARA extracts only those fields client-side. The plugin sandbox receives nothing else through the supported path. This is enforced structurally at the V8 sandbox boundary, not by policy. See the PRISM documentation for full detail.
Credential handling. SwarmSpace manages API keys for third-party services on your behalf. Plugin code never receives raw credentials. Keys are injected at the network egress boundary via HTTP filtering — plugin code issues fetch, the credential is attached transparently.
Network isolation. Each plugin call runs in a V8 isolate sandbox. Outbound network access is restricted to domains declared in the plugin manifest (network_domains). All other destinations are blocked at the platform layer.

5. MCP tool calls (Claude, ChatGPT, and other AI agents)

SwarmSpace exposes its research and workflow tools via the Model Context Protocol (MCP). When an AI agent calls a SwarmSpace tool:

What we receive: your OAuth Bearer token (used to identify your account and check your quota) and the tool argument — a single plain-text query string.
What we do not receive: the AI's conversation history, system prompt, or any other context from the calling application. The MCP protocol boundary means SwarmSpace only sees the structured tool call, not the session around it.
What we log: tool name, timestamp, your user ID, tier, and result status (success or error). The query text itself is not stored.
How results are returned: the tool result (research synthesis, analysis output, etc.) is returned directly to the calling AI agent. SwarmSpace does not retain a copy of the result after the call completes.

6. Third-party plugins

SwarmSpace hosts the index and trust layer. Plugin execution calls the developer's endpoint. SwarmSpace does not audit third-party APIs or certify their upstream data handling. The Developer Agreement each plugin developer accepts covers data handling obligations, prompt injection liability, and third-party API terms compliance.

If a plugin receives user context (declared via privacy_data_required), that context is subject to the developer's own privacy practices in addition to the constraints SwarmSpace enforces structurally. Review a plugin's manifest and Swarm page before authorizing it for sensitive use cases.

7. Data recipients

The following third-party services process data as part of operating SwarmSpace. No data is sold or shared beyond what is described here.

Service	What they receive	Why
Firebase (Google)	Email address, authentication credentials, account data, usage counters, plugin activity logs.	Authentication, database, and Cloud Functions runtime.
Stripe	Email address, payment card details (processed directly by Stripe — never stored by SwarmSpace), subscription tier.	Payment processing and subscription management.
Cloudflare	Request metadata (IP, headers) for traffic routing; OAuth token data in KV storage; plugin execution workloads.	Worker runtime, MCP server, plugin sandbox execution.
Google Gemini API	Query content for AI processing when Gemini-powered tools or the SwarmSpace discovery agent are invoked.	LLM inference for platform-level AI features.
Groq	Query content for AI processing when Groq-powered tools are invoked (using a SwarmSpace project-level key, not your key).	LLM inference for platform-level AI features.
NewsData.io	Search query terms for news retrieval. No personal account data is sent.	News briefing content sourcing.
User-configured LLM providers (OpenAI, Anthropic, Cloudflare Workers AI, and others)	If you configure a bring-your-own API key, your queries are routed to the provider you selected under your own key. SwarmSpace acts as a pass-through; the provider's privacy policy governs that data.	User-selected LLM routing.

8. Cookies and local storage

SwarmSpace sets no tracking cookies and loads no third-party analytics scripts.

Firebase Auth session. Firebase Auth persists your login session in browser IndexedDB (not a cookie). This is required to keep you signed in across page loads. It contains no personal data beyond an opaque session token tied to your Firebase UID.
Session storage. The site uses sessionStorage for a single purpose: preserving a pending workflow chain parameter during the signup redirect flow (pendingChain). This is cleared immediately after use and never sent to any server.
No persistent cookies. SwarmSpace sets no document.cookie values on your browser.

9. Email communications

SwarmSpace itself sends no email. You do not need to accept marketing email or transactional email from Orbital AI to use the platform.

Firebase Auth system emails. Firebase sends account-related system emails on its own infrastructure: email verification on signup and password reset links. These come from Firebase, not from Orbital AI servers.
Stripe billing emails. Stripe sends payment receipts, subscription confirmations, and billing notices directly from their platform when you subscribe to a paid plan.
Account deletion. To request account deletion, email marcyap@orbitalai.net. This is the only context in which you would email us directly.

10. Data retention

Account and usage data — retained while your account is active.
Plugin activity logs — your user ID is stripped after 90 days by a daily automated process (anonymizeActivityLogs, runs 02:00 UTC). The anonymized record — tool name, tier, result status, and timestamp — is retained indefinitely for aggregate product analytics. Query content is never stored at any point.
Daily usage counters — deleted after 90 days. These are quota-tracking records only and have no analytics value once the window closes.
Developer submissions — retained while the plugin is listed. Removed within 30 days of de-listing if requested.
API keys — the current key is retained. Previous keys are not stored after regeneration.
MCP OAuth tokens — access tokens expire after 30 days. Refresh tokens are stored as hashed values in Cloudflare KV and rotated on each refresh.

11. Your rights

Export your account data by contacting marcyap@orbitalai.net.
Delete your account. Email marcyap@orbitalai.net with the subject line "Account deletion request." We will complete the deletion — removing your account document, API key, usage history, and developer profile — within 14 days. Submitted plugins are de-listed as part of the same process. There is no self-service deletion UI at this time.
Regenerate your API key at any time from the dashboard. The previous key is immediately invalidated.
Revoke MCP access. Regenerating your API key from the dashboard also invalidates any MCP OAuth tokens issued under your account.

12. Security

SwarmSpace uses Firebase Auth for authentication. Firestore stores account and usage data. Cloudflare Workers handle plugin execution with V8 isolate sandboxing. Stripe handles payment processing under Stripe's own privacy and security policies. We do not store payment card details. For the full security architecture, see the Security & Trust Architecture page.

13. Changes to this policy

Material changes will be noted at the top of this document with an updated date. Continued use of SwarmSpace after a material change constitutes acceptance of the revised policy.

Contact

Orbital AI · San Diego, CA
marcyap@orbitalai.net
swarmspace.app