Privacy Policy

1. Introduction

Connic ("Connic", "we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, retain, and protect information when you use our website, our platform, APIs, SDK, and related services (collectively, the "Services").

This Privacy Policy applies to all users of our Services, including visitors to our website, registered users, and customers. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described in this Privacy Policy, please do not use our Services.

We designed this Privacy Policy to comply with applicable data protection laws, including but not limited to the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the UK General Data Protection Regulation (UK GDPR), the Brazilian General Data Protection Law (LGPD), and other applicable privacy legislation. Where specific rights or requirements apply only to residents of certain jurisdictions, we have noted this in the relevant sections.

Connic operates as a hosting and deployment platform for AI agents. It is important to understand the distinction between data that we process as a "data controller" (data about you as our customer) and data that we process as a "data processor" on your behalf (data that passes through your deployed agents). This Privacy Policy primarily addresses the former; our processing of customer data on your behalf is governed by our Data Processing Agreement and your instructions as the data controller.

2. Data Controller Information

For the purposes of applicable data protection laws, Connic is the data controller responsible for the processing of your personal data as described in this Privacy Policy. This means we determine the purposes and means of processing your personal data.

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your data protection rights, you can contact us at:

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we have appointed a Data Protection Officer (DPO) who can be contacted at dpo@connic.co for matters related to data protection and privacy.

3. Information We Collect

We collect information from and about you in several ways, as described below. The specific information we collect depends on how you interact with our Services.

3.1 Information You Provide Directly

We collect information that you voluntarily provide to us when you:

• Create an Account: When you register for an account, we collect your name, email address, and password. If you register using a third-party authentication provider (such as GitHub or Google), we receive your name, email address, and profile information from that provider.
• Set Up Your Profile: You may choose to provide additional information such as your company name, job title, profile picture, phone number, and other details.
• Subscribe to Paid Services: When you upgrade to a paid subscription, we collect billing information including your payment card details (processed by our payment processor), billing address, company name, and tax identification numbers where applicable.
• Use the Platform: We collect the content you upload, create, or deploy through our Services, including agent configurations, tool code, environment variables, knowledge base content, and any other User Content as defined in our Terms of Use.
• Contact Us: When you contact our support team, submit feedback, participate in surveys, or communicate with us in any way, we collect the information you provide in those communications.
• Participate in Events: If you register for webinars, workshops, or other events, we collect your registration information.

3.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information, including:

• Device and Browser Information: We collect information about the device and browser you use to access our Services, including device type, operating system, browser type and version, device identifiers, screen resolution, and language preferences.
• Log Data: Our servers automatically record information when you access our Services, including your IP address, access times, pages viewed, links clicked, the page you visited before navigating to our Services, and other system activity.
• Usage Information: We collect information about how you use our Services, including actions you take in your account, features you use, API calls made, agent runs executed, resources consumed, and performance metrics.
• Location Information: We may infer your general location based on your IP address. We do not collect precise geolocation data unless you explicitly provide it.
• Cookies and Similar Technologies: We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your interactions with our Services. See Section 10 for more details on our use of cookies.

3.3 Information from Third Parties

We may receive information about you from third parties, including:

• Authentication Providers: If you choose to sign in using a third-party authentication service (such as GitHub, Google, or other OAuth providers), we receive your name, email address, and profile information from that service.
• Version Control Platforms: When you connect a repository to our platform, we receive information about your repositories, branches, and commit history necessary to provide the Services.
• Payment Processors: Our payment processor may provide us with limited information about your payment method, such as the last four digits of your card number and billing address, for verification and fraud prevention purposes.
• Business Partners: We may receive information from business partners with whom we offer co-branded services or engage in joint marketing activities.
• Public Sources: We may collect information from publicly available sources, such as public profiles on professional networking sites, to enhance our records.

3.4 Data Processed Through Your Agents

When you deploy agents on our platform, those agents may process data that you or your end users provide to them (collectively, "Customer Data"). For this Customer Data:

• You Are the Data Controller: You determine what data your agents collect and process, and you are responsible for ensuring that such processing complies with applicable laws.
• We Act as Data Processor: We process Customer Data only as necessary to provide the Services and in accordance with your instructions. Our processing of Customer Data is governed by our Data Processing Agreement.
• Limited Access: We do not access Customer Data except as necessary to provide and maintain the Services, prevent or address technical or security issues, respond to support requests, or as required by law.

4. How We Use Your Information

We use the information we collect for various purposes, depending on the nature of the information and your interactions with our Services. Below we describe our purposes for processing and the legal bases we rely on under applicable data protection laws.

4.1 To Provide and Maintain the Services

We use your information to:

• Create, maintain, and secure your account
• Process your transactions and manage your subscription
• Deploy, execute, and manage your agents
• Provide technical support and respond to your inquiries
• Send you service-related communications, including confirmations, invoices, technical notices, updates, security alerts, and administrative messages
• Authenticate your identity and authorize access to our Services

Legal Basis (GDPR): Performance of a contract with you; our legitimate interests in operating our business.

4.2 To Improve and Develop the Services

We use your information to:

• Understand how users interact with our Services
• Identify trends, usage patterns, and areas for improvement
• Develop new features, products, and services
• Conduct research and analysis to improve user experience
• Test and troubleshoot new features before release
• Generate aggregated, anonymized, or de-identified data for analytical purposes

Legal Basis (GDPR): Our legitimate interests in improving our Services; where appropriate, your consent.

4.3 To Communicate with You

We use your information to:

• Respond to your comments, questions, and support requests
• Send you marketing communications about products, services, features, and events that may interest you (where you have opted in or where permitted by law)
• Send you newsletters, product updates, and announcements
• Invite you to participate in surveys, feedback sessions, or research
• Notify you about changes to our Services or policies

Legal Basis (GDPR): Your consent (for marketing communications); our legitimate interests in communicating with our users; performance of a contract.

4.4 To Ensure Security and Prevent Fraud

We use your information to:

• Detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activities
• Monitor for and protect against violations of our Terms of Use and Acceptable Use Policy
• Verify identity and prevent unauthorized access
• Investigate suspicious activities and enforce our policies
• Protect the rights, property, and safety of Connic, our users, and the public

Legal Basis (GDPR): Our legitimate interests in protecting our Services and users; compliance with legal obligations.

4.5 To Comply with Legal Obligations

We use your information to:

• Comply with applicable laws, regulations, legal processes, and governmental requests
• Respond to lawful requests from public authorities, including law enforcement
• Establish, exercise, or defend legal claims
• Fulfill our tax, accounting, and reporting obligations
• Enforce our agreements and protect our legal rights

Legal Basis (GDPR): Compliance with legal obligations; our legitimate interests in protecting our legal rights.

4.6 With Your Consent

We may use your information for other purposes with your explicit consent. When we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. How We Share Your Information

We do not sell your personal data. We may share your information in the following circumstances:

5.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Cloud Infrastructure Providers: We use cloud infrastructure services to host our platform and store data.
• Payment Processors: We use third-party payment processors to process payments. We do not store complete payment card information on our servers.
• Analytics Providers: We use analytics services to help us understand how users interact with our Services.
• Customer Support Tools: We use third-party tools to manage customer support communications.
• Email Service Providers: We use third-party services to send transactional and marketing emails.
• Authentication Providers: We use third-party authentication services to manage user login and access.

These service providers are contractually bound to use your information only for the purposes of providing services to us and are required to maintain appropriate security measures to protect your information.

5.2 Business Transfers

If Connic is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal requests, including:

• To comply with a subpoena, court order, or other legal process
• To respond to requests from government agencies or law enforcement
• To enforce our Terms of Use, policies, and agreements
• To protect the rights, property, or safety of Connic, our users, or others
• To detect, prevent, or address fraud, security, or technical issues

When legally permitted, we will attempt to notify you before disclosing your information in response to legal requests, unless doing so would be prohibited by law, futile, or would pose a risk of harm.

5.4 With Your Consent

We may share your information with third parties when you give us explicit consent to do so. For example, you may authorize us to share information with a third-party integration that you choose to connect with our Services.

5.5 Aggregated or De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you. Such information is not subject to this Privacy Policy. We may use and share aggregated data for any purpose, including research, analytics, marketing, and improving our Services.

5.6 Affiliates

We may share information with our affiliates, subsidiaries, and related companies for purposes consistent with this Privacy Policy. Our affiliates are required to honor this Privacy Policy.

6. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. The retention period may vary depending on the context of the processing and our legal obligations.

6.1 Retention Periods

• Account Information: We retain your account information for as long as your account is active. After account deletion, we may retain certain information for up to thirty (30) days to allow for account recovery, and thereafter retain only information necessary for legal compliance, dispute resolution, or fraud prevention for up to seven (7) years.
• User Content: User Content is retained for as long as your account is active. Upon account deletion, User Content is deleted within thirty (30) days, except for backup copies which may persist for up to ninety (90) days.
• Agent Run Logs: Logs of agent executions are retained according to your subscription tier, typically ranging from seven (7) days to ninety (90) days.
• Billing Information: We retain billing records for as long as required by applicable tax and accounting laws, typically seven (7) years.
• Communication Records: Records of support communications are retained for up to three (3) years after the communication.
• Marketing Data: If you opt out of marketing communications, we retain your email address on our suppression list to ensure we do not contact you for marketing purposes.

6.2 Criteria for Determining Retention Periods

When determining the appropriate retention period for personal data, we consider:

• The nature and sensitivity of the personal data
• The purposes for which we process the data
• Whether we can achieve those purposes through other means
• Our legal, regulatory, tax, accounting, or other obligations
• Potential risks of harm from unauthorized use or disclosure
• Guidance from data protection authorities

7. Data Security

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.

7.1 Security Measures

Our security measures include, but are not limited to:

• Encryption: We use encryption to protect data in transit (TLS/SSL) and at rest (AES-256 or equivalent).
• Access Controls: We implement strict access controls based on the principle of least privilege, ensuring that only authorized personnel can access personal data.
• Authentication: We use strong authentication mechanisms, including support for multi-factor authentication (MFA) for user accounts.
• Monitoring: We continuously monitor our systems for suspicious activity and security threats.
• Regular Security Assessments: We conduct regular security assessments, vulnerability scans, and penetration testing.
• Employee Training: Our employees receive regular training on data protection and security best practices.
• Incident Response: We maintain incident response procedures to quickly identify, contain, and remediate security incidents.
• Vendor Management: We evaluate the security practices of our service providers and require them to maintain appropriate security measures.

7.2 Your Security Responsibilities

While we work hard to protect your personal data, security is a shared responsibility. You can help protect your account by:

• Using a strong, unique password
• Enabling multi-factor authentication
• Keeping your login credentials confidential
• Logging out of shared devices
• Notifying us immediately if you suspect unauthorized access to your account
• Securing your API keys and rotating them regularly

7.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority in accordance with applicable law (typically within 72 hours of becoming aware of the breach). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, unless doing so would require disproportionate effort, in which case we will make a public communication or similar measure.

8. International Data Transfers

Connic operates globally, and your personal data may be transferred to, stored, and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country.

8.1 Transfer Mechanisms

When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we use appropriate safeguards, including:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses as approved by the European Commission to transfer personal data to third countries.
• UK International Data Transfer Agreement: For transfers from the UK, we use the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs.
• Adequacy Decisions: Where available, we rely on adequacy decisions made by the European Commission or UK Government recognizing that certain countries provide adequate protection for personal data.
• Supplementary Measures: Where necessary, we implement additional technical and organizational measures to ensure an equivalent level of protection for transferred data.

8.2 Transfer Impact Assessments

Before transferring personal data to a third country, we conduct transfer impact assessments to evaluate the level of protection in the destination country and implement appropriate supplementary measures where needed. You may request a copy of the safeguards we use for international transfers by contacting us at privacy@connic.co.

9. Your Rights and Choices

Depending on your location and applicable law, you may have certain rights regarding your personal data. We respect these rights and will respond to your requests in accordance with applicable law.

9.1 Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR:

• Right of Access: You have the right to request access to your personal data and receive a copy of the personal data we hold about you, along with information about how we process it.
• Right to Rectification: You have the right to request that we correct any inaccurate personal data or complete any incomplete personal data we hold about you.
• Right to Erasure ("Right to be Forgotten"): You have the right to request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
• Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where technically feasible.
• Right to Object: You have the right to object to the processing of your personal data based on our legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds that override your interests, rights, and freedoms.
• Right to Withdraw Consent: Where we rely on your consent to process personal data, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable law.
• Rights Related to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you, except in certain circumstances defined by law.

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information:

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected the information, the business or commercial purposes for collecting or selling the information, and the categories of third parties with whom we share the information.
• Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising. We do not sell personal information in the traditional sense, but some data sharing for advertising purposes may constitute a "sale" or "sharing" under California law.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of sensitive personal information to uses necessary for performing services or providing goods.
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights.

Financial Incentives: We do not offer financial incentives for the collection, sale, or deletion of personal information.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. We may require verification of your identity and confirmation that you authorized the agent to act on your behalf.

9.3 Rights Under Other Privacy Laws

If you are located in other jurisdictions with applicable privacy laws (such as Brazil under LGPD, Virginia under VCDPA, Colorado under CPA, Connecticut under CTDPA, or others), you may have similar rights to access, correct, delete, or port your personal data. We will respond to your requests in accordance with applicable local law.

9.4 How to Exercise Your Rights

To exercise any of the rights described above, you may:

• Email us at privacy@connic.co
• Use the data export or account deletion features in your account settings (where available)
• Contact our Data Protection Officer at dpo@connic.co

We will respond to your request within the timeframes required by applicable law (typically 30 days under GDPR, 45 days under CCPA). We may need to verify your identity before processing your request. In certain circumstances, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive.

9.5 Communication Preferences

You can manage your communication preferences as follows:

• Marketing Emails: You can opt out of marketing emails by clicking the "unsubscribe" link in any marketing email or by updating your preferences in your account settings. Please note that even if you opt out of marketing emails, we may still send you service-related communications.
• Push Notifications: You can disable push notifications through your browser or device settings.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our Services. This section explains what cookies we currently use and what we may use in the future.

10.1 What Are Cookies

Cookies are small text files that are stored on your device when you visit a website. They are widely used to make websites work more efficiently and to provide information to website owners. We use both session cookies (which expire when you close your browser) and persistent cookies (which remain on your device until they expire or you delete them).

10.2 Cookies We Currently Use

Currently, we only use strictly necessary cookies that are essential for the operation of our Services:

• Session Cookies: These cookies maintain your session state as you navigate our platform.
• Authentication Cookies: We use Auth0 for authentication, which sets cookies necessary to keep you logged in and verify your identity.
• Payment Processing Cookies: Stripe, our payment processor, sets cookies necessary for secure payment processing and fraud prevention.

These strictly necessary cookies do not require your consent under GDPR and similar privacy regulations, as they are essential for the basic functioning of our Services.

10.3 Analytics

We use Umami, a self-hosted, privacy-friendly analytics solution, to understand how visitors interact with our Services. Umami does not use cookies, does not collect personal data, and does not track users across websites. All analytics data is aggregated and anonymous.

10.4 Other Cookies We May Use

In addition to strictly necessary cookies, we may use the following types of cookies:

• Functional Cookies: These cookies enable enhanced functionality and personalization, such as remembering your preferences and language settings.
• Analytics Cookies: We may use third-party analytics services (such as Google Analytics) that set cookies to help us understand how visitors interact with our Services.
• Marketing Cookies: We may use marketing and advertising cookies (such as those from HubSpot or similar platforms) to deliver relevant content and measure the effectiveness of our marketing campaigns.

Where we use non-essential cookies, we will implement appropriate consent mechanisms as required by applicable law.

10.5 Other Tracking Technologies

In addition to cookies, we may use other tracking technologies, including:

• Web Beacons (Pixels): Small transparent images embedded in web pages or emails that allow us to track page views and email opens.
• Local Storage: Browser-based storage that allows us to store data locally on your device.

10.6 Your Cookie Choices

You have several options to control or limit how cookies are used:

• Cookie Banner: Where we use non-essential cookies, we display a cookie banner when you first visit our website, allowing you to accept or reject these cookies.
• Browser Settings: Most browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or delete cookies that have already been set.
• Opt-Out Links: Some third-party services provide their own opt-out mechanisms. For example, you can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
• Do Not Track: Some browsers offer a "Do Not Track" setting. We currently do not respond to Do Not Track signals, as there is no industry standard for how to respond to such signals.

Please note that disabling strictly necessary cookies may affect the functionality of our Services, as they are required for core features like authentication and payment processing.

11. Children's Privacy

Our Services are not intended for children under the age of 18. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and you believe your child has provided us with personal data, please contact us at privacy@connic.co. If we become aware that we have collected personal data from a child under 18 without verification of parental consent, we will take steps to delete that information from our servers.

We comply with the Children's Online Privacy Protection Act (COPPA) in the United States and similar laws in other jurisdictions that protect children's privacy online.

12. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by Connic. This Privacy Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access through our Services.

We are not responsible for the privacy practices, content, or security of any third-party websites or services. Any information you provide to third parties is governed by their respective privacy policies.

When you choose to integrate third-party services with our platform (such as LLM providers, version control systems, or authentication providers), you may be sharing information with those services. Please review the privacy policies of those services to understand how they handle your data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this Privacy Policy
• Notify you by email (if you have provided us with your email address)
• Display a prominent notice on our website or within our Services
• Where required by law, obtain your consent to the changes

We encourage you to review this Privacy Policy periodically to stay informed about our data practices. Your continued use of our Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

For significant changes that materially affect your rights, we will provide notice at least thirty (30) days before the changes take effect. If you do not agree with the revised Privacy Policy, you should stop using our Services and may request deletion of your account.

14. California-Specific Disclosures

This section provides additional disclosures required under California law.

14.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers: Name, email address, account name, IP address, and similar identifiers.
• Commercial Information: Records of services purchased, subscription history, and payment information.
• Internet or Network Activity: Browsing history, information on interactions with our website and services, and usage data.
• Geolocation Data: General location inferred from IP address.
• Professional or Employment Information: Job title and company name (if provided).
• Inferences: Inferences drawn from the above categories to create a profile about preferences and characteristics.

14.2 Sources of Personal Information

We collect personal information from:

• Directly from you when you provide it
• Automatically when you use our Services
• Third parties such as authentication providers, payment processors, and analytics services

14.3 Business or Commercial Purposes for Collection

We collect personal information for the purposes described in Section 4 of this Privacy Policy, including providing our Services, improving our Services, communicating with you, security and fraud prevention, and legal compliance.

14.4 Sale and Sharing of Personal Information

We do not "sell" personal information in the traditional sense. However, under California law, certain data sharing for advertising purposes may constitute a "sale" or "sharing" of personal information. To opt out of such sharing, please contact us at privacy@connic.co or adjust your cookie preferences.

14.5 Retention

We retain personal information as described in Section 6 of this Privacy Policy.

14.6 Shine the Light

California Civil Code Section 1798.83 permits California residents to request information regarding the disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all legitimate requests within one month. If your request is particularly complex or you have made multiple requests, it may take us longer, in which case we will notify you and keep you updated on the progress.

Right to Lodge a Complaint: If you are located in the EEA, UK, or Switzerland and believe we have violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority. However, we encourage you to contact us first so we can try to resolve your concerns.