This Privacy Policy describes how The Company Company Inc., a Delaware corporation with its principal place of business at 1885 Mission St, San Francisco, CA 94103 ("Company," "Co," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information (also called "personal data" in some jurisdictions) when you:
- Access or use our AI-powered business operations platform and related services available at https://www.thecompany.company (the "Services");
- Visit, interact with, or use our website, marketing pages, or communications; or
- Communicate with us through email, support channels, or other means.
When we decide how and why to process personal information (for example, for account management, billing, or marketing), we act as a "business" under the California Consumer Privacy Act and "controller" under other privacy laws. When we process Customer Data on behalf of our business customers in order to provide the Services, we act as a "service provider" under the CCPA/CPRA and a "processor" under other applicable laws. Our processing of Customer Data in that capacity is governed by our agreement with the applicable customer, including any Data Processing Agreement ("DPA").
By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Services.
For information about how we process Customer Data on behalf of our business customers, please see the sections titled "Customer Data" and "Our Role as a Service Provider" below.
Information We Collect
Information You Provide
- Account Information: Name, email address, password, and organization details when you create an account, as well as optional profile information (such as display name, avatar, role, and team membership). If you use Google Single Sign-On (SSO) on eligible plans, we receive your Google profile information (including name, email address, and profile picture) from Google when you authenticate.
- Billing Information: Billing contact name, email address, billing address, tax identifiers (where applicable), and payment method details. We use third-party providers, including Autumn (which uses Stripe as a sub-processor), to process payments. We do not store full payment card numbers on our servers and only retain tokenized payment references and limited card metadata (such as last four digits and card type) as provided by our payment processors.
- Customer Data: Any data, content, or information you submit through the Services in connection with your use, including data pulled from third-party tools you connect (for example, Slack, Google Workspace, Linear, GitHub, HubSpot, Mercury, LinkedIn, Twitter/X, and other integrations you authorize). Customer Data may include business records, communications, documents, project and ticket information, financial transaction data, and other information depending on the integrations and agent workflows you configure. You control what Customer Data is submitted to or generated through the Services.
- Communications: Information you provide when you contact us for support, submit feedback, or otherwise communicate with us, including your name, email address, the content of your messages, and any attachments or files you choose to send.
- Professional and Business Information: Company name, job title or role, department, team membership, and other professional information you provide when creating or managing a workspace or user account.
- Third-Party Integration Credentials: When you authorize integrations with third-party services, we receive and store authentication credentials (such as OAuth access and refresh tokens and API keys) in encrypted form. We use these credentials only to connect to and act within those third-party services as necessary to perform the tasks and workflows you configure.
Information Collected Automatically
When you use the Services, we automatically collect certain information, including:
- Log Data: IP address, browser type, operating system, referring URLs, pages visited, timestamps, access times, and information about your interactions with specific features of the Services.
- Device Information: Device type, unique device identifiers, operating system version, hardware model, browser type and version, screen resolution, and mobile network information (such as carrier and connection type).
- Usage Data: Features used, actions taken, frequency and duration of activities, and performance data, including agent execution logs, tool calls, error logs, clickstream data, and other information about how you navigate and interact with the Services.
- Geolocation Data: Approximate location derived from your IP address (for example, city, state, or region). We use this information to provide the Services, maintain security, comply with regional legal requirements, and understand where our users are located. We do not collect precise geolocation (such as GPS coordinates) unless you explicitly enable a feature that requires it.
- Session Information and Recordings: We may use product analytics tools to collect information about how you use the Services, including through event tracking and, in some cases, session recordings that capture interactions such as mouse movements, clicks, scrolling, and page transitions. We configure these tools to avoid capturing passwords, payment card numbers, and other fields we designate as sensitive.
Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Strictly Necessary: Required for the Services to function, including authentication and security cookies. These cannot be disabled. Without them, we cannot provide the Services.
- Analytics: Used to understand how users interact with the Services. We use the following analytics services:
  - PostHog: Product analytics and session recording for understanding user behavior and improving the Services, measuring feature adoption, debugging issues, and improving user experience.
  - Vercel Analytics: Web performance and traffic analytics used to monitor page load times, request volumes, and performance metrics.
We do not use advertising or marketing cookies. We also do not use third-party advertising pixels (such as the Meta or TikTok pixel) in the Services.
You can manage analytics cookies through your browser settings or by contacting us at legal@thecompany.company. Disabling analytics cookies will not affect the functionality of the Services. Depending on your location, you may see additional cookie controls or banners when you visit our website, and you can use those controls to manage your preferences.
How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Services.
- Process transactions and manage your subscription.
- Send transactional communications, including service updates, security alerts, and support messages.
- Respond to your requests, comments, and questions.
- Monitor and analyze usage patterns and trends to improve the Services.
- Detect, prevent, and address fraud, abuse, and security issues.
- Comply with legal obligations and enforce our Terms of Service.
- Develop new features and functionality.
More specifically, we use personal information for the following purposes:
- Providing and operating the Services: Creating and managing accounts, authenticating users, executing agent workflows, connecting to third-party integrations you authorize, processing transactions, and providing customer support.
- Improving and developing the Services: Monitoring and analyzing usage patterns, diagnosing and fixing bugs, conducting research and development, and testing new features and improvements.
- Security and abuse prevention: Detecting, investigating, and preventing fraudulent, harmful, or unauthorized activity; protecting the security and integrity of the Services, our users, and our infrastructure.
- Communications: Sending transactional messages, service-related announcements, security alerts, technical notices, and administrative messages; responding to your inquiries and support requests.
- Marketing and engagement: Sending you marketing emails or in-product messages about new features, offers, and events (where permitted by law). You can opt out of marketing communications at any time.
- Compliance and legal obligations: Complying with applicable laws, regulations, legal processes, and government requests; enforcing our Terms of Service and other policies; and protecting our rights and the rights of others.
- Business operations: Performing accounting, auditing, billing, reconciliation, and other internal business operations; planning and forecasting; and evaluating or conducting corporate transactions (such as mergers, acquisitions, or financing).
We do not use your Customer Data to train, fine-tune, or improve general-purpose AI or machine learning models, or for purposes unrelated to providing the Services to you. We may use aggregated or de-identified information derived from Customer Data for analytics, benchmarking, and improving the Services, provided that such information cannot reasonably be used to identify you or any individual.
AI and Automated Processing
Our Services include AI-powered features that process data to provide autonomous agent capabilities. In connection with these features:
- AI Processing: Customer Data may be processed by AI models to generate outputs, make recommendations, and execute tasks as configured by the Customer. This processing is performed solely to provide the Services. The quality and accuracy of AI outputs depend on the data, prompts, and configurations you provide.
- Third-Party AI Providers: We use third-party AI model providers (such as Anthropic) to power AI features. Customer Data sent to these providers is subject to our data processing agreements with them and is not used by these providers to train their models.
- AI Logs: We may retain logs of AI inputs and outputs for a limited period to provide the Services, debug issues, and ensure quality. These logs are treated as Customer Data and subject to the same protections. We generally retain AI logs for the periods described in the "Data Retention" section below unless a longer period is required to resolve specific support or security issues.
- Automated Decision-Making: Our AI features may make automated decisions or take automated actions based on Customer configurations. Customers are responsible for implementing appropriate human oversight as required by their use case and applicable law. You must not use AI-generated outputs as the sole basis for decisions that produce legal or similarly significant effects on individuals (such as employment, credit, housing, or healthcare decisions) without appropriate human review and additional safeguards.
- No Model Training: We do not use Customer Data to train, fine-tune, or improve general-purpose AI or machine learning models. If we ever propose to use your information for training or fine-tuning our own models beyond providing the Services, we will obtain your explicit consent or provide a clear opt-out mechanism, as required by law.
Depending on your location, you may have rights to object to or opt out of certain automated processing or profiling that produces legal or similarly significant effects. See the "U.S. State Privacy Rights" and "California Residents (CCPA/CPRA and Similar Laws)" sections below for more information.
How We Share Your Information
We do not sell your personal information. We may share information in the following circumstances:
- Service Providers: With third-party vendors who perform services on our behalf (hosting, payment processing, analytics, AI model providers, email delivery), subject to confidentiality and data processing obligations and only for the purposes described in this Privacy Policy or in our agreement with your organization.
- Legal Compliance: When required by law, regulation, legal process, or governmental request.
- Safety and Rights: To protect the rights, property, or safety of the Company, our users, or others.
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case your information may be transferred as part of the transaction, and we will take reasonable steps to require the recipient to honor this Privacy Policy or notify you of material changes.
- With Your Consent: When you have given us explicit consent to share your information.
We may share aggregated or de-identified information that cannot reasonably be used to identify you with third parties for analytics, research, and similar purposes.
Our Role as a Service Provider
When we process Customer Data on behalf of our business customers, we act as a "service provider" as defined by the CCPA/CPRA. In this capacity, we:
- Process Customer Data only for the business purposes specified in our agreement with the Customer.
- Do not sell or share Customer Data.
- Do not retain, use, or disclose Customer Data for any purpose other than performing the Services.
- Do not combine Customer Data with personal information received from other sources, except as permitted by the CCPA.
- Certify that we understand and will comply with these restrictions.
Data Security
We implement commercially reasonable technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS) and at rest
- Access controls and authentication mechanisms
- Regular security reviews
- Incident response procedures
However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a security incident that affects your personal information, we will notify you and/or your organization as required by applicable law and in accordance with our incident response procedures.
Data Retention
We retain personal information as follows:
- Account Information: For the duration of your account plus 30 days after account deletion.
- Billing Records: For 7 years after the transaction, as required by tax and financial regulations.
- Log and Usage Data: For 12 months from collection.
- AI Logs: For 90 days from generation unless longer retention is required to provide the Services or resolve issues.
- Support Communications: For 3 years from resolution.
- Aggregated/Anonymized Data: Indefinitely, as it cannot be used to identify you.
When data is no longer needed, we securely delete or anonymize it. In some cases, we may need to retain certain information for longer periods to comply with legal, tax, accounting, or security requirements, even after you close your account or we no longer provide Services to you.
U.S. State Privacy Rights
If you are a resident of a U.S. state with a comprehensive consumer privacy law, you may have some or all of the following rights over your personal information, subject to certain exceptions and limitations under applicable law. Similar rights may also be available to residents of other states if additional privacy laws come into effect.
- Right to Know / Access: The right to confirm whether we are processing your personal information and to request access to that information, including the categories of personal information, the categories of sources, the purposes for processing, and the categories of third parties to whom we disclose it.
- Right to Data Portability: The right to obtain a copy of certain personal information in a portable and, to the extent technically feasible, readily usable format so that it can be transmitted to another entity.
- Right to Delete: The right to request that we delete personal information we collected from or about you, subject to certain exceptions (for example, when we must retain data to comply with law, to detect security incidents, or to protect against fraudulent or illegal activity).
- Right to Correct: The right to request that we correct inaccurate personal information about you, taking into account the nature of the personal information and the purposes of the processing.
- Right to Opt Out of Certain Processing: Depending on your state, the right to opt out of our processing of personal information for: (a) "targeted advertising," (b) the "sale" of personal information, and/or (c) "profiling" in furtherance of decisions that produce legal or similarly significant effects concerning you. We do not "sell" your personal information or engage in "targeted advertising" as those terms are defined in most state laws. If our practices change in the future, we will update this Privacy Policy and provide you with any required notices and choices (including any "Do Not Sell or Share" mechanisms).
- Right to Limit Use and Disclosure of Sensitive Personal Information: In some states, the right to limit our use and disclosure of certain "sensitive" personal information. We collect limited sensitive personal information (such as account login credentials) as described in this Privacy Policy and use it only as reasonably necessary to provide the Services, maintain security, and comply with law. We do not use or disclose sensitive personal information for additional purposes that would give rise to a right to limit in most states' laws.
- Right to Non-Discrimination / Non-Retaliation: The right not to be discriminated or retaliated against for exercising your privacy rights. We will not deny you goods or services, charge you different prices or rates, or provide you a different level or quality of services solely because you exercised your privacy rights.
Exercising Your U.S. State Privacy Rights
You or your authorized agent can submit a request to exercise your applicable privacy rights by emailing us at legal@thecompany.company with a clear description of your request and the state where you reside. We may need to verify your identity (and, where applicable, your agent's authority) before we act on your request. We will respond within the timeframes required by applicable law (typically 45 days, with the ability to extend once where permitted).
If we decline to act on your request, we will explain our decision. If your state law gives you the right to appeal our decision, you may do so by replying to our response or emailing us at legal@thecompany.company with "Privacy Rights Appeal" in the subject line. We will review your appeal and respond within the timeframe required by your state law (typically 45-60 days), explaining our decision. If additional states adopt similar privacy laws in the future, we will treat residents of those states in a manner consistent with this section and update this Privacy Policy as needed.
California Residents (CCPA/CPRA and Similar Laws)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), in addition to the rights described above. Residents of some other states (such as Virginia, Colorado, Connecticut, and similar "Virginia-model" states) have substantially similar rights, although the terminology and scope may differ.
- Right to Know: You have the right to request that we disclose: (a) the categories of personal information we have collected about you; (b) the categories of sources from which the personal information is collected; (c) the business or commercial purpose for collecting or disclosing personal information; (d) the categories of third parties to whom we disclose personal information; and (e) the specific pieces of personal information we have collected about you.
- Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (for example, when we must keep information to comply with a legal obligation, to detect or prevent security incidents, or to protect against malicious or illegal activity).
- Right to Correct: You have the right to request that we correct inaccurate personal information about you, taking into account the nature of the personal information and the purposes of the processing.
- Right to Opt Out of Sale/Sharing: We do not "sell" or "share" your personal information for cross-context behavioral advertising as those terms are defined in the CCPA/CPRA. If our practices change in the future, we will update this Privacy Policy and provide you with appropriate notice and choices, including any required "Do Not Sell or Share My Personal Information" mechanisms.
- Right to Limit Use and Disclosure of Sensitive Personal Information: We collect certain "sensitive personal information" (such as account login credentials) as described above. We use this information only as reasonably necessary to provide the Services, secure your account, and comply with law, and not for additional purposes that would trigger the CCPA right to limit. If that ever changes, we will provide you with a way to exercise your right to limit such use or disclosure.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. This means we will not deny you goods or services, charge you different prices or rates, or provide you a different level or quality of services solely because you exercised your privacy rights.
To exercise any of these rights, contact us at legal@thecompany.company. We will verify your identity before processing your request and respond within 45 days as required by law. If we need more time (up to an additional 45 days), we will let you know. If we deny your request, you may have the right to appeal; you can email us with "California Privacy Appeal" in the subject line, and we will respond within the timeframe required by California law. Where other state laws provide similar appeal rights, we will handle those appeals in a manner consistent with this process and applicable law.
Categories of Personal Information Collected (as defined by the CCPA):
| Category | Examples | Collected | Sources | Business Purpose |
|---|---|---|---|---|
| Identifiers | Name, email, IP address | Yes | Directly from you; automatically from your device | Account creation, authentication, communications |
| Commercial information | Subscription records, billing history | Yes | Directly from you; from payment processors | Billing, subscription management |
| Internet activity | Browsing history, interactions with Services | Yes | Automatically from your device and our Services | Service improvement, security, analytics |
| Geolocation data | Approximate location from IP address | Yes | Automatically from your device | Service delivery, security |
| Professional information | Company name, job title | Yes | Directly from you | Account setup, personalization |
| Sensitive personal information | Account login credentials | Yes | Directly from you | Authentication, account security |
Do Not Track Signals
Some browsers include a "Do Not Track" ("DNT") setting that can send a signal to the websites you visit, indicating that you do not want to be tracked. There is currently no common industry standard for how to interpret DNT signals, and we do not respond to DNT signals at this time. You can manage most tracking technologies used by the Services as described in the Cookies and Tracking Technologies section.
Certain U.S. state privacy laws (including in California and Colorado) require businesses to recognize browser- or device-level opt-out preference signals or universal opt-out mechanisms, such as Global Privacy Control ("GPC"), when those businesses "sell" or "share" personal information or engage in "targeted advertising" as defined by those laws. We do not currently sell personal information, share it for cross-context behavioral advertising, or use it for targeted advertising as those terms are defined under these laws.
However, to the extent required by applicable law, when we detect a valid GPC or similar recognized opt-out signal from your browser or device, we will treat that signal as a request to opt out of any sale, sharing, or targeted advertising that may apply to our future data practices. Because we do not currently engage in those activities, honoring such signals will have limited practical effect today but may impact certain non-essential analytics or tracking if our practices change.
International Data Transfers
Our Services are hosted in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States. By using the Services or providing us with information, you understand that your personal information may be transferred to, stored in, and processed in the United States and in other countries where our service providers operate, which may have different data protection laws than those in your country.
We do not currently market or offer the Services to individuals located in jurisdictions that impose additional data transfer or localization requirements (such as the European Economic Area, the United Kingdom, or Switzerland), and we do not represent that the Services comply with all laws of any non-U.S. jurisdiction. If you choose to access the Services from outside the United States, you do so on your own initiative and are responsible for compliance with any local laws that apply to you.
If, in the future, we intentionally expand to serve users in jurisdictions that require specific cross-border transfer mechanisms (such as Standard Contractual Clauses or participation in a Data Privacy Framework), we will implement appropriate transfer mechanisms to the extent required by applicable law and update this Privacy Policy accordingly.
Third-Party Links and Services
The Services may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access. Your use of third-party services is governed by those services' own terms and privacy policies.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a revised "Last updated" date
- Sending notice to the email address associated with your account, where practicable
Your continued use of the Services after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree to the updated Privacy Policy, you must stop using the Services and may request that we delete your account.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:
- Email: legal@thecompany.company
- Address: The Company Company Inc., 1885 Mission St, San Francisco, CA 94103
You may also have the right to lodge a complaint with your local data protection authority or attorney general if you believe we have violated applicable privacy laws. However, we encourage you to contact us first so we can address your concerns.