What we collect, why we collect it, and how to ask us to delete it.
Last updated:
Account data: your name, email address, and password hash when you sign up.
Service data: OAuth tokens you connect (for example Gmail) so your agent can act on your behalf, and a log of your agent's activity (messages it sent, tasks it ran, errors it hit).
Billing data: your Stream (streampay.sa) consumer ID, subscription state, and invoice history. We do not store full card numbers — Stream handles that.
Operational data: IP address, browser, and basic device info when you use the site, to keep it working and to fight abuse.
We only collect what we need to run the service you paid for: provisioning your agent, connecting it to the tools you choose, billing you correctly, and supporting you when something goes wrong.
We do not sell your data. We do not use the content of your emails, calendar, or agent conversations to train models.
Cloud hosting and infrastructure providers — run the application and database behind the service.
Stream (streampay.sa) — processes your subscription and stores your payment method.
An email delivery provider — sends transactional emails (welcome, billing, security alerts).
Google — receives the OAuth authorization when you connect Gmail; we receive an access token in return.
We only share what each provider needs to do its job, and only for as long as needed.
While your subscription is active, we keep your account and service data so the agent can do its work.
Billing records are kept for one year after cancellation, as required for accounting and tax.
On request, we will delete everything except records we are legally required to keep. Email [email protected] and we will action it within 30 days.
Under the Saudi Personal Data Protection Law (PDPA), you have the right to:
Access — ask for a copy of the personal data we hold about you.
Correct — ask us to fix anything that is wrong or out of date.
Delete — ask us to remove your data (subject to the retention above).
Withdraw consent — disconnect any OAuth connection at any time from your dashboard.
To exercise any of these rights, email [email protected].
Customer secrets — OAuth tokens, API keys — are encrypted at rest with AES-256-GCM.
Your agent runs in a multi-tenant system where every request is scoped to your account; customers' data is isolated from one another in code.
We use HTTPS everywhere and we never log full request bodies, secrets, or personal data.
When we make material changes to this policy, we will email you and update the 'Last updated' date at the top.
Questions about this policy or your data?