Privacy Policy
Last updated: May 2026
Introduction
Reins is a spend governance platform for AI agents. We help teams monitor, control, and audit the API calls their agents make. This privacy policy explains what data we collect, why we collect it, and what we do with it.
This policy covers data processed by Reins (the platform at reins-rh6x.polsia.app and its API). It does not cover third-party services you connect to Reins, or the AI vendors your agents call through us. Those services have their own privacy policies.
Plain language promise: We wrote this to be read, not to be skimmed past. If something is unclear, email us at reins@polsia.app and we will clarify it.
Information We Collect
Account Information
When you sign up, we collect:
- Your name and email address
- Your company or organization name
- A password (stored hashed, never in plaintext)
Usage Data
When your agents make API calls through Reins, we collect transaction metadata:
- Transaction amounts and currencies
- Vendor names (which AI provider was called)
- Agent identifiers (which agent made the call)
- Timestamps and request durations
- Policy actions taken (throttled, blocked, allowed)
What we do NOT collect: We do not read, store, or inspect the content of your AI requests or responses. We see metadata only — amounts, vendors, timestamps. Your prompts and completions never pass through our systems.
Technical Data
When you use the Reins dashboard or API, we automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
Communication Data
If you contact us via email or support channels, we retain:
- The content of your messages
- Your email address and any attachments
- Our responses to you
How We Use Information
We use the data we collect to:
- Provide and maintain the service — process transactions, enforce spend policies, generate dashboards and reports.
- Enforce spend policies — evaluate your configured rules against real-time transaction data.
- Generate audit logs — create immutable records of every transaction and policy action for your compliance needs.
- Send service-related notifications — alert you when spend thresholds are hit, policies trigger, or your account requires attention.
- Improve our product — understand how teams use Reins so we can build better features. We use aggregate, anonymized usage patterns — never individual transaction data.
- Respond to support requests — help you when something breaks or you have questions.
We do NOT sell your data. Not to advertisers, not to data brokers, not to anyone. Your transaction data is yours. We are a SaaS business — we make money from subscriptions, not from selling data about you.
Data Sharing
We share data only in these specific circumstances:
Vendors You Connect
When you configure an integration with an AI vendor (OpenAI, Anthropic, etc.), the metadata needed to enforce your policies flows through that connection. You explicitly choose which vendors to connect — we never share data with vendors you haven't authorized.
Sub-processors
We use a small number of infrastructure providers to run Reins:
| Provider | Purpose | Data Types |
|---|---|---|
| Render | Application hosting | All application data (encrypted at rest) |
| Neon | Database hosting | All stored data (encrypted at rest) |
| Stripe | Payment processing | Billing info, payment method details |
| Postmark | Transactional email | Email addresses, notification content |
Legal Requests
We will disclose data if required by law — specifically in response to valid subpoenas, court orders, or other legally binding requests. We will notify you before disclosure unless legally prohibited from doing so.
What We Never Do
- We do not share data with advertising networks
- We do not sell data to data brokers
- We do not use your transaction data to train AI models
- We do not share data with other Reins customers
Data Retention
We retain data for as long as it serves a clear purpose. Here are our standard retention periods:
| Data Type | Retention Period |
|---|---|
| Transaction logs | 12 months (standard), configurable per account |
| Audit logs | 12 months |
| Account data | Duration of account + 90 days post-deletion |
| Support emails | 2 years |
| Technical logs (IP, browser) | 90 days |
After the retention period, data is permanently deleted. We do not archive it "just in case." If you need longer retention for compliance, contact us — we can extend retention periods on a per-account basis.
Your Rights
Regardless of where you are located, you have the following rights over your data:
- Right to access — Request a copy of all data we hold about you. We will provide it in a structured, machine-readable format within 30 days.
- Right to correct — If any data we hold about you is inaccurate, tell us and we will fix it.
- Right to delete — Request deletion of your account and all associated data. Email reins@polsia.app with the subject "Deletion Request." We will process it within 30 days and confirm when complete.
- Right to data portability — Request an export of your data in a standard format (JSON or CSV). Available through the dashboard or by email request.
- Right to opt out — Opt out of non-essential data processing (analytics, product improvement). Email us to opt out.
- Right to lodge a complaint — If you believe we are handling your data improperly, you can lodge a complaint with your local data protection authority.
For EU/EEA residents, these rights are guaranteed under the General Data Protection Regulation (GDPR). For California residents, the California Consumer Privacy Act (CCPA) provides similar protections. We honor these rights for all users regardless of location.
Security
We take the security of your data seriously. Our measures include:
- Encryption in transit — All data transmitted to and from Reins uses TLS 1.2+ encryption.
- Encryption at rest — All stored data is encrypted using AES-256.
- Access controls — Internal access to production data is restricted to a minimal set of personnel, with audit logging on all access.
- API key security — All API keys are hashed before storage. We never store or display your full API key after creation.
- Password security — Passwords are hashed using bcrypt with high work factors. We never store plaintext passwords.
- Regular audits — We review our security practices and access controls regularly.
Breach Notification
In the unlikely event of a data breach that affects your personal data, we will:
- Notify affected users within 72 hours of discovering the breach (per GDPR requirements)
- Describe what data was affected and what we are doing about it
- Report to the relevant supervisory authority where required
- Provide clear guidance on any steps you should take
Cookies & Tracking
We use cookies minimally and transparently:
Essential Cookies (Required)
- Session cookie — Keeps you logged in. Expires when you close your browser or after 7 days of inactivity.
- Authentication token — Validates your identity on API requests. Stored securely in httpOnly cookies.
What We Do NOT Use
- No third-party analytics cookies (no Google Analytics, no Mixpanel)
- No advertising cookies or tracking pixels
- No cross-site tracking
- No fingerprinting
How to Disable Cookies
You can disable cookies in your browser settings. Note that disabling essential cookies will prevent you from logging in to Reins. Since we only use essential cookies, there are no "preferences" to manage — it is all-or-nothing.
International Transfers
Reins infrastructure is hosted in the United States. If you are located outside the US (including the EU/EEA or UK), your data is transferred to and processed in the US.
We protect international transfers through:
- Standard Contractual Clauses (SCCs) — Our sub-processors use EU-approved SCCs for data transfers outside the EEA.
- Encryption — Data is encrypted in transit and at rest regardless of location.
- Access controls — The same strict access controls apply regardless of where data is processed.
If the European Commission issues an adequacy decision for our hosting jurisdiction, we will rely on that as an additional safeguard.
Children's Privacy
Reins is a business tool designed for professional use. It is not intended for users under 16 years of age. We do not knowingly collect data from children under 16.
If you believe a child under 16 has created an account, contact us at reins@polsia.app and we will delete the account and all associated data immediately.
Changes to This Policy
We may update this privacy policy from time to time. When we do:
- Material changes — We will email all active users at least 30 days before the change takes effect. The email will clearly describe what is changing and why.
- Minor changes — Typo fixes, formatting updates, or clarifications that do not change the substance of the policy will be updated in place with a new "Last updated" date.
The "Last updated" date at the top of this page always reflects the most recent revision. Previous versions are available by request.
Contact
Questions, concerns, or requests about your data? Reach us at:
- Email: reins@polsia.app
- Data Protection Officer: Nikita Dmitrieff — reins@polsia.app
- Subject line: Include "Privacy" in your subject for faster routing
For EU/EEA residents, you may also contact your local supervisory authority if you believe your data protection rights have been violated. A list of EU data protection authorities is available at edpb.europa.eu.
We aim to respond to all privacy-related inquiries within 5 business days and to fulfill data requests within 30 days.