Legal
Privacy policy, terms of service, and security practices.
Privacy Policy
Last updated: 2026-04-03
What we collect
- Contact information (name, email) when you submit forms
- Payment information (processed securely via PayPal; we don't store card details)
- Technical logs for debugging and security purposes
How we use it
- To provide services and communicate about your project
- To process payments and send receipts
- To improve our services and detect security issues
What we don't do
- We don't sell your data
- We don't share your code or project details without permission
- We don't use your data for marketing without consent
Terms of Service
Version 1.0 — Effective February 26, 2026
By clicking "I Agree" or checking the acceptance checkbox at checkout, you enter into a binding agreement under these Terms. Please read carefully before purchasing.
§1 Governing Law & Jurisdiction
These Terms of Service and any engagement hereunder are governed exclusively by the laws of the State of Wyoming, without regard to its conflict-of-law provisions. Any dispute, claim, or controversy arising out of or relating to these Terms or the services shall be subject to the exclusive jurisdiction and venue of the District Court of Laramie County, Wyoming. Client irrevocably consents to personal jurisdiction in Wyoming and waives any objection to such venue.
§2 Intellectual Property — Conditional Assignment
All work product, materials, runbooks, code, methodologies, configurations, deliverables, and associated documentation produced by Agent Xero in connection with any engagement remain the sole and exclusive intellectual property of Agent Xero until receipt of full payment in cleared funds. Upon receipt of full and final payment for a specific engagement, Agent Xero hereby assigns to Client a limited, non-exclusive right to use the specific deliverables of that engagement for Client's internal business purposes. No partial payment, installment, or deposit shall trigger any assignment, license, or transfer of any intellectual property rights. No license of any kind is granted during any period of non-payment or where any balance remains outstanding.
§3 No Redistribution
Client shall not reproduce, redistribute, resell, publish, sublicense, publicly display, or make available to any third party any session materials, runbooks, methodologies, techniques, code examples, templates, prompts, training materials, or any other content delivered by Agent Xero, without prior written consent from Agent Xero. Violation of this clause entitles Agent Xero to seek injunctive relief without bond, in addition to all other available remedies.
§4 Confidentiality & Trade Secrets
Techniques, methodologies, systems, toolchains, prompt architectures, workflows, security approaches, and operational processes disclosed, demonstrated, or discussed during any session or engagement constitute confidential information and trade secrets of Agent Xero, protected under the Wyoming Uniform Trade Secrets Act (W.S. § 40-24-101 et seq.) and applicable federal law. Client agrees not to disclose, publish, reverse-engineer, or use such information for competitive purposes for a period of five (5) years from the date of disclosure. Client acknowledges that breach of this obligation would cause irreparable harm for which monetary damages would be inadequate.
§5 Services AS-IS — No Outcomes Guarantee
Agent Xero provides professional advisory, educational, and engineering consultation services. Services are delivered AS-IS. Agent Xero makes no representation, warranty, or guarantee as to outcomes, code quality, learning results, project success, deployment readiness, fitness for any particular purpose, or compliance with any regulatory standard. Learn to Vibe Code and other instructional services are educational in nature; no guarantee of skill attainment, employment readiness, or business results is expressed or implied. Advice and recommendations are opinions based on information available at the time of the engagement.
§6 Limitation of Liability
Agent Xero's total aggregate liability to Client for any and all claims, losses, damages, or expenses arising from or related to any engagement, whether in contract, tort, strict liability, or otherwise, shall not exceed the fees actually paid by Client for the specific engagement giving rise to the claim. In no event shall Agent Xero be liable for any consequential, indirect, incidental, punitive, exemplary, or special damages, including but not limited to lost profits, loss of data, loss of business opportunity, or cost of substitute services, even if Agent Xero has been advised of the possibility of such damages. This limitation applies to the fullest extent permitted by applicable law.
§7 Disclaimer of Warranties
AGENT XERO EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, TO THE FULLEST EXTENT PERMITTED BY LAW, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. AGENT XERO DOES NOT WARRANT THAT SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT ANY DELIVERABLES WILL BE FREE FROM DEFECTS. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM AGENT XERO SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THESE TERMS.
§8 Fees, Payment & Refund Policy
All session fees are due and payable in full at the time of booking via the applicable payment processor. All fees paid are non-refundable once a session begins, access to materials is provided, or work commences on any engagement. For cancellations received more than twenty-four (24) hours prior to a scheduled session start time, Client will receive a credit equal to the fees paid, applicable toward a future session of equal or lesser value, valid for twelve (12) months from the original session date. No refunds or credits are issued for cancellations received within 24 hours of a scheduled session, for no-shows, or for dissatisfaction with outcomes given the AS-IS nature of services described in §5.
§9 Entire Agreement & Severability
These Terms of Service constitute the entire agreement between Client and Agent Xero with respect to the subject matter hereof and supersede all prior and contemporaneous representations, understandings, negotiations, and agreements, whether written or oral. Any modification to these Terms must be in writing and signed by an authorized representative of Agent Xero. If any provision of these Terms is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.
§10 Electronic Acceptance
Clicking "I Agree," checking the acceptance checkbox during checkout or form submission, or otherwise affirmatively indicating acceptance constitutes a binding electronic signature and agreement to these Terms of Service, with the same legal force and effect as a handwritten signature, pursuant to Wyoming's Uniform Electronic Transactions Act (W.S. § 40-21-101 et seq.) and the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. § 7001 et seq.). Client acknowledges having had the opportunity to read these Terms and agrees to be bound by them.
Security & Data Protection
Security is foundational to our engineering practice. We treat all client code and data with the highest level of confidentiality and implement defense-in-depth security measures across our infrastructure and development workflows.
1. Code and Data Confidentiality
- Non-Disclosure Agreements: We sign your NDA or provide our standard confidentiality agreement before engagement
- Access Control: Repository access is granted on a least-privilege basis and limited to engineers actively working on your project
- Immediate Revocation: All access credentials (GitHub, AWS, etc.) are revoked within 24 hours of project completion or termination
- Secure Channels: All sensitive information is transmitted via encrypted channels (TLS 1.3, HTTPS, SSH)
- No Data Retention: Local copies of your code are securely deleted from our systems upon project completion (unless ongoing support is contracted)
2. Infrastructure Security
- Encryption in Transit: All data transmission uses TLS 1.3 with modern cipher suites (AES-256-GCM, ChaCha20-Poly1305)
- Encryption at Rest: All stored data is encrypted using AES-256 encryption
- Payment Security: Payment processing is handled exclusively by PayPal (PCI DSS Level 1 compliant); we do not store card numbers, CVV, or banking credentials
- Hosting: Infrastructure hosted on Cloudflare Workers (SOC 2 Type II certified) with global edge network and DDoS protection
- Database Security: Cloudflare D1 (serverless SQLite) with encrypted connections, prepared statements (SQL injection prevention), and automated backups
3. Application Security
- OWASP Top 10 Compliance: All deliverables audited against OWASP Top 10 vulnerabilities (injection, broken authentication, XSS, CSRF, etc.)
- Input Validation: Server-side validation using Zod schema validation on all external inputs
- Bot Protection: Cloudflare Turnstile (privacy-friendly CAPTCHA alternative) on all public forms
- Rate Limiting: API endpoints protected with Cloudflare KV-based rate limiting
- Authentication: Secure session management with httpOnly cookies, SameSite protection, and short-lived tokens
- Dependency Scanning: Automated vulnerability scanning of npm dependencies (GitHub Dependabot, npm audit)
4. Development Security Practices
- Coder-in-the-Loop: All AI-generated code undergoes human security review before delivery (see our Coder-in-the-Loop Checklist)
- Code Review: Multi-stage review process including automated linting (ESLint), type checking (TypeScript strict mode), and manual security audit
- Secret Management: No hardcoded secrets in code; secrets are supplied through environment variables, rotated according to documented procedures, and stored in secure credential storage (OpenBAO vault)
- Least Privilege: Service accounts and API keys configured with minimal necessary permissions
- Version Control Hygiene: No sensitive data committed to Git history. Pre-commit hooks prevent credential leaks
5. Security Audits and Compliance
- Regular Security Audits: Annual third-party penetration testing and vulnerability assessments
- Dependency Updates: Automated security patches applied within 7 days of disclosure for critical vulnerabilities
- Incident Response Plan: Documented breach notification procedures compliant with GDPR (72 hours), CCPA (notification without unreasonable delay), and other applicable laws
- Compliance Frameworks: Adherence to OWASP ASVS (Application Security Verification Standard) Level 2 for custom builds
6. Vulnerability Disclosure Policy
We welcome responsible disclosure of security vulnerabilities in our website or services. If you discover a security issue:
1. Report Privately: Email hello@agent-xero.com with subject "SECURITY VULNERABILITY"
2. Provide Details: Include reproduction steps, affected URLs/endpoints, proof-of-concept (if applicable), and severity assessment
3. Allow Time to Fix: Give us 90 days to investigate and remediate before public disclosure
4. Avoid Harm: Do not access, modify, or delete data belonging to others; do not perform denial-of-service attacks
Our Response Timeline:
- Initial Response: Within 24 hours acknowledging receipt
- Severity Assessment: Within 3 business days classifying severity (Critical, High, Medium, Low)
- Remediation: Critical issues patched within 7 days; High within 30 days; Medium/Low within 90 days
- Public Disclosure: Coordinated disclosure after remediation, with credit to reporter (if desired)
Note: We do not currently offer a bug bounty program. Vulnerability reports are accepted on a good-faith, voluntary basis.
7. Data Breach Notification
In the unlikely event of a data breach affecting your information, we will:
- Notify affected individuals via email within 72 hours of discovery (GDPR requirement) or without unreasonable delay (CCPA requirement)
- Provide details on: nature of the breach, data types affected, steps taken to contain the breach, and recommendations for protecting your information
- Notify relevant regulatory authorities as required by applicable law
- Conduct a post-incident review and implement corrective measures to prevent recurrence
8. Third-Party Security
We partner with security-vetted service providers:
- PayPal: PCI DSS Level 1 compliant payment processor with end-to-end encryption
- Cloudflare: SOC 2 Type II certified, ISO 27001 certified, GDPR compliant
- Resend: SOC 2 Type II certified email service with TLS delivery and DKIM/SPF authentication
All service providers undergo security due diligence and are bound by data processing agreements ensuring GDPR compliance.
9. Contact Security Team
For security questions, vulnerability reports, or incident response, contact:
Security Team - Agent Xero
Email: hello@agent-xero.com
Subject: [SECURITY] Your Issue
Emergency security issues are monitored 24/7; expected response time is under 24 hours.
Questions or Concerns?
If you have questions about this Privacy Policy, Terms of Service, Security practices, or Cookie Policy, or if you'd like to exercise your privacy rights, please contact us:
Agent Xero
Software Engineering Services
Email: hello@agent-xero.com
Response Time: We respond to general inquiries within 2 business days. Privacy rights requests are processed within 45 days (CCPA) or 30 days (GDPR). Security vulnerabilities receive acknowledgment within 24 hours.
Last Updated: February 26, 2026 | © 2026 Agent Xero. All rights reserved.