Privacy Policy
This Privacy Policy explains how [LEGAL ENTITY NAME] collects, uses, discloses, stores, and otherwise processes personal data in connection with [PRODUCT NAME].
- Effective date: [DATE]
- Last updated: [DATE]
1. Introduction
This Privacy Policy explains how [LEGAL ENTITY NAME] (“[PRODUCT NAME],” “we,” “us,” or “our”) collects, uses, discloses, stores, and otherwise processes personal data in connection with:
- our website;
- our self-serve software platform for creating and managing AI agents;
- related onboarding, billing, provisioning, diagnostics, support, and account-management features; and
- our communications with customers, prospective customers, and users.
This Privacy Policy also explains your privacy rights and how to exercise them.
2. Who We Are
Data controller
[LEGAL ENTITY NAME]
[REGISTERED ADDRESS]
[COMPANY NUMBER, IF APPLICABLE]
Email: [PRIVACY EMAIL]
Support: [SUPPORT EMAIL]
If we have appointed a Data Protection Officer or EU representative, their details are below:
Data Protection Officer / Privacy Contact
[NAME OR “Not appointed”]
Email: [DPO EMAIL]
EU Representative (if applicable)
[NAME / ADDRESS / EMAIL]
3. Scope
This Privacy Policy applies to personal data processed by us in connection with:
- visits to our public website, documentation, pricing, and legal pages;
- authentication and account creation;
- workspace creation and management;
- subscription billing and payment administration;
- provisioning and operation of dedicated infrastructure for customer workspaces;
- creation and management of agents and channel integrations;
- diagnostics, audit logs, and security monitoring;
- customer support;
- marketing communications, where permitted by law; and
- compliance with legal obligations and enforcement of our terms.
This Privacy Policy does not apply to third-party websites, products, or services that we do not control, even where they are linked from our website or integrated into our service.
4. Roles: When We Act as Controller and When We Act as Processor
4.1 Account, website, billing, and platform administration data
For personal data relating to account registration, authentication, website usage, billing, subscription management, support, fraud prevention, compliance, and internal operations, we act as the data controller.
4.2 Customer end-user and conversation data processed through the platform
Our platform is designed so that certain operational and conversation data are stored on the customer’s dedicated infrastructure rather than centrally in the control plane. Where customers use the platform to process personal data relating to their own end users, contacts, or message senders, the customer is typically the controller of that data and we act as a processor/service provider on the customer’s behalf, subject to our contract with that customer.
In those cases:
- the customer determines why the data are processed and which agent or channel is used;
- we provide and operate the underlying service infrastructure and related support/security functions; and
- the customer is responsible for providing any required notices and obtaining any necessary permissions from its own end users.
Where we independently determine the purposes and means of processing, we may act as a controller for that processing.
5. Categories of Personal Data We Collect
Depending on how you interact with the Service, we may collect the following categories of personal data.
5.1 Account and identity data
- name;
- email address;
- login credentials and authentication data;
- OAuth profile data made available by your identity provider;
- session identifiers and account preferences.
5.2 Workspace and subscription data
- workspace name and slug;
- subscription status;
- billing contact details;
- Stripe customer ID, subscription ID, invoice IDs, and related billing metadata;
- selected plan and pricing history.
5.3 Infrastructure and operational metadata
- provisioning status;
- VPS/service identifiers;
- region and infrastructure metadata;
- system version and health data;
- agent configuration metadata;
- channel configuration metadata;
- event timestamps, activity counts, and diagnostic metadata.
5.4 Support and communications data
- the content of support requests, emails, and related correspondence;
- issue reports, feedback, and appeal submissions;
- records of communications with you.
5.5 Technical, device, and usage data
- IP address;
- browser type and version;
- device and operating system information;
- referral URLs;
- timestamps;
- page views and interaction events;
- cookie or similar identifier data, where used.
5.6 Security and audit data
- access logs;
- account/session activity;
- admin actions and audit events;
- abuse detection signals;
- fraud, security, and enforcement-related records.
5.7 Customer-provided configuration and secret material
During setup, you may provide configuration data and credentials such as API keys, bot tokens, or channel credentials. As described in our product design, our control plane handles these values transiently for validation and secure delivery to the customer environment and is designed not to retain the full secret value in persistent control-plane storage, except where temporary handling is technically necessary to complete setup or rotation. We retain only limited metadata such as masked fingerprints and validation timestamps.
5.8 Customer end-user message metadata
For platform operation, we may process limited metadata about customer end-user interactions, such as message counts, timestamps, and channel identifiers. According to the service architecture, message content is intended to remain on the customer’s dedicated infrastructure rather than in the control plane.
6. Sources of Personal Data
We collect personal data:
- directly from you when you create an account, subscribe, configure the platform, contact us, or otherwise use the Service;
- automatically from your browser, device, and usage of the Service;
- from identity providers when you sign in using OAuth;
- from payment providers and billing tools;
- from infrastructure, security, and support tools we use to operate the Service;
- from channel or API providers when needed to validate your configuration; and
- from your organization or account owner where your access is provisioned through them.
7. Why We Process Personal Data and Our Legal Bases
We process personal data only where we have a lawful basis to do so. The legal basis depends on the context of the processing.
7.1 To provide and operate the Service
Examples: account creation, authentication, workspace creation, provisioning, agent management, channel setup, product functionality, diagnostics, support.
Legal basis: performance of a contract, or steps taken at your request before entering into a contract.
7.2 To administer subscriptions and payments
Examples: creating checkout sessions, managing subscriptions, invoicing, handling payment failures, refunds, pricing changes, and billing support.
Legal basis: performance of a contract; legal obligation for accounting/tax records where applicable.
7.3 To secure the Service and prevent abuse
Examples: rate limiting, session management, fraud screening, security monitoring, audit logs, suspension workflows, protection of infrastructure and accounts.
Legal basis: our legitimate interests in securing the Service and preventing fraud/abuse; legal obligation where applicable.
7.4 To communicate with you
Examples: service emails, onboarding messages, provisioning notices, billing notices, security alerts, support communications, and administrative updates.
Legal basis: performance of a contract, legal obligation, or our legitimate interests in operating the Service.
7.5 To improve and develop the Service
Examples: analytics, troubleshooting, service quality review, performance monitoring, feature improvement, capacity planning.
Legal basis: our legitimate interests in improving, maintaining, and developing the Service.
7.6 To comply with legal obligations
Examples: tax, accounting, sanctions/compliance reviews, lawful requests, dispute management, records retention.
Legal basis: compliance with a legal obligation.
7.7 To send marketing communications
Examples: product updates, events, newsletters, or promotional outreach where permitted by applicable law.
Legal basis: your consent where required, or our legitimate interests where permitted by law. You can opt out at any time.
8. Product-Specific Processing Details
Because of the architecture of the Service, the way data are processed depends on the layer involved.
8.1 Control plane data
The control plane processes data needed to:
- create and authenticate accounts;
- create and manage workspaces;
- manage subscriptions and billing;
- orchestrate provisioning and deprovisioning;
- store platform metadata and audit events;
- show health, diagnostics, and configuration status;
- support users and enforce the service terms.
8.2 Customer dedicated infrastructure
Each customer workspace is designed to run on dedicated customer infrastructure provisioned by us. Based on the product architecture:
- conversation content is intended to be stored on the customer’s dedicated infrastructure;
- control-plane storage is limited primarily to metadata and service administration data;
- backups of conversation content are not centralized by default; and
- data export jobs are triggered from the customer environment and made available to the customer through a time-limited mechanism.
8.3 Secrets and credentials
When you provide API keys, tokens, or channel credentials:
- we may validate them to confirm they work;
- we may securely transmit them to the dedicated customer environment;
- we aim not to store the full secret value permanently in control-plane databases or logs; and
- we may retain masked fingerprints, validation times, and related configuration metadata.
8.4 Diagnostics and logs
We generate logs, health indicators, and audit events to secure and operate the Service. We are committed to avoiding the storage of secret values in logs and to limiting diagnostics to what is reasonably necessary for security, support, and reliability.
9. Cookies and Similar Technologies
We may use cookies and similar technologies on our website and product for purposes such as:
- authentication and session continuity;
- security;
- load balancing and service reliability;
- remembering preferences;
- analytics; and
- measuring site and product performance.
Where required by applicable law, we will request your consent before placing non-essential cookies or similar technologies on your device. You can also manage cookies through your browser settings, though some parts of the Service may not function properly without essential cookies.
If you use a cookie banner or consent manager, you should align this section with the categories and vendors actually deployed on the website.
10. Who We Share Personal Data With
We may share personal data with the following categories of recipients, where necessary and subject to appropriate safeguards.
10.1 Service providers and processors
Including providers of:
- hosting and infrastructure;
- content delivery and DNS;
- payment processing and billing tools;
- email delivery;
- authentication;
- monitoring and logging;
- support tools;
- analytics; and
- security services.
For the product described in your implementation plan, this may include providers such as:
- OVHcloud for infrastructure;
- Cloudflare for DNS and related network services;
- Stripe for payments and billing administration;
- Google, GitHub, and Apple for optional OAuth sign-in;
- Resend, Postmark, or Amazon SES for transactional email, depending on what is actually used; and
- messaging/API providers such as Telegram, Meta/WhatsApp, OpenAI, and Anthropic, where customers configure those integrations.
10.2 Professional advisers and corporate counterparties
Lawyers, auditors, insurers, banks, investors, acquirers, and advisers, where reasonably necessary.
10.3 Authorities and third parties where required by law
Courts, regulators, tax authorities, law enforcement, or other parties where required to comply with law or to protect rights, safety, or security.
10.4 Business transfers
In connection with an actual or proposed merger, acquisition, financing, reorganization, sale of assets, or similar transaction, subject to appropriate confidentiality protections.
11. International Data Transfers
Some of our service providers or integration partners may process personal data outside the European Economic Area. Where personal data are transferred outside the EEA, we will rely on an appropriate safeguard, such as:
- an adequacy decision;
- the European Commission’s Standard Contractual Clauses;
- the EU-U.S. Data Privacy Framework, where applicable; or
- another valid transfer mechanism recognized under applicable law.
You may contact us using the details above to request more information about the safeguards we rely on for relevant transfers.
12. Data Retention
We retain personal data for no longer than necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention periods vary depending on the category of data and the purpose of processing. By way of example:
- account and subscription records: for the life of the account and for a reasonable period afterward;
- billing, tax, and accounting records: for the period required by applicable law;
- security and audit logs: for as long as reasonably necessary for security, fraud prevention, abuse handling, and legal defense;
- support correspondence: for as long as reasonably necessary to manage the support relationship and protect against disputes;
- marketing data: until you opt out or the data are no longer needed;
- customer workspace data in the control plane: until account closure and then according to our deletion/retention schedule;
- customer end-user data on dedicated infrastructure: according to the customer’s configuration and the product’s deprovisioning/deletion workflow.
According to the current product design, following workspace deprovisioning, customer data stored on the dedicated infrastructure are intended to be destroyed, while certain control-plane records may be retained for limited periods for legal, audit, and security reasons.
13. Security
We take appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
These measures may include, as appropriate:
- encryption in transit;
- encryption at rest where applicable;
- role-based access controls;
- audit logging;
- secret redaction in logs;
- session controls;
- network security controls;
- provider due diligence; and
- incident response procedures.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
14. Your Rights
Depending on your location and the circumstances, you may have the right to:
- request access to your personal data;
- request correction of inaccurate or incomplete data;
- request deletion of your personal data;
- request restriction of processing;
- object to processing based on legitimate interests;
- receive a copy of certain data in a portable format;
- withdraw consent at any time, where processing is based on consent; and
- lodge a complaint with a supervisory authority.
To exercise your rights, contact us at [PRIVACY EMAIL]. We may need to verify your identity before responding.
If you are located in France, you may also lodge a complaint with the CNIL. If you are located elsewhere in the EEA or UK, you may contact your local supervisory authority.
15. Marketing Communications
Where we send marketing communications, we will do so in accordance with applicable law. You can opt out of non-essential marketing emails at any time by using the unsubscribe link in the email or by contacting us at [PRIVACY EMAIL].
Please note that you may still receive transactional or service-related communications, such as account, billing, security, support, or legal notices.
16. Children
The Service is not directed to children, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will take appropriate steps.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our processing practices. When we do, we will update the “Last updated” date above. If changes are material, we may provide additional notice through the Service or by email where appropriate.
18. Contact Us
Contact details
[LEGAL ENTITY NAME]
[REGISTERED ADDRESS]
Email: [PRIVACY EMAIL]
Support: [SUPPORT EMAIL]
DPO / Privacy Contact: [DPO EMAIL]
Schedule 1 — Product-Specific Disclosure Addendum
A. Dedicated infrastructure model
Each customer workspace is designed to be provisioned on dedicated infrastructure managed by us. This helps isolate customer workloads and operational data.
B. Localized conversation storage model
According to the current platform design:
- conversation content is intended to remain on the customer’s dedicated infrastructure;
- the control plane stores metadata rather than message content; and
- data export is generated from the customer environment and made available to the customer via a time-limited link.
C. Channel and AI-provider integrations
Customers may choose to integrate third-party providers such as Telegram, WhatsApp, OpenAI, or Anthropic. When those integrations are enabled, relevant data and metadata may be exchanged with those providers in accordance with the customer’s configuration and the provider’s own policies.
D. Authentication methods
The platform may support email magic-link authentication and OAuth sign-in through third-party identity providers such as Google, GitHub, and Apple.
E. Payment processing
Payments are handled by Stripe-hosted checkout and billing tooling. We do not store raw payment card details in the application.
Schedule 2 — Suggested Processor List Section
You may optionally include a live subprocessors section on your website and then reference it here.
Current subprocessors and infrastructure partners may include:
- OVHcloud — infrastructure hosting
- Cloudflare — DNS / networking
- Stripe — payments and subscription billing
- Resend / Postmark / Amazon SES — transactional email
- Google / GitHub / Apple — OAuth identity services
- [ADD ANALYTICS PROVIDERS IF USED]
- [ADD LOGGING / MONITORING PROVIDERS IF USED]
- [ADD CUSTOMER SUPPORT PROVIDERS IF USED]
We may update our service providers from time to time. Where required by law or contract, we will provide notice of material subprocessor changes.
Schedule 3 — Draft Website Footer Short Notice
We use your personal data to create and secure your account, provision and operate your workspace, manage billing, provide support, and comply with legal obligations. Conversation content is designed to remain on your dedicated infrastructure, while the control plane stores service metadata. See our Privacy Policy for full details.