Privacy policy

How FOP Florin Boneta (Commands.io) handles personal and service data: Google storage, OpenAI and Anthropic Claude, integrations, Policies on every plan.

Updated: June 11, 2026

1. Controller

FOP Florin Boneta, 4 Richkova St, Kyiv, 04073, Ukraine. General: contact@commands.io. Legal & personal data: contact@legal.commands.io. Reports: report@legal.commands.io. Website: https://commands.io.

We determine purposes for account and platform data. Google, OpenAI, Anthropic, LiqPay, and integrations you connect also process data under their own terms.

2. Policies included in every plan

Every plan (including free tier and trials) includes the Policies module in the console: you can define allowed domains, tools, call limits, blocked actions, and other guardrails for your flows, gateway, and automations.

These policies are enforced when your requests run on the platform. They do not replace this Privacy Policy, but help you control what your teams and products may do.

Separate privacy terms and usage policies of third-party AI providers (OpenAI, Anthropic, etc.) also apply to content you send for model processing.

3. Data we collect

Account: email, Firebase UID, profile settings, locale, workspace roles, plan settings.

Content & config: flows, prompts, documentation, chatbots, studio assets, Policies, API keys (hashed/prefix only), webhooks, run logs, Contacts hub, lead forms.

Integration data: OAuth tokens, BYOK API keys, third-party account IDs, payloads sent to CRM, email, social, webhooks via Flow/Studio.

Technical & metering: IP, user-agent, timestamps, session IDs, token/request counts, errors — security, billing, support, trial fraud prevention.

Payments: LiqPay metadata (amount, currency, status, ID); no full card numbers on our servers.

Support: ticket content, email correspondence, attachments you send.

4. Google storage and infrastructure

Commands.io runs primarily on Google services (Firebase / Google Cloud). A large share of your data is stored and processed on Google servers under their terms and processing regions.

Typically stored in Google: accounts and profiles (Firebase Authentication), Firestore documents (settings, flows, hashed API keys, usage logs, studio content, policies, subscriptions, etc.), files in Firebase Storage where used, server logic in Cloud Functions, and static web hosting via Firebase Hosting.

API request logs, session metadata, IP addresses, and technical events may be recorded for security, metering, and support.

We do not sell your data to Google; Google acts as an infrastructure processor under Google Cloud / Firebase agreements.

5. OpenAI and Anthropic (Claude) request processing

When you use the AI gateway, prompt builder, flows, chatbots, studio tools, or other LLM features, your requests (prompts, messages, context, supported attachments) are sent from our infrastructure to the model provider you select.

OpenAI: models such as GPT-4o / GPT-4o-mini and others available on your plan are processed via the OpenAI API under OpenAI's privacy policy and terms (https://openai.com/policies).

Anthropic: Claude models (e.g. Claude 3.5 / Claude 4 families), when enabled in your model router, are processed via the Anthropic API under their legal terms (https://www.anthropic.com/legal).

We transmit only what is required to fulfill your request (prompt, session history per settings, system instructions, documentation context). Model outputs may be stored in Firestore (run logs, chatbot history, saved drafts) for your account.

Do not submit special-category personal data or secrets through the service unless your compliance program allows it; you are responsible for the lawfulness of content sent to models.

Model routing, token limits, and platform Policies may restrict which providers and models your workspace can use.

6. Typical request flow

1) Your client (web console) sends a request to Commands.io (commands.io).

2) The request is authenticated; your Policies and plan limits apply; the event may be logged in Google Firestore.

3) If a model is needed, the request is forwarded to OpenAI or Anthropic; the response returns to you and may be stored in Google for history and metering.

4) Payments, when applicable, are handled by LiqPay or another provider; we do not store full card numbers.

7. Integrations & recipients

When you connect an integration, data is sent per your configuration. Categories: /legal/integrations.

Google — infrastructure. OpenAI, Anthropic — LLM requests. LiqPay — payments. CRM, email, social, webhooks — only if you enable and trigger them.

We do not sell personal data to advertisers.

8. Purpose

Operate SaaS; run AI requests; enforce Policies; meter usage; payments and refunds; integrations you request; security; product improvement; legal compliance; service communications.

9. Legal basis

Contract (offer, terms), legitimate interest (security, trial fraud prevention), consent where required (marketing, certain cookies if used).

10. International transfers

Google, OpenAI, Anthropic, and many integrations may process data in the US and other countries under standard contractual terms. You acknowledge this for features you enable.

11. Retention

Account data while active; after deletion — removal or anonymization within a reasonable period (typically up to 90 days for ops logs, up to 3 years for financial metadata if required).

Deleted console content may persist briefly in Google backups.

12. Cookies & analytics

Necessary cookies/local storage for Firebase auth, locale, and session security.

Aggregated marketing analytics may be used without identifying individuals where enabled.

reCAPTCHA (Google) on forms — Google's policy applies.

13. Security

Restricted production access; API keys not stored in plain text; HTTPS; Firestore rules scope by userId/workspace.

14. Children

Not intended for users under 16. Contact contact@legal.commands.io if a child provided data without parental consent — we will delete it.

15. Your rights

Access, rectification, erasure, restriction, portability, objection — contact@legal.commands.io. We respond per Ukrainian law and GDPR where applicable.

Complaints to your local data protection authority.

Account deletion does not erase data already sent to OpenAI/Anthropic/integrations — contact those providers too.