Privacy Policy
Effective date: March 19, 2026 · Last updated: March 19, 2026
1. Introduction
Comy AI ("Comy", "we", "our", or "us") operates the agentic AI platform available at comy.ai, including the web application, desktop application, APIs, SDK, chat widget, and all related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our Service.
We are committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the EU AI Act (Regulation (EU) 2024/1689), and all other applicable data protection laws. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller responsible for your personal data is:
Comy AI
Email: privacy@comy.ai
Website: https://comy.ai
3. Information We Collect
3.1 Account & Profile Data
When you register, we collect your name, email address, and authentication credentials. If you authenticate via third-party providers (Google, GitHub, Apple), we receive your basic profile information (name, email, profile picture) as permitted by those services.
3.2 Workspace & Organization Data
When you create or join a workspace, we collect workspace names, team member information, role assignments, and organizational settings that you configure.
3.3 AI Agent Data
When you create and operate AI agents, we process: agent configurations (name, role, personality, skills), conversation messages, task inputs and outputs, goals, memory entries, and any files or data you provide to your agents. This data is necessary to deliver the core functionality of the Service.
3.4 Usage & Telemetry Data
We automatically collect information about how you interact with the Service, including pages visited, features used, API calls made, agent execution logs, performance metrics, IP address, browser type, device information, and timestamps. We use this data to improve the Service, diagnose issues, and ensure security.
3.5 Payment & Billing Data
Payment processing is handled entirely by Stripe, Inc. We do not store your full credit card number, CVV, or bank account details. We retain only your Stripe customer ID, subscription plan, billing email, and transaction history for accounting purposes.
3.6 Communication Data
When you contact us via email or support channels, we collect the content of your communications and any attachments to respond to your inquiries.
3.7 Integration Data
When you connect third-party services (Slack, Discord, Telegram, WhatsApp, Vercel, GitHub, X/Twitter), we store OAuth tokens, API keys, and webhook configurations necessary for the integration. OAuth tokens and API keys are encrypted at rest using AES-256-GCM encryption.
4. Legal Basis for Processing (GDPR Art. 6)
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Providing the Service (agent execution, task processing) | Contract performance (Art. 6(1)(b)) |
| Account management and authentication | Contract performance (Art. 6(1)(b)) |
| Payment processing and billing | Contract performance (Art. 6(1)(b)) |
| Service improvement and analytics | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (if opted in) | Consent (Art. 6(1)(a)) |
| Tax and accounting records | Legal obligation (Art. 6(1)(c)) |
5. AI Data Processing & Automated Decision-Making
The core of our Service involves processing your inputs through AI language models to generate responses, complete tasks, and operate autonomous agents. We want to be fully transparent about how this works:
- Model Providers: Your agent conversations and task inputs are sent to third-party AI model providers (OpenAI, Anthropic, Google) for processing. We transmit only the minimum data necessary to fulfill your request.
- No Training on Your Data: We do not use your content to train our own AI models. Third-party providers process your data under their respective data processing agreements, which prohibit using API data for model training.
- Automated Decision-Making: AI agents may make automated decisions (task prioritization, goal planning, crew delegation) within the scope you configure. These decisions do not produce legal effects or similarly significant effects on individuals. You retain full control to review, override, or disable any automated behavior.
- Human Oversight: All AI agent actions can be configured to require human approval before execution. You can set approval policies per agent and per action type.
- Computer Vision: When using desktop automation features, screenshots are captured and processed by AI vision models. These images are used solely for task execution and are not retained beyond the session unless explicitly saved to your workspace.
6. Subprocessors & Third-Party Services
We share your data with the following categories of subprocessors, solely to provide the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Convex | Database & backend infrastructure | All application data |
| Vercel | Web hosting & CDN | IP address, browser metadata |
| OpenAI | AI model inference | Agent prompts & conversation content |
| Anthropic | AI model inference | Agent prompts & conversation content |
| Google (Gemini) | AI model inference | Agent prompts & conversation content |
| E2B | Sandboxed code execution & desktop automation | Code, files, screenshots |
| Stripe | Payment processing | Billing email, payment method |
| Resend | Transactional email | Email address, message content |
| Sentry | Error tracking | Error logs, anonymized stack traces |
We do not sell, rent, or trade your personal data to any third party. Data is shared only as necessary to operate the Service or comply with legal obligations.
7. International Data Transfers
Some of our subprocessors are located outside the European Economic Area (EEA). When transferring personal data internationally, we ensure adequate protection through:
- EU-U.S. Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- Your explicit consent where other safeguards are not available
8. Data Security
We implement industry-standard technical and organizational measures to protect your data:
- All data in transit is encrypted using TLS 1.2+
- Sensitive data at rest is encrypted using AES-256-GCM
- Integration credentials and API keys are stored in an encrypted vault
- Authentication uses secure OAuth 2.0 / OIDC protocols
- Access controls follow the principle of least privilege
- Regular security reviews and dependency auditing
- Automated threat detection and rate limiting
Despite our efforts, no method of electronic storage or transmission is 100% secure. If you discover a security vulnerability, please report it to security@comy.ai.
9. Data Retention
We retain data as follows:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Agent conversations & tasks | Duration of account (user-deletable) |
| Agent memory | Duration of account (user-deletable via "Reborn" feature) |
| Usage logs & analytics | 90 days (rolling) |
| Billing & transaction records | 7 years (legal requirement) |
| Desktop session screenshots | Duration of session (auto-deleted on session end) |
10. Your Rights Under GDPR
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of Access (Art. 15) — Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16) — Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
- Right to Restrict Processing (Art. 18) — Request that we limit the processing of your data.
- Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format (JSON export).
- Right to Object (Art. 21) — Object to processing based on legitimate interests or for direct marketing.
- Right Not to be Subject to Automated Decisions (Art. 22) — Request human intervention for decisions made solely by automated processing.
- Right to Withdraw Consent (Art. 7) — Withdraw consent at any time where we rely on consent as the legal basis.
To exercise any of these rights, email us at privacy@comy.ai. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
11. Cookies & Tracking Technologies
We use only strictly necessary cookies for authentication and session management. We do not use advertising cookies, third-party tracking pixels, or analytics cookies that identify individual users. No consent banner is required for strictly necessary cookies under GDPR.
| Cookie | Purpose | Duration |
|---|---|---|
| Session token | Authentication | Session / 30 days |
| Locale preference | Language setting | 1 year |
12. Children's Privacy
The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a child under 16, we will promptly delete it. If you believe a child has provided us data, contact privacy@comy.ai.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. For material changes, we will notify you at least 30 days in advance via email or in-app notification. The "Last updated" date at the top will always reflect the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
For questions, concerns, or requests related to this Privacy Policy or your personal data:
Comy AI — Privacy Team
Email: privacy@comy.ai
Website: https://comy.ai