Privacy Policy

Last Updated: December 1, 2025

Kulp Labs Private Limited ("Platoona", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and safeguard personal information when you access our website, platform, and AI-powered workspace (collectively, the "Services").

By accessing or using Platoona, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.


Contact Information

Kulp Labs Private Limited

804, Runwal Gardens

Bhadra Nagar, Kalyan-Shil Road

Kalyan, Maharashtra 421204, India

Email (Primary Support & Privacy): support@platoona.com

General Support: support@kulp.ai

Business Hours: Monday – Friday, 10 AM – 6 PM IST (Indian Standard Time)


1. Information We Collect

We may collect the following categories of personal data when you use Platoona:

1.1 Information You Provide Directly

  • Account Information: Email address, full name, organization name, job role, use case (personal or work), profile avatar, and account settings.
  • Authentication Data: One-time password (OTP) codes for email verification, Google OAuth information (Google ID, email, profile name) and other sign-in data.
  • Workspace Information: Workspace names, descriptions, member roles, invitation details, and related configuration data.
  • AI Agent Data: Custom agent configurations including names, descriptions, objectives, tone preferences, system prompts, tool selections, and avatar images.
  • Conversation Data: Messages, prompts, chat content, conversation titles, group settings, and file attachments shared in conversations with AI agents or other users.
  • Task & Project Information: Task titles, descriptions (including rich text content), status, priority levels, due dates, assignees, tags, subtasks, and related metadata.
  • Document & Knowledge Base Content: Knowledge base documents, folder structures, document titles, rich-text content, and document links, including content stored in Platoona Brain.
  • Integration Credentials & Settings: OAuth tokens, API keys, connection information, and configuration for third-party services you authorize (e.g., Gmail, Google Calendar, Slack, GitHub, etc.).
  • File Uploads: Files you upload, including images, documents, videos, audio files, and other media, as well as file metadata (filename, size, type).
  • Workflow Automation & Flows: Flow configurations, trigger settings (schedules, webhooks, event-based triggers), automation logic, and execution history.
  • Payment & Billing Information: Billing details and payment identifiers processed via Stripe (we do not store full credit card numbers; we receive transaction information, last 4 digits, and billing addresses as needed for invoicing and compliance).
  • Communications: Feedback, bug reports, feature requests, customer support messages, email communications, and any other correspondence with us.

1.2 Information Collected Automatically

When you access or use the Services, we automatically collect certain information:

  • Usage Information: Pages visited, features used, buttons clicked, flows executed, agents invoked, time spent on pages, and interaction patterns.
  • Device Information: Device type, operating system, browser type and version, screen resolution, and device identifiers.
  • Connection Data: IP address, approximate location (derived from IP), WebSocket and session identifiers, login timestamps, and session metadata.
  • Log & Diagnostic Data: Server logs, API request and response logs, error reports, crash traces, and internal diagnostic information.
  • Performance Data: Service performance metrics, latency, load times, and system availability metrics.

1.3 Information from Third-Party Sources

  • OAuth Providers: Profile information from Google or similar services when you sign in via OAuth (e.g., name, email, profile picture, unique ID).
  • Connected Integrations: Data accessed from services you connect (e.g., emails, calendar events, files, chat messages, CRM records) as required to perform the actions you explicitly configure or trigger.
  • Payment Processors: Transaction details, billing status, payment method summary (e.g., last 4 digits of card), and subscription status from Stripe or similar providers.

2. How We Use Your Information

We use your information for the following purposes:

2.1 Service Delivery

  • Provide, maintain, and improve our AI workspace platform and related Services
  • Process AI agent requests and generate responses
  • Execute workflow automations and integrations
  • Manage tasks, documents, knowledge bases, and Platoona Brain data
  • Facilitate real-time chat and collaboration
  • Store and manage file uploads
  • Enable multi-user workspaces and team collaboration

2.2 Account & Authentication

  • Create and manage user accounts and workspaces
  • Verify email addresses and authenticate users
  • Send OTP codes and magic links for login
  • Process workspace invitations and manage membership
  • Manage access permissions, roles, and workspace admin controls

2.3 Billing & Payments

  • Process subscription payments and manage billing cycles
  • Handle invoices, refunds, and payment disputes
  • Maintain accounting records and comply with tax laws
  • Detect and prevent fraudulent or unauthorized transactions

2.4 Communications

  • Send transactional messages (e.g., login codes, invitations, notifications)
  • Respond to support requests and user inquiries
  • Send service-related announcements and important updates
  • With your consent, send newsletters and marketing communications (which you may opt out of at any time)

2.5 Service Improvement, Personalization & Analytics

  • Analyze usage patterns and performance to improve usability
  • Maintain context and personalization for your specific account and workspace only
  • Develop and improve features (Agents, Flows, Brain, Integrations, Marketplace, etc.)
  • Monitor system health, troubleshoot technical issues, and perform internal research and development

Important: We use your data to personalize Platoona for you and your workspace, not to train generalized models across customers, except as required or permitted under specific AI provider policies (see Section 4).

2.6 Security & Compliance

  • Detect, prevent, and investigate fraud, abuse, and unauthorized access
  • Enforce our Terms of Service and other policies
  • Respond to legal requests and comply with applicable laws and regulations
  • Protect the rights, property, and safety of Platoona, our users, and the public

4. AI Processing, No Training with User Data & Third-Party AI Providers

4.1 AI Data Processing

When you use AI agents in Platoona, your messages, prompts, uploaded files, Brain context, and relevant workspace data may be sent to third-party AI service providers to generate responses. This processing is essential for the core functionality of the platform.

We use your inputs to:

  • Provide the requested AI responses and features
  • Maintain relevant context for your sessions and workspace
  • Personalize the experience for your account and workspace

No General Model Training with Your Data: We do not use your prompts, messages, Brain data, Flows, or Agent interactions to train generalized machine learning models for use across other customers, except as required by or explicitly allowed under the terms of specific AI providers and only in compliance with applicable law.

4.2 How We Use AI

Platoona uses AI to power platform features such as the Flow Builder assistant, which helps you create and configure automation workflows. Additionally, users may optionally add AI nodes to their flows if they choose to do so — this is entirely user-initiated and user-controlled.

Important: Data from connected integrations (such as Google, Meta, LinkedIn, etc.) is not sent to AI providers by Platoona. Integration data flows only within the specific automation workflow you configure and is used solely for the intended integration functionality.

When you interact with AI features (e.g., chat with agents, use the Flow Builder assistant), we may send:

  • User messages, prompts, and queries you directly provide to AI features
  • Conversation history and relevant context within AI conversations
  • File attachments you explicitly share in AI conversations (e.g., documents, images)
  • Agent system prompts and instructions
  • Workspace context (e.g., user names, task information, Brain data) when necessary for accurate AI responses

4.3 Third-Party Integration Data (Google, Meta, LinkedIn, etc.)

When you connect services like Google, Meta, LinkedIn, or similar providers:

  • We access only the data that is necessary for the specific features you enable (e.g., reading calendar events, emails, or contacts to fulfill an automation you set up).
  • We use such data only for the intended functionality you have requested (for example, syncing events, sending emails, or executing workflow actions).
  • We do NOT send integration data to AI providers. Your Google, Meta, LinkedIn, or other third-party data remains within the integration workflow and is not transmitted to any AI models or AI service providers.
  • We do not use third-party integration data for:
    • Sending to AI models or AI service providers
    • Advertising or cross-platform profiling
    • Training generalized AI models
    • Selling or renting to unrelated third parties

You may revoke access at any time via the third-party provider's settings or via Platoona's integration settings.

This clause is designed to align with the data protection expectations of Google OAuth, Meta Platform, LinkedIn, and similar providers.


5. Intellectual Property & User Content Ownership

5.1 Platform Ownership

All intellectual property related to the Services — including software, designs, workflows, models, algorithms, text, visual assets, trademarks, and branding — is owned by Kulp Labs Private Limited or its licensors.

5.2 User Content & Outputs

  • You retain ownership of the inputs you provide (e.g., prompts, files, Brain entries, tasks, documents) and the outputs generated for you through the Services, to the extent permitted by law and by any applicable third-party model or content terms.
  • We do not claim IP rights over your underlying business data, documents, or the content you create using Platoona, except for the limited license described below to operate the Service.

5.3 License to Operate the Service

You grant us a limited, worldwide, non-exclusive, royalty-free license to host, store, process, transmit, and display your content only as necessary to:

  • Provide, maintain, and improve the Services
  • Operate Agents, Flows, Integrations, and Brain
  • Ensure security, troubleshoot issues, and perform backups

5.4 Feedback

If you provide feedback, suggestions, feature ideas, or comments about Platoona, you agree that we may use such feedback without restriction or compensation to you, to improve our Services.


6. Information Sharing and Disclosure

We share your information in the following circumstances:

6.1 With Your Consent

We share information when you explicitly authorize us to do so, such as:

  • Connecting third-party integrations (e.g., Gmail, Slack, etc.) via OAuth
  • Sharing workspace content with team members
  • Publishing agents, flows, or assets to the Marketplace
  • Executing integration actions in connected services

6.2 Within Your Workspace

Information shared within a workspace — including conversations, tasks, documents, Brain entries, agents, flows, and files — is visible to workspace members according to role-based permissions configured by workspace admins. See Section 7 for details.

6.3 Service Providers

We share information with third-party service providers that help us operate the Services, including:

  • Cloud hosting providers (e.g., AWS)
  • AI and machine learning providers
  • Payment processors (e.g., Stripe)
  • Email delivery services (SMTP providers)
  • Search and web utilities (e.g., Exa, ScreenshotOne)
  • Authentication providers (e.g., Google OAuth)

These providers are contractually obligated to use your information only to provide services to us and are prohibited from using it for their own independent purposes.

6.4 User-Connected Integrations

When you connect third-party services:

  • You authorize us to access data from those services according to the scopes you approve.
  • That data is processed solely to perform the actions you configure (e.g., read email, create calendar events).
  • The third party's own privacy policy and terms of use also apply.

6.5 Legal Requirements

We may disclose your information if required by law or in the good-faith belief that such action is necessary to:

  • Comply with legal processes, subpoenas, or court orders
  • Respond to government, regulatory, or law-enforcement requests
  • Investigate potential violations of our Terms of Service
  • Detect, prevent, or address fraud, security, or technical issues
  • Protect the rights, property, or safety of Platoona, our users, or the public

6.6 Business Transfers

If Platoona is involved in a merger, acquisition, financing, asset sale, restructuring, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice (e.g., via email or an in-product banner) of any change in ownership or use of your personal information.

6.7 Aggregated & De-Identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you, for research, analytics, statistics, or marketing purposes.


7. Team, Workspace Access & Platoona Brain

7.1 Workspace Access Controls

Platoona is designed for collaborative work:

  • Any member added to a workspace may view, modify, or delete content within that workspace, depending on role-based permissions configured by the workspace administrator.
  • This includes, but is not limited to:
    • Brain entries
    • Agents and their configurations
    • Flows and automation setups
    • Marketplace assets installed into the workspace
    • Tasks, conversations, files, and contextual history

Removing a user from a workspace does not automatically delete the content they created. Workspace administrators retain visibility and control over workspace-level data and configurations.

7.2 Platoona Brain & Persistent Memory Data

Platoona Brain stores information you intentionally save for long-term reference (e.g., organizational details, notes, preferences, client information, and workflow context).

Key principles:

  • Brain data is visible to workspace members according to workspace permissions.
  • Any authorized member may view, modify, or delete Brain entries.
  • Brain data is used only to personalize and improve agent responses for your specific workspace.
  • Brain entries are not used to train generalized models across customers.
  • Brain data can be edited, cleared, or removed as needed.
  • You may request deletion of Brain entries, subject to verification and technical feasibility.

8. Marketplace & Third-Party Integrations

The Platoona Marketplace may include Agents, Flows, templates, and integration connectors published by us or by third parties.

  • When you install or use a third-party component, your data may be processed by systems operated by that third party.
  • Such processing is governed by the third party's own privacy terms and policies, which we do not control.
  • Platoona is not responsible for how third-party publishers handle, secure, or process your data.

You are responsible for reviewing third-party terms and privacy policies before enabling or interacting with those integrations.


9. Automation, Flow Execution Logs & Technical Diagnostics

To ensure reliable execution of automations and security of your workspace, Platoona may store:

  • Execution logs and run histories
  • Error logs, stack traces, and diagnostic information
  • Input and output snippets associated with a Flow or Agent action
  • Status information (e.g., pending, running, failed, completed)
  • Timestamps and step-by-step tracking of automation steps
  • Metadata exchanged with integrated services (e.g., message IDs, event IDs)

These logs are used for:

  • Troubleshooting and debugging
  • Reliability and performance improvements
  • Abuse detection, security monitoring, and compliance
  • Providing you and your team with transparency into automation behavior

Execution logs do not store plaintext passwords or OAuth credentials.


10. Storage of API Keys, OAuth Tokens & Integration Revocation

10.1 Credential Storage

When you connect external services:

  • OAuth tokens and API keys are encrypted at rest and in transit.
  • Credentials are used only to perform the actions you explicitly configure (e.g., read emails, send messages, sync data).
  • We do not store external service passwords.
  • We do not share your credentials with unrelated third parties.

10.2 Integration Disconnection & Revocation

You may disconnect any connected integration at any time:

  • Upon disconnection, tokens and API keys are invalidated or removed from active use.
  • Platoona immediately stops all data syncing and flow executions involving that integration.
  • Data already synced into Platoona remains in your workspace until you or your admin delete it.

You can also revoke access via the third-party provider (e.g., Google's security settings), which will prevent further access by Platoona.


11. Data Storage, Security & Limited Human Access

11.1 Data Storage Location

  • Your data is primarily stored on AWS servers in the Asia-Pacific region (ap-south-1, Mumbai, India).
  • Files (including uploads, attachments, and avatars) are stored in AWS S3.

11.2 Security Measures

We implement industry-standard security measures, including:

  • Encryption: TLS/HTTPS for data in transit and AES-256 or equivalent encryption for data at rest.
  • Authentication & Access Controls: JWT-based authentication with access and refresh tokens, role-based access control (RBAC), and workspace-level permissions.
  • Credential Protection: Encryption and strict access controls for OAuth tokens, API keys, and other credentials.
  • Infrastructure Security: Network isolation, firewall protections, database segregation, automated patches and updates.
  • Monitoring & Rate Limiting: Logging, anomaly detection, rate limiting to protect against brute-force attacks and abuse.

11.3 File Security

Files stored in S3 may use public but non-enumerable, obscure URLs:

  • The URLs are difficult to guess, but anyone with the exact URL can access the file.
  • For highly sensitive or confidential materials, we recommend not uploading them to the platform or using additional encryption before upload.

11.4 Limited Human Access Policy

Platoona employees do not access user content by default. Access may occur only when:

  • Necessary to resolve a support request you initiate
  • Required to investigate a security incident or abuse
  • Needed to troubleshoot a technical failure significantly affecting users

Any such access:

  • Is limited to the minimum scope and duration needed
  • Occurs under strict confidentiality obligations
  • Is logged and subject to internal controls

11.5 Security Limitations & Breach Notification

While we strive to protect your information, no system is completely secure. We cannot guarantee absolute security.

If we become aware of a data breach that affects your personal information:

  • We will notify you and relevant authorities in accordance with applicable law (including within 72 hours for GDPR-covered incidents, where required).

12. Cookies, Local Storage & Tracking Technologies

12.1 Cookies We Use

We use cookies and similar technologies to operate and improve the Services:

  • Essential Cookies: For authentication (e.g., auth_session), security, and core functionality. These are required for the platform to work.
    • Example: The auth_session cookie stores session data and tokens to keep you logged in (expires after ~7 days).
  • Analytics & Performance Cookies (if used): To understand usage patterns and performance for improving the Service. We do not use third-party advertising cookies.
  • Preference Cookies (if used): To remember your settings (e.g., theme preferences, language).

12.2 Local Storage

We may store in your browser's local storage:

  • Authentication data (access and refresh tokens, user profile info)
  • Selected workspace and UI state
  • Feature state (e.g., Flow execution status, task filters, message cache)

12.3 Managing Cookies & Storage

You can control cookies via your browser settings. However:

  • Disabling essential cookies or clearing local storage will log you out.
  • Some features may not function properly without certain cookies or local storage entries.

12.4 Do Not Track

Our Services currently do not respond to "Do Not Track" signals, because we do not rely on third-party cross-site tracking for advertising.


13. Your Rights and Choices (GDPR, UK GDPR, CCPA/CPRA)

13.1 General Rights

Depending on your location, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Request deletion of your personal information (subject to legal retention requirements)
  • Restrict or object to certain processing activities
  • Request a portable copy of your data in a machine-readable format
  • Withdraw consent where processing is based on consent

13.2 GDPR / UK GDPR Rights (EEA & UK Users)

You may also have:

  • The right to lodge a complaint with your local data protection authority
  • The right to object to processing based on legitimate interests
  • The right to be informed about any automated decision-making (we do not use automated decision-making that produces legal or similarly significant effects)

13.3 CCPA/CPRA Rights (California Users)

If you are a California resident, you may have the right to:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: Request deletion of your personal information, subject to certain exemptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information as defined under the CCPA/CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising these rights.

13.4 Exercising Your Rights

To exercise any of the above rights, please contact us at support@platoona.com. We will respond within the timeframe required by applicable law (typically within 30 days).

13.5 Account Management

Within the product, you may:

  • Update profile information (name, organization, role, avatar)
  • Manage workspace members and roles (if you are an admin)
  • Delete or modify messages, tasks, documents, agents, and Brain entries
  • Disconnect third-party integrations and revoke OAuth tokens
  • Leave or delete workspaces, subject to your role and admin policies

14. Data Retention

14.1 General Retention

We retain personal information for as long as necessary to:

  • Provide the Services
  • Fulfil the purposes outlined in this Privacy Policy
  • Comply with legal, tax, and regulatory requirements
  • Resolve disputes and enforce our agreements

14.2 Active Accounts

For active accounts, we generally retain data until you request deletion or close your account.

14.3 Deleted Accounts & Soft Deletion

When you request account deletion:

  • Your account is deactivated and access is removed.
  • Your data is soft deleted (marked as deleted) and excluded from active use.
  • Certain data may remain in backups, logs, or archives for a limited period.

14.4 Hard Deletion Requests

You may request hard deletion of your data by contacting support@platoona.com. Where legally permissible, we will:

  • Permanently delete your personal data from active systems
  • Retain only what is required by law or necessary for legal claims or disputes
  • Allow backup copies to expire and be overwritten in the normal course of business (typically within ~90 days)

14.5 Example Retention Periods

  • OTP Codes: Deleted after expiration (e.g., 10 minutes) or successful use.
  • Workspace Invitations: Deleted after expiration (e.g., 7 days) or acceptance.
  • Log Data: Retained for up to ~90 days for security and troubleshooting.
  • Payment Records: Retained as required by tax and accounting laws (often up to 7 years).

15. International Data Transfers

15.1 Data Storage Location

Platoona is operated from India, and primary storage is on AWS servers in Mumbai (ap-south-1).

15.2 Cross-Border Transfers

Your data may be transferred to and processed in other countries, including:

  • The United States (e.g., for AI providers, email providers)
  • The European Union or other regions, depending on our service providers' infrastructure

15.3 Safeguards

When data is transferred internationally, we implement safeguards such as:

  • Data Processing Agreements with third-party processors
  • Standard Contractual Clauses (SCCs) where required
  • Technical and organizational security measures
  • Encryption in transit and at rest

16. Children's Privacy

Platoona is not intended for individuals under the age of 18.

  • We do not knowingly collect personal information from children under 18.
  • If you are under 18, please do not use the Services or provide personal information.
  • If we learn that we have collected data from a child under 18, we will delete it as quickly as possible.

If you believe we have collected information from a child, please contact support@platoona.com.


17. AI Output Disclaimer

Platoona's Agents and AI systems generate AI-produced content. By using these features, you acknowledge that:

  • AI-generated content may contain errors, inaccuracies, outdated information, or unintended biases.
  • AI outputs should be reviewed and validated by humans before being relied upon.
  • AI outputs do not constitute professional, legal, financial, or medical advice.
  • You are responsible for how you use AI-generated content and any decisions you make based on it.

Use of AI-generated content is at your own discretion and risk.


18. No Data Sales

We do not sell personal information to third parties.

For California and similar jurisdictions, we confirm that we do not "sell" personal information as defined by the CCPA/CPRA or similar laws, nor do we share it for cross-context behavioral advertising.


19. Indemnification

To the extent permitted by applicable law, you agree to indemnify and hold harmless Kulp Labs Private Limited, its directors, employees, and affiliates from and against any claims, damages, liabilities, losses, and expenses (including reasonable attorneys' fees) arising out of:

  • Your misuse of the Services
  • Your violation of this Privacy Policy or the Terms of Service
  • Your infringement or violation of any third party's rights through content you upload or generate using Platoona

This section is intended to complement, not replace, similar provisions in our Terms of Service.


20. Force Majeure

We are not liable for any failure or delay in performing our obligations under this Privacy Policy or in providing the Services where such failure or delay results from events beyond our reasonable control, including:

  • Natural disasters, pandemics, or extreme weather
  • Acts of war, terrorism, or civil unrest
  • Government actions or restrictions
  • Internet or cloud infrastructure failures
  • Power outages, strikes, or other labor disputes

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices or Services
  • Changes in technology or security measures
  • Changes in laws or regulatory guidance

When we make changes:

  • We will update the "Last Updated" date at the top of this Privacy Policy.
  • For material changes, we may provide additional notice (e.g., in-app banner, email notification).

Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated Privacy Policy, you must stop using the Services.


22. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email (Privacy & Support):

support@platoona.com

Mailing Address:

Kulp Labs Private Limited

804, Runwal Gardens

Bhadra Nagar, Kalyan-Shil Road

Kalyan, Maharashtra 421204

India

We typically respond within a reasonable timeframe, usually within 30 days, or as required by applicable privacy laws.

This Privacy Policy was last updated on December 1, 2025. By using Platoona, you acknowledge that you have read and understood this Privacy Policy.