Legal

Privacy Policy

Last updated July 10, 2026

This Privacy Policy for OrgSDK ("OrgSDK", "we", "us", or "our") explains how and why we collect, use, store, disclose, and otherwise process personal information when you use our websites at orgsdk.ai and app.orgsdk.ai, our hosted agent operations platform, or related services that link to this policy (collectively, the "Services").

Questions or concerns? Reading this policy will help you understand your privacy rights and choices. If you do not agree with our practices, do not use the Services. Contact us at [email protected].

Summary of key points

  • What information do we process? Account and organisation details, Customer Content, connected credentials, billing records, support messages, and technical and usage information needed to operate the Services.
  • Do we process sensitive information? OrgSDK does not require sensitive personal information, but Customer Content and connected services are controlled by customers and may contain information they choose to submit.
  • Do we receive information from third parties? We receive information from services you connect, payment and authentication providers, service providers, and other sources described below.
  • Why do we process information? To provide, secure, administer, support, and improve the Services; process billing; communicate with you; prevent abuse; and comply with law.
  • Do we sell personal information? No. We do not sell personal information or Customer Content for money. We also do not use Customer Content to train our own AI models. External AI providers process data under their own terms, settings, and data-handling commitments.
  • How can you exercise your rights? Contact [email protected]. We will respond in accordance with applicable privacy law.

Table of contents

  1. What information do we collect?
  2. How do we process your information?
  3. When and with whom do we share information?
  4. Cookies and other tracking technologies
  5. Connected services and credentials
  6. International transfers
  7. Data retention
  8. Children and minors
  9. Your privacy rights
  10. Do-not-track and preference signals
  11. Updates to this policy
  12. Contact us
  13. Review, update, or delete your data

1. What information do we collect?

Information you provide

We collect personal information you provide when you register, purchase or use the Services, configure an organisation, communicate with us, or otherwise submit information. This may include:

  • name, email address, password-derived authentication data, and account details;
  • organisation membership, roles, permissions, plan selection, and billing status;
  • support, security, legal, sales, and other communications;
  • billing contact details, transaction records, and Stripe customer or subscription identifiers, but not complete payment-card numbers;
  • agents, roles, prompts, messages, workflows, schedules, approvals, run logs, notes, artifacts, files, tables, documents, and other Customer Content; and
  • API keys, OAuth tokens, connection metadata, and permissions you provide so agents can use connected services.

Credentials are encrypted at rest in the production Services and are not intentionally logged in plaintext.

Information collected automatically

When you visit or use the Services, we and our providers may automatically collect technical and usage information, including IP address, browser and device characteristics, operating system, language, referring URLs, pages and features used, clicks, timestamps, approximate location derived from network data, errors, workflow activity, and diagnostic information.

Information received from other sources

We may receive information from Stripe, connected plugin and OAuth providers, AI model providers, analytics and email providers, organisation administrators, public sources, and other parties you direct us to interact with. Information received from a connected service depends on the permissions you grant and that service's policies.

2. How do we process your information?

We process personal information to:

  • create accounts, authenticate users, and manage organisations and permissions;
  • provide, operate, host, maintain, troubleshoot, and secure the Services;
  • run agents, workflows, schedules, approvals, model requests, and connected plugins;
  • process subscriptions, usage, payments, invoices, refunds, and account changes;
  • respond to support, billing, privacy, legal, and security requests;
  • send administrative, transactional, security, and service communications;
  • send marketing communications where permitted, subject to your opt-out rights;
  • understand usage, diagnose errors, and improve product reliability and experience;
  • detect, prevent, and investigate abuse, fraud, security incidents, and violations;
  • enforce our Terms and protect users, third parties, and the Services; and
  • comply with legal, regulatory, tax, accounting, and reporting obligations.

Where laws such as the UK GDPR or EU GDPR apply, our legal bases may include performance of a contract, our legitimate interests in operating and securing the Services, compliance with legal obligations, and consent where required. You may withdraw consent at any time without affecting earlier lawful processing.

3. When and with whom do we share information?

We do not sell Customer Content or personal information for money. We disclose information only as described here:

  • Service providers. Vendors process information on our behalf to provide infrastructure, analytics, billing, email, AI model access, security, logging, backups, and service delivery.
  • Connected services. We send information to plugins, APIs, OAuth providers, and other services when you connect them or instruct an agent to use them.
  • Organisation members. Content and account information may be visible to authorised owners, administrators, and members of your organisation according to their permissions.
  • Legal and safety disclosures. We may disclose information to comply with law, legal process, or governmental requests; enforce agreements; investigate fraud or security issues; or protect rights, safety, and service integrity.
  • Business transfers. Information may be disclosed or transferred in connection with financing, due diligence, a merger, acquisition, reorganisation, sale of assets, or similar transaction.
  • With consent. We may disclose information for another purpose when you direct us or give consent.

Current core providers include:

  • Stripe — payment processing, subscriptions, invoices, and billing records;
  • PostHog — website and product analytics, usage measurement, and error diagnostics;
  • Resend — transactional email, service communications, and contact management;
  • OpenRouter — routing requests to AI model providers when the OrgSDK-managed model service is used;
  • Hosting and infrastructure providers — application hosting, compute, networking, storage, logging, backups, and delivery of the cloud service; and
  • AI model and plugin providers selected by you — processing prompts, outputs, files, and actions required to perform your configured workflows.

Providers may change as the Services evolve. We require providers to process information for authorised purposes and subject to applicable contractual and security obligations.

4. Cookies and other tracking technologies

We use cookies, browser local storage, pixels, and similar technologies for authentication, security, preferences, analytics, attribution, and billing flows. The application currently stores authentication session information in browser local storage. Stripe and other providers may use their own technologies on pages or flows they operate.

We use PostHog to understand traffic, signup paths, product usage, and errors. Anonymous website activity is not intentionally associated with an identified profile before signup. After signup or login, product analytics may be linked to an account so we can provide support and improve the Services.

Browser settings can block or delete cookies and local storage, but disabling essential technologies may prevent parts of the Services from working. You can also contact us with questions or requests concerning analytics data.

5. Connected services and credentials

When you connect a third-party account or service, we process credentials, tokens, identifiers, permissions, and data returned by that provider. Your configured agents may send Customer Content to and perform actions through the provider according to the permissions and instructions you set.

Review each provider's permissions, terms, and privacy policy before connecting it. You may disconnect a provider or revoke its credentials, but information already transmitted to that provider remains subject to its policies. We do not control third-party providers' independent processing.

6. International transfers

OrgSDK and its providers may process information in the United States, Australia, and other countries where they operate. Those countries may have privacy laws different from the laws where you live.

Where required, we use recognised legal mechanisms and safeguards for international transfers, which may include contractual protections and adequacy decisions. Contact us for more information about safeguards relevant to your personal information.

7. Data retention

We retain personal information for as long as reasonably necessary to provide the Services and for the purposes described in this policy. Retention depends on the type of information, account status, operational needs, legal obligations, security and fraud risks, dispute resolution, and backup cycles.

Account and Customer Content generally remain while an organisation is active. After cancellation or a verified deletion request, we delete or de-identify information from active systems unless retention is needed for billing, tax, legal, security, fraud-prevention, audit, dispute, or legitimate operational purposes. Residual copies may remain in protected backups until overwritten through ordinary backup cycles.

8. Children and minors

The Services are intended for businesses and are not directed to children. You must be at least 18 years old to create an account. We do not knowingly collect personal information directly from children. If you believe a child has provided personal information, contact us so we can investigate and delete it where appropriate.

9. Your privacy rights

Depending on where you live, you may have rights to request access to, correction of, deletion of, or a copy of personal information; restrict or object to processing; withdraw consent; opt out of certain disclosures or marketing; and appeal or complain to a privacy regulator.

You may update some account information through the Services, use unsubscribe links in marketing emails, or contact us to exercise a right. We may verify your identity and authority before completing a request. Rights may be limited by law, and we may retain information where required or permitted.

California privacy rights

California residents may have rights to know, access, correct, delete, and obtain a portable copy of personal information, and to opt out of sale or sharing for cross-context behavioural advertising. We do not sell personal information for money. We will not discriminate against you for exercising applicable privacy rights.

An authorised agent may submit a request where permitted by law. We may require proof of authority and verification of the consumer's identity.

10. Do-not-track and preference signals

Some browsers provide Do Not Track or Global Privacy Control signals, but there is not yet a universally accepted standard for responding to all such signals. The Services do not currently respond automatically to these signals. You can manage tracking through browser controls or contact us with an applicable privacy request.

11. Updates to this policy

We may update this policy as our products, providers, and legal obligations change. The date at the top identifies the latest revision. If changes are material, we may provide additional notice through the Services or by email as required by law.

12. Contact us

For questions, complaints, or privacy requests, contact:

OrgSDK

Email: [email protected]

You may also have the right to complain to the privacy or data-protection authority where you live.

13. Review, update, or delete your data

To request access to, correction of, export of, or deletion of personal information, email [email protected]. Include enough information for us to understand the request, but do not send passwords, API keys, OAuth tokens, or other secrets by email. We will verify and respond to the request in accordance with applicable law.

This Privacy Policy is effective as of July 10, 2026 and applies to users of OrgSDK.