Privacy policy (buyer summary)

Last updated: April 28, 2026 · Applies to the marketing site and describes the product behavior of the Private AI-in-a-Box kit.

1. Scope

Private AI-in-a-Box is a self-hosted digital product: you download a starter kit and deploy it into your AWS account. The author of the kit does not operate the runtime on your behalf and does not receive your prompts or model outputs from your deployment by default.

This page covers (a) what the application code in the kit is designed to do regarding persistence and logging, and (b) high-level notes about Amazon Bedrock as the model provider inside your account.

2. Product behavior (MVP)

The following reflects the privacy posture described in the shipped docs/privacy.md and is accurate for the current MVP design. If you have modified the code or environment variables, your deployment may differ.

3. Default behavior (privacy-first)

• No conversation logging by default. The API processes prompts and returns responses but does not persist prompts or responses to disk, a database, or S3 unless you explicitly enable logging.
• Nothing about prompts or responses is written to persistent storage in the default configuration.
• Usage counters (request count and token totals when available) may be tracked in memory and reset on process restart — an MVP limitation documented in the product.

4. Optional logging (explicit opt-in)

Logging is controlled by environment configuration (see shipped docs for exact variable names):

• With logging disabled (default), content is not written to durable storage.
• With logging enabled, the backend may write events to a local JSONL file during development, and in AWS Lambda to ephemeral /tmp — see product docs for paths and retention implications.
• If you configure an S3 bucket for logging in your AWS account, the backend may write event JSON objects to that bucket — still under your control, not the kit author’s infrastructure.
• The web UI is designed to show a prominent warning when logging is enabled.

5. Amazon Bedrock and your AWS account

The kit is Bedrock-only: model inference is intended to go through Amazon Bedrock in your AWS account, subject to AWS’s terms, pricing, logging, and compliance offerings. You configure regions, model access, IAM, and monitoring.

Using Bedrock may generate AWS service logs, billing records, and CloudTrail / observability data according to your account settings. That is outside this application’s codebase and is governed by your relationship with AWS.

6. What this MVP does not include

The shipped product documentation states that the MVP does not provide, among other things:

• Automatic redaction of sensitive content in prompts or responses
• PII detection or classification
• Multi-tenant separation (the kit uses a simple admin-token style model)

No enterprise compliance warranty is sold with the kit. If you need SOC2, HIPAA, FedRAMP, or similar, that is a separate program of work with your auditors and AWS.

7. This marketing website

The static site you are reading may be hosted on a provider such as Firebase Hosting. That provider may process standard web server logs (IP, user agent, timestamps) according to its own privacy policy. The landing page does not embed third-party analytics in the stock template; if you add analytics, update this section accordingly.

8. Purchases (Gumroad)

If you buy the product on Gumroad, Gumroad processes payment and delivery according to Gumroad’s policies. The kit author does not receive your AWS credentials or Bedrock prompts through Gumroad checkout.

View on Gumroad

9. Changes

The shipped docs/privacy.md may be updated in product releases. This web summary may be updated independently; the Last updated date at the top reflects this page only.

10. Contact

For questions about this policy page or the product, use the contact method you publish with the product (for example your support email or Gumroad message). If you have not configured a public contact yet, add one on your Gumroad seller profile.