Privacy Policy

01.Scope & roles

This Policy covers personal information we process as a “controller” (or “business”) — for example, information about prospects, website visitors, and contacts at client organizations.

When we build and operate AI systems for a client, we typically process that client’s data as a “processor” (or “service provider”) acting on the client’s instructions under a separate Data Processing Agreement (“DPA”) and Master Services Agreement. In that role, the client is the controller and its own privacy notice governs. Section “Client data & AI processing” describes how we handle that data.

02.Information we collect

Information you provide

Contact and inquiry details you submit through forms, email, calls, or booking tools — such as your name, business email, company, role, phone number, and the contents of your message.

Engagement information exchanged while scoping or delivering work, including documents and materials you choose to share.

Information collected automatically

Usage and device data such as IP address, browser type, operating system, referring pages, pages viewed, and timestamps, collected through server logs and analytics.

Cookies and similar technologies (see “Cookies & tracking”).

Information from third parties

Limited business-contact and enrichment data from analytics, advertising, and business-information providers, and information from integrations you authorize.

03.How we use information

• Provide, operate, secure, and improve the Services and our website.
• Respond to inquiries, schedule calls, and deliver proposals and engagements.
• Communicate about projects, updates, and — where permitted — relevant content and offerings.
• Analyze usage to understand and improve performance and content.
• Detect, investigate, and prevent fraud, abuse, and security incidents.
• Comply with legal obligations and enforce our agreements.

We do not sell your personal information, and we do not use client data shared with us under an engagement to train general-purpose models (see “Client data & AI processing”).

04.Legal bases (EEA/UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR/UK GDPR: performance of a contract; our legitimate interests in operating and growing our business (balanced against your rights); your consent (which you may withdraw); and compliance with legal obligations.

05.Cookies & tracking

We use strictly necessary cookies to run the site, plus analytics and (where applicable) advertising cookies to measure and improve performance. You can control cookies through your browser settings and, where required, through our consent banner. Some features may not function without certain cookies.

We honor Global Privacy Control (GPC) signals where required by law as a valid opt-out of sale/sharing for targeted advertising.

06.How we share information

Service providers

Vendors that host our infrastructure, deliver email, process analytics, and support operations, bound by contracts limiting their use of the information.

Professional advisers & legal

Where necessary to comply with law, respond to lawful requests, protect rights and safety, or enforce our agreements.

Business transfers

In connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.

With your direction

When you ask us to share information or use an integration you connect.

07.Client data & AI processing

When we design, deploy, or operate AI agents and related systems for a client, we process the client’s data strictly to provide the contracted Services, on the client’s documented instructions, under a DPA.

• We do not use client data to train general-purpose or third-party foundation models.
• We deploy within the client’s perimeter where required — on-prem, in the client’s cloud/VPC, or air-gapped — so data residency and access controls stay with the client.
• Sub-processors and model providers are disclosed and contractually bound; many engagements use models hosted so that prompts and outputs are not retained for training.
• Access is least-privilege, logged, and time-bound; high-risk agent actions can require human approval.

Specific data-handling commitments for an engagement are governed by that engagement’s DPA and statement of work, which control in the event of any conflict with this Policy.

08.Data retention

We retain personal information only as long as necessary for the purposes described here, to comply with legal, tax, and accounting obligations, to resolve disputes, and to enforce agreements. Retention periods vary by data type and context; client engagement data is retained and deleted per the applicable DPA.

09.Security

We maintain administrative, technical, and physical safeguards designed to protect information, including encryption in transit, access controls, network isolation, logging, and vendor due diligence. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10.International transfers

We are based in the United States and may process information in the U.S. and other countries. Where we transfer personal information from the EEA, UK, or Switzerland, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK Addendum, along with supplementary measures where needed.

11.Your privacy rights

EEA/UK (GDPR)

You may have rights to access, correct, delete, restrict, or object to processing, to data portability, and to withdraw consent. You may also lodge a complaint with your supervisory authority.

California (CCPA/CPRA)

California residents may request to know, access, correct, and delete personal information, and to opt out of “sale” or “sharing” and limit use of sensitive personal information. We do not sell personal information for money. We will not discriminate against you for exercising these rights.

In the prior 12 months we may have collected the following categories: identifiers, internet/network activity, commercial information, professional/employment information, and inferences. We collect these for the business purposes described above.

Other U.S. states

Residents of states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Texas, Utah) may have similar rights.

How to exercise

Submit requests to [email protected]. We will verify your request and respond within the timeframes required by law. You may use an authorized agent where permitted.

12.Children’s privacy

The Services are intended for businesses and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

13.Third-party links

Our Services may link to third-party sites and services we do not control. This Policy does not apply to them; review their privacy notices.

14.Changes to this Policy

We may update this Policy from time to time. We will revise the “Last updated” date and, for material changes, provide additional notice where required. Continued use of the Services after changes take effect constitutes acceptance.

15.Contact us

Questions, requests, or complaints about this Policy or our data practices can be sent to [email protected]. We will work in good faith to resolve concerns.