Privacy Policy

How EmergentOS collects, uses, shares, and protects personal information.

1. Introduction

1.1 This Privacy Policy explains how EmergentOS Inc (“Emergent,” “we,” “us”) collects, uses, shares, and protects personal information in connection with the EmergentOS platform, our websites, and related services (the “Service”).

1.2 EmergentOS is used both by individuals in a personal capacity and by organisations and their personnel. Our role under data-protection law depends on how the Service is used:

• Consumers and our own operations. For individuals who use the Service directly, and for our websites, marketing, billing, account administration, and security, Emergent acts as a controller and this Policy governs.
• Organisational customers. For personal data that a customer organisation submits into the platform, Emergent generally acts as a processor on that organisation’s behalf. That processing is governed by the EmergentOS Data Processing Addendum, and the customer organisation’s own privacy notice will usually apply to its personnel.

1.3 Please also read the EmergentOS Terms (the Consumer Terms of Service or the Master Subscription Agreement, as applicable) and the Acceptable Use Policy, which govern use of the Service.

2. Information We Collect

2.1 Information you provide

• Account and contact information — such as name, email, employer or organisation, role, and telephone number.
• Billing information — billing contact and, where relevant, payment details processed by our payment provider.
• Inputs and content — prompts, files, and other content submitted to the Service (for organisational use, generally processed as described in Section 1.2 and the Data Processing Addendum).
• Communications — information you provide when you contact us, request support, or take part in research, events, or design-partner programmes.

2.2 Information collected automatically

• Usage and log data — features used, actions taken, dates and times of access, and error and performance data.
• Device and connection data — IP address, browser and device type, operating system, and approximate location derived from IP address.
• Cookies and similar technologies — used on our websites and in the Service as described in Section 9 and our Cookie Policy.

2.3 Information from other sources

We may receive information from our customers (for example, when an organisation creates accounts for its personnel), from service providers, and from publicly available or third-party sources used for security, verification, or business-development purposes.

2.4 Sensitive information

The Service is not intended to receive special-category or sensitive personal data. You should not submit such data unless it has been expressly agreed in writing with Emergent. Before any data is used to analyse or improve the Service, it is screened to remove personally identifiable and sensitive information.

2.5 Google API Limited Use

When you connect a Google Workspace account, EmergentOS receives Google user data only with your authorisation and through the scopes you approve. EmergentOS's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. This applies to raw Google API data and data derived from it. We use Google Workspace data only to provide and improve user-facing features in EmergentOS, do not sell Google user data, do not use it for advertising, and do not use it to train foundation models.

3. How We Use Information

Where Emergent acts as a controller, we use personal information to:

• provide, operate, maintain, and secure the Service;
• authenticate users, administer accounts, and provide customer support;
• process transactions and manage billing;
• monitor, analyse, and improve the Service, including its reliability, safety, and performance;
• detect, investigate, and prevent fraud, abuse, security incidents, and violations of our policies or applicable law;
• communicate with you about the Service, including service and security notices and, where permitted, marketing;
• comply with legal obligations and enforce our agreements; and
• carry out research and development to improve our products and services.

4. Artificial-Intelligence Processing and Model Training

4.1 AI processing. The Service uses artificial-intelligence models, including models provided by third-party AI Providers, to generate Outputs. Inputs and related content are processed by these models to deliver the Service. Artificial-intelligence systems are not perfect and Outputs may be inaccurate or unsuitable; the Service should not be used for sensitive data or as the sole basis for significant decisions.

4.2 Model training. Emergent does not use customer or user Inputs or Outputs to train foundation models, and the AI Providers we use are engaged on terms that do not permit them to train their models on our customers’ or users’ Inputs or Outputs. Before any data is used to analyse or improve the Service, it is screened to remove personally identifiable and sensitive information. We may use de-identified or aggregated data, and usage and telemetry data, to analyse, secure, and improve the Service.

4.3 Human review. Limited human review of content may occur where reasonably necessary to provide support, investigate suspected violations of our policies or law, address security or safety issues, or improve the Service, subject to confidentiality safeguards and consistent with the Data Processing Addendum.

5. Legal Bases for Processing

Where the UK GDPR or EU GDPR applies and Emergent is a controller, we rely on the following legal bases:

6. How We Share Information

We do not sell personal information. We share personal information only as described below.

• Service providers and sub-processors — vendors that help us operate the Service, including hosting, infrastructure, analytics, payment, communications, and the AI Providers listed in Section 7.
• Within the customer organisation — with the customer that administers an Authorized User’s account, consistent with that customer’s instructions and policies.
• Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.
• Legal and safety — where reasonably necessary to comply with law or legal process, enforce our agreements, or protect the rights, safety, and security of Emergent, our users, or the public.
• With your direction or consent — where you ask us to share information or otherwise consent.

7. AI Providers and Key Sub-processors

The Service relies on third-party providers, including the AI Providers below, each used for different functions within the Service. This list reflects the position as at the date of this Policy and is kept current; the Data Processing Addendum contains the authoritative sub-processor list for customer personal data.

8. International Transfers

8.1 Emergent operates internationally, and personal information may be processed in the United States, the United Kingdom, the European Economic Area, and other countries where we or our service providers operate.

8.2 Where we transfer personal information from the UK or EEA to a country that does not provide an equivalent level of protection, we use an appropriate transfer mechanism, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, together with any additional safeguards required. You may contact us at info@emergentos.ai for more information about these safeguards.

9. Cookies and Similar Technologies

We use cookies and similar technologies on our websites and in the Service to keep you signed in, remember preferences, measure usage, and improve and secure the Service. Where required by law, we ask for your consent to non-essential cookies and provide controls to manage them. Our Cookie Policy provides further detail and describes how to manage your choices.

10. Data Retention

10.1 We retain personal information for as long as needed to provide the Service, for the purposes described in this Policy, and to comply with legal, accounting, and security obligations. As a general guide: account and profile information is retained for the life of your account; user content is retained until you delete it or close your account, followed by a 30-day export window; usage and analytics data is retained for up to 24 months; and billing records are retained for up to 7 years to meet tax and accounting obligations.

10.2 Retention of customer-account Inputs and Outputs for organisational customers is governed by the customer’s configuration and the Data Processing Addendum. On termination, customer data is handled as described in the applicable Terms and the Data Processing Addendum. When personal information is no longer required, we delete or de-identify it.

11. Security

We maintain technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, and alteration, including access controls, encryption in transit and, where appropriate, at rest, monitoring, and personnel training. No system is completely secure; we cannot guarantee absolute security, and you are responsible for keeping your credentials confidential.

12. Your Rights and Choices

12.1 Rights. Depending on your location and applicable law, you may have rights to access, correct, delete, or receive a copy of your personal information, to object to or restrict certain processing, to withdraw consent, and to lodge a complaint with a supervisory authority. Where the UK or EU GDPR applies, these include the rights of access, rectification, erasure, restriction, portability, and objection. UK residents may complain to the Information Commissioner’s Office (ICO); EU residents may complain to their local supervisory authority.

12.2 US state privacy rights. Residents of certain US states may have rights to know, access, correct, delete, and limit the use of their personal information, and a right to opt out of certain sharing. We do not sell personal information or use it for cross-context behavioural advertising.

12.3 Exercising rights. To exercise a right, contact us at info@emergentos.ai. We will respond as required by law. If your personal information was provided through a customer organisation, we may direct your request to that organisation, which controls the relevant data. We will not discriminate against you for exercising your rights.

12.4 Marketing choices. You may opt out of marketing communications at any time using the unsubscribe link or by contacting us; we will still send service and security notices.

13. Children

The Service is intended for individuals who are at least 18 years old. It is not directed to children, and we do not knowingly collect personal information from children. If we learn that we have collected such information, we will delete it.

14. Changes to this Policy

We may update this Policy from time to time. We will post the updated Policy with a new effective date and, for material changes, provide additional notice as required by law or the applicable Terms.

15. Contact Us

For questions about this Policy or our privacy practices, or to exercise your rights, contact: