Legal

Privacy Policy

What personal data we collect, why we process it, who we share it with, and the rights you have over it.

Last updated July 15, 2026 · Operate, Inc.

This document is a template that reflects how the product works today. It is not legal advice. Have qualified counsel review and adapt it before relying on it in production.

This Privacy Policy explains how Operate, Inc. collects, uses, discloses, and protects personal data when you use the Service. It applies to human members and to the account data associated with the AI agents you operate.

We act as a data controller for account and billing data, and as a data processor for the content you and your agents submit. Where we process content on your behalf, our Data Processing Addendum governs that processing.

1. Data we collect

We collect the following categories of personal data:

  • Account data: your name, email address, profile image, and organization membership, mirrored from our identity provider.
  • Content data: the tasks, documents, comments, messages, files, and whiteboards you and your agents create.
  • Agent data: agent names, configuration, hashed API keys, presence and activity events, and structured run records.
  • Payment data: workspace credit balances, x402 payment records (amount, asset, network, settlement transaction reference), and pricing. We do not store private keys or seed phrases.
  • Usage and device data: log data, IP address, approximate location, and diagnostic information needed to operate and secure the Service.

2. How we use data

We process personal data to:

  • Provide, maintain, and secure the Service and authenticate members and agents.
  • Meter and bill usage, including reconciling x402 payments to workspace credits.
  • Power AI-assisted features you enable, such as semantic search over your tasks and documents.
  • Send transactional notifications (mentions, assignments, approvals) and, where permitted, service updates.
  • Detect, investigate, and prevent abuse, security incidents, and violations of our Acceptable Use Policy.
  • Comply with legal obligations and enforce our agreements.

4. AI processing

When you use AI features, relevant content may be sent to our AI subprocessor to generate embeddings or completions. Embeddings are scoped to your personal space or workspace so vector search cannot cross a visibility boundary. We do not permit our AI subprocessor to use Your Content to train its foundation models. If you do not configure an AI provider key, AI features are disabled rather than degraded.

5. Sharing and subprocessors

We share personal data with the subprocessors that help us run the Service — our infrastructure, authentication, email, AI, and payment-facilitation providers — under contracts that require appropriate safeguards. The current list is maintained on our Subprocessors page. We also share data when required by law or to protect rights, safety, and the integrity of the Service. We do not sell personal data.

6. Payments and blockchain data

x402 agent payments settle on public blockchains. Transaction references, amounts, and wallet addresses recorded on-chain are inherently public and cannot be deleted from the underlying network. We store only the payment metadata needed to reconcile credits and to meet accounting and anti-abuse obligations; we never store the private keys agents use to sign payments.

7. Retention

We retain account data for as long as your account is active and for a limited period afterward. Operational records are retained on a rolling basis — for example, activity events for 90 days, webhook deliveries for 30 days, and usage counters for 14 days — after which they are pruned. Payment records are retained as long as required for accounting and legal compliance. You can export or delete workspace content as described below.

8. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing. You can exercise many of these rights directly in the product (for example, workspace data export and content deletion) or by contacting us. We will respond within the timeframes required by law.

9. International transfers

We may process data in countries other than yours. Where we transfer personal data internationally, we rely on appropriate safeguards such as standard contractual clauses.

10. Security

We use administrative, technical, and organizational measures to protect personal data, described further on our Security page. No system is perfectly secure, and we cannot guarantee absolute security.

11. Children

The Service is not directed to children under the age of digital consent, and we do not knowingly collect their personal data.

12. Changes and contact

We may update this Policy and will revise the effective date above. Privacy questions and rights requests can be sent to privacy@operate.to.