Privacy Policy
Last Updated: May 2, 2026
At Poliglot Inc. ("we," "our," or "us"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you visit our website (https://poliglot.io) and use Poliglot OS, our operating system for AI-native execution.
Poliglot is a B2B platform. Most data in your workspace belongs to your organization. Poliglot processes it on your behalf, not for its own purposes. Where we act as a processor under GDPR, or a service provider under CCPA/CPRA, a Data Processing Agreement (DPA) governs that relationship and supersedes this policy to the extent of any conflict. Enterprise customers may request the DPA at legal@poliglot.io.
1. Information We Collect
We distinguish between information collected through our marketing website and information processed within your Poliglot OS workspace.
Marketing website (poliglot.io). We collect standard web analytics data to understand site usage and improve content. The marketing site uses a third-party analytics provider in anonymous mode only.
- Direct Identifiers: Name, email, and phone number submitted through waitlist, contact, or demo forms.
- Anonymous Analytics: IP address, browser type, referrer, and page-view data are processed by PostHog to produce aggregate visitor counts, page popularity, and within-session funnels. No persistent identifier is stored on your device for this purpose; analytics state is held in memory for the duration of the browser session and is not written to cookies or local storage.
Poliglot OS workspace. During the Beta period, public cloud workspaces are instrumented with operational analytics so we can evaluate functionality and better support customers. Private cloud and customer-VPC workspaces are not subject to this expanded collection. Data processed inside the workspace is customer data that your organization controls; categories of data collected are described in Section 2.
- Workspace Data: Operating-model definitions, engagement state, action payloads, execution history, and business objects owned by your organization. Poliglot processes this data on your instruction and claims no rights over it.
- Connected-System Credentials: Credentials for third-party integrations are encrypted in your browser before transmission, using X25519 ECDH and XChaCha20-Poly1305. They are stored server-side under envelope encryption with managed keys and decrypted only transiently during an action that requires them. Plaintext is never persisted to disk.
- Integration Data: Data pulled from the systems you connect (e.g., your GL, your practice-management tool, your CRM). Accessed solely to execute the workflows you or your agents initiate.
- Financial Data: Subscription and billing data is processed by our third-party payment processor; we do not store raw card data.
2. How We Use Workspace Data
Poliglot OS executes operating models authored by your organization. To do that, it must read from and write to the systems you have connected, and preserve execution history so your agents have context across sessions.
- Processing on Your Instruction: Integration data is accessed solely to execute the actions your workflows initiate. We do not scrape, mine, aggregate, or resell connected-system data for any other purpose.
- Execution History: Workspace state and execution history are retained for continuity and audit. You may delete workspace data at any time. Once deleted, it is purged from active records. Residual copies in our immutable, encrypted system backups are overwritten and permanently destroyed within thirty (30) days.
- Operational Logs: Operational logs (request traces, error events, infrastructure telemetry) are retained for 365 days by default in production environments and are not used to reconstruct workspace contents.
- No Training on Customer Data: Poliglot does not train, fine-tune, or evaluate AI models on your workspace data, integration data, or execution history. This commitment is absolute and applies to every deployment tier. Poliglot does not ship or sell proprietary models; inference is always executed by third-party model providers, whether you connect one yourself (BYOM) or use our Managed Model Router.
- Product Telemetry: We collect operational telemetry, for example action counts, error rates, latency, and feature usage, to operate and improve the Service. Telemetry is aggregated and does not contain workspace contents or integration data.
3. Third-Party AI Models (BYOM and Managed Router)
Inference in Poliglot OS is always executed by third-party model providers. You may run in one of two modes:
- Bring Your Own Model (BYOM). You connect a provider account you hold (e.g., OpenAI, Anthropic, or a cloud-hosted endpoint such as Bedrock). You control that provider relationship and its terms.
- Managed Model Router. Poliglot holds agreements with a set of supported providers and routes inference on your behalf. Routing policy is configurable per workspace.
In either mode, prompts, relevant context, and action payloads are transmitted to the selected provider to produce completions.
- Contracted Terms: In the Managed Router mode, Poliglot contracts with the underlying providers for zero data retention and no training on customer data where those terms are offered, and passes them through in our DPA. In BYOM, those terms flow from your own agreement with the provider.
- Provider Policies Control: Providers that do not offer those terms process data under their own policies. We disclose which Managed Router providers offer which terms so you can scope routing accordingly.
- Workspace-Controlled: Routing mode, the set of approved providers, and the option to route inference through a private endpoint are configurable per workspace.
4. Data Processing Agreement, Subprocessors, and Residency
- DPA: Enterprise customers may execute a Data Processing Agreement covering GDPR, CCPA/CPRA, and applicable state privacy laws. The DPA includes processing instructions, subprocessor obligations, and standard contractual clauses for cross-border transfers. Request it at legal@poliglot.io.
- Subprocessors: We maintain a current list of subprocessors, available on request at legal@poliglot.io. Material changes are notified in advance per the DPA.
- Residency: Public cloud workloads currently run in US regions. Private cloud and customer-VPC deployments run in the region you select; data does not leave that region.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area, we process personal data under:
- Contractual Necessity: To provide the Services as agreed.
- Legitimate Interests: To secure the platform and operate telemetry.
- Consent: Where required, for marketing communications.
6. California Privacy Rights (CCPA/CPRA)
- Right to Access and Delete: You may request access to, or deletion of, your personal information.
- No Sale, No Sharing: We do not sell or share personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals.
- No Automated Decision-Making or Profiling: We do not use your personal information or integration data for automated decision-making, behavioral profiling, or inference of sensitive characteristics.
7. Contact
Privacy requests and DPA inquiries: privacy@poliglot.io