Privacy Policy

Last updated: April 4, 2026

Control AI (“Control,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect information in connection with the Control web application, desktop software, and related services (the “Services”).

If you do not agree with this policy, please do not use the Services.

For how we use cookies and browser storage on our websites, see the Cookie Policy at /legal/cookies.

1. Who we are

The data controller for the Services is the Control AI entity identified in your order form or account agreement. For privacy requests, use the contact method published on our website or in your admin console.

2. Information we collect

2.1 Account and identity

• Name, email address, and profile details you provide
• Authentication events and session identifiers managed through our identity provider
• Billing and subscription records when you purchase paid plans

2.2 Service usage

• Chat messages, prompts, attachments, and agent outputs you send through the product
• Technical logs (for example IP address, device type, timestamps, error reports) needed to operate and secure the Services
• Usage metrics used for quotas, billing, and product improvement

2.3 Automation and screen-related data

Control is designed to complete tasks by interpreting on-screen context. Depending on your configuration:

• Desktop app: The client may capture or stream screen imagery, window metadata, and input events to drive automation locally and, if you enable related features, to paired cloud sessions or remote viewers.
• Cloud machines: Similar data may be processed on virtual machines you start from the dashboard.
• Model providers: When you connect third-party AI APIs, prompts and images may be transmitted to those providers under their policies.

We process this information to deliver the features you request, not for unrelated advertising profiling unless we separately obtain consent where required.

3. How we use information

We use personal information to:

• Provide, maintain, and secure the Services
• Authenticate users and prevent fraud or abuse
• Process payments and communicate about your account
• Improve reliability, performance, and safety (including training-resistant abuse detection)
• Comply with legal obligations and enforce our terms

We do not sell your personal information as “sale” is defined under the CCPA/CPRA categories of data broker activity. We may use aggregated or de-identified data that cannot reasonably identify you.

4. Legal bases (where applicable)

If the GDPR or similar laws apply, we rely on one or more of: performance of a contract, legitimate interests (for example security and product improvement, balanced against your rights), consent where required, and legal obligation.

5. Sharing and subprocessors

We share information with:

• Infrastructure and hosting vendors that run the Services
• Authentication, analytics, and payment providers as needed for those functions
• AI model providers you configure or that we integrate for default models
• Professional advisers (lawyers, auditors) when necessary
• Authorities when required by law or to protect rights and safety

A current list of key subprocessors may be provided on request or in your enterprise agreement.

6. International transfers

If we transfer personal data across borders, we use appropriate safeguards such as standard contractual clauses or equivalent mechanisms where required.

7. Retention

We retain information for as long as your account is active and as needed to provide the Services, comply with law, resolve disputes, and enforce agreements. Retention periods may differ by data category; you may request deletion subject to legal exceptions.

8. Security

We implement administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is completely secure; you should use strong passwords and protect API keys.

9. Your rights

Depending on your location, you may have rights to access, correct, delete, or export personal information, and to object to or restrict certain processing. You may withdraw consent where processing is consent-based. To exercise rights, contact us using the published channel. You may also lodge a complaint with a supervisory authority.

10. Children

The Services are not directed to children under 16 (or the age required in your jurisdiction). We do not knowingly collect personal information from children.

11. Changes

We may update this Privacy Policy from time to time. We will post the revised version and update the “Last updated” date. Material changes may be communicated through the Services or by email.

12. Contact

For privacy inquiries or requests, contact Control AI using the official email or form designated on our website.

Note for legal review: Align this policy with your actual data flows (Supabase regions, model vendors, logging vendors), add a DPA/SCC package for enterprise customers, and insert entity name, address, and EU representative if applicable.