Legal
Privacy notice
Last updated: 29 April 2026
1. Who we are
Fulcrum Code is operated by RG Consulting Pty Ltd (ABN to be confirmed), an Australian-registered private company. We provide a commercial coding agent under the brand fulcrumcode.app and through the fulcrum command-line tool.
This notice describes how we handle personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. What we collect and why
Account data
- Email address — required to sign in via magic-link authentication. Without it, we cannot identify your account or send you billing receipts.
- Stripe customer ID + billing address — created the first time you start a paid subscription. Required for invoicing, GST collection, and dispute handling.
- Subscription tier and status — needed to enforce monthly token caps and route you to the correct plan's shared API key pool.
Usage data
- Token usage events — for each chat completion, we record the model used, the input/output token counts, the timestamp, and a status code. We use this to enforce monthly caps and bill correctly.
- CLI session metadata — when you sign in via the terminal, we store a session token, a label (typically your machine's hostname), the issued + last-seen timestamps, and a revocation flag. You can list and revoke sessions from /account.
- Server logs — Vercel records IP address, HTTP path, status code, and User-Agent for every request. Logs are retained for the standard Vercel retention period.
What we do NOT collect
- The contents of your code or your prompts. The CLI talks directly to scx.ai for inference — we never receive, log, or store the text of your conversations with the agent.
- The output of any tool call. File reads, shell output, web fetches, etc. all stay on your machine.
- Your scx.ai API key in plaintext. We hold an encrypted (AES-256-GCM) reference; the plaintext lives only in your operating-system keychain.
3. How we collect it
- Directly from you when you create an account, start a subscription, or open a CLI session.
- Automatically through the CLI's background usage reporter, which posts your token counts to fulcrumcode.app/api/v1/usage approximately every 30 seconds while you're running fulcrum.
- From third parties: Stripe (payment status), scx.ai (model-name and token-count metadata for billing reconciliation).
4. Where it lives
- Database (account, sessions, usage events): Neon PostgreSQL, hosted in Sydney, Australia (AWS ap-southeast-2).
- Inference: scx.ai, hosted in Australia. Neither your prompts nor your code leave Australian infrastructure.
- Payments: Stripe Inc. (United States). Stripe holds your credit-card details directly — we never see them. Stripe complies with the EU Standard Contractual Clauses and APP 8 cross-border disclosure standards.
- Email delivery: MailerSend (European servers). Used only for transactional emails (sign-in links, billing receipts). We do not run marketing campaigns.
5. Disclosure to overseas recipients (APP 8)
Personal information is disclosed to the following overseas recipients, in accordance with APP 8.2:
- Stripe Inc. (United States) — for payment processing. Required to operate the subscription. The recipient country's laws may not provide protections substantially similar to the APPs; we have taken reasonable steps under APP 8.1 by contracting only with PCI-DSS Level 1 certified payment processors.
- MailerSend (European Union) — for transactional email. The EU has been recognised as a comparable privacy jurisdiction for this purpose.
- Vercel Inc. (United States) — for web hosting and operational logs. Edge servers may be in other regions.
6. Cookies and similar technologies
- Authentication cookie (__Secure-authjs.session-token) — set after you sign in; required for the website to know you're logged in. Strict same-site, HTTP-only, secure.
- CSRF token cookie — set during the magic-link request; protects against cross-site request forgery on the sign-in form.
We don't use third-party advertising, marketing, or analytics cookies.
7. Access, correction, and deletion
You may at any time:
- Access your account data — see your subscription, sessions, and current month's usage at /account.
- Correct your data — update your billing email or cancel your subscription via Stripe's billing portal (linked from your account page).
- Delete your account — email privacy@fulcrumcode.app and we will remove your account and associated personal information within 30 days, subject to retention requirements under Australian tax and corporate law (typically 7 years for invoice records).
8. Data security
- All web traffic is TLS-encrypted with HSTS preloading.
- scx.ai API keys are encrypted at rest with AES-256-GCM using a master key held only in environment variables.
- Authentication uses single-use magic-link tokens with a 24-hour TTL and a confirmation interstitial that resists corporate email-gateway pre-fetch attacks.
9. Data breach notification
If a data breach occurs that is likely to result in serious harm to affected individuals, we will notify you and the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act).
10. Complaints
If you believe we have handled your personal information in breach of the APPs, please email privacy@fulcrumcode.app. We will respond within 30 days.
If you are dissatisfied with our response, you may make a complaint directly to the OAIC at oaic.gov.au/privacy/privacy-complaints.
11. Changes to this notice
We may update this notice from time to time. Material changes will be communicated to all account holders by email at least 30 days before they take effect.
Questions: privacy@fulcrumcode.app