Privacy Policy

4.1 Directly From You

We collect data you provide directly when you create an Account, fill in forms, communicate with support, configure integrations, or otherwise interact with the Platform.

4.2 Automatically

We collect data automatically through cookies, server logs, and similar technologies when you access or use the Platform. See Section 14 for details on cookies and tracking technologies.

4.3 From AI Providers

We receive AI-generated outputs from Anthropic when your prompts and inputs are processed through our AI Agents.

4.4 From Third-Party Integrations

When you connect third-party services (such as GitHub, Slack, Google, or Notion) to the Platform, we receive data from those services as authorised by you through OAuth or API credentials.

4.5 From Third-Party Authentication Providers

If you use single sign-on (SSO) or social login to create or access your Account, we receive profile information from the authentication provider, such as your name, email address, and profile picture.

We process your personal data for the following purposes:

• Service Delivery: To provide, operate, and maintain the Platform, including AI Agent execution, cloud deployments, and third-party integrations.
• Account Management: To create and manage your Account, authenticate your identity, and manage your preferences.
• AI Processing: To transmit prompts to AI Providers, receive and deliver AI-generated outputs, and manage Agent configurations.
• Billing: To process payments, manage subscriptions, generate invoices, and handle billing-related inquiries.
• Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
• Compliance: To comply with applicable laws, regulations, and legal processes.
• Communication: To send you service-related notices, updates, security alerts, and support messages.
• Analytics: To analyse usage patterns, monitor performance, and improve the Platform.
• Enforcement: To enforce our Terms of Service and other agreements.
• Legal Obligations: To fulfil our legal and regulatory obligations, including tax reporting and record-keeping requirements.

6.1 Under UAE PDPL

We process personal data under the following legal bases provided by the UAE Personal Data Protection Law:

• Consent: Where you have given clear consent for us to process your personal data for a specific purpose.
• Contractual Necessity: Where processing is necessary for the performance of a contract with you or to take pre-contractual steps at your request.
• Legal Obligation: Where processing is necessary for compliance with a legal obligation to which CloudStation is subject.
• Legitimate Interest: Where processing is necessary for the legitimate interests pursued by CloudStation, provided those interests are not overridden by your rights and freedoms.
• Public Interest: Where processing is necessary for reasons of public interest.

6.2 Under GDPR (EEA/UK/Swiss Data Subjects)

For data subjects in the European Economic Area, United Kingdom, and Switzerland, we process personal data under the following legal bases:

• Article 6(1)(a) - Consent: Where you have given consent to the processing of your personal data for one or more specific purposes (e.g., marketing communications, optional analytics).
• Article 6(1)(b) - Performance of Contract: Where processing is necessary for the performance of the contract between you and CloudStation (e.g., providing the Platform services, managing your Account).
• Article 6(1)(c) - Legal Obligation: Where processing is necessary for compliance with a legal obligation (e.g., tax reporting, regulatory compliance).
• Article 6(1)(f) - Legitimate Interests: Where processing is necessary for the purposes of the legitimate interests pursued by CloudStation, including:
  • Improving and optimising the Platform
  • Ensuring network and information security
  • Preventing fraud and abuse
  • Internal analytics and reporting

7.1 How AI Data Flows

When you use AI Agents on the Platform, data flows through the following steps:

1. You submit a prompt or instruction to an AI Agent through the Platform.
2. The Platform processes and prepares the prompt, including any relevant context from your Agent configuration and connected integrations.
3. The prepared prompt is transmitted to Anthropic's API for AI processing.
4. Anthropic processes the prompt and returns the AI-generated output to the Platform.
5. The Platform delivers the output to you and logs relevant metadata (timestamps, token usage, execution status).

7.2 Anthropic as Sub-Processor

Anthropic acts as a sub-processor for AI-related data processing. Key terms of this arrangement include:

1. No Training: Anthropic does not use your prompts or outputs to train its models.
2. Retention: Anthropic retains prompt and output data for up to 7 days for safety monitoring and abuse prevention purposes.
3. Safety Monitoring: Anthropic may review data for trust and safety purposes in accordance with its usage policies.
4. Security Measures: Anthropic maintains industry-standard security measures to protect data during processing and short-term retention.

7.3 AI Data Retention by CloudStation

CloudStation retains AI interaction data (prompts, outputs, and execution metadata) for the duration of your Account. Upon Account termination, AI interaction data is deleted in accordance with Section 11.

7.4 Sensitive Data and AI

We strongly caution against submitting special categories of personal data (such as health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation) through AI Agents. CloudStation does not design its AI features for the processing of special category data, and you are responsible for ensuring compliance with applicable data protection laws if you choose to submit such data.

8.1 Data Flows Through Integrations

When you connect third-party services to the Platform, the following types of data may flow through integrations:

• Messages and communications (e.g., Slack messages, WhatsApp messages, Telegram messages)
• Code repositories and related metadata (e.g., GitHub)
• Documents, notes, and workspace data (e.g., Google Drive, Notion)
• Calendar events and scheduling data (e.g., Google Calendar)
• Authentication tokens and API credentials
• MCP Server connection data

8.2 User Responsibility for Integration Data

You are responsible for:

1. Ensuring you have the necessary rights and authorisations to connect third-party services and share data with the Platform;
2. Reviewing the privacy policies and terms of service of each third-party service you connect;
3. Ensuring that any personal data processed through integrations complies with applicable data protection laws;
4. Managing the permissions and access levels granted to integrations;
5. Revoking integration access when it is no longer needed.

8.3 AI Agent Access to Integration Data

AI Agents may access data from connected integrations to execute tasks on your behalf. This access is governed by the permissions you configure and the Agent's scope of operation. You should review and configure Agent permissions carefully to ensure that Agents only access the data necessary for their intended tasks.

9.1 Categories of Recipients

We may share your personal data with the following categories of recipients:

• Anthropic - AI model provider; processes prompts and generates outputs.
• Cloud Infrastructure Providers - Hosting, compute, storage, and networking services.
• Payment Processors - Payment processing, billing, and fraud prevention.
• Email Service Providers - Transactional and marketing email delivery.
• Analytics Providers - Website and platform usage analytics.
• Security Providers - Threat detection, DDoS protection, and security monitoring.
• Professional Advisors - Legal, accounting, and consulting services as needed.

9.2 Sub-Processor List

A current list of sub-processors is available upon request by contacting [email protected]. We will notify Users of any changes to our sub-processor list in accordance with our Data Processing Agreement.

9.3 Legal Disclosures

We may disclose your personal data if required to do so by law or in response to valid requests by public authorities. Specifically, we may disclose data:

1. To comply with a legal obligation or lawful government request;
2. To protect and defend the rights or property of CloudStation;
3. To prevent or investigate possible wrongdoing in connection with the Platform;
4. To protect the personal safety of Users or the public.

9.4 Business Transfers

If CloudStation is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will provide notice before your personal data becomes subject to a different privacy policy.

9.5 No Sale of Personal Data

CloudStation does not sell your personal data to third parties. We do not engage in the sale, rental, or trading of personal data for monetary or other valuable consideration.

10.1 Data Storage and Processing Locations

Your personal data may be stored and processed in the following locations:

• United Arab Emirates: Primary business operations and data processing.
• European Union / EEA: Cloud infrastructure and data processing for EU-based Users.
• United States: AI processing (Anthropic), cloud infrastructure, and certain sub-processor services.
• Other Locations: As necessary for the provision of the Platform, subject to appropriate safeguards.

10.2 Transfer Mechanisms Under UAE PDPL

For international transfers of personal data originating in the UAE, we rely on the following mechanisms:

1. Transfers to countries with adequate levels of data protection as determined by UAE authorities;
2. Contractual clauses that provide appropriate safeguards for personal data;
3. Consent of the data subject where required;
4. Transfers necessary for the performance of a contract between the data subject and CloudStation;
5. Transfers necessary for important reasons of public interest.

10.3 Transfer Mechanisms Under GDPR

For international transfers of personal data originating in the EEA, United Kingdom, or Switzerland, we rely on the following mechanisms:

1. Standard Contractual Clauses (SCCs): EU Commission-approved SCCs for transfers to third countries.
2. UK International Data Transfer Addendum: The UK Addendum to the EU SCCs for transfers from the United Kingdom.
3. Supplementary Measures: Additional technical and organisational measures where required based on the assessment of the laws and practices of the destination country.
4. Transfer Impact Assessments: We conduct Transfer Impact Assessments (TIAs) to evaluate the level of protection afforded to personal data in the destination country.

10.4 Anthropic Data Transfers

AI interaction data transmitted to Anthropic may be processed in the United States. CloudStation ensures appropriate transfer mechanisms are in place, including Standard Contractual Clauses and supplementary measures as necessary, to protect your data during such transfers.

11.1 Retention Periods

We retain your personal data for the following periods:

• Account Data: Duration of the Account plus 90 days after termination.
• Usage Data: 24 months from collection.
• AI Interaction Data: Duration of the Account.
• Agent Configuration Data: Duration of the Account plus 30 days after termination.
• Cloud Deployment Data: Duration of the Account plus 30 days after termination.
• Billing and Transaction Data: 7 years from the date of the transaction (to comply with tax and accounting regulations).
• Communication Data: 3 years from the date of the last communication.
• Security Logs: 12 months from collection.
• Cookie Data: See Section 14 for cookie-specific retention periods.

11.2 Retention After Account Termination

After your Account is terminated:

1. We will delete or anonymise your personal data within the retention periods specified above, unless longer retention is required by law;
2. Billing and transaction data will be retained for 7 years to comply with applicable tax and accounting regulations;
3. Security logs may be retained for up to 12 months for fraud prevention and security purposes;
4. Anonymised and aggregated data that does not identify you may be retained indefinitely for analytics and service improvement.

11.3 Anthropic Retention

Anthropic retains prompt and output data for up to 7 days for safety monitoring and abuse prevention. CloudStation does not control Anthropic's retention practices, but ensures appropriate data processing agreements are in place.

12.1 Technical Measures

We implement the following technical measures to protect your personal data:

• Encryption at Rest: All personal data stored on our systems is encrypted using AES-256 encryption.
• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
• Access Controls: Role-based access controls (RBAC) limit access to personal data to authorised personnel only.
• Multi-Factor Authentication: MFA is required for access to internal systems and administrative functions.
• Secrets Management: API keys, tokens, and credentials are stored in secure secrets management systems and are never stored in plaintext.
• Network Security: Firewalls, intrusion detection systems, and network segmentation protect our infrastructure.
• Vulnerability Management: Regular vulnerability scanning and patching of systems and dependencies.
• Penetration Testing: Periodic penetration testing conducted by independent security firms.
• Logging and Monitoring: Comprehensive logging and real-time monitoring of access to personal data and security events.

12.2 Organisational Measures

• Security Training: All employees receive regular data protection and security awareness training.
• Data Protection Policies: Internal policies and procedures govern the handling and protection of personal data.
• Incident Response: A documented incident response plan is in place for identifying, containing, and remediating data breaches.
• Vendor Assessment: Third-party vendors and sub-processors are assessed for data protection compliance before engagement.

12.3 User Responsibilities

You are responsible for:

• Maintaining the confidentiality of your Account credentials;
• Using strong, unique passwords and enabling multi-factor authentication where available;
• Ensuring that data you upload or process through the Platform does not violate applicable data protection laws;
• Notifying CloudStation promptly if you suspect any unauthorised access to your Account.

13.1 Rights Under UAE PDPL

Under the UAE Personal Data Protection Law, you have the following rights:

1. Right of Access: The right to request access to the personal data we hold about you.
2. Right to Rectification: The right to request correction of inaccurate or incomplete personal data.
3. Right to Erasure: The right to request deletion of your personal data, subject to legal retention requirements.
4. Right to Restrict Processing: The right to request that we limit the processing of your personal data in certain circumstances.
5. Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format.
6. Right to Object: The right to object to the processing of your personal data in certain circumstances.
7. Right to Withdraw Consent: Where processing is based on consent, the right to withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

13.2 Additional Rights Under GDPR

In addition to the rights above, data subjects in the EEA, United Kingdom, and Switzerland have the following additional rights:

1. Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.
2. Right Not to be Subject to Automated Decision-Making: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
3. Right to Information About International Transfers: The right to be informed about the appropriate safeguards relating to the transfer of your personal data to a third country or international organisation.

13.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at [email protected]. We will respond to your request within the following timeframes:

• UAE PDPL: Within 20 business days of receiving your request.
• GDPR: Within one month of receiving your request, with the possibility of extension by up to two additional months for complex requests.

We may request proof of identity before processing your request to ensure the security of your personal data.

13.4 Complaints

If you are not satisfied with our response to your request, you may:

1. Contact us again at [email protected] to escalate your concern;
2. Lodge a complaint with the UAE Data Office under the UAE PDPL;
3. Lodge a complaint with the relevant supervisory authority in the EEA, United Kingdom, or Switzerland under the GDPR;
4. Seek judicial remedy in accordance with applicable law.

14.1 Types of Cookies

We use the following types of cookies:

• Strictly Necessary Cookies: Essential for the operation of the Platform. These cookies do not require your consent and cannot be disabled.
• Functional Cookies: Enable enhanced functionality and personalisation, such as remembering your preferences. These require your consent.
• Analytics Cookies: Help us understand how visitors interact with the Platform by collecting and reporting information anonymously. These require your consent.
• Marketing Cookies: Used to track visitors across websites to display relevant advertisements. These require your consent.

14.2 Cookie Management

You can manage your cookie preferences through the following methods:

1. Our cookie consent banner displayed when you first visit the Platform;
2. Your browser settings, which allow you to block or delete cookies;
3. Third-party opt-out tools provided by analytics and advertising networks.

14.3 Third-Party Cookies

Some cookies are placed by third-party services that appear on our pages. We do not control these third-party cookies and recommend that you check the relevant third-party websites for more information about their cookies and how to manage them.

14.4 Do Not Track

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, CloudStation does not respond to DNT signals, but we will continue to monitor developments in this area.

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18 years of age. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data as soon as possible.

If you believe that we have inadvertently collected personal data from a child under 18, please contact us at [email protected] so that we can take appropriate action.

16.1 Notification to Users

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and in any event within 48 hours. Our notification will include:

1. A description of the nature of the breach, including the categories and approximate number of data subjects and records affected;
2. The likely consequences of the breach and the measures taken or proposed to address the breach;
3. Contact details for our data protection team for further information.

16.2 Notification to Authorities

We will notify relevant data protection authorities in accordance with applicable law:

• UAE PDPL: We will notify the UAE Data Office immediately upon becoming aware of a breach that poses a risk to data subjects.
• GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of data subjects.

17.1 Universal DPA

All Users benefit from our standard Data Processing Agreement (DPA), which governs our processing of personal data on your behalf and includes appropriate safeguards required by applicable data protection laws.

17.2 Enterprise DPA

Enterprise customers may request a customised DPA that includes additional provisions tailored to their specific requirements. Customisation options include:

1. Custom data retention periods;
2. Specific security requirements and audit rights;
3. Detailed sub-processor management and notification procedures;
4. Custom data breach notification timelines;
5. Specific international data transfer mechanisms;
6. Additional representations and warranties.

To request a customised Enterprise DPA, please contact us at [email protected].

18.1 Notification of Changes

We may update this Privacy Policy from time to time. When we make changes, we will:

1. Update the "Last Updated" and "Effective Date" at the top of this Privacy Policy;
2. Notify you of material changes via email or through a prominent notice on the Platform.

18.2 Effective Date of Changes

Material changes to this Privacy Policy will take effect 30 days after notification, unless a longer notice period is required by applicable law. Non-material changes (such as formatting corrections or clarifications) may take effect immediately upon posting.

18.3 Continued Use

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Platform and close your Account.