Junction data practices

Effective April 26, 2026

Privacy Policy

This policy explains what Junction cloud services collect, what stays local by default, how we use data, and how we protect it.

Contact

Send privacy, legal, support, or billing questions to the Junction team.

Email support

We do not sell your personal data.

Your source code and agent sessions stay local by default, with specific exceptions you control.

Junction uses analytics and conversion measurement, but OpenPanel session replay is disabled in the app.

1. Scope and Controller

This Privacy Policy describes how Zenith Global Holdings LLC, a Wyoming limited liability company, processes personal data for Junction websites, hosted app surfaces, daemon pairing, relay, Switchboard, billing, notifications, feedback, and support.

For privacy questions or data requests, contact [email protected].

2. Local-First Architecture

Junction is designed so your agents run in your own development environment. Source code, local agent timelines, provider session files, local checkpoints, terminal state, and daemon runtime state are stored on your machine by default under your Junction home and provider directories.

That local-first design does not mean nothing ever leaves your machine. Junction cloud services process the account, billing, analytics, notification, relay metadata, Switchboard, feedback, and support data described below. Third-party AI providers may process prompts, code, terminal output, or other data through the provider tools you configure.

3. Data We Collect

Account and authentication data

We collect account identifiers, name, email address, avatar, GitHub username when available, email verification state, session data, IP address, user agent, OAuth account identifiers, and OAuth tokens needed for sign-in or connected integrations such as GitHub, Google, and Linear.

Billing data

We use Stripe for payment processing. Junction stores Stripe customer, subscription, checkout, invoice, plan, trial, cancellation, webhook, and billing-status records, including Stripe identifiers, invoice URLs, invoice PDF links, amounts, currencies, timestamps, and raw Stripe webhook or object data needed to reconcile billing.

App configuration and metadata

We store preferences and configuration such as theme, layout, notification settings, default provider choices, daemon profile labels, encrypted daemon connection URLs, daemon public keys, repository names, default branches, project identifiers, linked devices, and Switchboard settings.

Switchboard and integration data

If you use Switchboard, we may store issue tracker workspace and team identifiers, issue titles, issue descriptions, issue URLs, branch names, worktree paths, workspace paths, agent provider and model choices, run status, automation rules, execution records, and related metadata needed to run automation.

Notifications

If you enable push notifications, we store notification device identifiers, browser push endpoints, endpoint hashes, push key material, VAPID key hashes, user agent, permission state, delivery state, and routing metadata. Notification payloads may include titles, body text, tags, category, agent IDs, daemon profile IDs, server IDs, cwd/workspace metadata, and timestamps.

Feedback and support

If you submit feedback or support requests, we may process your message, browser and app context, selected daemon identifiers, selected agent identifiers, workspace context, attachments uploaded to object storage, and optional daemon log snapshots. Feedback may be synced into Linear with signed attachment links and log excerpts for triage.

Analytics and site/app events

We use Google Tag Manager and OpenPanel for analytics and conversion measurement. Site analytics may include page views, CTA clicks, copy actions, outgoing links, and page attributes. App analytics may include authenticated profile identifiers, name, email, avatar, GitHub username, entitlement metadata, and product events such as checkout, billing, daemon connection, repo, agent run, notification, feedback, and Switchboard events. OpenPanel session replay is disabled in the app.

4. Data We Do Not Sell or Use for Model Training

We do not sell your personal data. Based on current product intent, we do not use personal data for cross-context behavioral advertising or retargeting. If that changes, we will update this policy and provide any required choices.

We do not use your source code, prompts, agent output, feedback attachments, or daemon logs to train AI models. Third-party AI providers you choose may process data under their own terms, settings, and privacy policies.

Junction cloud does not store your source code as part of ordinary daemon control. Exceptions can occur if you put code or secrets into issue trackers, Switchboard tasks, feedback messages, attachments, support requests, or daemon logs you choose to send.

5. Voice and Audio

Junction production voice features are not currently live. Junction cloud does not currently process production voice audio for hosted app users. If we make voice features available in production, we will update this policy to describe the audio, transcript, provider, and retention behavior before relying on it for production use.

6. How We Use Data

  • Provide, secure, debug, maintain, and improve Junction.
  • Authenticate users, manage sessions, and operate connected integrations.
  • Process subscriptions, trials, invoices, cancellations, billing support, tax, fraud, and accounting records.
  • Route encrypted relay traffic and daemon/app connection metadata.
  • Send service notifications, support responses, product communications, and important account or policy notices.
  • Measure site and app usage, conversion, reliability, and feature adoption.
  • Investigate abuse, security incidents, legal claims, or violations of our terms.

7. How We Share Data

We share data with service providers and subprocessors that help us operate Junction. These may include Stripe for billing, GitHub and Google for OAuth sign-in, Linear for connected issue workflows and feedback triage, Cloudflare services for relay and storage infrastructure, OpenPanel and Google Tag Manager for analytics and measurement, browser or operating-system push services for notifications, and support or communication tools you use to contact us.

We may also disclose data if required by law, to protect rights and safety, to investigate abuse or security issues, in connection with a business transaction, or with your direction or consent.

8. Security Measures

We use safeguards designed for Junction data, including TLS for hosted services, access controls, hashed runtime machine tokens, encrypted stored daemon profile URLs using AES-256-GCM, and relay encryption using Curve25519 shared keys with XSalsa20-Poly1305 for message contents.

The relay is designed to handle routing metadata and opaque encrypted traffic rather than plaintext agent traffic. Local daemon state remains on your machine by default, and local checkpoints may include file contents depending on the daemon features you use.

No security measure is perfect. You remain responsible for securing your devices, local daemon exposure, provider credentials, browser sessions, repositories, dependencies, terminals, and agent approvals.

9. Cookies, Local Storage, and Similar Technologies

Junction uses cookies, local storage, session storage, OAuth/session mechanisms, analytics tags, and browser push APIs to keep you signed in, remember preferences, route app state, operate notifications, and measure site or app usage.

Current browser do-not-track signals are not handled as a separate control because there is no industry-standard response that maps cleanly to Junction functionality. You can use browser settings, content blockers, or account controls to limit some storage and tracking, but disabling storage may break core features.

10. Retention

We keep personal data for as long as needed to provide Junction, maintain accounts, process billing, comply with law, resolve disputes, enforce agreements, secure the service, support users, maintain backups, and improve reliability.

Some records, such as billing, invoice, tax, fraud-prevention, security, and abuse-prevention records, may be retained after cancellation or deletion where we have a legitimate need or legal obligation. Local daemon state on your machine and data held by third-party providers are not automatically deleted by deleting your Junction cloud account.

11. Privacy Rights

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal data. You may also have the right to withdraw consent where processing is based on consent.

California residents may have rights under California privacy laws if those laws apply to Junction, including rights to know, delete, correct, and opt out of certain sales or sharing. Junction does not sell personal data based on current product practices.

To make a request, contact [email protected]. We may need to verify your identity and may deny or limit requests where allowed by law, such as to protect security, prevent fraud, complete transactions, comply with legal obligations, or preserve records needed for disputes.

12. International Data Transfers

Junction is operated from the United States and may process data in the United States or other countries where we or our service providers operate. If you use Junction from outside the United States, your data may be transferred to countries with different data-protection laws than where you live.

13. Children

Junction is not directed to children under 13, and we do not knowingly collect personal data from children under 13. Users under the age of majority may use Junction only with permission from a parent or legal guardian where required.

14. Changes and Contact

We may update this Privacy Policy as Junction changes. We will update the effective date when we make material changes and may provide additional notice through the site, app, email, or account notices where appropriate.

Questions, requests, or concerns can be sent to [email protected].