1. Information we collect
We collect: account data (name, email, password hash, billing contact), workspace data (agent definitions, agent transcripts, knowledge files, run logs, memory contents, event streams, attachments), integration credentials you connect (encrypted at rest), payment metadata via Stripe (we do not store full card numbers), communications you send us, usage and product analytics (page views, feature usage, performance metrics), and technical data (IP address, user agent, device identifiers, log files, cookies). When you invoke our Service from an external agent (Claude, ChatGPT, Cursor, or another platform), we also collect the request payload and any associated metadata.
2. How we use information
We use information to: operate, secure, support, and improve the Service; authenticate you and your agents; bill you and detect fraud; communicate with you (transactional, security, and service messages, and, if you opt in, product updates); train internal models on aggregated and de-identified data; enforce our terms, including the AUP; comply with the law and respond to lawful requests; and pursue our legitimate business interests in product analytics, research, and benchmarking.
We do not train foundation models on your private workspace content. We do not sell personal data. We do not share personal data with third parties for their independent marketing.
3. Legal bases (EEA, UK, Switzerland)
Where GDPR applies, we rely on: contract performance (to deliver the Service you signed up for), legitimate interests (security, fraud prevention, product improvement, aggregated analytics), legal obligation (tax, audit, lawful requests), and consent where required (marketing emails, certain cookies).
4. Sharing and sub-processors
We share information with: sub-processors that help us operate the Service (see /legal/sub-processors); foundation model and voice/browser providers when you instruct an agent to use them; integration providers you connect (Gmail, GoHighLevel, Resend, etc.) under your control; professional advisors and authorities when required by law or to protect rights, safety, or property; and successors in connection with a merger, acquisition, or sale of assets.
5. International transfers
We are based in the United States. We process data in the United States and other countries where our sub-processors operate. For transfers out of the EEA, UK, or Switzerland we rely on the EU Standard Contractual Clauses, the UK addendum, and equivalent safeguards.
6. Retention
We retain account data while your account is active and for up to 12 months after closure (or longer if required by law, for dispute resolution, or for audit). Run logs are retained for 90 days on Starter, 1 year on Pro, and a contracted period on Enterprise. Suppression-list entries are retained indefinitely to honor unsubscribes. Backups follow our standard rolling retention schedule.
7. Your rights
Depending on where you live, you may have rights to access, correct, port, delete, restrict, or object to the processing of your personal data, and to withdraw consent. Workspace owners can export and delete workspace data from settings. To exercise other rights, use our contact form. We will respond within the timeframes required by applicable law. You may also lodge a complaint with your local data protection authority.
8. Security
We use envelope encryption for credentials, TLS in transit, isolated worker runtimes, scoped OAuth tokens with rotation, and audit logging. See /security for details. No system is perfectly secure; you remain responsible for safeguarding your own credentials and end-user data.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect their data. If you believe a child has provided us personal data, contact us and we will delete it.
10. Cookies and tracking
We use strictly necessary cookies and limited first-party analytics. See /legal/cookies. We do not run cross-site advertising trackers.
11. Changes
We may update this policy from time to time. Material changes will be announced by email or in-app with reasonable notice. Continued use after the effective date constitutes acceptance.
12. Contact
For any privacy question or request, use our contact form.