Privacy Policy

Overview

Amodal, Inc. ("Amodal," "we," "us") operates the Amodal platform, including our website (amodal.dev), APIs, SDKs, CLI tools, admin dashboard, and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect information when you interact with the Service.

This policy applies to Amodal as a data controller for account and usage data. Processing of Customer Data (your end users' conversations) is governed by our Data Processing Agreement (DPA), available on request at hello@amodalai.com.

Information We Collect

Information You Provide

• Account information: name, email address, organization name, role
• Billing information: processed by Stripe. We do not store full payment card details.
• Support communications: emails, chat messages, and feedback you send us
• Form submissions: demo requests, contact forms, newsletter signups

Information Collected Automatically

• Usage data: API call volumes, session counts, feature usage, error logs
• Device and browser information: IP address, browser type, operating system, referring URL
• Cookies and similar technologies: session cookies for authentication (see Cookies section below)

Customer Data

When you use the Service, your end users' conversations with AI agents are processed through our platform. This data ("Customer Data") is owned by you. We process it solely to provide the Service. We do not use Customer Data to train AI models or for any purpose other than delivering the Service to you.

Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases:

• Contractual necessity: processing required to provide the Service (account management, billing, service delivery)
• Legitimate interest: usage analytics, fraud prevention, service improvement, and security monitoring
• Consent: marketing communications and optional cookies. You can withdraw consent at any time.
• Legal obligation: compliance with applicable laws, tax requirements, and regulatory requests

How We Use Information

• To provide, maintain, and improve the Service
• To process transactions and send billing notifications
• To respond to support requests and communicate with you
• To monitor usage, enforce rate limits, and ensure platform stability
• To detect and prevent fraud, abuse, and security incidents
• To send product updates and marketing communications (with your consent, where required)
• To comply with legal obligations

What We Don't Do

• We do not sell your personal data or Customer Data to third parties
• We do not use Customer Data to train AI models
• We do not share Customer Data for advertising purposes (website visitor data may be used for advertising via the LinkedIn Insight Tag if you accept marketing cookies — see Cookies and the LinkedIn Advertising and Analytics section)
• We do not engage in automated decision-making that produces legal effects concerning you

Data Sharing

We may share your information with:

• Service providers (sub-processors): who process data on our behalf to operate the Service (see Sub-processors section below)
• AI model providers: Customer Data is sent to AI model providers (Anthropic, OpenAI, Google) for inference. These providers process data under their own data processing terms and do not use it for model training.
• Professional advisors: legal, accounting, and insurance advisors as needed
• Law enforcement: when required by valid legal process (subpoena, court order). We will notify you unless legally prohibited.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with advance notice to you

Sub-processors

We use the following third-party service providers to operate the Service:

We will update this list when we add or change sub-processors and notify customers of material changes at least 30 days in advance.

International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where appropriate. Our sub-processors maintain their own compliance mechanisms for international data transfers.

Enterprise customers requiring data residency within the EU can contact us to discuss self-hosted deployment options.

Data Retention

• Account information: retained for as long as your account is active
• Customer Data (conversation sessions): retained according to your plan settings. You can delete sessions at any time through the admin panel.
• Usage data: retained for up to 24 months for analytics and improvement purposes
• Billing records: retained as required by tax law (typically 7 years)
• Upon account termination: we retain your data for 30 days to allow for export, after which it is permanently deleted. Customer Data is deleted immediately upon request.

Data Security

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Credentials and secrets encrypted at rest, decrypted only in memory at runtime
• Role-based access controls for platform administration
• Regular security assessments and monitoring
• Incident response procedures with customer notification

If you discover a security vulnerability, please report it to hello@amodalai.com.

Your Rights

Depending on your location, you may have the following rights:

All Users

• Access and export your data at any time through the admin panel
• Request deletion of your account and associated data
• Opt out of marketing communications using the unsubscribe link in our emails
• Request information about what data we hold about you

EEA, UK, and Switzerland Residents (GDPR)

• Right to rectification: correct inaccurate personal data
• Right to erasure: request deletion of your personal data
• Right to restriction: limit how we process your data
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interest
• Right to withdraw consent: for processing based on consent
• Right to lodge a complaint with your local data protection authority

California Residents (CCPA/CPRA)

• Right to know: what personal information we collect, use, and disclose
• Right to delete: request deletion of your personal information
• Right to opt out of sale: we do not sell personal information
• Right to non-discrimination: we will not discriminate against you for exercising your rights
• Right to correct: request correction of inaccurate personal information
• Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes beyond what is necessary to provide the Service

To exercise any of these rights, contact us at hello@amodalai.com. We will respond within 30 days (or sooner where required by law).

Cookies

We use the following categories of cookies:

• Essential cookies: required for authentication, session management, and security. These cannot be disabled.
• Analytics cookies: help us understand how the Service is used (e.g., Google Analytics). You can opt out through our cookie banner or your browser settings.
• Marketing / Advertising cookies: used for campaign analytics, conversion tracking, and retargeting (e.g., LinkedIn Insight Tag). These are only set after you accept marketing cookies in our cookie banner.

You can change your choices at any time using our cookie banner or your browser settings.

Cookie list

LinkedIn Advertising and Analytics

We use the LinkedIn Insight Tag to better understand how visitors interact with our website after viewing or clicking LinkedIn ads. This helps us measure campaign performance, understand aggregate professional demographics, track conversions, and show relevant ads to visitors who have interacted with our website.

The LinkedIn Insight Tag may collect information such as page URL, referrer, timestamp, IP address, device and browser information, and interactions with our LinkedIn campaigns. LinkedIn may process this information in accordance with its own privacy policy.

You can manage your LinkedIn advertising preferences through your LinkedIn account settings. You may also manage or disable marketing cookies through our cookie banner or your browser settings. The LinkedIn Insight Tag is only loaded on your device after you accept marketing cookies in our cookie banner; if you reject or later withdraw consent, we stop sending data to LinkedIn from that point forward.

Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.

Data Processing Agreement

Enterprise customers who require a Data Processing Agreement (DPA) for GDPR compliance or other regulatory requirements can request one at hello@amodalai.com. Our DPA covers: data processing scope, security obligations, sub-processor management, breach notification, data subject rights assistance, and data deletion upon termination.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. Non-material changes (clarifications, formatting) may be made without notice.

Contact

Questions about this Privacy Policy or your data? Contact us at hello@amodalai.com.

Amodal, Inc.
San Francisco, CA
United States