UmamiAIUmamiAI
Sign inCreate account

Privacy Policy

Last updated: February 23, 2026

This Privacy Policy explains how UmamiAI ("UmamiAI", "we", "us") collects, uses, discloses, and protects information when you access or use the UmamiAI agentic platform (the "Service").

Quick links
Information we collectHow we use informationSharing & disclosuresData retentionSecurityYour rights & choices

1) Information we collect

Account and profile
  • Email address, password (stored as a secure hash by our auth provider), and basic profile fields.
  • Organization membership, roles (e.g., admin/member), and invite/acceptance metadata.
Customer content you submit
  • Agent prompts, system instructions, and configuration (including tool definitions).
  • Knowledge documents uploaded to enable retrieval-augmented generation (RAG).
  • Workflow definitions, approval requests, and any text you submit through the Service.
Usage, telemetry, and logs
  • Service activity (pages visited, actions taken), feature usage, and basic performance metrics.
  • Run traces and tool call metadata (e.g., timestamps, status, latency, error messages).
  • IP address, device/browser information, and coarse location derived from IP for fraud prevention and service security.
API keys and webhooks
  • API keys are stored as hashes; we may log key usage (e.g., last used time, request metadata).
  • Webhook endpoints, signing secrets (stored securely), delivery attempts, and response codes.
Cookies and similar technologies

We use cookies/session storage to keep you signed in, remember preferences, and protect the Service. You can control cookies through your browser settings; some features may not function without them.

2) How we use information

  • Provide, maintain, and secure the Service (authentication, access control, abuse prevention).
  • Operate agent runs, workflows, approvals, and audit trails you configure.
  • Process knowledge documents to create embeddings for retrieval (where enabled).
  • Deliver webhooks and provide delivery history for debugging and reliability.
  • Improve product performance and user experience (e.g., diagnosing errors, capacity planning).
  • Communicate with you about updates, security notices, and support requests.

3) Legal bases (EEA/UK)

If you are located in the European Economic Area or the United Kingdom, our processing is typically based on:

  • Contract: to provide the Service you request.
  • Legitimate interests: to secure and improve the Service, prevent abuse, and operate our business.
  • Consent: where required for certain cookies or communications.
  • Legal obligations: compliance with applicable laws (e.g., lawful requests).

4) Sharing and disclosures

We share information in limited circumstances:

  • Service providers (sub-processors) that help us host and operate the Service (e.g., database, authentication, hosting, observability).
  • Model providers when you run agents (we transmit prompts and context needed to generate outputs). You control what content is sent by configuring your agents and knowledge.
  • Legal and safety if required by law, to protect rights, investigate fraud, or respond to lawful requests.
  • Business transfers in connection with a merger, acquisition, or asset sale.

Note: in this scaffold, typical infrastructure includes a hosting provider (e.g., Vercel), a data platform (e.g., Supabase/Postgres), and optional AI model providers. Your deployed configuration may differ.

5) Data processing roles

UmamiAI generally acts as a processor for Customer Content (agent configs, knowledge documents, run inputs) and a controller for account, billing (if enabled), and service security data. If you are using the Service on behalf of an organization, you are responsible for ensuring you have appropriate rights and notices for content you upload.

6) Data retention

We retain personal data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary by data type:

  • Account data: retained while your account is active and for a reasonable period after deletion.
  • Audit logs/traces: retained to support security and debugging, subject to org configuration.
  • Webhook delivery logs: retained to provide operational history and retries.

Your deployment can adjust retention (for example, by truncating run traces or disabling embeddings for certain content).

7) Security

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit, role-based access control, and audit logging. No method of transmission or storage is 100% secure.

  • API keys are stored as hashes and are only shown once at creation time.
  • Row-level security (RLS) restricts data access to authorized org members.
  • Webhook signing helps recipients verify authenticity and integrity of events.

8) International transfers

We and our service providers may process and store information in countries other than your own. Where required, we use appropriate safeguards (such as contractual protections) to support international transfers.

9) Your rights and choices

Depending on your location, you may have rights to:

  • Access, correct, or delete certain personal data.
  • Object to or restrict certain processing.
  • Export your data (data portability), where applicable.
  • Withdraw consent where processing is based on consent.

You can update certain account details within the Service. For requests that require assistance, contact us at privacy@umamiai.com.

10) Children

The Service is not directed to children under 13 (or the age required by local law), and we do not knowingly collect personal information from children.

11) Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify you (for example, via the Service or email).

12) Contact

Questions about privacy? Email privacy@umamiai.com.

Template note: this policy is provided as a realistic starting point for your deployment. Have counsel review it for your jurisdiction, sub-processors, and commercial terms.