Privacy Policy

1) Information we collect

A) Information you provide

• Account information: name, email address, organization details (if applicable), and account permissions/role.
• Customer content: content you upload, submit, or create in the Services (including documents/files and messages).
• Support communications: messages you send to us (e.g., support requests, feedback).

B) Information collected automatically

• Usage and log data: IP address, timestamps, pages/screens viewed, actions taken in the app, and general device/browser information (typical server logs).

No third-party analytics or session replay (currently): We currently do not use third-party analytics tools or session replay tools.

2) How we use information

We use personal information to:

• Provide and operate the Services (including document processing and retrieval features)
• Authenticate users and administer accounts and organizations
• Maintain security, prevent abuse, and troubleshoot issues
• Provide customer support and respond to requests
• Improve reliability and performance of the Services
• Comply with legal obligations and enforce our terms

3) AI processing and embeddings

Percheron uses AI features to process Customer Content. This may include:

• Sending full documents, excerpts, and embeddings to an AI provider to perform requested functionality (such as summarization, extraction, or retrieval-augmented responses).
• Creating a summary ("context surface") of a document using an AI model and storing an embedding of that summary for retrieval.

Customer Content may include personal information depending on what you upload or submit.

4) How we share information

A) Service providers (subprocessors)

We share personal information with vendors that help us run the Services. These providers are permitted to process information only to provide services to us.

Current key subprocessors:

OpenAI retention note: OpenAI's API documentation indicates that "abuse monitoring logs" may be retained for up to 30 days by default, and longer if legally required.

B) Legal and safety

We may disclose information if we reasonably believe it's necessary to:

• Comply with law, legal process, or lawful requests
• Protect the rights, safety, and security of users, our business, or the public
• Detect, prevent, or address fraud, abuse, or security incidents

C) Business transfers

If we're involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.

5) Data retention

We retain personal information only as long as needed for the purposes described in this policy.

Account closure definition

For purposes of this policy, "account closure" means: (1) cancellation of the subscription and (2) deletion of the organization by the organization owner, which results in a soft delete of the organization within the Percheron application.

Retention periods

• Customer content (documents, messages, uploads): deleted 60 days after account closure (unless we are required to retain it longer by law or to resolve disputes).
• Audit logs: retained for 1 year for security and accountability.

6) Security

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information. We encrypt stored data at rest by default, including uploaded files. No system is perfectly secure, but we work to protect data against unauthorized access and misuse.

7) Your choices and rights

Depending on where you live, you may have rights to:

• Access information we hold about you
• Correct inaccurate information
• Delete information (subject to legal and operational exceptions)
• Object / opt out of certain processing (where applicable)
• Appeal a rights request decision (where required)

To submit a request, email privacy@percheronai.com. We may verify your identity before fulfilling requests.

8) California privacy disclosures

If you are a California resident, you may have rights under the California Consumer Privacy Act as amended (CCPA/CPRA), including rights to know, delete, correct, and opt out of certain "sale" or "sharing" as those terms are defined by law. California's updated CCPA regulations are effective January 1, 2026.

Do we sell personal information? We do not sell personal information for money.

Do we share personal information for cross-context behavioral advertising? We currently do not use third-party analytics or advertising tools for cross-context behavioral advertising.

Categories of personal information (examples)

• Identifiers (e.g., name, email address, IP address)
• Internet/network activity (e.g., log data)
• Customer content you submit/upload (may include personal information depending on what you upload)

9) Colorado & other US state privacy laws

Some states (including Colorado) provide privacy rights and require transparent notice about data practices and how to exercise rights. We honor applicable rights requests as required by law.

10) International users

We are based in the United States, and your information may be processed in the United States and other locations where our service providers operate.

If you are in the EEA/UK, transparency obligations (e.g., GDPR Article 13) generally require providing clear notice about what we collect, why, retention, and rights.

11) Children

The Services are not directed to children under 13 (or under 16 in some jurisdictions). We do not knowingly collect personal information from children.

12) Changes to this policy

We may update this policy from time to time. We will update the "Effective date" and post the revised policy. If changes are material, we will provide additional notice as required.