Privacy Policy

We collect information to provide and improve the Service. The types of information we collect include:

Account Information

• Name, email address, and authentication credentials
• Organization name and configuration
• Billing information (processed and stored by Stripe)
• Profile and workspace preferences

Usage Data

• Platform interaction data (features used, pages visited, actions taken)
• Agent configuration and workflow data
• Credit consumption and billing events
• Device information, browser type, and IP address

Agent Interaction Data

• Messages and instructions sent to AI agents
• Agent outputs, tool calls, and execution logs
• Files and documents processed by agents within your workspace
• Integration data flowing through connected third-party services

We use the information we collect to:

• Provide, maintain, and improve the Chorus platform
• Process AI agent tasks and deliver results within your workspace
• Process payments and manage your subscription and credits
• Send transactional communications (account verification, billing notifications, security alerts)
• Analyze usage patterns to improve platform performance and reliability
• Detect, prevent, and respond to security incidents, fraud, and abuse
• Comply with legal obligations

We do not use your data or agent interactions to train our AI models unless you explicitly opt in.

AI agents on the Chorus platform process data in unique ways compared to traditional SaaS applications. Here is how we handle agent data:

• Sandboxed execution: Each agent operates in an isolated sandbox environment. Data processed by one agent cannot be accessed by another agent or organization
• Integration data flows: When agents interact with third-party services through connected integrations, data flows between those services and the agent's sandbox. This data is governed by both our Privacy Policy and the third-party service's privacy policy
• LLM processing: Agent reasoning involves sending prompts and context to large language model providers. We select providers with strict data processing agreements and do not allow them to use your data for model training
• Execution logs: Agent actions, tool calls, and outputs are logged for auditability and are accessible through your Command Center

We do not sell your personal information. We share data only in the following circumstances:

• Connected integrations: When you connect third-party services (via OAuth or API keys), data is shared with those services as directed by you and your configured agents
• LLM providers: Agent reasoning requires processing through large language model providers under strict data processing agreements
• Infrastructure providers: We use cloud hosting, database, and sandbox providers to operate the Service, all under data processing agreements
• Payment processing: Billing information is shared with Stripe for payment processing
• Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request
• Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction

We retain your information for as long as your account is active or as needed to provide the Service. Specifically:

• Account data is retained for the duration of your account and for 30 days after account deletion
• Agent execution logs are retained based on your organization's configured retention policy
• Usage and analytics data is retained in aggregated, anonymized form for up to 24 months
• Billing records are retained as required by applicable tax and financial regulations

You may request deletion of your data at any time (see Section 7 — Your Rights).

We implement industry-standard security measures to protect your data:

• Encryption: Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
• Sandbox isolation: Each AI agent runs in an isolated execution environment, preventing cross-agent or cross-organization data access
• Access control: Role-based access control and granular permissions govern who can access data within your organization
• Credential storage: Integration credentials are encrypted and stored separately from application data
• Monitoring: We maintain comprehensive logging and monitoring to detect and respond to security incidents

For more details about our security practices, please visit our Security page.

Depending on your location, you may have the following rights regarding your personal data:

GDPR Rights (EEA Residents)

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate personal data
• Right to erasure: Request deletion of your personal data
• Right to data portability: Request your data in a structured, machine-readable format
• Right to restrict processing: Request limitation on how we process your data
• Right to object: Object to our processing of your personal data

CCPA Rights (California Residents)

• Right to know what personal information is collected, used, and shared
• Right to delete personal information
• Right to opt out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at support@chorus.app. We will respond to your request within 30 days.

We use cookies and similar technologies to:

• Essential cookies: Maintain your session, authenticate your identity, and ensure the platform functions correctly
• Analytics cookies: Understand how you use the platform so we can improve performance and features
• Preference cookies: Remember your settings and preferences across sessions

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Service.

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

If you believe that a child under 16 has provided us with personal information, please contact us at support@chorus.app.

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

When we transfer data internationally, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, data processing agreements with all service providers, and technical measures such as encryption to protect your data regardless of where it is processed.

We may update this Privacy Policy periodically. When we make material changes, we will notify you by email or through an in-app notification and update the "Last updated" date at the top of this page.

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your data.

If you have any questions about this Privacy Policy or our data practices, please contact us: