Iteration
Machine

← Back

Privacy Policy

Last updated: May 11, 2026

This Privacy Policy describes how Iteration Machine, Inc., a Delaware corporation (“Iteration Machine,” “we”), collects, uses, and shares information when you use iterationmachine.comand the Iteration Machine application (together, the “Service”).

1. Information We Collect

Account information. Authentication is handled by Clerk. When you sign up, Clerk shares with us your email address, a user identifier, and the OAuth identities you connect (for example, Google or GitHub sign-in). We do not receive or store your password.

Connected-provider data. When you connect a third-party system, we store the access and refresh tokens required to act on your behalf and retrieve the data the agent needs. The connected systems may include:

  • GitHub — repository metadata, file contents, pull requests, issues, and commits for the repositories you link.
  • Google Analytics & Google Search Console — traffic, conversion, and search-query metrics for the properties you link.
  • Google Workspace — limited document and calendar data only for the scopes you grant during OAuth.
  • Stripe — anonymized billing and revenue metrics for the account you link.
  • PostHog — product-analytics events and funnels for the project you link.

Project workspace and agent outputs. The agent operates in a per-project workspace that contains source files, drafts, plans, experiment state, and conversation history. We store this workspace, along with the inputs and outputs of each agent run, so that subsequent runs can resume from prior context.

Usage and device data. Like most services, our servers automatically log basic technical information (IP address, timestamp, user-agent, request path) for security, abuse prevention, and debugging.

2. How We Use Information

  • operate, maintain, and improve the Service;
  • execute the actions you authorize on connected systems and produce agent output;
  • communicate with you about your account, security, and product updates;
  • monitor and protect the Service against fraud, abuse, and security threats; and
  • comply with legal obligations.

3. AI Model Providers

The Service uses third-party large-language-model providers (including OpenAI and Anthropic) to power the agent. Content you submit and the agent's working context may be transmitted to these providers solely to generate responses. We select providers whose terms commit not to train their general models on customer data submitted via API. We do not sell your data to AI providers.

4. Sub-processors

We rely on the following sub-processors to operate the Service:

  • Vercel — web hosting and edge delivery for the marketing site and web app.
  • Google Cloud Platform — virtual machines that run the control plane and the per-project agent sandboxes.
  • Supabase — managed Postgres database for account and project data.
  • Clerk — authentication and identity management.
  • Stripe — subscription billing, if you subscribe to a paid plan.
  • OpenAI, Anthropic — language-model inference.

5. Sharing

We do not sell your personal information. We share information only (a) with the sub-processors listed above, under contracts that require them to safeguard it; (b) with third-party systems you connect, to perform the actions you authorize; (c) to comply with a valid legal request; and (d) in connection with a merger, acquisition, or sale of assets, in which case the successor will be bound by this Policy or give you notice and a choice.

6. Retention

We retain account and project data for as long as your account is active and for a reasonable period afterwards to handle disputes, meet legal requirements, and operate backups. You may request deletion at any time by writing to hello@emotionmachine.ai; we will delete your data within thirty days unless we are required to retain it.

7. Your Choices

  • Disconnect providers.You can revoke access for any connected provider from the dashboard or directly from the provider's account settings.
  • Access, correction, deletion. Depending on where you live, you may have the right to access, correct, delete, or port your personal data, or to object to or restrict certain processing. To exercise these rights, email hello@emotionmachine.ai.
  • EU/UK and California residents. Where the GDPR, UK GDPR, or CCPA/CPRA applies, you have the rights granted by those laws, including the right to lodge a complaint with a supervisory authority.

8. Security

We use industry-standard safeguards — encryption in transit, scoped access tokens, isolated per-project sandboxes — to protect your information. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.

9. International Transfers

We are based in the United States and our sub-processors operate there. If you access the Service from outside the United States, you consent to the transfer of your information to the United States for processing.

10. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.

11. Changes

We may update this Policy from time to time. Material changes will be announced via email or an in-app notice. The “Last updated” date above always reflects the current version.

12. Contact

Questions about this Policy or your data can be sent to hello@emotionmachine.ai.