Version 1.0. Effective 2026-04-28.

Legal

This page contains the four documents that govern your use of the Antifragile Labs Service during beta:

  • Beta Service Agreement — the master contract.
  • Privacy Policy — how we process personal data under GDPR.
  • Data Processing Agreement — Article 28 processor terms.
  • BYOK Addendum — how we handle your provider API keys.

Questions on any of the below: [email protected].

Beta Service Agreement

This Beta Service Agreement ("Agreement") is entered into between Antifragile Labs ("AL", "we", "us") and the entity or individual identified in the order or registration form ("Customer", "you").

1. Introduction

Antifragile Labs operates an AI-powered agency operating system (the "Service") that orchestrates marketing and content workflows. The Service is currently offered as beta software. Features may change, break, or be removed at any time. The Service is not intended for production-critical workloads and is provided without any warranty of fitness for a particular purpose.

2. Definitions

  • Service — the Antifragile Labs hosted platform, including dashboard, agents, skills, daemons, and APIs.
  • Customer — the legal entity or individual that accepts this Agreement and uses the Service.
  • Beta — the pre-general-availability phase during which the Service is offered for evaluation and early use.
  • BYOK — Bring Your Own Key; the model under which Customer provides API credentials for third-party providers (OpenAI, Anthropic, Meta, Perplexity, etc.) used by the Service.
  • Output — content generated by the Service in response to Customer instructions, including text, images, video, and structured data.
  • Personal Data — any information relating to an identified or identifiable natural person, as defined in Regulation (EU) 2016/679 ("GDPR").

3. License

Subject to this Agreement, AL grants Customer a revocable, non-transferable, non-exclusive license to access and use the Service during the beta period for Customer's internal business purposes. The license terminates automatically when the beta period ends or when this Agreement is terminated.

4. Customer Responsibilities

  • Customer is solely responsible for the API keys it provides under BYOK. Keys belong to Customer; AL only uses them to execute Customer's requests.
  • Customer is liable for all charges incurred on its third-party provider accounts (OpenAI, Anthropic, Meta, Perplexity, Firecrawl, and others), including charges resulting from Service usage.
  • Customer must keep its account credentials confidential and is responsible for all activity under its account.
  • Customer must comply with all applicable laws when using the Service and when providing instructions to the agents.

5. Acceptable Use

Customer agrees not to use the Service to:

  • generate, distribute, or host illegal content;
  • circumvent rate limits, robots.txt, paywalls, or anti-scraping measures of third-party sites;
  • process personal data of third parties without a lawful basis under GDPR Article 6;
  • generate content designed to deceive, defame, or impersonate a natural or legal person;
  • attempt to reverse engineer, probe, or attack the Service's security mechanisms.

6. Fees

The Service is currently offered free of charge during the beta. AL reserves the right to introduce fees with at least 30 days' prior written notice by email. Customer may terminate this Agreement before any new fees take effect. Third-party provider charges (BYOK) are not affected by this clause — they continue to flow directly to Customer's accounts.

7. Confidentiality

Each party agrees to treat as confidential any non-public information disclosed by the other party in connection with this Agreement, including the Service's implementation details, prompts, playbooks, customer lists, business plans, and credentials. This obligation survives termination for three (3) years.

8. Warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, OR NON-INFRINGEMENT. No SLA, no uptime guarantee, and no support response time applies during the beta period.

9. Limitation of Liability

To the maximum extent permitted by applicable law, AL's aggregate liability arising out of or related to this Agreement is limited to the greater of (a) one hundred euros (€100) or (b) three (3) months of fees paid by Customer to AL in the period immediately preceding the event giving rise to the claim.

IN NO EVENT WILL AL BE LIABLE FOR CONSEQUENTIAL, SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOST PROFITS, LOST REVENUE, LOST DATA, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The above limits do not apply to: (i) AL's indemnity for intellectual property infringement of the Service itself, (ii) gross negligence, or (iii) willful misconduct.

10. Indemnification

By Customer. Customer will defend, indemnify, and hold AL harmless from any third-party claim arising from Customer's misuse of the Service, illegal content generated under Customer instructions, or breach of Section 5 (Acceptable Use).

By AL. AL will defend, indemnify, and hold Customer harmless from any third-party claim alleging that Customer's use of the Service, in compliance with this Agreement, infringes the intellectual property rights of that third party.

11. Term and Termination

This Agreement begins when Customer first accepts it and remains in effect for the duration of the beta period. Either party may terminate at any time with seven (7) days' written notice. AL may suspend or terminate immediately for breach of Section 5. Sections 7 (Confidentiality), 9 (Limitation of Liability), 10 (Indemnification), and any provision that by its nature should survive, shall survive termination.

12. Governing Law

This Agreement is governed by the laws of Spain, without regard to conflict-of-laws rules. The parties submit to the exclusive jurisdiction of the courts of Madrid, Spain for any dispute arising out of or related to this Agreement.

13. Changes

AL may modify this Agreement by posting an updated version at this URL and giving Customer at least 30 days' notice by email. Continued use of the Service after the effective date constitutes acceptance of the new terms.

14. Contact

Legal notices and questions about this Agreement: [email protected].

Privacy Policy

This Privacy Policy explains how Antifragile Labs ("AL", "we") processes personal data when you use our Service. It is written to comply with Regulation (EU) 2016/679 ("GDPR").

1. Who we are

Antifragile Labs is the controller of personal data described in this Policy, except where we act as a processor under a Data Processing Agreement with a Customer. For privacy questions, contact: [email protected].

2. What data we collect

  • Account information — name, email, organization, role, password hash, authentication tokens.
  • Usage logs — timestamps, IP addresses, user agent, API endpoints called, errors, and request metadata for security and debugging.
  • BYOK credentials — API keys you provide for third-party providers (OpenAI, Anthropic, Meta, Perplexity, Firecrawl, etc.). Stored encrypted at rest.
  • Content uploaded for processing — prompts, documents, images, videos, audio, and any other input you submit to the agents.
  • Generated output — content the Service produces on your behalf, retained so you can re-access it.

3. Why we process it

We process data on the following GDPR Article 6(1) bases:

  • (b) Performance of a contract — to provide the Service, authenticate you, execute your skills and workflows, deliver outputs, and provide support.
  • (c) Legal obligation — to retain records required by tax, accounting, or other applicable laws.
  • (f) Legitimate interests — to secure the Service, prevent fraud and abuse, debug failures, and improve reliability. You may object to this processing at any time.

4. Data retention

  • Logs — retained for 90 days after termination of your account, then deleted or anonymized.
  • BYOK credentials — encrypted at rest while active; destroyed within 7 days of revocation or account termination, whichever is sooner.
  • Account data and content — retained for the life of your account; deleted within 30 days of termination, except where law requires longer retention.

5. Sub-processors

We use the following sub-processors to operate the Service. Each processes data only on documented instructions and under appropriate safeguards.

  • Supabase (EU region) — managed Postgres database, authentication, storage.
  • OpenRouter — model routing and orchestration (where you choose to use it).
  • OpenAI — language and image model inference (BYOK).
  • Anthropic — Claude model inference (BYOK).
  • Perplexity — research and search APIs (BYOK).
  • Firecrawl — web scraping and crawling (BYOK).
  • Meta Platforms — Meta Ads API for campaign management and analytics (BYOK).

6. International transfers

Some sub-processors are located outside the European Economic Area. Where this is the case, transfers are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by additional safeguards where appropriate.

7. Your rights

Under GDPR Articles 15–22, you have the right to:

  • access the personal data we hold about you (Art. 15);
  • rectify inaccurate or incomplete data (Art. 16);
  • request erasure ("right to be forgotten") where the legal basis no longer applies (Art. 17);
  • restrict processing in specific circumstances (Art. 18);
  • receive your data in a structured, machine-readable format and transmit it to another controller (Art. 20);
  • object to processing based on legitimate interests (Art. 21);
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22).

To exercise these rights, email [email protected]. You also have the right to lodge a complaint with your local supervisory authority.

8. Security measures

  • Encryption at rest using pgcrypto for credentials and sensitive fields, and managed disk encryption for the underlying storage.
  • TLS 1.2+ in transit for all client and server-to-server communication.
  • Row-Level Security (RLS) on the database to enforce tenant isolation.
  • Role-based access control with the principle of least privilege for AL personnel.
  • Audit logs of administrative actions.

9. Breach notification

If we become aware of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours in accordance with GDPR Article 33, and we will notify affected users without undue delay where required by Article 34.

10. Contact

Privacy and data-protection inquiries: [email protected].

Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between Antifragile Labs ("Processor") and the Customer ("Controller") and forms an integral part of the Beta Service Agreement. It governs the processing of personal data by Processor on behalf of Controller and is designed to comply with Article 28 of the GDPR.

1. Processor obligations

Processor will process personal data only on documented instructions from Controller, including with regard to international transfers, unless required to do so by Union or Member State law to which Processor is subject.

  • Confidentiality — Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures — Processor implements the technical and organizational measures described in Annex 2.
  • Sub-processors — Processor uses the sub-processors listed in Annex 3. Processor will notify Controller of any intended addition or replacement of sub-processors with at least 30 days' notice, giving Controller the opportunity to object.
  • Assistance with data-subject requests — Processor will assist Controller, by appropriate technical and organizational measures, in fulfilling Controller's obligation to respond to requests for exercising data-subject rights under GDPR Chapter III.
  • Breach notification — Processor will notify Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach.
  • Return or deletion — On termination of the services, Processor will, at Controller's choice, return or delete all personal data, unless Union or Member State law requires storage.
  • Audit rights — Processor will make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, once per calendar year with reasonable prior notice and at Controller's expense.

Annex 1 — Description of processing

  • Subject matter: provision of the Antifragile Labs Service to Controller, including agent execution, content generation, scheduling, and analytics.
  • Duration: for the duration of the Beta Service Agreement, plus any retention period required by law.
  • Nature and purpose: hosting, storage, automated processing, transmission to selected third-party providers under BYOK, and presentation of results.
  • Types of personal data: contact data, account credentials, content provided by users, generated outputs, usage logs, IP addresses, and any personal data Controller chooses to submit to the Service.
  • Categories of data subjects: Controller's employees, contractors, end users, customers, and any third parties whose data Controller submits.

Annex 2 — Technical and organizational measures

  • Encryption at rest — credentials and sensitive fields encrypted with pgcrypto; managed disk encryption on the underlying storage.
  • Encryption in transit — TLS 1.2+ for all connections.
  • Row-Level Security (RLS) on the database to enforce tenant isolation at the data layer.
  • Multi-factor authentication (MFA) required for administrative access.
  • Audit logs of administrative and security-relevant actions, retained for at least 90 days.
  • Regular backups of the database, with periodic restore testing.
  • Incident response — documented procedure with named on-call responder, triage steps, and notification path to Controllers.
  • Least-privilege access for personnel; access reviewed at least annually.

Annex 3 — Sub-processors

  • Supabase (EU region) — database, authentication, storage.
  • OpenRouter — model routing.
  • OpenAI — language and image model inference (BYOK).
  • Anthropic — Claude model inference (BYOK).
  • Perplexity — research and search APIs (BYOK).
  • Firecrawl — web scraping (BYOK).
  • Meta Platforms — Meta Ads API (BYOK).

For sub-processors located outside the EEA, the Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914 are incorporated by reference into this DPA, with Processor acting as data exporter and the relevant sub-processor acting as data importer, as applicable.

Order of precedence

In case of conflict between this DPA and the Beta Service Agreement, this DPA prevails with respect to processing of personal data. In case of conflict between this DPA and the SCCs, the SCCs prevail.

BYOK Addendum

Customer brings and owns their own API keys. Antifragile Labs never sells, shares, or repurposes Customer keys. All third-party provider charges flow directly to Customer's accounts.

This Addendum ("BYOK Addendum") supplements the Beta Service Agreement and the DPA. It governs how Antifragile Labs ("AL") handles API credentials that Customer provides for third-party providers used by the Service.

1. Ownership

API keys provided by Customer ("Customer Keys") belong to Customer at all times. AL holds them as a custodian solely for the purpose of executing Customer's requests against the designated providers (e.g., OpenAI, Anthropic, Meta, Perplexity, Firecrawl). AL never sells, rents, sublicenses, shares with other Customers, or uses Customer Keys for any purpose other than executing Customer's explicit requests.

2. Storage

Customer Keys are encrypted at rest using pgcrypto symmetric encryption inside the Service's Supabase Postgres instance. The decryption key is managed via Supabase Vault and is never exposed to client-side code. Customer Keys never leave the server-side environment and are not logged in plaintext.

3. Costs

All provider charges flow to Customer. When the Service uses a Customer Key to call OpenAI, Anthropic, Meta, Perplexity, Firecrawl, or any other provider, the resulting usage charges are billed by that provider directly to Customer's account with that provider. AL has no visibility into Customer's provider invoices and receives no revenue share from those charges.

4. Spend monitoring

Customer is responsible for monitoring its own usage on each provider's billing dashboard and for setting hard limits at the provider level (where the provider supports them). AL may, from time to time, surface usage figures or warnings inside the Service as a courtesy, but those are best-effort indicators and do not replace Customer's own monitoring.

5. Revocation

Customer may revoke any Customer Key at any time from Settings inside the Service. Once revoked, AL will:

  • stop using the key for any new requests immediately;
  • hard-delete the encrypted record from the database within one (1) hour of revocation;
  • remove the key from all in-memory caches as part of the next deploy or restart cycle, whichever comes first.

Customer should also revoke the key on the provider side to be certain it cannot be used by anyone else, including by Customer's own former staff.

6. Liability

AL is not liable for charges incurred on Customer's provider accounts through the use of Customer Keys, including but not limited to charges resulting from:

  • bugs in the Service that cause unintended provider calls or retries;
  • prompt injection or other adversarial inputs that cause an agent to behave unexpectedly;
  • agent loops, runaway recursion, or feedback loops between agents and tools;
  • third parties accessing Customer's account through compromised Customer credentials;
  • rate-limit miscalibration or aggressive retry policies in the Service or any sub-processor;
  • configuration errors made by Customer (incorrect model, incorrect context window, missing budget cap, etc.).

Customer must monitor its own spend on each provider's dashboard and is responsible for setting hard limits at the provider level (where the provider supports them).

7. Customer obligations

  • Rotation — Customer rotates Customer Keys at the cadence required by its compliance regime, and at minimum whenever a key is suspected to be compromised.
  • Leak notification — Customer immediately notifies [email protected] if it suspects a Customer Key may have been leaked, exposed, or misused.
  • Single tenant — Customer does not share Customer Keys among unrelated users, organizations, or tenants. Each tenant should hold its own keys.
  • Provider terms — Customer ensures that its use of the Service via Customer Keys complies with each provider's terms of service.

8. Survival

This Addendum survives termination of the Beta Service Agreement with respect to any Customer Keys still held at the time of termination, until those keys have been deleted in accordance with Section 5.
