Privacy Policy
Last Updated: February 18, 2026
TL;DR - What You Need to Know
- No AI Training on Your Data - We never use your content, conversations, or outputs to train AI models
- You Own Your Data - Full ownership of all content and outputs you create
- Delete Anytime - Request deletion of all your data at any time
- GDPR & CCPA Compliant - Full privacy rights for users worldwide
- No Data Selling - We never sell or share your information with third parties for advertising
Table of Contents
- Applicability of This Privacy Policy
- Information We Collect
- Google User Data
- How AI Processes Your Data
- How We Use Your Information
- Cookies and Tracking Technologies
- How We Share Your Information
- Data Security
- Data Retention
- International Data Transfers
- Your Privacy Rights
- Children's Privacy
- Third-Party Links
- Changes to This Privacy Policy
- Contact Us
1. Applicability of This Privacy Policy
m8tes, Inc. ("m8tes," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at m8tes.ai (our "Website"), use our autonomous AI agent platform (the "Service"), or otherwise interact with us.
Controller and Processor Roles
m8tes operates in two capacities depending on the type of data:
- Data Controller: For personal data we collect directly from you through your account, our Website, and your interactions with us (described in this Privacy Policy). This includes Account Information, Usage Data, and Communication Information.
- Data Processor: When our API customers submit data through the m8tes platform on behalf of their end users (including task instructions, run inputs/outputs, and end-user identifiers). We process this data ("Customer Data") on behalf of and under the instructions of our customers. Customer Data is governed by our Customer Agreement and Data Processing Agreement (DPA), not this Privacy Policy. Queries about Customer Data should be directed to the relevant m8tes customer who is the data controller.
This Privacy Policy governs the processing of personal data for which m8tes is the data controller. For API customers, a Data Processing Agreement is available upon request at privacy@m8tes.ai.
Please read this Privacy Policy carefully. By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
We collect information that you provide directly to us:
- Account Information: Email address, name, phone number (optional), and password when you create an account
- Agent Configuration: Agent names, roles, instructions, goals, and preferences you set for your autonomous teammates
- Task and Conversation Data: Instructions, queries, messages, and content you submit to our Service, including AI-generated responses
- Integration Credentials: When you connect third-party services, we collect and securely store authentication credentials (OAuth tokens, API keys)
- Billing Information: Payment information is processed by Stripe, our third-party payment processor. We store only transaction references, subscription status, and billing contact details
- Communication Information: When you contact us for support, provide feedback, or otherwise communicate with us, we collect the contents of those communications
2.2 Information We Collect Automatically
When you use our Service, we automatically collect certain information:
- Usage Data: Request timestamps, response times, token counts, execution metrics, task completion status, features used, and how you interact with the Service
- Log Data: IP addresses, request methods, URL paths, HTTP status codes, and error messages for security and diagnostic purposes
- Device Information: Browser type, operating system, device identifiers, and screen resolution
- Cost and Billing Metrics: API usage costs and execution time for billing and analytics
- Cookies and Similar Technologies: See Section 6 for details on how we use cookies and analytics tools
2.3 Information from API and SDK Usage
If you use our developer API or SDK, we additionally collect:
- API Key Metadata: Key identifiers, creation dates, and usage patterns (not the key values themselves)
- Webhook Configuration: Endpoint URLs, delivery status, and response codes for webhook integrations you configure
- SDK Telemetry: SDK version, request volume, and error rates
3. Google User Data (When You Connect Google Integrations)
This section only applies if you choose to connect Google services (such as Google Ads or Google OAuth) to your m8tes account. If you do not connect these integrations, we do not collect any Google user data.
3.1 What Google User Data We Collect
When you actively connect Google integrations to m8tes, we collect:
- Google Account Information: Your email address, name, and profile information provided during OAuth authentication
- Google Ads Customer IDs: The customer account identifiers you authorize us to access
- Authentication Credentials: OAuth tokens (access tokens and refresh tokens) required to authenticate your requests to Google's services
Important: We do not permanently store your Google Ads campaign data, metrics, or advertising information. We provide you with a query tool (GAQL - Google Ads Query Language) that allows you to retrieve data directly from Google on demand. Query results are temporarily processed to display to you but are not saved to our databases unless you explicitly save specific information within the Service.
3.2 How We Use Google User Data
We use Google user data solely to provide you with the services you requested:
- Authentication: To verify your identity and maintain your login session via Google OAuth
- Execute Queries: To run Google Ads Query Language (GAQL) queries on your behalf and retrieve advertising data you request
- Display Results: To process and display query results, campaign performance data, and metrics within our interface
- Maintain Access: To refresh authentication tokens and maintain authorized access to your connected Google Ads accounts
We do NOT use Google user data for:
- Training artificial intelligence or machine learning models
- Targeted advertising, personalized advertising, or retargeted advertising
- Selling to data brokers or information resellers
- Determining credit-worthiness or lending purposes
- Any purpose unrelated to providing or improving m8tes functionality
3.3 How We Share, Transfer, or Disclose Google User Data
We do not sell, rent, or transfer your Google user data to third parties. We only share Google user data in the following limited circumstances:
- With Google Services: We transmit authentication credentials and query requests to Google's APIs solely to execute the services you requested (e.g., running GAQL queries against your Google Ads accounts)
- With Your Consent: If you explicitly authorize us to share data with additional third-party services you connect
- Legal Compliance: If required by law, court order, or government regulation (as described in Section 7.3)
We do not transfer or disclose Google user data to third parties for purposes other than providing you with the m8tes Service functionality you requested.
3.4 Security of Google User Data
We protect your Google user data with industry-standard security measures:
- Encryption: All Google OAuth tokens (access tokens, refresh tokens) are encrypted at rest using AES-256 encryption and transmitted over secure HTTPS connections
- Access Controls: Access to Google user data is restricted to authorized systems and personnel only
- Secure Storage: Authentication credentials are stored in encrypted database fields with strict access policies
- Token Management: We use short-lived access tokens and securely manage refresh token rotation
3.5 Retention and Deletion of Google User Data
We retain Google user data only as long as necessary:
- Authentication Credentials: Stored for as long as you maintain the Google integration connection. You may disconnect at any time through your account settings.
- Query Results: Temporarily processed for display but not permanently stored unless you explicitly save specific data
- Account Deletion: When you delete your m8tes account or disconnect the Google integration, we immediately delete all associated Google authentication credentials and any stored Google user data
You may request deletion of your Google user data at any time by emailing privacy@m8tes.ai or by disconnecting the Google integration in your account settings.
4. How AI Processes Your Data
m8tes is an AI-powered platform. Understanding how your data interacts with AI systems is important to us.
4.1 AI Service Provider
We use Anthropic's Claude API as our primary AI service provider. When you submit tasks, messages, or instructions to the Service, this content is sent to Anthropic's API for processing. Anthropic processes this data to generate responses and execute your agent's tasks.
Under Anthropic's commercial API terms, Anthropic does not use your inputs or outputs to train its AI models. Anthropic may retain API inputs and outputs for a limited period (typically 30 days) for trust and safety purposes, after which the data is deleted. For full details, refer to Anthropic's privacy policy and commercial terms.
4.2 What Data Is Sent to AI
- Task instructions and conversation messages you submit
- Agent configuration (system prompts, instructions, goals)
- Context from connected tools and integrations needed to complete your tasks
- Conversation history within a run for continuity
4.3 Our Commitments
- No Model Training: Neither m8tes nor our AI providers use your content, conversations, or outputs to train AI models
- No Automated Decision-Making: We do not use AI to make automated decisions that produce legal effects or similarly significant effects concerning you without human involvement
- Sandbox Isolation: Agent executions run in isolated sandbox environments. Code and files generated during execution are confined to your account and are not accessible to other users
5. How We Use Your Information
We use the information we collect to:
- Provide and Improve the Service: Execute your tasks, run autonomous agents, and continuously improve our platform
- Process Transactions: Manage your subscription, process payments, and send billing-related communications
- Maintain Integrations: Connect to and authenticate with third-party services you authorize
- Security and Fraud Prevention: Detect, prevent, and address security incidents and fraudulent activity
- Customer Support: Respond to your questions, troubleshoot issues, and provide technical assistance
- Analytics and Development: Analyze usage patterns to improve features, develop new capabilities, and optimize performance
- Communications: Send you service-related notifications, updates, and (where permitted) marketing communications
- Compliance: Comply with legal obligations and enforce our terms of service
We may aggregate or de-identify personal information so that you can no longer be identified, and use such data for research, analytics, and improving our Service. We do not attempt to re-identify this information.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our Service, analyze usage, and improve your experience.
6.1 What We Use
- Essential Cookies: Required for authentication, session management, and security. These cannot be disabled without affecting Service functionality.
- Analytics (PostHog): We use PostHog, a product analytics platform, to understand how users interact with our Service. PostHog collects usage data such as pages visited, features used, and interaction patterns. This data helps us improve the Service. PostHog data is not shared with third parties for advertising.
- Error Tracking (Sentry): We use Sentry to monitor application errors and performance. Sentry may collect technical data including browser type, error stack traces, and request metadata to help us diagnose and fix issues.
6.2 Your Choices
Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all or some cookies, or to alert you when cookies are being sent. If you disable cookies, some parts of the Service may not function properly.
For EEA/UK users, we obtain consent before placing non-essential cookies on your device, in accordance with applicable law.
7. How We Share Your Information
We do not sell your personal information. We may share your information with the following categories of recipients:
7.1 Sub-Processors and Service Providers
We engage the following categories of third-party service providers to help us operate and deliver the Service:
- Anthropic (AI processing) — Powers our autonomous agents. Processes task instructions, messages, and conversation data to generate responses.
- Stripe (payment processing) — Processes subscription payments and manages billing. Receives payment method details directly from you.
- PostHog (product analytics) — Collects usage data to help us understand and improve the Service.
- Sentry (error monitoring) — Monitors application health and collects error data for diagnostics.
- Cloud Infrastructure Provider (hosting) — Hosts our application, databases, and computing resources.
- Email Service Provider (communications) — Sends transactional emails such as verification, notifications, and billing receipts.
- Composio (third-party integrations) — Facilitates connections to third-party tools and services you authorize your agents to use.
All sub-processors are bound by contractual obligations to protect your data and may only process it for the purposes specified in our agreements with them.
7.2 Third-Party Integrations
When you connect third-party services to your agents, we share relevant data with those services as necessary to execute your tasks. These integrations are initiated by you and are subject to the privacy policies of those third-party services.
7.3 Legal Requirements
We may disclose your information if required by law, court order, or government regulation, or if we believe such action is necessary to:
- Comply with legal obligations
- Protect our rights, property, or safety
- Prevent fraud or security threats
- Protect the rights and safety of our users
7.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your personal information.
8. Data Security
We implement appropriate technical and organizational measures to protect your information:
- Encryption: We encrypt sensitive data including authentication tokens and third-party credentials both in transit (TLS) and at rest (AES-256)
- Secure Authentication: Passwords are hashed using industry-standard algorithms, and we support OAuth 2.0 for third-party authentication
- Access Controls: We restrict access to personal information to authorized personnel only, using role-based access controls
- Monitoring: We monitor our systems for security vulnerabilities and unauthorized access
- Sandbox Isolation: Agent code executions run in isolated sandbox environments to prevent cross-user data access
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
9. Data Retention
We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy. Specific retention periods include:
- Account Information: Retained for the life of your account and deleted within 30 days of account deletion, unless required by law
- Task and Conversation Data: Retained for the life of your account. Deleted when you delete your account or upon request
- Run Execution Logs: Retained for up to 90 days for debugging and support, then automatically purged
- Billing and Transaction Records: Retained for 7 years as required by tax and accounting regulations
- Server Logs: Retained for up to 90 days for security and diagnostic purposes
- Analytics Data: Retained in aggregated or de-identified form indefinitely for product improvement
When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it by law. Conversation logs, task execution history, and agent configurations associated with your account will be deleted along with your account.
10. International Data Transfers
m8tes is headquartered in the United States. Your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your jurisdiction.
10.1 Transfer Mechanisms
When we transfer personal data from the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses to ensure appropriate safeguards for data transfers
- Adequacy Decisions: Where applicable, we transfer data to countries recognized as providing adequate data protection
10.2 Onward Transfers
We ensure that our sub-processors who receive personal data from the EEA, UK, or Switzerland are also bound by appropriate data transfer mechanisms. We remain accountable for the processing of personal data by our sub-processors.
11. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
11.1 General Rights
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information, subject to certain exceptions
- Data Portability: Request a copy of your data in a structured, machine-readable format
- Opt-Out: Opt out of marketing communications at any time
11.2 Rights for EEA/UK Users (GDPR)
If you are located in the European Economic Area or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to Object: Object to processing of your personal information for direct marketing or legitimate interests
- Right to Restrict Processing: Request that we limit how we use your information
- Right to Withdraw Consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority
Legal Basis for Processing (GDPR)
We process your personal information on the following legal bases:
- Contractual Necessity: To create and maintain your account, provide the Service, process payments, and deliver customer support
- Legitimate Interests: To improve and develop our Service, analyze usage patterns, ensure security, and prevent fraud. We balance our interests against your privacy rights
- Legal Obligation: To comply with applicable laws, regulations, or legal processes
- Consent: For marketing communications, non-essential cookies, and any other processing where consent is required. You may withdraw consent at any time
11.3 Rights for US Residents (CCPA/State Privacy Laws)
If you are a resident of California or another US state with applicable privacy legislation, you may have additional rights:
- Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources of collection, the purposes for collection, and the categories of third parties with whom we share it
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: m8tes does not sell your personal information and does not share your personal information with third parties for cross-context behavioral advertising
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights
Categories of personal information we collect (as defined by the CCPA): identifiers (name, email, IP address), commercial information (transaction history, subscription status), internet activity (usage data, log data), and professional information (job title, company name where provided).
We do not sell personal information, and to our knowledge, we do not sell personal information of minors under 18 years of age.
11.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@m8tes.ai. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
12. Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@m8tes.ai and we will delete such information.
13. Third-Party Links
Our Service may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy applies only to our Service. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party services you access through our platform.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will provide at least 30 days' advance notice of any material changes by:
- Posting the updated policy on this page
- Updating the "Last Updated" date at the top
- Sending you an email notification for significant changes
Your continued use of the Service after the changes take effect indicates your acceptance of the updated Privacy Policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
m8tes, Inc.
Privacy inquiries: privacy@m8tes.ai
General support: support@m8tes.ai
For EEA/UK Users: m8tes, Inc. is the data controller of your personal information as described in this Privacy Policy. For inquiries about Customer Data processed on behalf of our API customers, please contact the relevant m8tes customer directly.
By using our Service, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and disclosure of your information as described herein.
