Privacy Policy

Version 2026-07-01. Applies to tryathena.dev and the Athena API.

Athena is an engineering-knowledge and product-development platform. This policy explains what personal data we process, why, how long we keep it, and the rights you can exercise directly inside the product. For customer workspaces, the workspace owner is the data controller and Athena acts as a processor on their documented instructions.

What we collect

  • Account data. Email address, display name, avatar, and the sign-in method you chose (GitHub, Google, or email code). We never store a password.
  • Workspace content. Repositories, documents, tasks, chat conversations, and files your organization connects or uploads. This content is isolated per workspace and encrypted at rest.
  • Usage and security records. A tamper-evident audit log of actions (who did what, when, from which IP and browser), request logs, and AI-usage metering (token counts and cost). Audit records are retained for compliance and cannot be edited.

How we use it

To operate the service: authenticate you, answer questions grounded in your workspace knowledge, run the agent workflows you start, send transactional email (invitations, notifications you opted into), meter usage, and keep the platform secure. We do not sell personal data and we do not run third-party advertising or analytics trackers.

AI processing

Prompts assembled from your workspace content are sent to the model providers your organization configures (see the sub-processor list). A data-loss-prevention filter scrubs recognized secrets and sensitive patterns from outbound prompts, and per-workspace redaction rules apply to logs and audit records. Organizations can bring their own provider keys, restrict model routing, or disable AI models entirely from workspace settings.

Cookies and local storage

We use only strictly necessary cookies: the authentication session issued at sign-in. There are no advertising, analytics, or cross-site tracking cookies, which is why the app shows no cookie banner. The browser keeps a small amount of non-personal UI state (such as your active workspace id) in local storage.

Retention and deletion

  • Workspace admins configure retention windows for chat history, task artifacts, and notifications; a nightly job deletes data past the window.
  • Deleting a workspace is two-stage: a 30-day recoverable soft delete, then a permanent purge of database rows and stored files.
  • Deleting your account (Settings, then Profile) locks it immediately and permanently erases your personal data, uploaded files, and sign-in identity after a 30-day grace window. Audit-log entries retain only a pseudonymous identifier, kept to satisfy legal and security obligations.

Your rights

Wherever you are, we extend GDPR-style rights to every user, exercisable in-product without a support ticket:

  • Access and portability - download a machine-readable export of your data from Settings, then Profile.
  • Rectification - edit your display name and avatar from the same page.
  • Erasure - delete your account from the same page.
  • Withdrawal of consent - notification preferences are per-channel opt-outs; integrations and AI features can be disconnected by workspace admins at any time.

For anything not covered by the self-service tools, or to raise a complaint, contact noreply@tryathena.dev. You may also lodge a complaint with your local supervisory authority.

Security

Secrets and integration tokens are encrypted with AES-256-GCM envelope encryption. Every workspace is isolated with row-level security plus explicit per-query tenancy checks. All traffic is TLS. State changes are recorded in an append-only, hash-chained audit log whose integrity can be verified on demand.

Sub-processors and transfers

The current list of third parties that may process customer data, what they receive, and where they run is published at /legal/subprocessors and served by the API at /v1/legal/subprocessors. Where data leaves your region we rely on the providers' standard contractual clauses.

Changes

When this policy changes materially we bump the version above and ask you to re-accept it on your next sign-in. Your acceptance history is included in your data export.

Privacy Policy - Athena