Privacy Policy

When you enable ambient tracking features, the Services may automatically collect contextual data from your digital activity, including but not limited to: web page content and URLs, visible screen content, active application metadata, and document titles ("Ambient Data").

Data is encrypted in transit and at rest using AES-256 encryption and stored in your selected data region. You retain full ownership of all Derived Data and may access, export, or delete it at any time through the Services or by contacting us.

Ambient tracking features are disabled by default and require explicit opt-in. You may disable ambient tracking, limit its scope to specific applications or websites, or pause it temporarily through your account settings.

We do not use your data for advertising, user profiling, or any purpose other than providing the Services as described in this policy.

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following bases as defined in GDPR Articles 6(1)(a)–(f):

• Performance of a contract (Art. 6(1)(b)) — processing necessary to provide the Services you have requested, including account creation, content storage, ambient data processing, and billing.
• Legitimate interests (Art. 6(1)(f)) — processing for purposes such as improving the Services, ensuring security, and communicating relevant product information, where those interests are not overridden by your data protection rights. You may object to processing based on legitimate interests at any time.
• Consent (Art. 6(1)(a)) — where you have given explicit consent, such as for optional marketing communications or enabling ambient tracking features. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation (Art. 6(1)(c)) — processing necessary to comply with applicable laws, regulations, or lawful government requests.

Autographical integrates artificial intelligence capabilities powered by third-party providers, including OpenAI, L.L.C. and Anthropic, PBC (collectively, "AI Providers").

When you invoke AI-powered features, portions of your User Content or Derived Data relevant to the specific feature are transmitted to the applicable AI Provider via encrypted API connections for processing. This data is transmitted solely to generate the requested output and is not stored permanently by the AI Provider.

Our Data Processing Agreements with AI Providers contractually prohibit them from: (i) using your data to train, retrain, or fine-tune any machine learning model; (ii) retaining your data beyond the immediate processing request; (iii) sharing your data with third parties. These agreements include Zero Data Retention provisions.

Data transmitted to AI Providers is not associated with your account identity.

We engage third-party service providers ("Sub-processors") to assist in operating and improving the Services. Each Sub-processor is bound by a Data Processing Agreement that includes obligations substantially equivalent to those in this Privacy Policy regarding confidentiality, data security, and limitation of use.

We do not sell, rent, or trade your personal information. We may disclose your data in the following additional circumstances: (i) when required by law, regulation, legal process, or governmental request; (ii) in connection with a merger, acquisition, or sale of assets, in which case affected users will be notified; (iii) with your explicit consent.

Autographical is hosted on Amazon Web Services (AWS). Your User Content, Derived Data, and account data are stored in the data region you select at account creation or as modified through your account settings.

Certain operational data, including analytics, error monitoring, and support communications, may be processed in the United States regardless of your selected data region. Where personal data is transferred outside the European Economic Area (EEA) or United Kingdom, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision 2021/914).
• Data Processing Agreements with all Sub-processors that include equivalent technical and organizational protections.

You may request information about the specific safeguards applied to international transfers of your data by contacting us at privacy@autographical.ai.

We retain personal information only as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by applicable law.

Upon account deletion, we provide a 30-day recovery window, after which all User Content, Derived Data, and account information are permanently deleted from active systems. Encrypted backups containing deleted data are purged within an additional 30 days.

Billing records are retained for up to seven (7) years in accordance with applicable tax and accounting obligations. Usage and log data are retained in identifiable form for up to twelve (12) months, after which they are aggregated or anonymized such that individual identification is no longer possible.

We use cookies and similar technologies (including local storage and web beacons) to operate the Services, maintain session state, remember your preferences, and analyze usage patterns.

Essential cookies are strictly necessary for the operation of the Services and cannot be disabled. Analytics cookies are set only with your prior consent where required by applicable law (including Directive 2002/58/EC as implemented in EEA member states).

We do not use cookies for advertising or cross-site behavioral tracking. We do not currently respond to Do Not Track (DNT) browser signals, as there is no uniform industry standard for compliance.

If you are located in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR) and applicable local law, including the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21).

To exercise any of these rights, contact us at privacy@autographical.ai. We will verify your identity and respond within thirty (30) days as required by GDPR Article 12(3). In complex cases, this period may be extended by an additional sixty (60) days, with prior notice.

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority under GDPR Article 77.

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), provides you with specific rights regarding your personal information.

Your California rights include: (i) Right to Know — request the categories and specific pieces of personal information collected; (ii) Right to Delete — request deletion of personal information, subject to statutory exceptions; (iii) Right to Correct — request correction of inaccurate personal information; (iv) Right to Opt-Out of Sale/Sharing — we do not sell personal information or share it for cross-context behavioral advertising as defined in CCPA §1798.140(ad); (v) Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact privacy@autographical.ai. We will verify your identity using a reasonable method before processing your request, and respond within forty-five (45) days as required by CCPA §1798.145.

We implement industry-standard technical and organizational measures to protect your personal information, including: encryption of data in transit (TLS 1.2+) and at rest (AES-256); role-based access controls and multi-factor authentication for internal systems; regular security assessments, penetration testing, and vulnerability scanning; and documented incident response procedures.

No method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR Article 33).

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Services. When we make material changes, we will: (i) update the "Last Updated" date at the top of this page; and (ii) provide you with prior notice via the Services or email at least fourteen (14) days before the changes take effect.

Your continued use of the Services after the effective date of a revised policy constitutes acceptance of the updated terms. If you do not agree to the revised policy, you must discontinue use of the Services and may request deletion of your account.