Privacy Policy

Last Updated: April 9, 2026

This Privacy Policy describes how Innogath ("Innogath," "we," "us," or "our") collects, uses, stores, shares, and protects personal information when you visit our website, create an account, or use our branch-first AI research workspace, including any related APIs, mobile applications, and integrations (collectively, the "Service"). It also explains the choices and rights you have with respect to your personal information. This Privacy Policy is incorporated into and forms part of our Terms of Service. If you do not agree with this Privacy Policy, please do not access or use the Service.

1. Scope of This Policy

This Privacy Policy applies to personal information processed by Innogath in connection with the Service, including when you visit our marketing website, sign up for an account, interact with our AI-powered research and authoring features, communicate with us, or engage with emails or other communications we send. It does not apply to third-party websites, products, or services that we do not own or control, even when linked from or integrated into the Service; those third parties have their own privacy policies that govern their practices.

If you use the Service on behalf of an organization (for example, a team, company, or educational institution), your organization is a separate data controller for the content you submit to shared workspaces, and additional or different privacy practices and contractual terms may apply.

2. Definitions

• Personal Data means any information relating to an identified or identifiable natural person.
• Processing means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
• Service means the Innogath website, web application, mobile applications, APIs, and related tools we make available to you.
• User Content means prompts, messages, notes, files, documents, diagrams, and other material that you submit to or generate in the Service.
• AI Output means text, summaries, diagrams, code, and other content generated by AI features of the Service in response to your prompts and User Content.
• Data Controller means the entity that determines the purposes and means of the processing of personal data. For most of the Service's features, Innogath is the data controller.
• Data Processor means an entity that processes personal data on behalf of the data controller under a contractual relationship (for example, our cloud infrastructure and AI model providers).

3. Who We Are

Innogath is the data controller for personal information processed through the Service, except where your organization has established its own data controller relationship with you. You can contact us about this Privacy Policy or about any privacy matter at support@innogath.com.

4. Information We Collect

We collect personal information in three general ways: (a) information you provide directly to us; (b) information generated as you interact with the Service; and (c) information we receive from third parties.

4.1 Account Information. When you register or sign in, we collect your name, email address, profile image (if provided), password hashes or authentication identifiers, and account preferences. If you sign in using a third-party identity provider such as Google, we receive the basic profile information that you authorize that provider to share with us.

4.2 Workspace Content and User Content. As you use the Service, we collect and store the content you create or upload, including prompts, messages, branch chats, research reports, diagrams, canvases, notes, uploaded files, comments, project metadata, and other artifacts. We treat User Content as confidential and handle it in accordance with this Privacy Policy and our Terms of Service.

4.3 AI Interaction Data. When you use AI features of the Service, we process the prompts you submit, relevant User Content you choose to include, conversation history, model identifiers, feedback you provide on AI Output (for example, thumbs up/down), and metadata about each AI interaction (such as timestamps, token counts, and request identifiers). This information is used to return the AI Output to you, to operate the Service, and to investigate abuse or safety incidents.

4.4 Billing Information. If you subscribe to a paid plan, we collect subscription status, plan type, billing cycle, invoice references, and transaction metadata (such as amount, currency, and approximate location for tax purposes). We do not store full payment card numbers, bank account numbers, or payment credentials on our servers. These are collected and processed directly by our authorized Merchant of Record and its payment partners as described in Section 11.

4.5 Communications Data. When you contact us for support, reply to our emails, or provide feedback, we receive the contents of your messages and any attachments you include, along with metadata such as timestamps and email addresses.

4.6 Technical and Device Data. We automatically collect certain information from devices and browsers that connect to the Service, including IP address, approximate geolocation derived from IP, browser type and version, operating system, device identifiers, language preferences, referring URLs, pages viewed, features used, clickstream events, and dates and times of access. This information helps us operate the Service, measure performance, and detect abuse.

4.7 Cookies and Similar Technologies. We use cookies, local storage, and similar tracking technologies to keep you signed in, remember your preferences, secure your account, and measure how the Service is used. See Section 9 for details and your choices.

5. How We Use Personal Information

We process personal information for the following purposes:

• Service delivery. To create your account, authenticate you, present your workspaces, process your prompts through AI model providers, generate AI Output, and return results to you.
• Personalization. To remember your preferences, recent activity, and workspace state so that the Service feels continuous across sessions and devices.
• Billing and subscription management. To process paid subscriptions and renewals, issue receipts, calculate taxes, handle refund requests under our Refund Policy, and enforce plan limits.
• Communications. To send you transactional messages (such as security alerts, billing receipts, and important service announcements), respond to your inquiries, and, where you have opted in or where permitted by law, send optional newsletters and product updates.
• Product improvement. To measure performance, monitor reliability, debug errors, and understand feature usage in aggregate, so that we can improve the Service.
• Security and abuse prevention. To detect, prevent, investigate, and respond to fraud, abuse, security incidents, spam, policy violations, and unauthorized access.
• Legal compliance. To comply with applicable laws, regulations, court orders, and lawful requests from public authorities, and to establish, exercise, or defend legal claims.
• Corporate transactions. To facilitate a potential or actual merger, acquisition, financing, reorganization, or sale of assets, subject to the protections described in Section 12.

We do not sell your personal information, and we do not use User Content to show you advertising.

6. AI Processing, Model Providers, and Training Data Position

The Service uses third-party large language models and AI infrastructure to provide its core features. When you interact with an AI feature, the content of your prompt and any User Content you choose to include in that prompt is transmitted over secure connections to one or more of the following model providers:

• OpenAI (GPT family models and related services)
• Anthropic (Claude family models)
• Moonshot AI (Kimi family models)
• DeepSeek (DeepSeek family models)

We may add or change model providers over time and will update this Privacy Policy accordingly. Model providers act as data processors on our behalf, under contractual confidentiality and data protection obligations, and are permitted to use data we send them only to perform inference on our request and to meet legal and safety obligations.

No training on private workspace content. Innogath does not use private customer workspace content to train public foundation models. We have configured our integrations with model providers to disable opt-in training on prompts and content that we transmit on your behalf, where such controls are supported by the provider. Aggregated, anonymized, or de-identified telemetry that does not identify you or your organization may be used to measure and improve model selection, prompt design, and product quality.

Research and search features. Certain research features may transmit queries to a third-party web search API (for example, Serper) in order to retrieve publicly available information that is then processed by AI models to produce AI Output. Search queries are subject to the third party's own processing terms.

Abuse review. In rare cases, authorized Innogath personnel may review specific AI interactions to investigate reports of abuse, safety incidents, or bugs. Reviews are limited to the minimum data necessary and are logged under internal access controls.

7. Legal Bases for Processing (EU/EEA/UK)

If you are located in the European Union, European Economic Area, United Kingdom, or another jurisdiction that requires us to identify a legal basis for processing, we rely on the following bases:

• Performance of a contract. Processing necessary to provide the Service that you have requested, including account creation, AI feature delivery, and billing.
• Legitimate interests. Processing necessary for our legitimate interests in securing the Service, preventing fraud and abuse, improving product quality, and operating our business, provided that those interests are not overridden by your rights.
• Legal obligation. Processing necessary to comply with applicable law, including tax, accounting, consumer protection, and information requests from public authorities.
• Consent. Processing that requires your consent, for example certain marketing communications or non-essential cookies. You can withdraw consent at any time as described in Sections 9 and 14.
• Vital interests or public interest. Processing necessary to protect the vital interests of you or another person, or for reasons of substantial public interest, where applicable.

8. How We Share Personal Information

We share personal information only in the following circumstances:

• Service providers and processors. With trusted third parties that provide infrastructure, database hosting, authentication, AI inference, payment processing, email delivery, analytics, error monitoring, and customer support on our behalf, under contracts that restrict their use of the data to our instructions.
• Within your organization. If you are part of a team or organization workspace, content you share with other members and relevant account metadata may be visible to those members and to workspace administrators.
• Legal and safety reasons. When we believe in good faith that disclosure is necessary to comply with a legal obligation, respond to lawful requests from public authorities, protect the rights, property, or safety of Innogath, our users, or others, or prevent or investigate suspected fraud or abuse.
• Corporate transactions. In connection with a merger, acquisition, financing, due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, in each case subject to confidentiality protections and continuity of this Privacy Policy (or substantially similar protections) after the transaction.
• With your consent. When you direct us to share information with a third party, such as an integration that you have explicitly enabled.

We do not sell personal information. We do not share personal information with third parties for their own independent advertising or marketing purposes without your consent.

9. Cookies and Similar Tracking Technologies

Cookies are small text files stored on your device by your browser when you visit a website. Similar technologies include local storage, session storage, pixel tags, and software development kits (SDKs). We use these technologies for the purposes described below.

• Strictly necessary. Required to keep you signed in, maintain session state, remember your workspace, enforce security, and deliver the Service. These cannot be disabled without breaking the Service.
• Preferences. Used to remember your theme (light/dark), language, and other settings so you do not need to reconfigure them each visit.
• Analytics and performance. Used in aggregated form to understand feature usage, diagnose errors, and improve the Service. Where required by law, we only enable analytics cookies after you give consent through a cookie banner or similar mechanism.
• Fraud prevention. Used to detect unusual activity, protect against abuse, and secure billing events.

You can manage cookies through your browser settings, including deleting existing cookies and blocking future cookies. If you block strictly necessary cookies, parts of the Service may not function correctly. Mobile operating systems also provide controls for tracking preferences and advertising identifiers that you can use to limit certain data collection.

10. Third-Party Processors and Sub-Processors

To provide the Service, we engage trusted third parties as data processors or sub-processors. These include, among others, the categories and providers below. This list may change as we add or switch providers to improve reliability, security, or performance.

• Database, authentication, and object storage: Supabase
• Federated sign-in: Google (for Google OAuth authentication)
• AI model providers: OpenAI, Anthropic, Moonshot AI, DeepSeek
• Web search API: Serper
• Merchant of Record / payments: DODO Payments and its payment partners
• Cloud infrastructure and content delivery: hosting and edge providers used to run the Innogath website and application
• Email delivery: transactional email providers used for account, billing, and security messages
• Analytics, error monitoring, and logging: tools used in aggregate to measure Service performance and detect defects

Each processor is contractually bound to use the personal information we share only for the purposes we specify, to maintain appropriate security, and to delete or return the information when no longer needed. Where required, we rely on standard contractual clauses or equivalent legal mechanisms for international transfers as described in Section 12.

11. Payments and Financial Information

All payments for paid subscriptions are processed by our authorized Merchant of Record, DODO Payments, and its payment partners. When you subscribe, you provide your payment information directly to the Merchant of Record on its hosted checkout page. We do not receive or store full card numbers, CVV codes, bank account numbers, or other sensitive payment credentials. We receive subscription status, transaction identifiers, billing country, amounts, and refund outcomes so that we can provision the Service you have paid for, issue receipts, and respond to billing questions.

The Merchant of Record's own privacy practices govern the collection and processing of your payment information on its checkout pages. Please review the Merchant of Record's privacy policy for more information.

12. International Data Transfers

Innogath operates globally and uses service providers and infrastructure that may be located outside your country of residence. As a result, personal information we collect may be transferred to, stored in, and processed in countries whose data protection laws differ from those of your country. When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we use appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Agreement or Addendum, and supplementary measures where required. You may request a copy of applicable safeguards by contacting support@innogath.com.

13. Data Retention

We retain personal information only for as long as needed to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. The specific retention period depends on the nature of the data and the reason we hold it.

• Account data is retained for the lifetime of your account and for a reasonable period afterward to handle disputes, enforce agreements, and comply with tax and accounting obligations.
• User Content and workspace data are retained while your account is active. When you delete specific workspace items, we remove them from active storage and queue them for deletion or irreversible anonymization from backups on a rolling basis.
• Billing records are retained for the period required by applicable tax, accounting, and consumer protection laws (typically several years).
• Security logs and error telemetry are retained for a limited period (typically weeks to months) sufficient for incident response and debugging, after which they are deleted or aggregated.
• Marketing preferences and unsubscribe records are retained for as long as necessary to honor your choices.

When you request account deletion, we remove or irreversibly anonymize active workspace data, subject to the exceptions above. Please note that backups are retained for a limited additional period before they are overwritten.

14. Your Data Protection Rights

Depending on your location, you may have the following rights with respect to your personal information:

• Access. The right to request confirmation of whether we process your personal information and to obtain a copy of that information.
• Rectification. The right to request correction of inaccurate or incomplete personal information.
• Erasure ("right to be forgotten"). The right to request deletion of personal information, subject to exceptions such as legal obligations to retain records.
• Restriction. The right to ask us to limit how we process your personal information in certain circumstances.
• Objection. The right to object to processing based on legitimate interests or for direct marketing purposes.
• Data portability. The right to receive personal information you provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller where technically feasible.
• Withdrawal of consent. Where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
• Complaint to a supervisory authority. The right to lodge a complaint with the data protection authority in your country of residence, place of work, or place of the alleged violation.

To exercise any of these rights, email support@innogath.com from the email address associated with your account. We may need to verify your identity before acting on a request. We will respond within the time frames required by applicable law. We will not discriminate against you for exercising any of these rights.

15. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), provides you with additional rights regarding your personal information. In the preceding twelve months, we have collected the categories of personal information described in Section 4, including identifiers, commercial information, internet or network activity information, geolocation information (at an approximate level), and inferences drawn from the foregoing, for the business purposes described in Section 5.

• Right to know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of the information, the purposes for collecting it, and the categories of third parties with whom we share it.
• Right to delete. You may request deletion of personal information we have collected from you, subject to exceptions such as completing a transaction, detecting security incidents, or complying with legal obligations.
• Right to correct. You may request correction of inaccurate personal information that we maintain about you.
• Right to opt out of sale or sharing. We do not sell personal information and do not share personal information for cross-context behavioral advertising. No opt-out is required because no such activity occurs.
• Right to limit use of sensitive personal information. We do not use sensitive personal information to infer characteristics about you beyond what is necessary to provide the Service.
• Right to non-discrimination. We will not deny, charge different prices for, or provide a different level of Service because you exercised any of these rights.

To exercise a California right, submit a request to support@innogath.com. We may verify your identity before responding. If you designate an authorized agent to make a request on your behalf, we will request proof of that authorization.

16. Do Not Track Signals

Some browsers transmit "Do Not Track" signals to websites you visit. Because there is no consensus industry standard for how to respond to these signals, we currently do not change our data collection practices in response to Do Not Track signals. You can still control tracking through the cookie and privacy controls in your browser and device as described in Section 9.

17. Automated Decision-Making and Profiling

The Service uses automated processing to deliver AI Output, to rank and suggest workspace content, and to detect fraud or abuse. These operations do not produce legal or similarly significant effects on you in the sense of Article 22 of the GDPR. We do not use personal information to make fully automated decisions that have a legal or similarly significant effect on you without human involvement.

18. Children's Privacy

The Service is not directed to children under the age of 13 (or the higher minimum age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided personal information to us, please contact support@innogath.com so that we can delete the account and associated information.

19. Business Customers and Data Processing Agreements

If you are an organizational customer and require a Data Processing Agreement ("DPA") that addresses processing of personal data under the GDPR, the UK GDPR, or similar laws, please contact support@innogath.com. We will provide a DPA template or negotiate terms appropriate to the scale and nature of your use of the Service.

20. Data Security and Breach Notification

We apply administrative, technical, and organizational safeguards designed to protect the confidentiality, integrity, and availability of personal information. These safeguards include encryption in transit for communications with our servers, access controls for employees and contractors, logging and monitoring of administrative actions, regular review of security configurations, and incident response procedures.

No method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authorities and, where required by applicable law, affected users without undue delay.

21. Third-Party Links and Services

The Service may contain links to websites and resources operated by third parties that are not controlled by us. Following these links may allow third parties to collect or share information about you. We are not responsible for the privacy practices or content of such third-party websites. We encourage you to review the privacy policies of every site you visit.

22. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, applicable law, or for other operational reasons. When we make material changes, we will update the "Last Updated" date at the top of this Privacy Policy and, where appropriate, provide additional notice by email, in-product notification, or a prominent notice on our website before the changes take effect. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the updated terms.

23. How to Contact Us

If you have questions, concerns, or requests about this Privacy Policy or how we handle your personal information, please contact us at support@innogath.com. We aim to respond to privacy and data protection requests promptly and within any time frames required by applicable law.