Privacy Policy

Table of Contents

1. Applicability of This Privacy Policy
2. Information We Collect
3. Google User Data
4. How AI Processes Your Data
5. How We Use Your Information
6. Cookies and Tracking Technologies
7. How We Share Your Information
8. Data Security
9. Data Retention
10. International Data Transfers
11. Your Privacy Rights
12. Children's Privacy
13. Third-Party Links
14. Changes to This Privacy Policy
15. Contact Us

1. Applicability of This Privacy Policy

Weywadt Inc. (operating as m8tes) ("m8tes," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at m8tes.ai (our "Website"), use our autonomous AI agent platform (the "Service"), or otherwise interact with us.

Controller and Processor Roles

m8tes operates in two capacities depending on the type of data:

• Data Controller: For personal data we collect directly from you through your account, our Website, and your interactions with us (described in this Privacy Policy). This includes Account Information, Usage Data, and Communication Information.
• Data Processor: When our API customers submit data through the m8tes platform on behalf of their end users (including task instructions, run inputs/outputs, and end-user identifiers). We process this data ("Customer Data") on behalf of and under the instructions of our customers. Customer Data is governed by our Customer Agreement and Data Processing Agreement (DPA), not this Privacy Policy. Queries about Customer Data should be directed to the relevant m8tes customer who is the data controller.

This Privacy Policy governs the processing of personal data for which m8tes is the data controller. For API customers, a Data Processing Agreement is available upon request at privacy@m8tes.ai.

Please read this Privacy Policy carefully. By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

We collect information that you provide directly to us:

• Account Information: Email address, name, phone number (optional), and password when you create an account
• Agent Configuration: Agent names, roles, instructions, goals, and preferences you set for your autonomous teammates
• Task and Conversation Data: Instructions, queries, messages, and content you submit to our Service, including AI-generated responses
• Integration Credentials: When you connect third-party services, we collect and securely store authentication credentials (OAuth tokens, API keys)
• Billing Information: Payment information is processed by Stripe, our third-party payment processor. We store only transaction references, subscription status, and billing contact details
• Communication Information: When you contact us for support, provide feedback, or otherwise communicate with us, we collect the contents of those communications

2.2 Information We Collect Automatically

When you use our Service, we automatically collect certain information:

• Usage Data: Request timestamps, response times, token counts, execution metrics, task completion status, features used, and how you interact with the Service
• Log Data: IP addresses, request methods, URL paths, HTTP status codes, and error messages for security and diagnostic purposes
• Device Information: Browser type, operating system, device identifiers, and screen resolution
• Cost and Billing Metrics: API usage costs and execution time for billing and analytics
• Cookies and Similar Technologies: See Section 6 for details on how we use cookies and analytics tools

2.3 Information from API and SDK Usage

If you use our developer API or SDK, we additionally collect:

• API Key Metadata: Key identifiers, creation dates, and usage patterns (not the key values themselves)
• Webhook Configuration: Endpoint URLs, delivery status, and response codes for webhook integrations you configure
• SDK Telemetry: SDK version, request volume, and error rates

3. Google User Data (When You Connect Google Integrations)

This section only applies if you choose to connect Google services (such as Google Ads or Google OAuth) to your m8tes account. If you do not connect these integrations, we do not collect any Google user data.

3.1 What Google User Data We Collect

When you actively connect Google integrations to m8tes, we collect:

• Google Account Information: Your email address, name, and profile information provided during OAuth authentication
• Google Ads Customer IDs: The customer account identifiers you authorize us to access
• Authentication Credentials: OAuth tokens (access tokens and refresh tokens) required to authenticate your requests to Google's services

Important: We do not permanently store your Google Ads campaign data, metrics, or advertising information. We provide you with a query tool (GAQL - Google Ads Query Language) that allows you to retrieve data directly from Google on demand. Query results are temporarily processed to display to you but are not saved to our databases unless you explicitly save specific information within the Service.

3.2 How We Use Google User Data

We use Google user data solely to provide you with the services you requested:

• Authentication: To verify your identity and maintain your login session via Google OAuth
• Execute Queries: To run Google Ads Query Language (GAQL) queries on your behalf and retrieve advertising data you request
• Display Results: To process and display query results, campaign performance data, and metrics within our interface
• Maintain Access: To refresh authentication tokens and maintain authorized access to your connected Google Ads accounts

We do NOT use Google user data for:

• Training artificial intelligence or machine learning models
• Targeted advertising, personalized advertising, or retargeted advertising
• Selling to data brokers or information resellers
• Determining credit-worthiness or lending purposes
• Any purpose unrelated to providing or improving m8tes functionality

3.3 How We Share, Transfer, or Disclose Google User Data

We do not sell, rent, or transfer your Google user data to third parties. We only share Google user data in the following limited circumstances:

• With Google Services: We transmit authentication credentials and query requests to Google's APIs solely to execute the services you requested (e.g., running GAQL queries against your Google Ads accounts)
• With Your Consent: If you explicitly authorize us to share data with additional third-party services you connect
• Legal Compliance: If required by law, court order, or government regulation (as described in Section 7.3)

We do not transfer or disclose Google user data to third parties for purposes other than providing you with the m8tes Service functionality you requested.

3.4 Security of Google User Data

We protect your Google user data with industry-standard security measures:

• Encryption: All Google OAuth tokens (access tokens, refresh tokens) are encrypted at rest using authenticated symmetric encryption (Fernet — AES-128-CBC with HMAC-SHA256) and transmitted over secure TLS (HTTPS) connections
• Access Controls: Access to Google user data is restricted to authorized systems and personnel only
• Secure Storage: Authentication credentials are stored in encrypted database fields with strict access policies
• Token Management: We use short-lived access tokens and securely manage refresh token rotation

3.5 Retention and Deletion of Google User Data

We retain Google user data only as long as necessary:

• Authentication Credentials: Stored for as long as you maintain the Google integration connection. You may disconnect at any time through your account settings.
• Query Results: Temporarily processed for display but not permanently stored unless you explicitly save specific data
• Account Deletion: When you delete your m8tes account or disconnect the Google integration, we immediately delete all associated Google authentication credentials and any stored Google user data

You may request deletion of your Google user data at any time by emailing privacy@m8tes.ai or by disconnecting the Google integration in your account settings.

4. How AI Processes Your Data

m8tes is an AI-powered platform. Understanding how your data interacts with AI systems is important to us.

4.1 AI Service Provider

We use Anthropic's Claude API as our primary AI service provider. When you submit tasks, messages, or instructions to the Service, this content is sent to Anthropic's API for processing. Anthropic processes this data to generate responses and execute your agent's tasks.

Under Anthropic's commercial API terms, they do not use your inputs or outputs to train their AI models. Anthropic may retain API inputs and outputs for a limited period (typically 30 days) for trust and safety purposes, after which the data is deleted. For full details, refer to Anthropic's privacy policy and commercial terms. If you connect your own Anthropic (Claude) subscription, the runs you start interactively in the app are processed under your Anthropic account and the terms you have with Anthropic; background and inbound-triggered runs (for example from email, Slack, or scheduled tasks) use our commercial API terms.

We also use OpenAI's API for one lightweight feature: generating a short title for a task. We send a brief excerpt of your message and the agent's response (up to a few hundred characters each) to produce the title, and that excerpt may include content the agent generated from your data. We do not send your uploaded files to OpenAI, and under OpenAI's API terms your data is not used to train their models.

4.2 What Data Is Sent to AI

• Task instructions and conversation messages you submit
• Agent configuration (system prompts, instructions, goals)
• Context from connected tools and integrations needed to complete your tasks
• Conversation history within a run for continuity

4.3 Our Commitments

• No Model Training: Neither m8tes nor our AI providers use your content, conversations, or outputs to train AI models
• Human Oversight (Accountable Autonomy): Our agents can take actions in the tools you connect, but you stay in control. You choose each agent's permission mode, sensitive or high-impact actions can be routed to a responsible person for approval, and every run is recorded in your account history. We do not use these agents to make solely-automated decisions that produce legal or similarly significant effects about you without a meaningful way for you to obtain human review, express your point of view, and contest the outcome (GDPR Article 22). You can configure approval gates and intervene at any time.
• Sandbox Isolation: Agent executions run in isolated sandbox environments. Code and files generated during execution are confined to your account and are not accessible to other users

5. How We Use Your Information

We use the information we collect to:

• Provide and Improve the Service: Execute your tasks, run autonomous agents, and continuously improve our platform
• Process Transactions: Manage your subscription, process payments, and send billing-related communications
• Maintain Integrations: Connect to and authenticate with third-party services you authorize
• Security and Fraud Prevention: Detect, prevent, and address security incidents and fraudulent activity
• Customer Support: Respond to your questions, troubleshoot issues, and provide technical assistance
• Analytics and Development: Analyze usage patterns to improve features, develop new capabilities, and optimize performance
• Communications: Send you service-related notifications, updates, and (where permitted) marketing communications
• Compliance: Comply with legal obligations and enforce our terms of service

We may aggregate or de-identify personal information so that you can no longer be identified, and use such data for research, analytics, and improving our Service. We do not attempt to re-identify this information.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our Service, analyze usage, and improve your experience.

6.1 What We Use

• Essential Cookies: Required for authentication, session management, and security. These cannot be disabled without affecting Service functionality.
• Analytics (PostHog): We use PostHog for product analytics. In your browser, PostHog collects page views and interaction data — and, once you sign in, your email — only after you accept analytics cookies. Separately, our servers record pseudonymous product and usage events (such as account creation, run completions, and feature usage), keyed to an internal account ID and tagged with operational metadata such as your sign-in method, plan, and resource identifiers — but never your email or name — to operate and improve the Service. PostHog data is not shared with third parties for advertising.
• Visitor analytics (Apollo): We use Apollo's website-visitor tracking script across our site to understand traffic and identify interested businesses. It loads only after you accept analytics cookies, and may associate a visit with business contact information Apollo holds.
• Error Tracking (Sentry): We use Sentry to monitor application errors and performance. Sentry may collect technical data including browser type, error stack traces, and request metadata to help us diagnose and fix issues.

6.2 Your Choices

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all or some cookies, or to alert you when cookies are being sent. If you disable cookies, some parts of the Service may not function properly.

For EEA/UK users, we obtain consent before placing non-essential cookies on your device, in accordance with applicable law. You can change or withdraw your choice at any time using the "Your privacy choices" link in our website footer, which re-opens the consent options. Withdrawing is as easy as accepting.

Global Privacy Control (GPC): We honor the GPC browser signal. If your browser or extension sends GPC, we treat it as a request to opt out — analytics and visitor-tracking cookies stay off and we do not enable optional session-replay, without any further action from you.

Note on error monitoring: our error-tracking provider (Sentry) can record a masked session replay to help diagnose a crash. We enable session replay only after you accept analytics cookies, and it masks all text, form inputs, and media so your content is not captured.

7. How We Share Your Information

We do not sell your personal information. We may share your information with the following categories of recipients:

7.1 Sub-Processors and Service Providers

We engage the following categories of third-party service providers to help us operate and deliver the Service:

• Anthropic (LLM inference) — Powers our autonomous agents. Processes the task instructions, messages, and context you send to a teammate to generate responses.
• Daytona (sandbox compute) — Runs each agent in an isolated cloud sandbox. Processes run code, uploaded files, and tool input/output during execution.
• DigitalOcean (cloud hosting and database) — Hosts our application and databases, where platform data is stored at rest.
• Stripe (payments and billing) — Processes subscription and usage-based payments. Receives your billing contact and a tokenized payment method directly from you; we never store card numbers.
• Resend (transactional email) — Delivers verification, notification, and billing emails. Processes recipient email address and notification content.
• Composio (third-party integration brokerage) — Facilitates connections to third-party tools you authorize. Processes connection metadata and OAuth tokens for the apps you connect.
• OpenAI (task titles) — Generates a short title for each task. Processes a brief excerpt of your message and the agent's response (see Section 4).
• Slack (messaging, optional) — Delivers and receives agent messages in your connected Slack workspaces. Processes message content, sender identity, and workspace identifiers, only if you connect Slack.
• PostHog (product analytics) — Browser page views (and, once you sign in, your email) only after you accept analytics cookies, plus pseudonymous server-side product and usage events keyed to an internal account ID and tagged with operational metadata (sign-in method, plan, resource identifiers — never your email or name) to operate and improve the Service.
• Sentry (error monitoring) — Monitors application health. Processes error traces and request metadata, redacted of secrets.
• Google (OAuth sign-in and connected APIs) — Authenticates Google sign-in and connected services. Processes account identifiers and the data you authorize (e.g. Google Ads).
• Twilio (SMS, optional) — Sends and receives text messages. Processes your phone number and message content, only if you enable SMS.
• BlueBubbles (iMessage bridge, optional, self-hosted) — Routes iMessage content through a bridge that you host and control.
• Cal.com (demo scheduling) — Powers the "Book a demo" scheduler. Processes the name and email you submit when booking a demo.
• Apollo (website visitor analytics) — Runs a visitor-tracking script across our site, only after you accept analytics cookies. Processes visit data and may associate it with business contact information Apollo holds.

Except for optional channels you host yourself (such as the BlueBubbles iMessage bridge), all sub-processors are bound by contractual obligations to protect your data and may only process it for the purposes specified in our agreements with them. Our current list of sub-processors is published and kept up to date on our Security page.

7.2 Third-Party Integrations

When you connect third-party services to your agents, we share relevant data with those services as necessary to execute your tasks. These integrations are initiated by you and are subject to the privacy policies of those third-party services.

7.3 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe such action is necessary to:

• Comply with legal obligations
• Protect our rights, property, or safety
• Prevent fraud or security threats
• Protect the rights and safety of our users

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your personal information.

8. Data Security

We implement appropriate technical and organizational measures to protect your information:

• Encryption: We encrypt sensitive data including authentication tokens and third-party credentials both in transit (TLS) and at rest using authenticated symmetric encryption (Fernet — AES-128-CBC with HMAC-SHA256)
• Secure Authentication: Passwords are hashed with a salted, industry-standard one-way function and are never stored in plaintext. We support optional two-factor authentication (TOTP) and OAuth 2.0 sign-in, and automatically lock accounts after repeated failed logins
• Access Controls: We apply least-privilege access controls, restricting access to personal information to authorized personnel only
• Monitoring: We monitor our systems for security vulnerabilities and unauthorized access
• Sandbox Isolation: Agent code executions run in isolated sandbox environments to prevent cross-user data access

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

9. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy. Specific retention periods include:

• Account Information: Retained for the life of your account and deleted within 30 days of account deletion, unless required by law
• Task, Conversation, and Run History: Retained for the life of your account; we do not automatically expire your run history. Deleted or anonymized when you delete your account or upon request
• Zero-Data-Retention Mode (optional): If you enable zero-data-retention mode, the agent's conversation content, tool inputs and outputs, model reasoning, and generated reports are never written to our database — only run metadata (status, timing, token and cost counts, and which tools ran) is kept. Short content-derived labels, such as a task's generated title or the name of a file your agent saves, may still be stored
• Inbound Message Receipts: Delivery records used to de-duplicate inbound email, Slack, and iMessage events are automatically purged after 90 days
• Billing and Transaction Records: Retained for 7 years as required by tax and accounting regulations
• Server and Diagnostic Logs: Retained for up to 90 days for security and diagnostic purposes
• Analytics Data: Retained in aggregated or de-identified form indefinitely for product improvement

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it by law. Conversation logs, task execution history, and agent configurations associated with your account will be deleted along with your account.

10. International Data Transfers

m8tes is headquartered in the United States. Your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your jurisdiction.

10.1 Transfer Mechanisms

When we transfer personal data from the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses to ensure appropriate safeguards for data transfers
• Adequacy Decisions: Where applicable, we transfer data to countries recognized as providing adequate data protection

10.2 Onward Transfers

We ensure that our sub-processors who receive personal data from the EEA, UK, or Switzerland are also bound by appropriate data transfer mechanisms. We remain accountable for the processing of personal data by our sub-processors.

11. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

11.1 General Rights

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information, subject to certain exceptions
• Data Portability: Export a copy of your data in a structured, machine-readable (JSON) format. For your protection, the export omits run conversation transcripts, which can contain credentials an agent accessed during a run
• Opt-Out: Opt out of marketing communications at any time

11.2 Rights for EEA/UK Users (GDPR)

If you are located in the European Economic Area or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to Object: Object to processing of your personal information for direct marketing or legitimate interests
• Right to Restrict Processing: Request that we limit how we use your information
• Right to Withdraw Consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
• Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority

Legal Basis for Processing (GDPR)

We process your personal information on the following legal bases:

• Contractual Necessity: To create and maintain your account, provide the Service, process payments, and deliver customer support
• Legitimate Interests: To improve and develop our Service, analyze usage patterns, ensure security, and prevent fraud. We balance our interests against your privacy rights
• Legal Obligation: To comply with applicable laws, regulations, or legal processes
• Consent: For marketing communications, non-essential cookies, and any other processing where consent is required. You may withdraw consent at any time

11.3 Rights for US Residents (CCPA/State Privacy Laws)

If you are a resident of California or another US state with applicable privacy legislation, you may have additional rights:

• Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources of collection, the purposes for collection, and the categories of third parties with whom we share it
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: m8tes does not sell your personal information and does not share your personal information with third parties for cross-context behavioral advertising
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights

Categories of personal information we collect (as defined by the CCPA): identifiers (name, email, IP address), commercial information (transaction history, subscription status), internet activity (usage data, log data), and professional information (job title, company name where provided).

We do not sell personal information, and to our knowledge, we do not sell personal information of minors under 18 years of age.

11.4 How to Exercise Your Rights

If you have an account, you can export your data or permanently delete your account yourself at any time from your account settings, in the Danger zone section, with no request needed. You can also exercise any of these rights by emailing privacy@m8tes.ai. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

12. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@m8tes.ai and we will delete such information.

13. Third-Party Links

Our Service may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy applies only to our Service. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party services you access through our platform.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will provide at least 30 days' advance notice of any material changes by:

• Posting the updated policy on this page
• Updating the "Last Updated" date at the top
• Sending you an email notification for significant changes

Your continued use of the Service after the changes take effect indicates your acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For EEA/UK Users: Weywadt Inc. (operating as m8tes) is the data controller of your personal information as described in this Privacy Policy. For inquiries about Customer Data processed on behalf of our API customers, please contact the relevant m8tes customer directly.