Privacy Policy
Effective June 22, 2026
act101, LLC ("act101", "we", "us") operates the act command-line interface and the act101.ai website. This policy explains what data we collect, why, and how we protect it.
1. Your Source Code Stays on Your Machine
The act CLI processes your code locally. We do not transmit, collect, or store your source code, file contents, project structure, or repository data. Your code never leaves your machine in the ordinary course of using the Software.
2. Leaderboard & Online Scanner Data
The canonical rule: act101 NEVER ships your code off-site. We ship only opt-in usage metrics. The single exception to "your code stays on your machine" is the opt-in public surface below — and it holds aggregate counters, never code.
For the act101 online scanner (GitHub Action) and the act101 leaderboards, we hold exactly the following, and nothing else:
- Public-repo health scores — the published overall + category scores from a full-repo scan of a public repository, its non-blank line count, and its language mix. These power the repo badge and the "Most Improved" leaderboard. Private-repo scores are never stored. Diff-scoped (PR) scores are never stored. Any repository can opt out with the workflow input
arena: false, which excludes it from boards entirely (its own score-history chart is unaffected). - Opt-in usage counters — when you opt in at
actCLI onboarding, the CLI uploads aggregate counters only: tokens saved (a measured counterfactual, see How we measure), operation and grammar names (product vocabulary, not your data), and per-week totals. Never source code, file paths, project hashes, per-project breakdowns, or repository contents. Raw operation records stay on your machine; only the aggregated payload is uploaded. - GitHub handle — the enrolled handle under which opt-in usage counters are ranked on the leaderboard.
- Email address — from the GitHub OAuth
user:emailscope, disclosed at enrollment, used solely for leaderboard nurture emails (milestones, streaks, achievements) at a maximum of one per day, with one-click unsubscribe.
Why: the leaderboard is a "receipts, not vibes" surface — instrumented, signed, third-party proof of AI-assisted development. The data held is the minimum required to publish a rank and a profile, and it is published only for enrolled users and board-eligible public repos. Read paths serve from precomputed cache; viral traffic never touches the ingestion path.
Leave at any time. Deleting ~/.act/arena.json stops further uploads. DELETE /api/arena/me (linked from your profile page) deletes your account, your usage-counter rows, and your achievements — a clean exit that removes your profile and its sitemap entry at the next nightly rebuild. arena: false removes a public repo from boards without affecting its own badge or score history.
3. What We Do Collect
We collect the minimum data necessary to operate the licensing and payment system:
- License validation: your license key, a machine fingerprint derived from stable hardware identifiers, the Software version, operating system, and architecture. This data is sent to our licensing provider (Keygen.sh) when you activate a license and during periodic revalidation (every 7 days for paid tiers).
- Payment processing: when you purchase a license through our website, payment is handled by Paddle.com, our merchant of record. Paddle collects your name, email, billing address, and payment method. We do not directly handle or store your payment card details.
- Website analytics: we may collect anonymous, aggregate page-visit data. We do not use tracking cookies or third-party advertising trackers.
- Support communications: if you email us, we retain the correspondence to provide support.
4. What We Do Not Collect
- Source code, file contents, or project data
- Keystrokes, clipboard contents, or editor state
- Names or contents of files on your machine
- Browsing history or activity outside of act101.ai
- Data from other applications on your machine
5. How We Use Your Data
- License validation and enforcement
- Payment processing and subscription management
- Responding to support requests
- Improving the Software (using only aggregate, anonymized usage statistics if you opt in)
6. Third-Party Processors
- Keygen.sh — license management and validation
- Paddle.com — payment processing (merchant of record)
- Cloudflare — website hosting and CDN
- Google Workspace — business email
Each processor handles data under their own privacy policies and applicable data-protection agreements.
7. Data Retention
License validation data is retained for the duration of your subscription plus 30 days. Payment records are retained as required by tax and accounting regulations. Support correspondence is retained for up to 3 years. You may request deletion of your data at any time by emailing info@act101.ai.
8. Your Rights
You may request access to, correction of, or deletion of your personal data by contacting us at info@act101.ai. We will respond within 30 days. If you are located in the European Economic Area, the United Kingdom, or California, you have additional rights under the GDPR, UK GDPR, or CCPA respectively — contact us and we will honor them.
9. Children
The Software is not directed at children under 16. We do not knowingly collect personal data from children under 16.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be noted on this page with an updated effective date. Continued use of the Software after changes constitutes acceptance.
11. Contact
Questions about this policy may be sent to info@act101.ai.