Privacy policy

How Archibot collects, uses, shares, and protects personal information for Console, Archibot Chat, workspaces, support, and billing.

Customer admins, Customer members, Platform operators

Last updated: April 26, 2026

This Privacy Policy explains how ISM Services, Inc. handles personal information for Archibot Console, Archibot Chat, Archibot workspaces, managed AI routing, onboarding, billing, support, and related services.

Scope

This policy applies to Archibot products and services that link to this page.

Customer agreements, order forms, data-processing terms, security addenda, and support statements may add more specific terms. If a signed customer agreement conflicts with this policy, the signed agreement controls for that customer.

Roles and account relationships

When Archibot is provided to an organization, that organization and its customer admins decide who can use Archibot, what repositories or workspaces are connected, and what data is submitted through the service.

In those cases, the customer organization is the primary controller or business decision-maker for user accounts, workspace activity, and Customer Content, and ISM acts as a service provider or processor to operate the service on that customer’s behalf.

ISM may also act as an independent controller for limited operational purposes such as account security, fraud prevention, billing, tax and accounting records, service reliability, compliance, and operation of this public docs site.

Service tiers and operating modes

Archibot may be offered in different service tiers or deployment shapes, such as public Archibot Chat, shared-hosted workspaces, dedicated-tenant, dedicated-release, or dedicated-cluster arrangements. The applicable customer agreement determines the approved service tier, hostnames, support profile, billing model, and any vendor-managed services.

Different service tiers may change where workloads run, which hostnames or identity clients are used, how customer admins are scoped, what approvals are required for provisioning, and what operational data ISM needs to process.

Hosting models and infrastructure

Depending on the customer’s plan, Archibot may run in an ISM-operated shared-hosted environment, an ISM-arranged dedicated environment, or a customer-hosted environment where ISM provides approved vendor-managed services.

The applicable customer agreement, onboarding record, or related security materials determine the approved hosting model, primary hosting region, public hostnames or ingress, whether third-party cloud or infrastructure providers are used, and which party is responsible for cloud accounts, network controls, backups, disaster recovery, retention, and material infrastructure changes.

Not every service tier includes customer-dedicated infrastructure, a specific hosting region, local data residency, custom backup schedules, disaster-recovery commitments, or customer-controlled infrastructure access.

International customers

Archibot is intended for business and organizational use. Service availability, onboarding requirements, payment rails, tax handling, supported regions, and vendor-managed features may vary by country or customer profile.

For international customers, we may collect additional business-verification, tax, sanctions-screening, billing, and transfer-compliance information before approving service, provisioning resources, or enabling certain features.

Personal information we collect

We collect the information needed to provide, secure, support, and bill for Archibot services.

Category | Examples
Account and identity | Name, email address, username, organization, customer account, tenant, role, group membership, SSO identifiers, invite and membership status.
Contact and onboarding | Billing contact, technical contact, SSO setup details, support contact details, customer-submitted onboarding notes, operator-visible launch context.
Service-plan and commercial data | Service tier, support profile, quote or approval references, lifecycle state, onboarding milestones, billing verification status, and notification recipients.
Workspace and runtime metadata | Workspace id, owner, status, template, target, customer and tenant labels, uptime intervals, storage and artifact usage metadata, create/update/delete events.
Archibot Chat data | Conversation ids and titles, messages, prompt and response content, API key metadata, hidden browser-chat credential metadata, artifact metadata, onboarding preferences, notification preferences, activity events, request ids, and shared chat credit ledger rows.
Environment and artifact metadata | Environment id, environment kind, repo or branch, artifact id, artifact kind, seed or catalog selections, S3-compatible object-storage path metadata, exposure mode, and backup or retention settings.
Hosting and infrastructure metadata | Hosting model, cloud account or cluster identifier, region, node pool or workspace target, ingress hostname, DNS or load-balancer metadata, storage bucket or prefix metadata, backup or replication status, and infrastructure change or incident records.
Billing and product data | Product selections, prepaid balances, checkout state, Stripe customer or session identifiers, meter export status, invoice or billing-review references.
Usage and diagnostics | API request metadata, provider usage summaries, token totals, model names, timestamps, error states, logs needed for support and security.
Feedback and support | Feedback text, category, route, browser metadata, issue links, attachments or screenshots you choose to provide.
Browser and device data | Theme preference, local browser storage used for login recovery or provider setup when explicitly enabled, device or browser type, and session or redirect state used to complete sign-in or sign-out.
Security data | IP address, user agent, authentication events, audit events, rate-limit data, abuse-prevention signals, and security investigation records.

Do not submit passwords, private keys, one-time invite links, provider API keys, payment card numbers, raw database credentials, kubeconfigs, or other secrets through feedback, onboarding notes, or support tickets.

Information from other services

Archibot may receive information from services you or your organization connect to Archibot, such as:

  • Identity providers and SSO systems.
  • Coder workspace services.
  • Stripe checkout and billing services.
  • Git providers such as GitLab, GitHub, Bitbucket, or Azure DevOps.
  • AI providers when managed or customer-provided AI access is enabled.
  • Email, ticketing, support, observability, and infrastructure providers used to operate the service.

We use connected-service data only for the product, security, billing, and support purposes described in this policy and in the customer’s agreement.

How we use information

We use personal information to:

  • Create and manage customer accounts, tenants, memberships, invites, and access roles.
  • Qualify onboarding requests, generate quotes, record approvals, provision approved service plans, validate first use, and complete customer handoff.
  • Review region eligibility, tax posture, sanctions or denied-party screening, transfer mechanisms, and supported payment rails before activation where required.
  • Determine approved hosting model, hosting region, ingress, backup expectations, and subprocessor footprint for the customer’s plan.
  • Authenticate users and enforce customer, tenant, workspace, and platform permissions.
  • Operate Archibot Chat browser chat, API keys, artifact handling, onboarding preferences, account export, and activity or audit views.
  • Create, update, start, stop, delete, and support workspaces.
  • Provision, operate, and support approved persistent environments, customer-scoped artifact paths, and related runtime resources.
  • Operate approved shared-hosted, dedicated, or customer-hosted vendor-managed environments and coordinate related infrastructure incidents, backup workflows, and disaster-recovery actions.
  • Track prepaid workspace time, managed AI credit, shared chat credits, usage, billing status, and product orders.
  • Process checkout, invoices, meter events, refunds, disputes, and billing support through payment providers.
  • Provide customer support, respond to feedback, and investigate reported issues.
  • Deliver approved vendor-managed onboarding, automation, or support actions under documented runbooks and approval gates.
  • Detect, prevent, and investigate security incidents, abuse, fraud, unauthorized access, and policy violations.
  • Improve reliability, product quality, onboarding, documentation, and support workflows.
  • Maintain session state, remember limited interface preferences, and complete configured login or logout flows.
  • Plan or execute offboarding, export, retention, access revocation, and timed deletion workflows.
  • Comply with legal, tax, accounting, security, and contractual obligations.

Cookies, browser storage, and session data

Archibot may use cookies, browser storage, and similar session mechanisms to keep users signed in, complete logout, maintain CSRF or session state, and remember limited local preferences.

Current product examples include:

  • Authentication or session cookies set by the configured identity and access path used for Console sign-in.
  • A tb_theme browser storage value used to remember a user’s light or dark theme preference in Console.
  • Archibot Chat may use limited browser storage as a fallback to remember whether local first-run setup was completed, while account setup state is stored by the service when the backend is available.
  • In local or recovery-only environments where token-based login is explicitly enabled, a locally stored session token for that browser.
  • Limited browser-side preferences for connected-provider helpers, such as a previously entered organization URL.

Clearing cookies or browser storage may sign you out, remove saved preferences, or require you to reconnect a configured provider flow.

Hosting providers, subprocessors, and operational responsibility

Depending on the customer’s plan, Archibot may rely on cloud, DNS, storage, observability, and other infrastructure providers engaged by ISM or approved through a customer-hosted vendor-managed arrangement.

Customer agreements or associated security materials determine the approved hosting model, primary region, backup and retention expectations, disaster-recovery scope, and which party is responsible for cloud-account administration, network rules, infrastructure changes, and related support coordination.

See Archibot Chat subprocessors and service providers for the current provider list that applies to Archibot Chat.

Managed AI, Archibot Chat, workspaces, persistent environments, and artifacts

Archibot records metadata-only usage for managed AI billing and support, such as customer id, workspace id, model name, token totals, timing, status, and safe CLI metadata.

Archibot does not need prompts, responses, transcripts, source code, database contents, or secrets to produce normal customer-facing usage totals. If a user or customer enables AI tooling or uses Archibot Chat, prompt and response content may be sent to the configured AI provider so the requested AI feature can work. Provider handling is governed by the applicable provider terms, customer configuration, and customer agreement.

ISM does not sell Customer Content or use Archibot Chat prompts, responses, uploads, artifacts, or transcripts to train general-purpose AI models. Third-party AI providers may process prompts and responses to provide the requested feature, subject to the provider configuration, provider terms, and customer agreement.

Workspace content, source code, databases, backups, logs, persistent-environment data, and artifacts remain customer-controlled content. We access customer content only as needed to operate the service, provide support requested by the customer, execute approved vendor-managed actions, investigate security or abuse issues, or comply with legal obligations.

Customer-facing artifact catalogs and storage paths may be hosted through an S3-compatible object-storage layer selected by the service configuration. We process artifact metadata, access events, and storage-usage information as part of normal operation, attribution, support, backup, restore, and offboarding workflows.

Hosted Archibot Chat is a commercial SaaS product unless a signed customer agreement says otherwise. Use it only for data your organization has approved for the configured identity, storage, backup, support, and model-provider paths. Customers with special security, regulatory, data-residency, or deployment requirements should request the enterprise security packet before use. See Archibot Chat approved data use and the Archibot Chat security overview for product-level guidance.

How we share information

We share personal information only as needed to provide, secure, support, and bill for Archibot services.

Recipient | Purpose
Customer admins | Manage users, workspaces, onboarding, billing readiness, and support context for their customer account.
Service providers | Host infrastructure, store data, process payments, deliver email, monitor services, provide support tooling, and operate connected product features.
Connected providers | Authenticate through SSO, access repositories, run workspaces, process managed AI requests, or complete billing workflows chosen by the customer.
Legal and safety recipients | Comply with law, enforce agreements, protect the service, investigate abuse, or respond to valid legal process.
Business transfer recipients | Evaluate or complete a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate protections.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

Customer admin and support access

Customer admins may be able to view or manage user profiles, memberships, workspace status, billing readiness, support context, and other information within their assigned customer scope.

In shared-hosted arrangements, customer admins are scoped to their own customer account and do not receive unrestricted administrator visibility into a shared host tenant or unrelated customer records.

ISM operators and support personnel access personal information only on a need-to-know basis to operate the service, provide requested support, investigate misuse or incidents, maintain billing records, or satisfy contractual or legal obligations. Sensitive support or security actions may be logged or reviewed.

When required by applicable law, we rely on one or more of the following bases for processing personal information:

  • Performance of a contract or taking steps requested before providing the service.
  • Legitimate interests in operating, securing, supporting, improving, and billing for Archibot.
  • Consent, where a feature or jurisdiction requires consent.
  • Compliance with legal obligations and lawful requests.

Payment information

Stripe or another payment provider may collect and process payment details during checkout or billing. Archibot stores payment workflow metadata such as customer ids, checkout session ids, billing state, product selections, and transaction status. Archibot does not store full card numbers.

For some international customers, Archibot may rely on invoice, bank transfer, wire, operator approval, or other non-card verification evidence instead of instant self-service payment activation.

Security

We use administrative, technical, and organizational controls intended to protect personal information. These controls include role-based access, SSO and access checks, scoped service credentials, secret-management boundaries, audit records, encrypted transport, least-privilege runtime patterns, and operational review for sensitive support actions.

No online service can guarantee perfect security. Customers should use SSO, strong account controls, scoped provider credentials, and least-privilege workspace permissions.

Retention

We retain personal information for as long as needed to provide services, support customers, maintain billing and accounting records, meet legal obligations, resolve disputes, enforce agreements, and protect the service.

Workspace runtime, Archibot Chat conversation metadata, artifact metadata, credit ledger records, activity or audit records, and billing metadata may be retained for billing, reconciliation, support, security, and audit purposes. Operational logs and support records may have different retention periods based on security, reliability, and contractual needs.

Customer offboarding may include access revocation, export of approved customer metadata, conversations, artifacts, or account records, retention of audit and billing records for a defined period, and scheduled deletion of runtime resources after the applicable retention window.

Customer controls

Depending on your role and your customer agreement, you may be able to:

  • View and update account, tenant, member, onboarding, and workspace information in Console.
  • Invite, disable, or remove customer users.
  • Start, stop, update, or delete workspaces.
  • Manage approved persistent environments, artifact selections, or service-plan requests when those features are enabled for the customer’s plan.
  • Create, rotate, or revoke Archibot Chat API keys when the API product gate is enabled.
  • Export an Archibot Chat account record and delete individual Archibot Chat artifacts when those controls are available.
  • Configure SSO and provider integrations through customer-admin or operator-reviewed workflows.
  • Request onboarding review, quota changes, support actions, export, or offboarding assistance.
  • Request support for access, correction, deletion, export, or restriction of personal information.

Some records must be retained for billing, security, legal, fraud-prevention, or audit reasons.

Privacy rights and requests

Depending on your location, role, and relationship with a customer account, you may have rights to request access, correction, deletion, portability, objection, restriction, or withdrawal of consent for certain personal information.

If you use Archibot through an employer, customer, or other organization, that organization may be the primary controller of your account and workspace information. We may direct requests to that organization when appropriate.

To make a privacy request, contact your customer admin or use the support contact in your customer agreement or Console.

International transfers

Archibot and its service providers may process information in the United States and other locations where we or our providers operate. When required, we use contractual or other lawful transfer mechanisms for cross-border processing.

Children

Archibot is intended for business use. It is not directed to children and should not be used by anyone under 16.

Updates

We may update this policy as the product, providers, legal requirements, or customer agreements change. The “Last updated” date shows when this page was last changed.

Contact

For privacy questions, contact your customer admin or the support contact listed in your Archibot agreement or Console.

Done When

  • Roles, service tiers, data categories, and browser or session handling are explained.
  • Billing, workspace, Archibot Chat, support, and AI data handling are explained.
  • Sharing, retention, offboarding, privacy rights, and contact paths are explained.