Privacy Policy

1. Who this policy covers

This policy applies to visitors to our marketing sites, registered users, organization administrators, and anyone whose information we process to operate the Services. If you use the Services on behalf of a company or other legal entity, you represent that you have authority to bind that entity, and “you” includes the entity and its users where applicable.

2. Information we collect

We collect information in the following categories, depending on how you use the Services:

• Account and profile data. Name, email address, authentication identifiers, organization or workspace memberships, role assignments, and preferences you set in the product.
• Service usage and technical data. Log data (such as IP address, device type, browser type, timestamps), diagnostic events, feature usage, performance metrics, security signals, and similar metadata needed to operate and protect the Services.
• Content you submit. Text and files you provide to the assistant, prompts, conversation history stored according to your settings, and outputs generated for you. If you upload or connect content from third-party systems, we process it as described in the integrations section below.
• Billing and administration. Where applicable, billing contact details, transaction references, and tax or invoicing information processed by our payment and accounting subprocessors.
• Support and communications. Information you send when you contact us, including email content and attachments, and records of our responses.

We do not knowingly collect sensitive categories of data (such as health information) except where you choose to include them in content you submit—and you should avoid sending us sensitive data unless we have expressly agreed to handle it under a separate agreement.

3. How we collect information

We collect information:

• Directly from you when you register, configure integrations, submit forms, or use chat and related features.
• Automatically through cookies, local storage, and similar technologies as described on our Cookies page.
• From third parties such as identity providers (for example, when you sign in with Google), payment processors, analytics providers where enabled, and integrated services you authorize.

4. Integrations and third-party services

The Services may allow you to connect third-party products (for example Notion, Discord, or Obsidian-related hosting). When you connect an integration, we receive and process information in accordance with the permissions and OAuth scopes you grant. Those providers process data under their own terms and privacy policies; we are not responsible for their practices, though we select integrations with care and design access to follow least-privilege patterns where possible.

You can disconnect integrations from in-product settings where supported. Disconnecting stops new data pulls subject to reasonable propagation delay and retention rules below.

5. Purposes of processing

We use information to:

• Provide, maintain, secure, and improve the Services;
• Authenticate users, enforce access controls, and manage organizations and roles;
• Operate AI features you invoke, including generating responses and, where enabled, tool calls;
• Detect, prevent, and respond to fraud, abuse, and security incidents;
• Comply with law, enforce our terms, and defend legal claims;
• Analyze aggregated or de-identified usage to understand product performance;
• Communicate with you about the Services, updates, and support; and
• Process payments and maintain financial records where applicable.

6. Legal bases (EEA, UK, and similar regions)

Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases: performance of a contract (providing the Services you request), legitimate interests (securing and improving the product, internal analytics that do not override your rights), consent (where required for non-essential cookies or marketing), and legal obligation.

7. Automated decision-making and AI

Certain features use machine learning models to generate text or suggestions. Outputs are probabilistic and may be incorrect or incomplete. We do not use these systems for decisions that produce legal or similarly significant effects about you without human review unless we explicitly disclose otherwise and provide any rights required by law.

8. How we share information

We may share information with:

• Service providers and subprocessors who host infrastructure, provide authentication, deliver email, process payments, monitor security, or support customer success, bound by confidentiality and processing terms.
• Your organization, where you use a company workspace—admins may be able to see membership, usage summaries, and configuration consistent with product design.
• Professional advisers (lawyers, accountants) under professional obligations of confidentiality.
• Authorities when required by law, regulation, legal process, or to protect rights, safety, and security.
• Business transfers in connection with a merger, acquisition, or asset sale, subject to appropriate safeguards and notice where required.

We do not sell personal information as that term is commonly defined in U.S. state privacy laws.

9. International transfers

We may process and store information in the United States and other countries where we or our subprocessors operate. If we transfer personal data from the EEA, UK, or Switzerland to countries not deemed adequate, we use appropriate safeguards such as Standard Contractual Clauses or other mechanisms recognized under applicable law, supplemented by technical and organizational measures.

10. Retention

We retain information for as long as necessary to fulfill the purposes described in this policy, unless a longer period is required or permitted by law. Retention depends on the nature of the data: account records typically persist for the life of the account plus a reasonable period thereafter; logs may be kept for shorter rolling windows; conversation content may be retained according to product settings, workspace policy, or your deletion requests, subject to backups and legal holds.

11. Security

We implement administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, or alteration. No method of transmission or storage is completely secure; you use the Services at your own risk to that extent. You are responsible for maintaining the confidentiality of credentials and for configuring integrations consistent with your security policies.

12. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, or export personal data; to object to or restrict certain processing; to withdraw consent where processing is consent-based; and to lodge a complaint with a supervisory authority. You may also have rights regarding automated decision-making where applicable law provides them.

To exercise rights, contact us using the details below. We may need to verify your request. Organization administrators may need to act on behalf of workspace users where accounts are enterprise-managed.

Marketing emails, where sent, include unsubscribe instructions. Essential service and security notices may continue regardless of marketing preferences.

13. Children

The Services are not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will take appropriate steps to delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version with a new effective date and, where changes are material, provide additional notice as required by law (for example via email or in-product banner).

15. Contact

For privacy questions or requests, contact us through our contact page. If you designate a data protection officer or EU/UK representative in the future, add their details here after counsel review.