Privacy Policy

Last updated: April 26, 2026

1. Introduction

This Privacy Policy describes how 21st Labs Inc. ("21st", "we", "our", or "us") collects, uses, and protects information through our products and services, including the 21st.dev component marketplace and the 21st Agents platform (together, the "Services").

21st Labs Inc. is a Delaware corporation with a registered address at 1111B S Governors Ave, STE 28395, Dover, DE 19904, United States. For privacy questions or to exercise the rights described below, contact us at support@21st.dev.

2. Information We Collect

2.1 Information you provide

  • Account information. Name, email address, and authentication identifiers when you create an account or sign in via supported identity providers.
  • Billing information. When you purchase a paid plan, our payment processor (Stripe) collects payment method details. We do not store payment card numbers on our systems.
  • Content you upload. Components, prompts, agent configurations, code, and any other materials you submit through the Services.
  • Communications. Records of correspondence with our support team and any feedback or survey responses you send us.

2.2 Information generated by your use of the Services

  • Usage data. Pages viewed, features used, request volume, timestamps, and similar product analytics.
  • Device and connection data. Browser type, operating system, IP address, and approximate location derived from IP.
  • Agent execution data (21st Agents). When you use the 21st Agents platform, we process the prompts, responses, and execution traces of agents you build or invoke. Conversation history and run metadata are stored on your behalf so that you and your authorized end users can access them.
  • Diagnostic data. Error reports and performance metrics, captured with personal-data scrubbing rules applied where feasible.

2.3 Information from third parties

We may receive information from authentication providers (Clerk), payment processors (Stripe), and similar partners as required to operate the Services. We do not purchase personal information from data brokers.

3. How We Use Information

We use the information described above to:

  • Provide, operate, secure, and improve the Services.
  • Authenticate users, enforce account scopes, and prevent fraud, abuse, and unauthorized access.
  • Process payments and manage subscriptions through our payment processor.
  • Communicate with you about your account, transactional matters, security alerts, and (with your consent) product updates and marketing.
  • Respond to support requests and feedback.
  • Comply with legal obligations and enforce our Terms of Service.

We do not use customer prompts, completions, or agent conversation content to train our own machine-learning models without your explicit consent.

4. Subprocessors and Third Parties

We rely on a small set of trusted subprocessors to deliver the Services. Each subprocessor processes information only as directed by us and under contractual confidentiality and security obligations. Major categories include:

  • Hosting and infrastructure: Vercel, Fly.io, Cloudflare, Railway.
  • Storage and databases: Supabase, Upstash.
  • Authentication: Clerk.
  • Payments and billing: Stripe, Metronome.
  • Sandboxed code execution: E2B.
  • AI model providers: Anthropic, OpenAI.
  • Observability and analytics: Sentry, Langfuse, PostHog, Humanloop, Braintrust.
  • Email: Resend, Google Workspace.
  • Internal operations: GitHub, Slack, Notion, Vanta, Certn.

A current subprocessor list is available on request to enterprise customers and will be published on our security page. We will provide reasonable advance notice of material additions to the subprocessor list.

5. Data Retention

We retain personal information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

  • Account data: for the life of the account plus a reasonable period after closure for legal and audit purposes.
  • Conversation history and agent run data (21st Agents): retained on your behalf and deleted in accordance with your settings or upon request.
  • Logs and diagnostic data: retained for up to twelve months unless required for security or legal reasons.
  • Billing records: retained for the period required by tax and accounting law.

6. Your Rights

Depending on where you live, you may have the right to access, correct, port, or delete your personal information; to object to or restrict certain processing; and to withdraw consent where we rely on it. Customers in the EEA, UK, Switzerland, and California (CCPA/CPRA) have the rights described in their applicable laws. To exercise these rights, contact support@21st.dev. We will respond within the timeframe required by applicable law.

You may unsubscribe from marketing emails at any time using the link in the email. Transactional and security communications are not subject to opt-out while your account is active.

7. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest on supported subprocessors.
  • Multi-factor authentication on internal accounts with access to production systems.
  • Role-based access controls, regular access reviews, and background checks for personnel handling production data.
  • Continuous vulnerability monitoring of our codebase and dependencies.

We are pursuing SOC 2 attestation; current status is available on our security page. No system is perfectly secure, and we cannot guarantee absolute security.

8. International Data Transfers

21st Labs is based in the United States, and our subprocessors operate in multiple countries. When we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we rely on Standard Contractual Clauses or another lawful transfer mechanism with the receiving subprocessor.

9. Children

The Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@21st.dev and we will delete it.

10. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, provide prominent notice through the Services or by email. Your continued use of the Services after the effective date of an update means you accept the updated policy.

11. Contact

Privacy questions, requests, or complaints can be sent to:

21st Labs Inc.
1111B S Governors Ave, STE 28395
Dover, DE 19904, United States
Email: support@21st.dev
Security disclosures: security@21st.dev