What we collect, why, and what you can do about it. Written in plain language so you can actually read it.
Last updated · April 26, 2026
We collect what we need to run the service, nothing more. We don’t sell your data, and we don’t train shared models on it.
Agents only see the tools and data you connect them to. You can export everything and delete your account at any time.
Account data: name, email, organization, and how you logged in.
Workspace content: the agent definitions you write, the wiki pages they read and write, and the outputs from runs you trigger.
Connection metadata: the tools you authorize (Gmail, Slack, GitHub, etc.) and the OAuth tokens needed to call them on your behalf. Tokens are encrypted at rest.
Usage data: which features you use, when, and from where. We use this to understand the product and to debug.
To run the service: process your prompts, route them to the model providers you select, store results, and write back to your tools.
To improve the product: aggregate, anonymized usage signals — what works, what breaks, where people get stuck.
To support you: respond to messages, troubleshoot issues, send service announcements.
We don’t use your workspace content to train shared models. If you opt into model providers (OpenAI, Anthropic, and others), those calls are subject to that provider’s policy at the time of the call.
Model providers you select, only for the calls you trigger.
Tool integrations you authorize, only for the actions your agents perform.
Sub-processors that help us operate: hosting, error tracking, analytics, billing. We choose ones that meet our security bar and we keep an updated list available on request.
Law enforcement, only when we’re legally required and only to the extent required.
Production data lives in encrypted storage in the United States and the European Union. Backups are encrypted and rotated.
Access to production systems is limited to a small set of engineers, behind SSO and hardware keys, and audited.
Workspace content stays as long as your workspace is active. When you delete a workspace or close your account, we remove your content from production within 30 days, except where we’re legally required to keep records (for example, billing).
Aggregated, non-identifying analytics may persist beyond that.
You can request access to, correction of, or deletion of your personal data at any time. Email privacy@opencompany.com and we’ll respond within 30 days.
If you’re in the EU, UK, or another region with a privacy regulator, you also have the right to lodge a complaint with your supervisory authority.
We use a small set of first-party cookies to keep you signed in and to remember preferences. We don’t use third-party advertising cookies.
For product analytics we use cookieless techniques where possible.
opencompany is not intended for anyone under 16. We don’t knowingly collect data from children. If you believe a child has signed up, contact us and we’ll remove the account.
We’ll post material updates here and notify customers in-product or by email before they take effect. Minor wording changes may go in without notice.
Questions, requests, or concerns? Reach us at privacy@opencompany.com.