Phrony

Privacy Policy

Phrony Labs BV  |  KvK 42039600

Last updated: June 2026

1. Who we are

Phrony Labs BV ("Phrony", "we", "our") is the data controller for personal data collected through our website (phrony.com) and for the limited personal data we hold to manage licensed-software and Enterprise relationships. Phrony Labs BV is registered in the Netherlands under KvK number 42039600.

Contact: compliance@phrony.com

2. The short version

Phrony is an open specification and a self-hosted runtime. The software runs on infrastructure that you control. We do not see your Agents, your traces, or any data your Agents process. The only personal data we hold is what you give us through the website and what we need to manage a software or Enterprise relationship with you. We do not sell personal data, and we do not use anyone's data to train AI models.

3. What we collect

Website visitors

  • Contact details you provide (name, email, company) when you request a demo, subscribe to updates, or contact us.
  • Technical data: IP address, browser type, device type, pages visited, referral source.
  • Cookie data: essential and analytics cookies, as described in section 8.

Licensed-software and Enterprise contacts

  • Account and relationship data for license management and Enterprise engagements: name, email, organisation, and role of the individuals we deal with.
  • Billing and contractual records for Enterprise customers, processed through our payment and accounting providers.

What we do not collect

We do not collect, access, or receive any data from your self-hosted Runtime. Your Agents, their execution traces, and any personal data they process stay entirely on your infrastructure. We have no technical means of seeing them.

4. How we use it

  • To operate the website and respond to enquiries (legal basis: legitimate interest, GDPR Article 6(1)(f), and steps prior to contract, Article 6(1)(b)).
  • To manage software licenses and Enterprise relationships, including support (legal basis: performance of contract, Article 6(1)(b)).
  • For billing, invoicing, and statutory accounting (legal basis: legal obligation, Article 6(1)(c), and performance of contract).
  • For product and website analytics in aggregate (legal basis: legitimate interest, Article 6(1)(f)).
  • For marketing communications, only with consent (legal basis: consent, Article 6(1)(a)).

We do not sell personal data. We do not use customer or visitor data to train AI models.

5. Self-hosted deployments

For self-hosted use of the Runtime, Phrony is neither a data controller nor a data processor of the data your Agents handle. You are the controller and, as applicable, the processor for all data processed on your own infrastructure. Phrony has no access to it. The only personal data Phrony holds in connection with self-hosted use is the contact and license-management data described in section 3.

6. Enterprise processing

Where an Enterprise engagement involves Phrony processing personal data on your behalf (for example, in a managed deployment), Phrony acts as a data processor under GDPR Article 28, governed by a separate Data Processing Agreement. We process that data only on your documented instructions and only to provide the agreed service. The current list of sub-processors used in any such engagement is provided as part of the Data Processing Agreement, and you are notified of changes with a minimum 14-day notice period and a right to object on compliance grounds.

7. International transfers

Phrony is based in the Netherlands (EU) and aims to keep personal data within the European Economic Area. Where personal data we control is transferred outside the EEA, we rely on the EU-US Data Privacy Framework (where the recipient is certified) or on Standard Contractual Clauses approved by the European Commission. Note that for self-hosted use, any transfer of data your Agents process, including calls to LLM providers, is determined and controlled by you, not by Phrony.

8. Cookies

The website uses essential cookies (required to function, no consent needed) and analytics cookies (consent required). You can manage analytics cookies through the cookie banner or your browser settings.

9. Retention

  • Website enquiry and contact data: kept while the enquiry is active and for a reasonable follow-up period, then deleted.
  • License and Enterprise relationship data: kept for the duration of the relationship plus 12 months after it ends.
  • Billing records: 7 years (Dutch tax-law requirement).
  • Marketing data: until consent is withdrawn.

Self-hosted customers control their own data retention entirely. Phrony retains nothing from self-hosted deployments.

10. Your rights

Under the GDPR you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21), and the right to withdraw consent at any time for consent-based processing. To exercise any of these, contact compliance@phrony.com. We will respond within 30 days.

11. Security

For the data we do hold, we apply appropriate technical and organisational measures, including encryption in transit (TLS) and at rest, role-based access control, an encrypted secrets vault for any credentials we manage, and regular security assessments. Because self-hosted deployments run on your infrastructure, the security of the data your Agents process is your responsibility.

12. Complaints and contact

For any question or concern about our data practices, contact compliance@phrony.com. Phrony Labs BV, the Netherlands.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

13. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via the website or by email. The "Last updated" date above indicates the most recent revision.