Excalibur

Legal

Privacy Policy

Last updated: June 17, 2026

This Privacy Policy explains how Excalibur ("we", "us") handles information in connection with the getexcalibur.dev website, the open-source Excalibur Core CLI, and the commercial Excalibur Enterprise service.

Local-first by design

Excalibur Core runs entirely on your machine. Your source code never leaves your device unless you explicitly connect it to a model provider or to Excalibur Enterprise. Model API keys are read from your environment at runtime and are never stored by Excalibur. Run artifacts live locally under .excalibur/.

Information we collect

  • Website. Minimal, privacy-respecting analytics (aggregate page views and referrers). No advertising trackers.
  • Excalibur Core. No account is required. Optional, anonymous usage telemetry is opt-in and contains no code or prompts.
  • Excalibur Enterprise. Account data (name, work email, organization), authentication identifiers via your SSO/IdP, and operational metadata about agent runs (workflow, model, tokens, cost, audit events) needed to provide the service.
  • Communications. Information you send us (e.g. a demo request or support message).

How we use information

  • To provide, secure and improve the service.
  • To show organizations their own usage, cost and audit data.
  • To respond to requests and provide support.
  • To meet legal and compliance obligations.

We do not sell personal information, and we do not use your code or prompts to train models.

Sharing & sub-processors

We share information only with service providers that help us operate (e.g. cloud hosting, model providers you configure, analytics, payment processing for Enterprise), under appropriate data-processing terms, and where required by law.

Data retention

We keep personal data only as long as needed for the purposes above or as required by law. Enterprise customers control retention of their run and audit data through organization settings.

Security

We use industry-standard safeguards including encryption in transit and at rest, encrypted secrets, and access controls. No method of transmission or storage is perfectly secure.

Your rights

Depending on your location (including under GDPR and CCPA), you may have rights to access, correct, export or delete your personal data, and to object to or restrict certain processing. To exercise these rights, contact us at the address below.

International transfers

We may process information in countries other than your own, using appropriate safeguards such as Standard Contractual Clauses. Enterprise customers may select data residency where offered.

Children

Excalibur is not directed to children under 16 and we do not knowingly collect their data.

Changes

We may update this policy; we will revise the "last updated" date and, for material changes, provide additional notice.

Contact

Questions or requests: privacy@getexcalibur.dev.