Privacy Policy

Phoenix Horizon, Inc. ("Phoenix," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our products and services, including Rush, Halo, and related offerings.

By using our services, you consent to the data practices described in this policy. If you do not agree with our practices, please do not use our services.

For product-specific data practices, see: Rush Privacy Policy

Account Information

• Email address
• Name (if provided)
• Profile photo (via OAuth providers)
• Payment information (processed by Stripe)

Google API Data

When you connect your Google account via Rush, we request access to the following scopes:

• Gmail (read, send, modify) — To enable AI agents to triage, summarize, and draft email responses on your behalf
• Google Calendar (read, write) — To enable calendar-aware agents that schedule events and check availability
• Google Spreadsheets — To enable data analysis agents that read and write spreadsheet data
• User info (email) — To identify your account

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Other Connected Services

When you connect additional third-party services, we access data based on the permissions you grant:

• Twitter/X: Profile information, ability to post tweets and read your timeline
• Slack: Workspace information, channel messages, direct messages, and ability to post messages
• Stripe: Customer and subscription data for analysis

OAuth tokens are stored locally on your device with restricted permissions (mode 0600) and on our servers for session management.

Usage Data

• Session identifiers and execution logs
• Agent usage metrics (tokens consumed, cost, duration)
• Tool calls and error information (metadata only, not content)
• Device information (OS, app version)
• IP address

Local Data

Rush stores the following data locally on your device in the ~/.rush/ directory:

• Session histories (conversation logs with agents)
• OAuth tokens for connected services
• Installed agent packages
• User preferences and settings

We use collected information to:

• Provide, maintain, and improve our services
• Process transactions and send billing notifications
• Execute agent actions on your behalf via connected services
• Monitor usage for security, abuse prevention, and debugging
• Generate aggregated analytics to improve our products
• Communicate with you about updates and support
• Comply with legal obligations

Data obtained through Google APIs is used exclusively to provide the agent features you explicitly invoke:

• Gmail data is used by AI agents to read your inbox, summarize messages, and draft responses. Email content is processed in real-time and is not stored on our servers.
• Calendar data is used by calendar-aware agents to check your availability and create events. Calendar data is not stored on our servers.
• Spreadsheet data is used by data analysis agents to read and write to your spreadsheets as instructed.

We do not:

• Use Google user data for advertising
• Sell, rent, or share Google user data with third parties except as necessary to provide the service (e.g., sending prompts to LLM providers to execute your requested agent task)
• Use Google user data to train AI models
• Store Google user data on our servers beyond what is necessary for session management and token refresh

We want to be clear about what we do not store on our servers:

• Email body content - We read email metadata for agent functionality but do not store email bodies on our servers
• Raw prompts and responses - We log metadata (token counts, costs) but not the actual content of your conversations
• File contents - Files are processed locally; contents are not uploaded unless explicitly shared
• Passwords - We use OAuth; we never see or store your passwords

Our services integrate with and send data to the following third parties:

LLM Providers

• Anthropic - Powers our AI agents. Your prompts are sent to Anthropic's API. See Anthropic's Privacy Policy.
• OpenAI - Used for certain agent capabilities. See OpenAI's Privacy Policy.

Connected Platforms

• Google (Gmail, Calendar)
• Twitter/X
• Slack
• Stripe
• Additional platforms as they become available

Infrastructure

• Supabase - Authentication and database
• Cloudflare - CDN and security
• Hetzner - Server infrastructure (EU)

Local Storage: Sensitive data (OAuth tokens, session histories) is stored locally on your device with restrictive file permissions.

Server Storage: Usage analytics, billing data, and session metadata are stored on our servers. We use industry-standard encryption in transit (TLS) and at rest.

Retention: We retain usage data for as long as necessary to provide our services, typically up to 24 months for analytics data. You may request deletion at any time.

We do not sell your personal data. We may share data:

• With your consent - When you explicitly authorize sharing
• With service providers - Third parties that help us operate our services (under strict confidentiality agreements)
• For legal compliance - When required by law, subpoena, or legal process
• For safety - To protect the rights, property, or safety of Phoenix, our users, or others
• In business transfers - In connection with a merger, acquisition, or sale of assets

You have the right to:

• Access your data - Export your usage logs and audit trail via our dashboard
• Delete your data - Request deletion of your account and associated data
• Disconnect services - Revoke OAuth connections at any time through your account settings
• Opt out of analytics - Contact us to opt out of non-essential analytics
• Data portability - Export your session histories and artifacts

To exercise these rights, contact us at [email protected].

GDPR (European Users): If you are in the European Economic Area, you have additional rights under GDPR including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object. Our legal basis for processing is contractual necessity and legitimate interests.

CCPA (California Users): California residents have the right to know what personal information is collected, to delete personal information, and to opt out of the sale of personal information. We do not sell personal information.

Data Transfers: Your data may be transferred to and processed in the United States and other countries. We use appropriate safeguards for international transfers.

Our services are not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

Your prompts and data are not used to train AI models. We send your prompts to third-party LLM providers (Anthropic, OpenAI) to execute agent tasks. These providers have their own data policies regarding whether and how they use API inputs for training. Please review their policies for details.

We may use aggregated, anonymized usage patterns (not content) to improve our orchestration and infrastructure.

We use minimal cookies and similar technologies for authentication and session management. We do not use third-party advertising trackers.

• Essential cookies - Required for authentication and core functionality
• Analytics - Basic usage analytics to improve our services (can be opted out)

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on our website and updating the "Last updated" date. Your continued use of our services after changes become effective constitutes acceptance of the updated policy.

For privacy-related questions or requests, please contact us at:

• Email: [email protected]
• General inquiries: [email protected]

Phoenix Horizon, Inc.
United States