Privacy Policy

We collect the following categories of personal data:

• Account data — your name, email address, organisation, and authentication identifiers
• Workspace data — the content you connect to your Workspace (documents, messages, transcripts, files, and so on), the questions you ask, the answers Open42 generates, and the Skills you save
• Usage data — request logs, request metadata, IP address, browser and device information, and feature usage
• Billing data— billing contact, billing address, and payment status (card details are processed by our payment processor; we don't store them ourselves)
• Communications — emails and messages you send to us

We use personal data to:

• provide, operate, and improve the Service
• authenticate you and secure your account
• bill you for paid plans
• communicate with you about your account, security, and product updates
• investigate and prevent fraud, abuse, or security incidents
• comply with legal obligations

We do not sell your personal data. We do not use the contents of your Workspace to train shared or third-party models.

We rely on the following legal bases for processing:

• Performance of a contract — to deliver the Service you subscribed to
• Legitimate interests — to secure, improve, and operate the Service, where those interests are not overridden by your rights
• Consent — for optional features (such as marketing emails) where you have opted in
• Legal obligation — where processing is required by applicable law

We share personal data with vetted sub-processors that help us run the Service. Our current sub-processors include:

• Anthropic, PBC — model inference (United States)
• OpenAI, L.L.C. / OpenAI Ireland Ltd — model inference (United States / Ireland)
• Composio — connector orchestration and OAuth
• Supabase Inc. — authentication and metadata storage
• Fly.io (Hashbang Industries Inc.) — cloud infrastructure for per-Workspace runtimes
• Stripe Payments Europe Ltd — payment processing

We require each sub-processor to apply appropriate technical and organisational measures to protect your data. A current list is available on request to [email protected]. We'll notify customers in advance of any material change to our sub-processor list.

Some of our sub-processors are based outside the United Kingdom. When personal data leaves the UK, we rely on appropriate safeguards — including the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or adequacy decisions — depending on the destination.

Each Workspace runs on its own gbrain runtime with its own database. There is no shared retrieval layer between Workspaces. Where you bring your own API keys, those keys are stored separately and never reach the Workspace runtime — all model traffic flows through a per-Workspace egress proxy that resolves the real key at request time.

We retain personal data for as long as we need to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. After you terminate your account, you can export Your Content for thirty (30) days, after which we may delete it from active systems. Backup copies may persist for a limited period in line with our backup schedule before being deleted.

Under UK GDPR you have the right to:

• access the personal data we hold about you
• have inaccurate personal data corrected
• request erasure, subject to legal exceptions
• restrict or object to certain processing
• receive your personal data in a portable format
• withdraw consent at any time, for processing based on consent

To exercise these rights, email [email protected].

We apply appropriate technical and organisational measures to protect personal data — including encryption in transit, encrypted secrets at rest, role-based access controls, and per-tenant isolation. No system is perfectly secure; if a personal data breach is likely to result in a risk to your rights and freedoms, we'll notify the ICO and affected customers as required by law.

We use a small number of strictly necessary cookies to keep you signed in and to remember your session preferences. We do not use third-party advertising or cross-site tracking cookies.

The Service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we'll delete it.

We may update this Privacy Policy from time to time. If the changes are material, we'll let you know in advance — by email or in the product. The “Last updated” date above will always reflect the current version.

For questions about this Policy, to exercise your rights, or to request our current sub-processor list, email [email protected] or write to Interface Labs Ltd, 124 City Road, London, England, EC1V 2NX.