← 143

Privacy Policy

Last updated: March 20, 2026

Scope

This policy covers the 143 website and hosted service at 143.dev, operated by Assembled, Inc. It does not cover self-hosted deployments of the 143 open-source software except to explain that self-hosted operators, not Assembled, control their own infrastructure and data-handling practices.

When you run 143 on your own infrastructure, data is not sent to Assembled by default. Self-hosted operators may still choose to send data to third-party services they configure, such as GitHub, Sentry, Linear, Slack, Anthropic, OpenAI, OpenRouter, or Google Gemini.

Who controls data

We act as the provider of the hosted service for account, operational, and security data related to 143.dev. If you use 143.dev through an organization, that organization may control repositories, issues, tickets, prompts, and other workspace content made available to the service.

What we collect

When you use the hosted service at 143.dev, we store code, prompts, agent output, and related workspace data on our servers in order to run cloud-hosted coding agents on your behalf. If you use the open-source, self-hosted version of 143, none of this data is sent to or stored by Assembled — it stays entirely on your own infrastructure.

  • Account information - name, email address, organization membership, and role
  • Authentication and session data - login provider identifiers, session records, security tokens, and short-lived OAuth state
  • Customer content - source code, issue descriptions, pull request content, review comments, stack traces, repository metadata, and other data made available through connected services
  • Agent and workspace data - prompts, manual-session messages, uploaded image URLs, generated diffs, logs, token-usage metadata, and temporary workspace snapshots
  • Technical and security data - IP address, user-agent, request identifiers, audit events, and device/browser details we observe when you use the service

Sources of personal data

We collect data directly from you, from your organization, from your browser when you use 143.dev, and from connected services such as GitHub, Google, Sentry, Linear, and Slack.

How we use data

  • To provide, secure, and maintain the hosted service
  • To authenticate users, manage sessions, and enforce access controls
  • To sync connected services and run coding-agent workflows
  • To generate, validate, and present model or agent output
  • To troubleshoot incidents, prevent abuse, and meet legal obligations
  • To communicate with you about your account, support, or service changes

Legal bases

Depending on your location, we rely on contractual necessity, legitimate interests, consent, and legal compliance to process personal data. Our legitimate interests include securing the service, preventing abuse, debugging failures, and improving reliability.

AI providers and data retention

We may send prompts and related workspace content to AI providers that power the service, such as Anthropic, OpenAI, OpenRouter, or Google Gemini. Which provider receives content depends on the model and credentials configured for the run. If your organization supplies its own API keys, those requests run through your configured provider accounts.

AI providers may temporarily retain request data in accordance with their own policies. For example, as of the date of this policy, Anthropic and OpenAI retain API inputs for up to 30 days for trust and safety purposes and do not use API data to train models by default. Google retains Gemini API data in accordance with its Cloud data processing terms. We encourage you to review each provider's data-handling policies directly, as they may change.

Cookies

We use session, CSRF, and short-lived OAuth flow cookies to authenticate users, protect against request forgery, carry invitation state, and complete login or integration flows. We do not use third-party advertising cookies or cross-site tracking cookies on the hosted service.

Sharing and subprocessors

We share data with service providers and infrastructure partners only as needed to operate 143.dev, including hosting, storage, source control, authentication, issue-tracking, collaboration, email, and AI inference providers. We do not sell personal information and we do not share personal information for cross-context behavioral advertising.

A current list of our subprocessors is available upon request by contacting privacy@assembled.com.

International transfers

We and our service providers may process data in the United States and other countries where we or they operate. Data-protection laws in those locations may differ from the laws where you live.

Retention

We retain data for different periods depending on the category and purpose:

  • Account information - retained while the account is active and for a reasonable period after account closure to support recovery, dispute resolution, or legal obligations
  • Authentication and session data - session tokens expire after 30 days; audit records (including login events) are retained for a default of 90 days, configurable by your Organization
  • Agent and workspace data - session messages, generated diffs, and logs are retained while the workspace is active; temporary workspace snapshots are cleaned up shortly after a session becomes idle or completes
  • Technical and security data - IP addresses, request identifiers, and audit events are retained for a default of 90 days for security and compliance purposes, configurable by your Organization
  • Webhook data - webhook payloads may be retained for operational and debugging purposes and deleted according to internal retention schedules
  • Backups - deleted data may persist in backups for a limited period after deletion before being purged

Specific retention periods may vary based on product settings configured by your Organization, applicable legal obligations, or ongoing security investigations. Where required by law, we will retain data for the minimum period necessary to comply.

Your rights and choices

Depending on your location, you may have rights to access, correct, delete, export, or object to certain processing of personal data. If a request relates to organization-controlled content, we may direct you to your organization administrator first.

Residents of certain U.S. states have additional rights under applicable privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Delaware Personal Data Privacy Act, and similar state statutes. These rights may include the right to know what personal data we collect and how it is used, the right to request deletion, the right to opt out of the sale or sharing of personal data (we do not sell personal data), and the right to non-discrimination for exercising your rights. To make a request, contact us at privacy@assembled.com.

European and UK users

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you may have additional rights under the General Data Protection Regulation (GDPR) or the UK GDPR, such as the right to access, correct, delete, restrict, or port your personal data. To exercise any of these rights, contact us at privacy@assembled.com.

Security

We use administrative, technical, and organizational safeguards designed to protect data handled by the hosted service. For more detail, see our Security page.

Children

143 is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

Changes

We may update this policy from time to time. If we make material changes, we will update the date at the top of this page and may provide additional notice where required.

Contact

For privacy questions, reach us at privacy@assembled.com.