Skip to content

Privacy policy

Short version: we keep only what runs your account, your infrastructure data stays in the EU, payment data is handled by Paddle (UK) under the UK adequacy decision, and we never sell it.

Published · Updated

Who we are

Paperclip.inc OÜ operates the hosted product at Paperclip.inc. For your account, billing, and usage data we are the data controller. For the content you put into the product so your agents can act on it (issues, routines, skills, prompts, approvals, and the context they need), we act as a processor on your behalf: you decide what goes in and why, and our handling is governed by our data processing agreement.

Entity
Paperclip.inc OÜ
Registry code
17517227
Address
Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia
Privacy contact
privacy@paperclip.inc

What we collect

Account information (name, email, billing identifiers from our payments provider). Telemetry tied to the organization (agent runs, costs, errors, login events). The content of issues, routines, skills, and approvals created inside the product.

We collect privacy-friendly, cookieless website analytics (which pages and features are used) without tracking you across sites. With your consent, we also collect heatmaps and session recordings that play back how the site and product are used, with typed input masked. You can decline recordings, and withdraw consent at any time. The "Cookies and analytics" section below explains this in full.

We do not collect third-party browsing history, device location, contact lists, microphone or camera input, or any signal from outside the product itself.

Why we process it, and our legal basis

Under the GDPR we rely on a specific legal basis for each purpose:

Run the account and agents
Performance of our contract with you.
Telemetry, error monitoring, security, and service improvement
Our legitimate interest in keeping the product reliable and safe, balanced against your rights.
Cookieless website analytics
Our legitimate interest in understanding usage, with no cookies or cross-site tracking.
Heatmaps and session recordings
Your consent, which you can withdraw at any time.
Billing, tax, and accounting records
Compliance with our legal obligations, and performance of our contract.
Product or marketing email, where applicable
Your consent, which you can withdraw at any time.

When agents process the content you provide, that processing is on your instructions as the controller. You determine the legal basis for the people whose data you put into the product.

What we send to model providers

When an agent runs, the prompt and required context are routed through Tensorix, a European inference provider that keeps the request inside the European Union. You can also point an agent directly at a self-hosted endpoint if you run your own. We do not send billing data, team membership, or unrelated organization content along with the request. We route requests only to model endpoints in the European Union, or to a self-hosted endpoint you control.

Model provider data handling is governed by the provider that serves the request. Where a provider or route supports zero data retention and no training on inputs, we prefer it and pass that setting through, and we surface what is enabled in the org settings page so an org admin can see it. We do not control, and do not promise on behalf of, how every downstream provider handles a request, which is why those settings are visible to you.

Paperclip provides an AI system. We do not use your personal data to make solely automated decisions that produce legal or similarly significant effects about you. Agents carry out tasks that you configure and start, and you stay in control of what they do.

Subprocessors

We use a small, named set of subprocessors to run the service. We do not sell or rent customer data, and we do not advertise.

Note: Paddle (UK) appears below for completeness, but Paddle is an independent controller for payment and tax data, not a subprocessor under our data processing agreement. It is covered by the UK adequacy decision and governed by its own terms.

Hetzner
Cloud hosting and managed database, in the European Union.
Cubbit
Object storage and backups. A European (Italian) company storing data across the EU.
Paddle
Payments, as merchant of record (checkout, billing, VAT, invoicing). Paddle.com Market Ltd, United Kingdom, covered by the UK adequacy decision. Paddle is its own controller for the payment and tax data it handles.
Tensorix
EU model gateway for inference, hosted in the European Union. A European (Irish) company that keeps requests inside the EU.
mailbox.org
Email mailboxes and inbound (receiving) email. A European (German) company, EU-hosted.
Scaleway
Transactional email sending (waitlist, onboarding, notifications). A European (French) company (Scaleway S.A.S., Paris, Iliad group), hosted in Paris (fr-par).
Plausible
Cookieless website analytics. A European (Estonian) company; sets no cookies and needs no consent.
Mouseflow
Heatmaps and session recordings. A European (Danish) company. Runs only with your consent.

We update this list when it changes. We do not provide data to anyone else except to comply with a valid legal request, in which case the affected org is notified unless we are legally prohibited from doing so.

Where your data is hosted, and transfers

Your data is hosted in the European Union. All processing subprocessors are established and hosted in the EU/EEA. Paddle (United Kingdom) is not a subprocessor but an independent controller for payment data, covered by the UK adequacy decision. We do not transfer your data outside the European Economic Area except to Paddle for payment processing and to any self-hosted model endpoint you choose to configure, which is under your control.

Retention

Active accounts: kept as long as the account exists. Deleted accounts: 30 days for backups, then purged. Audit logs: 12 months by default, configurable for enterprise customers up to 7 years for compliance use cases. Session recordings: up to 90 days, then deleted. Product analytics events: up to 12 months. Billing and tax records are kept for as long as the law requires.

Your rights

You can export, delete, or correct stored data at any time from settings, or by emailing privacy@paperclip.inc. Where we rely on your consent, such as for analytics and session recordings, you can withdraw it at any time, which stops future processing without affecting what happened before.

If you are in the EU or UK, you have the right to access your data, to have it corrected or erased, to restrict or object to processing, and to data portability. We respond within one month, and may extend by up to two further months for complex or numerous requests, in which case we tell you within the first month. You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee), and you may also contact the authority where you live.

If you are a California resident, you have the right to know, delete, and correct your personal information, and to not be discriminated against for exercising those rights. We do not sell or share personal information as those terms are defined under California law. We respond to verifiable requests within 45 days, and may extend once when reasonably necessary.

We confirm your identity against your authenticated account before acting on a request, so that we do not disclose data to the wrong person.

Cookies and analytics

We use Plausible, a cookieless, EU-hosted analytics tool, to understand which pages and features are used. It sets no cookies, collects no personal data, and does not track you across sites, so it runs without a consent banner. For heatmaps and session recordings we use Mouseflow, a European company. Because recordings are more revealing, we ask for your consent first and load Mouseflow only if you accept; if you decline, nothing from it loads, and you can withdraw consent at any time.

Session recordings play back how pages are used, so we can see what is confusing or broken. We mask typed input by default, and inside the product we also mask on-screen text, so a recording shows interaction, not content. We do not use recordings to read what you or your users put into agents.

We set no advertising or cross-site tracking cookies, and we do not sell or share data for advertising. Logged-in product sessions also use a first-party session cookie and a CSRF token cookie. Those keep you signed in and protect the session, so they are set without consent as strictly necessary cookies.

Changes to this policy

When this policy changes we post the new version here and update the date above. For changes that materially affect how we handle your data, we give notice in the product or by email before they take effect.

Contact

Privacy questions and rights requests go to privacy@paperclip.inc. Security reports go to security@paperclip.inc.

Entity of record: Paperclip.inc OÜ (registry code 17517227), Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia.