— Legal
Privacy Policy
How we collect, use, and protect your information.
Palatai (“we,” “our,” or “us”), a product of On10 Solutions, LLC, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI company orchestration platform and related services (collectively, the “Service”).
This Privacy Policy applies to all information collected through our website (https://palatai.com), our web application (https://app.palatai.com), mobile applications, and any related communications. By accessing or using our Service, you agree to the collection and use of your information as described in this Privacy Policy.
1. Information We Collect
1.1 Personal Information
We may collect personal information that you voluntarily provide, including:
- Name, email address, phone number, and mailing address
- Account credentials (username and password)
- Payment and billing information
- Professional information (job title, company name, role within organization)
- Communication preferences
1.2 AI Interaction Data
As an AI platform, we collect data generated through your interactions with Palatai agents, including: prompts and instructions you provide to agents, outputs and actions taken by agents on your behalf, connected data sources and integrations you authorize, CRM records, customer interaction logs, and performance metrics generated by agent activity. This data is essential to the operation of the service and is used to execute tasks, improve agent performance, and provide you with analytics.
1.3 Business & Platform Data
To provide our AI orchestration services, we collect:
- Business configuration and settings
- Organization identifiers and slugs
- Task history and agent activity logs
- Connected integrations and tool configurations
- Documents and files uploaded to the platform
- Team member profiles, roles, and permissions
- Client records and project data
- Financial records (billing, subscription data)
1.4 Usage Information
We automatically collect certain information when you use our platform:
- Device information (type, operating system, browser)
- IP address and general location data
- Usage patterns and feature interactions
- Log data and analytics information
2. Legal Basis for Processing (GDPR Article 6)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal information only where we have a valid legal basis:
- Contractual Necessity: Processing necessary to perform our contract with you (providing the Palatai platform, managing your business data, processing payments, and fulfilling subscription obligations).
- Legitimate Interests: Processing necessary for our legitimate interests, such as improving our Service, fraud prevention, platform security, and marketing our services to existing customers. We balance these interests against your rights and freedoms.
- Consent: Where you have given us specific, informed consent for a particular processing activity, such as receiving marketing communications or enabling optional AI features. You may withdraw consent at any time.
- Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal processes (e.g., tax reporting, responding to lawful requests from public authorities).
3. How We Use Your Information
We use the collected information for the following purposes:
- Providing and improving our AI orchestration services
- Processing task schedules and sending reminders
- Generating performance reports and analytics
- Powering AI agent assistance and automated workflows
- Processing payments and managing subscriptions
- Communicating with you about your account and services
- Ensuring platform security and preventing fraud
- Complying with legal and regulatory requirements
- Analyzing usage to improve our products and services
4. Information Sharing
We do not sell your personal information to third parties. We may share your information in the following circumstances:
4.1 Service Providers
We work with third-party service providers who assist us in operating our platform, including cloud hosting, payment processing, email delivery, and analytics services. These providers are contractually obligated to protect your information and process it only as instructed.
4.2 Legal Requirements
We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership.
4.4 With Your Consent
We may share your information with third parties when you have given us your explicit consent to do so.
5. Data Security
We implement industry-standard security measures to protect your information, including:
- TLS 1.3 encryption for data in transit
- AES-256 encryption for data at rest
- Secure authentication and role-based access controls
- Regular security audits and monitoring
- Employee training on data protection practices
While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
5.1 Breach Notification
In the event of a data breach that affects your personal information, we will notify you and the appropriate regulatory authorities (including relevant EU supervisory authorities) as required by applicable law, including within 72 hours where required under GDPR.
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention criteria include:
- Account data: Retained for the duration of your active account. If you request account closure, your account is disabled immediately and permanently deleted after 90 days.
- Agent interaction logs: Retained for 12 months by default (configurable in your account settings).
- Financial and transaction data: Retained for 7 years as required by tax and accounting regulations.
- AI interaction data: Stored in your account. You control retention via account settings. Anthropic, our AI provider, may retain API interactions for up to 30 days for trust and safety review only — this data is never used for model training.
- Usage and analytics data: Retained for the duration of your account and deleted upon account closure.
You may request deletion of your data at any time by closing your account through Account Settings. Upon closure, your account is disabled immediately and all data permanently deleted after 90 days, except financial records which are retained for 7 years as required by law. To exercise your right to erasure, contact [email protected].
7. Your Privacy Rights
Depending on your location, you have the following rights regarding your personal information:
7.1 Access
You have the right to request information about the personal information we hold about you and to receive a copy of that information.
7.2 Correction
You have the right to request that we correct inaccurate or incomplete personal information about you.
7.3 Deletion
You have the right to request that we delete your personal information in certain circumstances.
7.4 Restriction of Processing
You have the right to request that we restrict the processing of your personal information in certain circumstances.
7.5 Data Portability
You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
7.6 Objection
You have the right to object to the processing of your personal information where we rely on legitimate interests as our legal basis.
7.7 Withdraw Consent
Where we process your information based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
7.8 Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
7.9 How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Team at [email protected]. We will respond to your request within 30 days, or within the timeframe required by applicable law.
8. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent legislation.
8.1 Data Controller
On10 Solutions, LLC is the data controller for personal information collected through the Palatai platform. For business and team data that you enter into the platform, you are the data controller and we act as the data processor on your behalf.
8.2 EU/UK Representative
As On10 Solutions is established in the United States, we have designated a representative in the European Union in accordance with Article 27 of the GDPR. You may contact our EU representative at: [email protected]
8.3 Right to Lodge a Complaint
If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local Data Protection Authority (supervisory authority) if you believe that our processing of your personal information violates applicable data protection law. A list of EU supervisory authorities is available at https://edpb.europa.eu. For the UK, contact the Information Commissioner's Office (ICO) at https://ico.org.uk.
9. International Data Transfers
On10 Solutions is based in the United States, and we process and store information on servers located in the United States. If you are located outside the United States, your personal information may be transferred to, stored, and processed in a country different from your country of residence.
9.1 Legal Basis for Transfers
When we transfer personal information from the EEA, United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of protection, we use specific legal mechanisms including Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure your data receives an adequate level of protection.
9.2 Data Storage Locations
Our data storage locations are:
- United States (primary)
- European Union (available for Enterprise clients located in the EEA)
- United Kingdom (available for Enterprise clients located in the UK)
Enterprise clients may select their preferred data storage region during onboarding. Contact our sales team for data residency options.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete your information, the right to opt-out of the sale of your personal information, and the right to non-discrimination. We do not sell your personal information.
11. AI Features and Automated Processing
Palatai includes AI-powered features including autonomous task execution, content generation, and business intelligence. These features are powered by the Claude API, provided by Anthropic, PBC. The following explains how your data is handled in connection with AI features:
- How it works: When you use an AI feature, Palatai sends the minimum necessary context — such as your business configuration, relevant task history, or a specific document — to Anthropic's API to generate a response. Your full database is never bulk-uploaded to any AI service.
- No model training: Your data is not used to train AI models — by Palatai or by Anthropic. Under Anthropic's commercial API terms, customer data submitted via API is explicitly excluded from model training.
- AI data retention: You control how long your AI conversation history is stored via Account Settings > Preferences. You may choose not to retain any history beyond the next daily cleanup, or set a retention window of 30 days, 90 days, 6 months, or 1 year. Anthropic may retain API interactions for up to 30 days for trust and safety review, after which they are deleted.
- Data isolation: Each account's AI context is fully isolated. Your data is never shared with or visible to other Palatai users or used to inform responses for other accounts.
- No automated decisions: AI recommendations are advisory only. No automated decisions with legal or significant effects are made without human oversight. You always retain control over decisions, scheduling, and operations.
- Opt-out: You may disable AI features at any time through your account settings without affecting core platform functionality.
12. Cookies and Tracking
We use cookies and similar tracking technologies to enhance your experience on our platform. When you first visit our website, a cookie consent banner allows you to choose which categories to enable. You can change your preferences at any time via the “Cookie Settings” link in the footer.
Cookie Categories
- Essential (always active): Required for platform functionality including authentication, security tokens, and session management. Cannot be disabled.
- Analytics (opt-in): Help us understand how visitors use the site. You may decline these without affecting functionality.
- Marketing (opt-in): Used for personalized content and advertising measurement. You may decline these without affecting functionality.
- Preference (opt-in): Remember your settings and preferences such as theme and layout. You may decline these without affecting functionality.
Cookie Inventory
| Cookie Name | Category | Purpose | Duration |
|---|---|---|---|
| cookie-consent | Essential | Stores your cookie consent preferences | Persistent |
| __next* | Essential | Next.js framework session and routing | Session |
| _pal_anon, _pal_session | Analytics | Session and click tracking for heatmaps and session recordings | 1 year / Session |
| pal_uid | Analytics | Unique user identifier for analytics | 1 year |
| ANONCHK, MR, MUID, SM | Analytics | Analytics and cross-site tracking | Varies (session to 1 year) |
| pal_theme, pal_sidebar | Preference | UI theme and sidebar layout preferences | 1 year |
For users in the EEA and UK, we obtain your consent before placing non-essential cookies. You can manage your preferences at any time by clicking “Cookie Settings” in the website footer, or through your browser settings. Note that disabling essential cookies may affect platform functionality.
13. Third-Party Social Platform Integrations
Palatai allows you to connect your business's social media accounts so that your AI agents can publish content and retrieve engagement metrics on your behalf. This section describes exactly what data we collect from each platform, how we use it, where it is stored, and how you can remove it. We connect to these platforms only with your explicit authorization via each platform's OAuth flow.
13.1 Instagram & Facebook (Meta Platforms)
Palatai integrates with Meta's Graph API to support publishing to Instagram Business accounts and Facebook Pages.
What we collect. When you connect an Instagram or Facebook account, we collect and store:
- Instagram Business Account ID and account handle (@username)
- Linked Facebook Page ID and Page name
- Page Access Token (encrypted at rest)
- OAuth scopes granted at the time of connection
How we use it. We use this data solely to:
- Identify which Instagram or Facebook account is connected to your Palatai organization
- Publish content (captions and media) that you or your agents create within Palatai — every publish action requires explicit human approval through Palatai's Approvals queue before any API call is made to Meta
- Retrieve engagement metrics (views, likes, comments, shares) on posts published through Palatai, for display in your dashboard
- Display the connected account handle in your Settings so you can confirm the correct account is wired
What we do not do. We do not read, store, or process content from your Instagram or Facebook feed that was not created in Palatai. We do not access direct messages, Stories you did not publish through Palatai, or data belonging to your followers or their accounts.
Storage and security. Connection credentials (Page Access Tokens) are encrypted using AES-256 and stored in Palatai's database. They are never transmitted to third parties and are never used for advertising or profiling.
Retention and deletion. All Meta connection data is deleted immediately upon disconnection (via Settings → Integrations → Disconnect) or upon deletion of your Palatai organization. Token expiry also triggers automatic removal of the expired credential.
Your control. You may disconnect your Instagram or Facebook account at any time from Settings → Integrations. Upon disconnection, all stored tokens and associated connection data are permanently deleted from our database.
13.2 YouTube (Google)
Palatai integrates with the YouTube Data API v3 and YouTube Analytics API to support publishing to YouTube channels and retrieving video performance data.
What we collect. When you connect a YouTube account, we collect and store:
- YouTube Channel ID and channel title
- Channel handle (@customUrl), if set on the account
- Google OAuth access token (encrypted at rest)
- Google OAuth refresh token (encrypted at rest)
- OAuth scopes granted at the time of connection
How we use it. We use this data solely to:
- Identify which YouTube channel is connected to your Palatai organization
- Upload and publish video content created within Palatai — every publish action requires explicit human approval through Palatai's Approvals queue before any API call is made to YouTube
- Retrieve engagement metrics (views, likes, comments) on videos published through Palatai, for display in your dashboard
- Refresh access tokens using the stored refresh token when the access token expires
Google API Services User Data Policy. Palatai's use of information received from Google APIs (including YouTube Data API and YouTube Analytics API) adheres to the Google API Services User Data Policy, including the Limited Use requirements. YouTube user data is not used for advertising, is not transferred to third parties except as necessary to provide the features described here or as required by law, and is never used to develop, improve, or train generalized AI or ML models. For full Limited Use compliance details covering all Google integrations (including Google Calendar and Gmail), see Section 13.3 below.
Storage and security. Google OAuth tokens are encrypted using AES-256 and stored in Palatai's settings store. They are never shared with third parties and are never used for advertising or profiling.
Retention and deletion. All YouTube connection data is deleted immediately upon disconnection (via Settings → Integrations → Disconnect) or upon deletion of your Palatai organization. Refresh token revocation by Google also triggers automatic removal of the stored credential.
Your control. You may disconnect your YouTube account at any time from Settings → Integrations. You may also revoke Palatai's access directly from your Google Account security settings at myaccount.google.com/permissions.
13.3 Google Calendar & Gmail (Workspace Integrations)
Palatai integrates with the Google Calendar API (scopes: calendar.readonly, calendar.events) and the Gmail API (scope: gmail.modify) to allow your AI agents to read calendar availability, schedule and update calendar events, and manage email threads on your behalf.
Scope-by-scope purpose disclosure.
- calendar.readonly — Read-only access to your Google Calendar events. Used solely to check your availability and surface scheduling context to your Palatai agents (for example, to avoid booking a meeting over an existing event). No calendar data is written with this scope.
- calendar.events — Read and write access to your Google Calendar events. Used solely to create, update, and delete calendar events that you or your agents explicitly schedule as part of a task you have approved. Every calendar write action requires explicit human approval through Palatai's Approvals queue.
- gmail.modify — Read, send, delete, and manage your Gmail messages and labels (does not include permanent deletion of messages or access to account settings). Used solely to: read email threads that you direct an agent to process, draft and send replies that you have explicitly approved, and apply labels or archive threads as part of a workflow you have configured. Palatai never reads, scans, or processes your email in the background. Every email send and thread-management action requires explicit human approval.
Google API Services User Data Policy — Limited Use compliance. Palatai's use of information received from Google APIs, including Google Calendar and Gmail, adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Limited to disclosed purposes. Google user data (including Calendar and Gmail data) is used only to provide or improve the user-facing features described in this policy. It is not used for any other purpose.
- No advertising. Google user data is not used for serving advertisements. We do not use Google user data for retargeting, personalized advertising, or interest-based advertising, and we do not share it with advertising networks, data brokers, or information resellers.
- No transfer to third parties except as necessary. Google user data is not transferred to others except: (a) as necessary to provide or improve the features disclosed in this policy; (b) to comply with applicable law; or (c) as part of a merger, acquisition, or sale of assets where the acquiring party agrees to be bound by these same restrictions and adequate prior notice is given to you.
- No use to develop, improve, or train generalized AI or ML models. Google user data — including all Calendar and Gmail data — is never used to develop, improve, or train generalized artificial intelligence or machine learning models, whether by Palatai or any third party to whom Palatai transfers that data. This prohibition applies to both Palatai's proprietary systems and to any AI provider (including Anthropic). Google user data is never included in AI model training pipelines.
- No humans read your Google data except in limited circumstances. Palatai employees and contractors do not access, read, or view your Google Calendar or Gmail data except: (a) with your affirmative agreement to view specific messages, events, or other data (for example, when you share a thread with our support team during a support request); (b) for security purposes, such as investigating a reported abuse or security incident; (c) to comply with applicable law; or (d) in aggregate, anonymized form that cannot be associated with any individual for internal operational purposes such as measuring feature usage.
What we collect and store. When you connect a Google account for Calendar or Gmail access, we collect and store:
- Your Google account email address (to identify the connected account in your Settings)
- Google OAuth access token (encrypted at rest using AES-256)
- Google OAuth refresh token (encrypted at rest using AES-256)
- OAuth scopes granted at the time of connection
- Transient calendar event data and email thread content fetched during active agent task execution — this data is processed in memory for the duration of the task and is not persistently stored unless you have explicitly configured an agent workflow that stores it as part of your Palatai task history
Retention and deletion. Google OAuth tokens are deleted immediately upon disconnection (via Settings → Integrations → Disconnect) or upon deletion of your Palatai organization. You may also revoke Palatai's access directly from your Google Account security settings at myaccount.google.com/permissions — revoking access there also triggers automatic removal of the stored credential in Palatai. Google Calendar and Gmail data that was transiently processed as part of a task does not persist beyond the task's retention window (default: 12 months, configurable in Account Settings).
Your control. You may disconnect your Google Calendar or Gmail integration at any time from Settings → Integrations. All stored tokens and connection data are permanently deleted upon disconnection. Disconnecting does not affect other Google integrations you may have connected (for example, YouTube).
13.4 TikTok
Palatai integrates with the TikTok Content Posting API (v2) to support publishing video content to TikTok creator accounts. This integration is currently pending TikTok App Review for production-tier access; publishing to real accounts requires TikTok's formal approval of our application.
What we collect. When you connect a TikTok account, we collect and store:
- TikTok open_id (TikTok's internal user identifier for the connected account)
- Display name (as returned by TikTok's User Info API)
- OAuth access token (encrypted at rest)
- OAuth refresh token (encrypted at rest), when issued by TikTok
- OAuth scopes granted at the time of connection
How we use it. We use this data solely to:
- Identify which TikTok account is connected to your Palatai organization
- Publish video content created within Palatai using TikTok's PULL_FROM_URL upload method — videos are served from palatai.com and pulled by TikTok during the publish step
- Retrieve basic engagement metrics (views, likes, comments, shares) on videos published through Palatai, for display in your dashboard
- Refresh access tokens using the stored refresh token when the access token expires
Human approval requirement. No content is ever posted to TikTok automatically or without human review. Every video must be explicitly approved by a human operator within Palatai's Approvals queue before the TikTok Content Posting API is called. Palatai does not support fully automated, unattended posting to TikTok.
TikTok Developer Terms compliance. Palatai's integration is built and operated in compliance with the TikTok Developer Terms of Service and the TikTok API Terms. We use only the scopes necessary to perform the functions described above (user.info.basic, video.publish, video.upload).
Storage and security. TikTok OAuth tokens are encrypted using AES-256 and stored in Palatai's database. They are never shared with third parties and are never used for advertising or profiling.
Retention and deletion. All TikTok connection data is deleted immediately upon disconnection (via Settings → Integrations → Disconnect) or upon deletion of your Palatai organization. Token expiry also triggers automatic removal of the expired credential.
Your control. You may disconnect your TikTok account at any time from Settings → Integrations. You may also revoke Palatai's access directly from your TikTok account security settings.
13.5 Principles Applying to All Platform Integrations
The following principles apply to every social platform integration Palatai offers, including those described above and any we may add in the future:
- No sale of platform data. We do not sell, rent, or trade any data obtained from social platform APIs to any third party, for any purpose.
- No cross-org data sharing. Platform data belonging to your organization is never shared with, visible to, or used to inform activity in any other Palatai organization.
- No feed scraping or passive collection. We do not read, store, or process any content from your social platforms beyond what is explicitly described above. We do not access your followers' data, your private messages, content published before you connected to Palatai, or content created by other users.
- No advertising or profiling. Platform data is never used to build advertising profiles, target advertisements, or infer sensitive characteristics about you or your audience.
- Minimum necessary access. We request only the OAuth scopes required for the specific functions described in this section. We do not request permissions we do not use.
- Human-in-the-loop publishing. All publishing actions across all social platforms require explicit human approval through Palatai's Approvals workflow. No content is posted automatically without a human operator reviewing and approving the post first.
- Encrypted storage. All OAuth tokens and platform credentials are encrypted at rest using AES-256 and are never stored in plaintext.
- Deletion on disconnect. Disconnecting a social platform account from Palatai permanently and immediately deletes all associated tokens and connection data from our database. This is true for all platforms.
14. Children's Privacy
Our services are not intended for individuals under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the “Last Updated” date, and sending an email notification to the address associated with your account. For material changes, we will provide notice at least 30 days before the changes take effect, where possible. Your continued use of our services after changes constitutes acceptance of the updated policy.
16. Summary of Your Rights by Region
| Region | Applicable Law | Key Rights |
|---|---|---|
| United States (California) | CCPA/CPRA | Know, Delete, Opt-out, Non-discrimination |
| European Union | GDPR | Access, Rectification, Erasure, Restriction, Portability, Objection, Complaint to supervisory authority |
| United Kingdom | UK GDPR | Access, Rectification, Erasure, Restriction, Portability, Objection, Complaint to ICO |
| Canada | PIPEDA | Access, Correction, Withdraw consent |
| Australia | Privacy Act | Access, Correction, Complaint |
17. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Palatai (On10 Solutions, LLC)
5005 West Laurel, Suite 100
Tampa, FL 33607
United States
Email: [email protected]
Phone: +1 813-252-1961
Data Protection Team
For privacy-specific inquiries or to exercise your privacy rights:
[email protected]EU / UK Representative
For users in the European Economic Area or United Kingdom:
[email protected]