Privacy Policy

Corporate Labs — AI Agent Organization Platform

Last Updated: March 23, 2026 Effective Date: March 23, 2026

1. Introduction

Corporate Labs ("Company," "we," "us," or "our") is committed to protecting the privacy and personal data of our users. This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use the Corporate Labs platform and related services (the "Service").

This Privacy Policy applies to all users of the Service regardless of location, and is designed to comply with the Israeli Privacy Protection Law, 5741-1981, as amended (including Amendment No. 13) ("Israeli Privacy Law"), the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws.

Corporate Labs is based in Israel. For the purposes of the GDPR, Corporate Labs acts as the data controller with respect to the personal data we collect from you.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, and password (managed via our authentication provider, Clerk).
• Organization Data: Organization names, business goals, descriptions, budget configurations, and communication channel preferences you create within the Service.
• Agent Configurations: AI agent names, job titles, system prompts, model selections, and knowledge base content you define.
• Human Agent Data: Names, job titles, email addresses, phone numbers, departments, start dates, and photographs you enter for human agent profiles within your organizations.
• Uploaded Documents: PDF, DOCX, TXT, CSV, and MD files you upload to agent knowledge bases, which are parsed, chunked, and stored as text.
• Prompts and Chat Messages: Text prompts you submit through the chat interface, which are routed to AI agents for processing.
• Payment Information: Billing details processed through our third-party payment processor. We do not directly store credit card numbers.
• Communications: Emails, support requests, and other communications you send to us.

2.2 Information Collected Automatically

• Usage Data: Pages viewed, features used, click patterns, time spent on pages, and interaction sequences.
• Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
• Log Data: Server logs including access times, error logs, and API request metadata.
• Cookies and Similar Technologies: We use cookies, local storage, and similar technologies as described in Section 8.

2.3 Information from Third Parties

• Authentication Provider (Clerk): Authentication tokens, session data, and account verification information.
• AI Model Providers: We receive API response metadata (token counts, latency, error codes) from third-party AI providers when processing your requests. We do not receive personal data from AI providers about you.
• Payment Processor: Transaction confirmation, billing status, and fraud prevention signals.

2.4 Sensitive Data

We do not intentionally collect sensitive personal data (such as biometric data, genetic data, health information, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation). If you choose to include such information in your prompts, uploaded documents, or agent configurations, you do so at your own risk and acknowledge that such data may be processed by third-party AI providers in accordance with their respective privacy policies.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Operating the Service

• Creating and managing your account.
• Processing your prompts and routing them through AI agent hierarchies.
• Sending your prompts to third-party AI model providers and delivering responses.
• Storing and managing your organization configurations, agent data, and knowledge bases.
• Tracking credit usage and enforcing budget limits.

3.2 Improving the Service

• Analyzing usage patterns to improve features, performance, and user experience.
• Identifying and fixing bugs, errors, and security vulnerabilities.
• Conducting aggregated, anonymized analytics on Service usage.

3.3 Communications

• Sending transactional emails (account verification, password resets, billing confirmations).
• Sending service-related notifications (budget alerts, circuit breaker events, system updates).
• Sending marketing communications (only with your explicit consent, and with an opt-out mechanism in every message).

3.4 Security and Fraud Prevention

• Detecting, investigating, and preventing unauthorized access, fraud, and abuse.
• Enforcing our Terms of Service and Acceptable Use Policy.

3.5 Legal Compliance

• Complying with applicable laws, regulations, court orders, and legal processes.
• Establishing, exercising, or defending legal claims.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area ("EEA"), United Kingdom, or any jurisdiction that requires a legal basis for processing personal data, we rely on the following bases:

• Performance of a Contract: Processing necessary to provide the Service to you pursuant to our Terms of Service (Article 6(1)(b) GDPR).
• Legitimate Interests: Processing for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your rights and freedoms (Article 6(1)(f) GDPR).
• Consent: Processing based on your freely given, specific, informed, and unambiguous consent, such as for marketing communications (Article 6(1)(a) GDPR).
• Legal Obligation: Processing necessary to comply with our legal obligations under applicable law (Article 6(1)(c) GDPR).

5. How We Share Your Information

We do not sell your personal data to third parties. We share your information only in the following circumstances:

5.1 Third-Party AI Model Providers

When you use the Service, your prompts and relevant context are sent to third-party AI model providers (such as OpenAI, Anthropic, and Google AI) for processing. These providers process your data in accordance with their own privacy policies and terms of service. We encourage you to review the privacy policies of any AI providers you configure.

5.2 Service Providers

We share your information with trusted third-party service providers who assist us in operating the Service, including:

• Clerk — Authentication and identity management.
• Payment Processors — Billing and payment processing.
• Cloud Infrastructure Providers — Hosting, storage, and database services.
• Analytics Providers — Aggregated usage analytics.

These providers are contractually bound to use your information only for the purposes of providing services to us and to maintain appropriate security measures.

5.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

6. International Data Transfers

Corporate Labs is based in Israel. Israel has been recognized by the European Commission as providing an adequate level of data protection. However, your data may be transferred to and processed in countries outside of Israel or the EEA, including the United States, where our third-party AI providers and infrastructure providers may be located.

When we transfer personal data outside of Israel or the EEA, we ensure that appropriate safeguards are in place, including:

• Transfers to countries with an adequacy decision from the European Commission or the Israeli Privacy Protection Authority.
• Standard Contractual Clauses ("SCCs") approved by the European Commission.
• Other lawful transfer mechanisms as required by applicable law.

You may request a copy of the safeguards we use for international data transfers by contacting us at privacy@corporate-labs.ai.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Data: Retained for the duration of your account and for thirty (30) days following account deletion to allow for data export.
• Usage and Log Data: Retained for up to twenty-four (24) months for analytics and security purposes, then anonymized or deleted.
• Payment Records: Retained for up to seven (7) years as required by applicable tax and accounting laws.
• AI Prompts and Outputs: Retained for the duration of your account. Deleted within thirty (30) days of account termination.
• Uploaded Documents: Retained for the duration of your account. Deleted within thirty (30) days of account termination or upon your request.

When data is no longer needed, we securely delete or anonymize it using industry-standard methods.

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

• Strictly Necessary Cookies: Required for the Service to function (authentication, session management, security). These cannot be disabled.
• Analytics Cookies: Help us understand how users interact with the Service. These are used only with your consent where required by law.
• Preference Cookies: Remember your settings and preferences (such as language or display preferences).

8.2 Cookie Management

You can manage your cookie preferences through your browser settings. Note that disabling strictly necessary cookies may impair the functionality of the Service. For users in the EEA, we will obtain your consent before placing non-essential cookies.

8.3 Do Not Track

We currently do not respond to "Do Not Track" browser signals, as there is no industry-wide standard for this mechanism. However, you may use the cookie management options described above.

9. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

9.1 Rights Under Israeli Privacy Law

• Right to access your personal data held in our databases.
• Right to request correction of inaccurate data.
• Right to request deletion of your data.
• Right to object to the use of your data for direct marketing.

9.2 Rights Under GDPR (EEA/UK Users)

• Right of Access: Request a copy of your personal data.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to Be Forgotten"): Request deletion of your data, subject to legal retention obligations.
• Right to Restrict Processing: Request that we limit how we use your data.
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to Object: Object to processing based on legitimate interests, including profiling.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority.

9.3 Rights Under CCPA/CPRA (California Residents)

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
• Right to Delete: Request deletion of your personal information, subject to exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

9.4 Exercising Your Rights

To exercise any of the rights described above, please contact us at privacy@corporate-labs.ai. We will respond to your request within thirty (30) days (or within the timeframe required by applicable law). We may need to verify your identity before fulfilling your request.

10. Data Security

We implement and maintain appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

• Encryption at Rest: Sensitive data fields (including API keys) are encrypted using AES-256-GCM.
• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Access Controls: Role-based access controls and multi-tenant isolation ensure that your data is accessible only to authorized parties.
• Infrastructure Security: We use industry-standard cloud infrastructure with regular security audits, vulnerability assessments, and penetration testing.
• Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of a data breach in accordance with applicable law (within 72 hours for GDPR-covered breaches).

While we strive to protect your personal data, no system is completely secure. We cannot guarantee the absolute security of your information.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at privacy@corporate-labs.ai, and we will take steps to delete such information promptly.

12. Third-Party Links and Services

The Service may contain links to third-party websites or services that are not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access.

13. Data Protection Officer

In accordance with the Israeli Privacy Law (Amendment No. 13) and the GDPR, we have designated a Privacy Protection Officer. You may contact our Privacy Protection Officer at:

Privacy Protection Officer Corporate Labs Email: dpo@corporate-labs.ai

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will provide notice of material changes by posting the updated policy on our website and, where feasible, notifying you by email at least thirty (30) days before the changes take effect.

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

15. CCPA-Specific Disclosures

15.1 Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA: identifiers (name, email, IP address), commercial information (transaction and billing records), internet or electronic network activity (usage data, log data), and professional or employment-related information (only as voluntarily provided in human agent profiles).

15.2 Sources

We collect personal information directly from you, automatically through your use of the Service, and from third-party service providers (authentication, payment processing).

15.3 Business Purpose

We collect and use personal information for the business purposes described in Section 3 of this Privacy Policy.

15.4 No Sale or Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Corporate Labs Email: privacy@corporate-labs.ai Data Protection Officer: dpo@corporate-labs.ai Website: https://corporate-labs.ai

For complaints related to data protection, you may also contact:

• Israel: The Privacy Protection Authority (PPA) — https://www.gov.il/en/departments/the_privacy_protection_authority
• EU/EEA: Your local supervisory authority — https://edpb.europa.eu/about-edpb/about-edpb/members_en
• California: The California Attorney General — https://oag.ca.gov/privacy

This Privacy Policy is effective as of the date stated above.