Privacy Policy

AI Model Training and Development

In Short: We believe in the ethical and legal training of AI models.

We deploy several open-source AI foundational models within our applications, including models that have been fine-tuned by our engineers. We DO NOT use the Google Workspace APIs to train, develop, or improve generalized AI and/or ML models. When we use AI systems for automated decision-making or profiling that may have legal or similarly significant effects, we will notify you and provide mechanisms to opt-out, contest decisions, or request human review as required by applicable laws.

What Personal Information Do We Collect?

In Short: We collect Personal Information that you provide and disclose to us, with specific purposes and legal bases for each category.

We collect Personal Information that you voluntarily provide and disclose to us when, among other things, you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you communicate with and contact us.

The Personal Information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use.

Categories of Personal Information We Collect

Sensitive Personal Information. We may collect sensitive personal information only with your explicit opt-in consent and only for specific, disclosed purposes. We do NOT use sensitive personal information for targeted advertising, especially for users under 18 years of age, in compliance with Maryland's Online Data Privacy Act and similar state laws.

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, such as your LinkedIn, Facebook, X (formerly known as Twitter), or other social media account. If you choose to register in this way, we will collect the information described in the section called "HOW DO WE HANDLE YOUR SOCIAL LOGINS?" below.

All Personal Information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such Personal Information.

Information Collected Automatically

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information.

Like many businesses, we also collect information through cookies and similar technologies. We honor universal opt-out signals, including Global Privacy Control (GPC), as required by Delaware, New Jersey, and other state privacy laws.

How Do We Process Your Information?

In Short: We process your Personal Information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your Personal Information for other purposes with your consent.

We process your Personal Information for a variety of reasons, depending on how you interact with our Services, including:

• To provide and maintain our Services pursuant to our contract with you
• To respond to user inquiries and provide customer support based on our contract and legitimate business interests
• To improve and develop our Services based on legitimate business interests and, where required, your consent
• To ensure security and prevent fraud based on legitimate business interests and legal obligations
• To comply with legal obligations as required by applicable law
• For artificial intelligence and automated decision-making with appropriate safeguards and opt-out mechanisms

Automated Decision-Making and Profiling

We may use automated systems, including AI, to make decisions or create profiles that could affect you. When such processing may produce legal or similarly significant effects, we will:

• Provide clear notice of the automated processing
• Offer the right to opt-out of such processing
• Enable you to contest automated decisions
• Provide access to human review when legally required

What Is Our Legal Basis for Processing?

In Short: We only process your Personal Information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law.

To process your Personal Information, we require a valid legal basis pursuant to applicable law for doing so. This may include:

• Consent: Where you have given clear, informed consent
• Contract: To perform our contractual obligations to you
• Legitimate interests: For our legitimate business purposes, balanced against your rights
• Legal obligations: To comply with applicable laws and regulations
• Vital interests: To protect life or physical safety
• Public interest: For tasks carried out in the public interest

When and With Whom Do We Share Your Personal Information?

In Short: We may share Personal Information in specific situations described in this section and/or with the following third parties.

We may need to share your Personal Information in the following situations:

• Service Providers: With third-party vendors who provide services on our behalf, subject to strict data processing agreements
• Business Transfers: In connection with mergers, acquisitions, or asset sales, with advance notice as required by law
• Legal Requirements: When required by law, court order, or to protect our rights and safety
• With Your Consent: For any other purpose with your explicit consent

We do NOT sell your personal information as defined by applicable privacy laws. We do NOT share personal information for cross-context behavioral advertising without explicit opt-in consent.

Data Protection Assessments

In Short: We conduct risk assessments for high-risk data processing activities.

In compliance with Maryland, Delaware, and other state requirements, we conduct data protection assessments for processing activities that present heightened risks to consumers, including:

• Processing sensitive personal information
• Processing personal information for targeted advertising
• Processing personal information for the sale to third parties
• Processing personal information for profiling that may result in unfair or discriminatory treatment

Do We Use Cookies and Other Tracking Technologies?

In Short: We may use cookies and other tracking technologies to collect and store your Personal Information, with respect for your preferences and universal opt-out signals.

We may use cookies and similar tracking technologies to access or store information. We recognize and honor universal opt-out signals, including:

• Global Privacy Control (GPC)
• Browser-based Do Not Track signals
• Other legally recognized opt-out mechanisms

Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice.

How Do We Handle Your Social Logins?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details. When you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the provider concerned, but will often include your name, email address, friends list, and profile picture.

We will use the information we receive only for the purposes that are described in this privacy notice or that are otherwise made clear to you on the relevant Services.

Is Your Information Transferred Internationally?

In Short: We may transfer, store, and process your Personal Information in countries other than your own, with appropriate safeguards.

We are headquartered in the United States. If you are accessing our Services from outside the United States, please be aware that your Personal Information may be transferred to, stored, and processed by us and our service providers in other countries.

For transfers outside the European Economic Area, we implement appropriate safeguards such as:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by relevant authorities
• Other legally recognized transfer mechanisms

How Long Do We Keep Your Information?

In Short: We keep your Personal Information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.

We will only keep your Personal Information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law. Different categories of personal information have different retention periods based on their purpose:

• Account Information: Until account closure plus 30 days for account-related issues
• Usage Data: 12 months from collection
• Communications: 3 years or as required by law
• Sensitive Information: Only as long as necessary for the specified purpose, then securely deleted

When we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymize such information.

How Do We Keep Your Information Safe?

In Short: We aim to protect your Personal Information through a system of organizational and technical security measures.

We have implemented appropriate technical, administrative, organizational and physical security measures designed to protect the security of any Personal Information we process. These measures include:

• Encryption of data in transit and at rest
• Access controls and authentication systems
• Regular security assessments and updates
• Employee training on data protection
• Incident response procedures

However, no electronic transmission or storage system can be guaranteed to be 100% secure. You should only access the Services within a secure environment.

Do We Collect Information from Minors?

In Short: We do not knowingly collect data from or market our Services to children under 18 years of age, and we provide enhanced protections for minors.

The Services are not directed to or intended for use by children under 18 years of age. We do not knowingly solicit data from or market our Services to children under 18 years of age.

‍Enhanced Minor Protections: In compliance with Maryland's Online Data Privacy Act and similar laws:

• We do NOT use personal information for targeted advertising to users under 18
• We do NOT sell or share personal information of users under 18
• We implement age-appropriate design standards where applicable

If we learn that Personal Information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records.

What Are Your Privacy Rights?

In Short: In some regions, you have rights that allow you greater access to and control over your Personal Information.

Depending on your location, you may have the following rights:

Universal Rights

• Access: Request what personal information we hold about you
• Correction: Update or correct your personal information
• Deletion: Request deletion of your personal information
• Portability: Obtain a copy of your information in a usable format
• Opt-Out: Opt out of sales, sharing, targeted advertising, or profiling
• Restriction: Limit certain uses of your personal information
• Object: Object to processing based on legitimate interests

Additional Rights by Jurisdiction

European Economic Area/UK (GDPR):

• Right to object to processing
• Right to withdraw consent
• Right to lodge complaints with supervisory authorities
• Rights regarding automated decision-making

California (CCPA/CPRA):

• Right to know categories and sources of personal information
• Right to opt-out of sales and sharing
• Right to correct inaccurate information
• Right to limit use of sensitive personal information
• Protection against discrimination for exercising rights

Other U.S. States (2025 Laws):

Residents of Delaware, Maryland, Minnesota, Tennessee, and other states with comprehensive privacy laws have similar rights to those outlined above.

Universal Opt-Out Signal Recognition

In Short: We recognize and honor universal opt-out signals as required by law.

Our systems are configured to recognize browser-based universal opt-out signals, including:

• Global Privacy Control (GPC)
• Other legally recognized opt-out mechanisms

When we detect such signals, we will treat them as valid requests to opt-out of the sale or sharing of your personal information and targeted advertising, as required by applicable state laws.

Controls for Do-Not-Track Features and Advertising

In Short: You have choices with respect to your Personal Information and advertising.

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference. We honor DNT signals and similar privacy controls.

You may also opt out of interest-based advertising through:

• Industry opt-out pages
• Individual advertiser opt-out mechanisms
• Platform-specific privacy controls

Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Last updated" date. If we make material changes, we may notify you by:

• Prominently posting a notice of such changes
• Sending direct notification via email
• Other methods reasonably likely to reach you

Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at hello@iterate.ai or contact us by post at:

Iterate.ai
3031 Tisch Way
San Jose, California, United States 95128

For EU/EEA Residents: If you are located in the European Economic Area and believe we are unlawfully processing your Personal Information, you have the right to complain to your local data protection authority.

How Can You Review, Update, or Delete the Data We Collect from You?

Based on the applicable laws of your country, state, or province, you may have the right to request access to the Personal Information we collect from you, change that information, or delete it. To request to review, update, or delete your Personal Information, please contact us at hello@iterate.ai.

Response Time: We will respond to your request within the timeframes required by applicable law, typically within 30 days.

Verification: We may need to verify your identity before processing your request. We will only use personal information provided in verification for that purpose and will delete it afterward.

No Discrimination: We will not discriminate against you for exercising your privacy rights.

This privacy policy has been updated to comply with 2025 privacy law requirements, including new state privacy laws, GDPR enforcement guidance, and CCPA/CPRA amendments.