Privacy Policy - Plexor Labs

This Privacy Policy explains how Plexor Labs, Inc. handles personal information across both of the services we operate: Bumblebee, our elastic engineering-capacity service for funded early-stage startups, and Plexor, our AI API gateway and platform. It applies to this website, our forms, and the products we provide.

Introduction

Plexor Labs, Inc. ("Plexor Labs", "we", "us", or "our") respects your privacy. This policy describes the personal information we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have over it. We have written it to be specific to what we actually do rather than to cover hypothetical activities we do not engage in.

We run two distinct offerings, and the kinds of information involved differ between them:

Bumblebee is an elastic engineering-capacity service for funded early-stage startups. Founders engage us for Scout trial sprints and for Worker, Swarm, and Hive engagements. We sell and intake Bumblebee through this website.
Plexor is an AI API gateway and platform that routes requests across multiple model providers. Early users access it through API keys, a playground, and our documentation.

Where a section applies to only one of these offerings, we say so. Where it applies to both, it covers both.

Who we are

Plexor Labs, Inc., a Delaware C corporation (referred to as "Plexor Labs", "we", "us", or "our"), is the controller responsible for the personal information described in this policy. We are an early-stage company and a member of the Harvard Launch Lab X Accelerator. If you have any question about this policy or about how we handle your information, you can reach us at team@plexor.dev. The Contact section at the end of this policy has full details.

Information we collect

We collect information in a few different contexts: when you use this website and submit a form, when you use the Plexor platform, and automatically through cookies, analytics, and advertising tools. We describe each below.

Website and contact forms

When you ask us to start a Scout or otherwise contact us through this site, our Start-a-Scout form and contact form collect:

your name;
your email address; and
a description of what you want built, which may include details about your product, your codebase, your roadmap, and your business.

If you become a Bumblebee client, we also collect and process business-contact and engagement information that you share with us during the relationship. This can include the names and contact details of people on your team, information about your project and its requirements, access credentials or repository access you choose to grant us so we can do the work, scheduling and meeting information, and billing and payment details. Please share only the access and information that an engagement genuinely needs.

Plexor platform usage

When you use the Plexor platform through API keys, the playground, or our docs, we collect:

account information, such as the email address and identifiers associated with your account;
API keys that authenticate your requests to the platform; and
usage and request data, including the prompts, inputs, and requests you submit, the model and routing options you select, and associated metadata such as timestamps, token counts, latency, request and response sizes, model identifiers, and the cost of each call.

The core function of Plexor is to route your prompts, requests, and associated metadata to third-party AI model providers (for example Anthropic, OpenAI, and Google) so that an API call can be fulfilled and a response returned to you. This means the content you send through the platform is transmitted to the provider that handles your request. The How we share information and our subprocessors section explains this in more detail.

Cookies and analytics

This website uses cookies and similar technologies, and we use analytics to understand how the site is used. We use Google Analytics and the Google tag (gtag) to measure traffic, see which pages and content perform, and understand the path visitors take through the site. These tools collect information such as the pages you view, the time and duration of your visit, your approximate location derived from your IP address, your device and browser type, and the referring source that brought you to the site. The Cookies section lists the categories of cookies we use.

Advertising

We advertise Bumblebee, including through Google Ads, and we use Google Ads conversion tracking through the Google tag (gtag) to measure how those ads perform. When you arrive at our site from a Google ad, the ad click typically carries a Google Click Identifier (the gclid) in the URL. We use the gclid together with gtag to attribute a later action, such as submitting the Start-a-Scout form, back to the ad campaign that brought you here, so we can measure conversions and avoid wasting spend. This advertising and conversion data is processed by Google in connection with your activity on our site.

Server logs and security data

Our website and platform sit behind Cloudflare, which provides content delivery, performance, and security protection against abuse and attacks. Cloudflare and our hosting environment generate standard server logs that record information such as IP addresses, request URLs and methods, response status codes, user agents, timestamps, and similar technical details. We use this information to operate, secure, and troubleshoot our services.

How we use information

We use the information we collect to:

respond to Start-a-Scout and contact submissions, scope work, and communicate with prospects and clients;
deliver Bumblebee engagements, including Scout sprints and Worker, Swarm, and Hive work, and manage the client relationship and billing;
provide, operate, and maintain the Plexor platform, including authenticating API requests, routing prompts and requests to the appropriate model provider, returning responses, and metering usage and cost;
monitor, debug, secure, and improve our services, including investigating errors, abuse, and security incidents;
measure website and advertising performance, including analytics and Google Ads conversion tracking, so we understand what works and spend responsibly;
send service and transactional communications, and, where permitted, relevant updates about our offerings; and
comply with our legal obligations and enforce our agreements.

We do not use the prompts and content you route through the Plexor platform to advertise to you, and we do not use that content for purposes unrelated to operating the platform and providing your requested responses.

Legal bases (GDPR)

If you are in the European Economic Area, the United Kingdom, or another region whose law requires a legal basis for processing, we rely on the following bases:

Contract. We process information to take steps at your request before entering an agreement and to perform our contract with you, for example to respond to a Scout request, deliver an engagement, or operate the Plexor platform for your account.
Legitimate interests. We process information to run, secure, and improve our business, including site analytics, fraud and abuse prevention, measuring advertising performance, and general operations, where those interests are not overridden by your rights.
Consent. Where law requires it, we rely on your consent, for example for certain advertising and analytics cookies. You can withdraw consent at any time, and withdrawing it does not affect processing that already took place.
Legal obligation. We process information where we must to comply with applicable law, such as tax, accounting, and record-keeping requirements.

How we share information and our subprocessors

We do not sell your personal information. We share information only as described here, and we work with service providers and subprocessors who process information on our behalf under appropriate contractual protections.

AI model providers. To fulfill Plexor API calls, we route your prompts, requests, and associated metadata to the third-party AI model providers that serve your request, for example Anthropic, OpenAI, and Google. The provider that handles a given request receives the content of that request and returns a response. These providers process that content under their own terms and privacy commitments in order to generate the response.
Cloud hosting. We host our services and store data on Microsoft Azure, which provides our compute, storage, and database infrastructure.
Google. We use Google for analytics (Google Analytics and the Google tag) and for advertising and conversion measurement (Google Ads), as described above. Google processes the related data in connection with these services.
Cloudflare. We use Cloudflare for content delivery, performance, and security. Cloudflare processes network and request data to route and protect traffic to our services.
Email providers. We use email service providers to receive, send, and manage communications with prospects and clients, including responses to form submissions and engagement correspondence.

We may also share information with professional advisors such as lawyers and accountants, with authorities when we are legally required to do so or to protect our rights and the safety of others, and with a successor entity in connection with a merger, acquisition, financing, or sale of assets. In any such transaction, your information would remain subject to commitments consistent with this policy.

Data retention

We keep personal information only for as long as we need it for the purposes described in this policy, and then we delete it or anonymize it. How long that is depends on the type of information:

Form submissions and prospect correspondence are kept while we evaluate and pursue a potential engagement and for a reasonable period afterward so we can follow up and keep records.
Client and engagement records are kept for the duration of the relationship and for as long afterward as we need them to meet legal, accounting, and contractual obligations.
Plexor account information and API keys are kept while your account is active. Usage and request metadata is retained for operational purposes such as metering, billing, debugging, and abuse prevention.
Analytics, advertising, and server log data are kept for the limited periods needed for measurement, security, and troubleshooting, after which they are deleted or aggregated.

If you ask us to delete your information, we will do so unless we are required to keep it to comply with the law or to resolve a dispute.

Security

We take reasonable and appropriate technical and organizational measures to protect personal information against loss, misuse, and unauthorized access. These include encryption of sensitive data, encryption of data in transit, access controls that limit who can reach what, the use of reputable infrastructure providers such as Microsoft Azure and Cloudflare, and monitoring and logging to detect and respond to issues. API keys and stored credentials are protected with encryption. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security, but we work to keep our protections current. Please keep your own API keys and account credentials confidential, and tell us promptly if you believe they have been compromised.

International data transfers

We are based in the United States, and our service providers and subprocessors, including our model providers, cloud hosting, analytics, advertising, security, and email providers, may process information in the United States and in other countries. This means your information may be transferred to and processed in a country other than the one you live in, and the privacy laws there may differ from those in your location. Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, together with additional measures where needed, to protect that information.

Your rights

Depending on where you live, you have rights over your personal information. We honor these rights, and we will not discriminate against you for exercising them. To make a request, contact us at team@plexor.dev. We may need to verify your identity before we act, and we will respond within the time the law allows.

GDPR rights

If you are in the European Economic Area or the United Kingdom, you have the right to:

access the personal information we hold about you;
correct information that is inaccurate or incomplete;
erase your information in certain circumstances;
restrict or object to certain processing, including processing based on our legitimate interests;
receive your information in a portable format and ask us to transmit it to another controller where applicable;
withdraw consent where we rely on it; and
lodge a complaint with your local data protection authority.

CCPA and CPRA rights

If you are a California resident, under the California Consumer Privacy Act as amended by the California Privacy Rights Act, you have the right to:

know the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of parties with whom we share it;
delete personal information we have collected from you, subject to legal exceptions;
correct inaccurate personal information; and
limit the use of sensitive personal information, and exercise these rights without facing discrimination.

We do not sell personal information, and we do not share it for cross-context behavioral advertising in the sense those terms are defined under California law. You can submit a request through the contact details below, and you may use an authorized agent where the law permits.

Cookies

Cookies are small files that a website stores on your device. We use the following categories:

Strictly necessary cookies that are required for the site and platform to function and to keep them secure, including protection provided by Cloudflare.
Analytics cookies set by Google Analytics and the Google tag that help us understand how the site is used.
Advertising and conversion cookies set in connection with Google Ads that let us measure the performance of our advertising, including through the gclid as described above.

You can control cookies through your browser settings, including blocking or deleting them, although some features may not work properly if you disable strictly necessary cookies. Where law requires consent for non-essential cookies, we ask for it before setting them.

Children

Our services are not directed to children. Bumblebee and Plexor are intended for businesses and professionals, and they are not meant for people under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us with personal information, please contact us at team@plexor.dev and we will delete it.

Changes to this policy

We may update this policy from time to time to reflect changes in our services, our practices, or the law. When we do, we will revise the effective date at the top of this page. If we make a material change, we will take reasonable steps to let you know, such as posting a notice on this site or contacting you directly. We encourage you to review this page periodically.

Contact

If you have any question, concern, or request about this policy or about how we handle your personal information, please reach out using the details below, and we will do our best to help.

Plexor Labs, Inc.
160 NW Gilman Blvd, Suite 441, Issaquah, WA 98027
Phone: 425 574-2156
Email: team@plexor.dev