privacy
Privacy Policy
Last updated: February 5, 2026
This Privacy Policy describes how Token Fabrics LLC ("Token Fabrics," "we," "us," or "our"), based in San Diego, California, handles your information when you use our products and services.
This policy covers:
- The Big-AGI website at big-agi.com
- The Big-AGI application at app.big-agi.com, including cloud-hosted and managed instances
Big-AGI is built on a local-first architecture. Your data - conversations, preferences, configurations - is stored in your browser by default. Cloud sync is optional and requires authentication. Big-AGI is also open source, so you can audit our code and self-host the entire platform, bypassing our servers entirely.
When you bring your own API keys to connect to AI providers, you establish a direct relationship with those providers. We act as a technical conduit - not a data warehouse.
Information We Collect
Account Information
When you create an account on the Big-AGI application, we collect your email address (via Google sign-in or magic link authentication), profile information such as display name and profile picture if provided through Google OAuth, and authentication tokens to manage your sessions. We use Loops.so for magic link email delivery and Google OAuth for social sign-in. Applies to authenticated app users.
User Content
Big-AGI stores your content - chat conversations, AI personas, file attachments, and preferences - primarily in your browser's local storage (IndexedDB). This data does not leave your device unless you enable cloud sync (which stores your data on our servers via Supabase for multi-device access), you publish or share a conversation via a unique link, or you send messages to AI providers through the app (see "AI Service Providers" below). Incognito mode conversations are stored only in memory and are never persisted to disk or synced to any server. Applies to app users.
Device and Technical Data
We automatically collect certain technical information when you use our website or application, including IP address, browser type, operating system, screen resolution, device identifiers (used for multi-device sync in the app), referral URLs, pages visited, and session timestamps.
Analytics Data
We use analytics tools to understand how people use Big-AGI and to improve the platform. Details on each tool, including how to opt out, are in the Cookies and Tracking Technologies section below.
Billing Information
Payments are processed by Stripe, which is PCI-DSS Level 1 certified. We never store your credit card number, bank account details, or full payment information on our servers. We receive from Stripe only your subscription status, plan type, billing period, billing email address, and transaction identifiers. Applies to subscribers of Big-AGI's paid plans.
API Keys
Big-AGI operates on a Bring Your Own Key (BYOK) model. You may provide your own API keys for AI services such as OpenAI, Anthropic, Google, and others. These keys are stored locally in your browser's localStorage. When requests are routed through our servers, your keys may be present in transit but are never logged, stored, or used beyond fulfilling your request. We recommend rotating your keys periodically and avoiding use on shared or public devices. Applies to app users.
How We Use Your Information
We use the information we collect to provide and operate Big-AGI (authenticate sessions, sync data across your devices, process your requests), improve the platform (understand usage patterns, identify bugs, optimize performance through analytics), process payments (manage subscriptions and billing through Stripe), communicate with you (transactional emails and, where you have opted in, product updates), maintain security (detect and prevent fraud, abuse, and unauthorized access), and comply with legal obligations (respond to lawful requests, enforce our Terms of Service).
We do not sell your personal data. We do not use your conversations or content to train AI models. We do not share your information with third parties for their own marketing purposes.
Information Sharing and Third Parties
AI and Third-Party Service Providers
Applies to app users.
When you use Big-AGI, your prompts, conversation history, attachments, and related content may be sent to third-party services you select and configure. Big-AGI operates on a Bring Your Own Key model: you provide your own API keys, and each service is activated only when you configure it. We act as a technical conduit and do not control how these providers process, store, or use your data.
Big-AGI integrates with a broad and growing set of providers, including but not limited to:
- AI model providers: Alibaba Cloud, Anthropic, Azure OpenAI, Deepseek, Google Gemini, Mistral, Moonshot AI, OpenAI, OpenPipe, xAI
- AI platforms and aggregators: Chutes AI, Fireworks AI, Groq, OpenRouter, Perplexity, Together AI
- Voice and speech services: ElevenLabs, Inworld
- Local and self-hosted: LocalAI, LM Studio, Ollama, and any OpenAI-compatible server - these keep data on your own infrastructure
This list is not exhaustive. We regularly add support for new providers and services. When you connect a service through Big-AGI, you have a direct contractual relationship with that provider, and their terms of service and privacy policy govern their handling of your data. We strongly encourage you to review each provider's policies before use.
Analytics and Advertising Partners
We use the following analytics services to measure usage and improve our products:
- Google Analytics 4 - website usage analytics. Privacy Policy. Opt out.
- PostHog - product analytics, heatmaps, and session replay. PostHog requests are proxied through our domain for reliability. Privacy Policy.
- Meta Pixel - advertising effectiveness measurement. Privacy Policy. Manage preferences.
- Vercel Analytics - aggregate website performance metrics. Privacy Policy.
See the Cookies and Tracking Technologies section for details on managing these.
Infrastructure and Service Providers
We use the following providers to operate Big-AGI:
- Vercel - hosting, CDN, and edge functions for both the website and application
- Supabase - cloud database for optional data sync and authentication (app only). Data is hosted in the United States.
- Stripe - payment processing for subscriptions (app only). Stripe is PCI-DSS Level 1 certified.
- Loops.so - magic link email delivery for passwordless authentication (app only)
These providers process data on our behalf and are bound by their respective data processing terms.
When We May Disclose Information
We may share your information to comply with applicable laws, regulations, or legal processes; to protect the rights, safety, or property of Token Fabrics, our users, or the public; in connection with a merger, acquisition, or sale of assets (with notice to affected users); or when you explicitly direct us to share information.
Data Storage and Security
Big-AGI follows a local-first design. By default, your conversations, personas, and preferences are stored in your browser's IndexedDB and localStorage - they do not leave your device.
If you opt into cloud sync, your data is encrypted in transit (TLS 1.2+) and at rest, and stored in Supabase PostgreSQL databases hosted in the United States. Server-side access controls, including Row Level Security (RLS), ensure that only you can access your data. Each user's data is isolated at the database level.
Self-hosting is always an option. Big-AGI is open source under the MIT License. When you self-host, we have zero access to your data.
Payment data is handled entirely by Stripe in PCI-DSS compliant infrastructure. We never store or process card details.
We take reasonable measures to protect your information, including encryption in transit, access controls, and regular security practices. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law.
Data Retention
| Data Type | Retention Period |
|---|---|
| Local browser/app data data (IndexedDB, localStorage) | Until you clear it or uninstall your browser |
| Account information | Duration of your account, plus 90 days after deletion |
| Cloud-synced content | Duration of your account; 6 months after Pro cancellation; deleted within 90 days of account deletion |
| Published/shared content | Expires after 90 days by default unless extended by the creator |
| Billing and payment records | 7 years (tax and legal requirements) |
| Analytics data | Per each provider's retention policy (typically 14–26 months) |
| Server and infrastructure logs | 30 days |
When you delete content in the app, it is immediately removed from view. Due to the distributed sync architecture, deletion markers (tombstones) are retained for up to 90 days to ensure the deletion propagates across all your devices, after which data is permanently purged.
We acknowledge deletion requests within 30 days and complete deletion within 90 days due to sync propagation requirements across devices. Billing records are retained where required by law (such as for tax compliance).
Your Privacy Rights
For EEA, UK, and Swiss Residents (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Access - request a copy of the personal data we hold about you
- Rectification - request correction of inaccurate or incomplete data
- Erasure - request deletion of your personal data ("right to be forgotten")
- Restriction - request that we limit how we process your data
- Portability - request your data in a structured, machine-readable format
- Object - object to processing based on legitimate interests, including profiling
- Withdraw consent - where processing is based on consent, withdraw it at any time
- Lodge a complaint - file a complaint with your local data protection authority
Legal bases for processing: We process your data based on: (a) contract performance - to provide the Big-AGI service you signed up for; (b) legitimate interests - to improve our products, ensure security, and prevent fraud; and (c) consent - for analytics and marketing communications, which you can withdraw at any time.
For California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know - request the categories and specific pieces of personal information we have collected
- Right to Delete - request deletion of your personal information
- Right to Opt-Out of Sale - we do not sell your personal information
- Right to Non-Discrimination - we will not discriminate against you for exercising your privacy rights
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA. You may designate an authorized agent to make privacy requests on your behalf by contacting us with signed written authorization.
Exercising Your Rights
To exercise any privacy right, contact us at hello@big-agi.com. We will respond within 30 days. We may need to verify your identity before processing your request.
You can also manage much of your data directly within the Big-AGI application - view and export your conversations, delete individual conversations and personas, disable cloud sync to keep data local, or use Incognito mode for conversations that are never stored. If you self-host Big-AGI, you have complete control over all data and do not need to contact us.
Children's Privacy
Big-AGI is not directed at children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children under these ages. If we learn that we have collected data from a child below the applicable age, we will take steps to delete it promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@big-agi.com.
Cookies and Tracking Technologies
We use the following technologies on our website and application:
| Technology | Purpose | Type |
|---|---|---|
| Vercel Analytics | Aggregate site performance metrics | First-party; always active |
| Google Analytics 4 | Website and app usage analytics | Third-party cookies |
| PostHog | Product analytics, heatmaps, error tracking | First-party (proxied through our domain) |
| Meta Pixel | Advertising effectiveness measurement | Third-party cookies |
| Session cookies | Authentication and session management | First-party; essential |
Google Analytics 4, PostHog, and Meta Pixel are loaded conditionally based on our configuration. You can manage
tracking through your browser settings and the provider-specific opt-out tools listed below. PostHog requests are
routed through our own domain (/t/* path) to improve reliability and reduce third-party network dependencies.
This proxying does not change what data PostHog collects or how it is processed.
Managing cookies and tracking: Most browsers allow you to control or block cookies through their settings. You can opt out of Google Analytics using Google's browser add-on and manage Meta ad preferences at facebook.com/adpreferences. Blocking cookies may affect certain features of the application.
Do Not Track: We do not currently respond to browser Do Not Track (DNT) signals.
Local storage: In addition to cookies, we use browser localStorage and IndexedDB to store application data, preferences, and configurations. This data remains on your device and is not transmitted to our servers unless you enable cloud sync.
International Data Transfers
Token Fabrics LLC is based in the United States. Our infrastructure providers - including Vercel, Supabase, and Stripe - primarily process data in the United States. If you are located outside the United States, your information may be transferred to and processed in the US or other countries where our service providers operate.
Where required by applicable law, we rely on Standard Contractual Clauses (SCCs) and other approved transfer mechanisms to ensure appropriate safeguards are in place for international data transfers.
If data residency is a concern, Big-AGI can be self-hosted in the jurisdiction of your choice, giving you complete control over where your data is stored and processed.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will notify you through the application, by email, or by posting a prominent notice on our website prior to the change taking effect.
The "Last updated" date at the top of this page indicates when this policy was most recently revised. We encourage you to review this policy periodically. Previous versions of this policy are available upon request.
Contact Us
If you have questions about this Privacy Policy or want to exercise your privacy rights, contact us:
Token Fabrics LLC San Diego, California, United States
Email: hello@big-agi.com
We aim to respond to all privacy-related inquiries within 30 days.
BIG-AGI
Resources