Privacy Policy

1. Introduction

Welcome to PaperPin.ai ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI agent platform and services (collectively, the "Services").

PaperPin.ai is operated by PaperPin.ai, with data stored and processed in India. By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.

Contact Information:
Email: contact@paperpin.ai

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, and authentication credentials when you create an account
• Payment Information: Credit card details and billing information processed through our secure payment processors for credit purchases
• Profile Information: Organization name, workspace settings, and preferences
• Communications: Messages, support requests, and feedback you send to us

2.2 Information Collected Through Service Use

• Files and Documents: Files you upload to our RAG (Retrieval-Augmented Generation) system, including PDFs, presentations, documents, and other supported file types
• Conversation Data: Chat messages, file attachments, and interactions with AI agents
• Agent Configurations: Custom agent instructions, prompts, tools, and settings you create
• API and Integration Data: Custom API configurations, MCP server connections, and related metadata
• Usage Data: Credit consumption, AI model usage, feature utilization, and service interactions

2.3 Third-Party Integration Data

• Connected Apps: When you connect third-party applications (Gmail, GitHub, Calendar, Jira, Confluence, etc.), we may access data from these services as authorized by you
• Authentication Credentials: OAuth tokens and API keys managed securely through Composio.dev

2.4 Automatically Collected Information

• Technical Data: IP address, browser type, device information, operating system, and timestamps
• Analytics Data: Pages visited, features used, session duration, and interaction patterns
• Cookies and Tracking: Session cookies, authentication tokens, and preference cookies

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery: To provide, maintain, and improve our AI agent platform
• AI Processing: To process your requests through AI models and generate responses, documents, and automations
• RAG System: To store, index, and retrieve your files for intelligent AI-powered interactions
• Integrations: To connect with third-party apps and execute actions on your behalf through your configured agents
• Billing: To process payments, manage credits, and maintain transaction records
• Account Management: To authenticate users, manage workspaces, and maintain account security
• Communication: To send service updates, security alerts, and respond to support requests
• Analytics: To understand usage patterns, improve features, and optimize performance
• Security: To detect, prevent, and address fraud, abuse, and security issues
• Legal Compliance: To comply with legal obligations and enforce our terms of service

4. Data Storage and Security

4.1 Data Location

Your data is primarily stored and processed on servers located in India. We use industry-standard cloud infrastructure providers to ensure high availability and data redundancy.

4.2 Security Measures

• Encryption of data in transit (TLS/SSL) and at rest
• Secure authentication through Composio.dev (SOC 2 and ISO 27001:2022 certified)
• Regular security audits and vulnerability assessments
• Access controls and role-based permissions
• Secure API key and credential management
• Automated backup and disaster recovery systems
• Monitoring and logging of system activities

4.3 Data Retention

We retain your information for as long as necessary to provide our Services:

• Account Data: Retained until account deletion
• Files and Documents: Retained until you delete them or close your account
• Conversation History: Retained according to your workspace settings
• Transaction Records: Retained for 7 years for legal and tax compliance
• Analytics Data: Aggregated and anonymized data may be retained indefinitely

5. Third-Party Services and Data Sharing

5.1 Service Providers

We share your information with trusted third-party service providers:

• Authentication: Composio.dev for secure OAuth and app integration management (SOC 2 and ISO 27001:2022 certified)
• AI Models: OpenAI, Anthropic, Google, Meta, and other LLM providers to process your AI requests
• Payment Processing: Stripe or similar payment processors for credit purchases
• Cloud Infrastructure: AWS, Google Cloud, or similar providers for hosting and storage
• Analytics: Usage analytics and monitoring services

5.2 Connected Applications

When you connect third-party apps (Gmail, GitHub, Calendar, Jira, Confluence, and 500+ others), we take your privacy and data security seriously. Authentication and app integration management is handled by Composio.dev, which is SOC 2 Type II and ISO 27001:2022 certified.

How We Handle Connected App Data:

• Limited Access: We only access the specific data and permissions you explicitly grant when connecting an app
• Purpose Limitation: Connected app data is used exclusively to execute the AI agent tasks you have authorized
• No Third-Party Sharing: We do not sell, share, or transfer your connected app data to any third parties except as necessary for providing the core functionality
• No Unauthorized Access: We will never access your connected app data for marketing, analytics, advertising, or any purpose other than the services you authorized
• No AI/ML Training: Your connected app data is not used to train, develop, or improve any AI or machine learning models beyond the immediate service delivery
• Revocable Anytime: You can disconnect any app integration at any time, which immediately revokes our access to that app's data

Composio Security & Compliance:

• SOC 2 Type II Certified: Rigorous security controls audited by independent third parties
• ISO 27001:2022 Certified: International standard for information security management
• Data Encryption: All authentication tokens and credentials are encrypted at rest and in transit
• OAuth 2.0 Standard: Industry-standard secure authorization protocol for all app connections
• Regular Security Audits: Continuous monitoring and vulnerability assessments
• Compliance: Full compliance with GDPR, CCPA, and other data protection regulations

For more information about Composio's security practices, visit trust.composio.dev

Special Disclosure for Google Workspace Apps:

When you connect Google Workspace apps (Gmail, Google Calendar, Google Drive, etc.), we comply with Google's API Services User Data Policy, including Limited Use requirements:

• We do not use Google user data for serving advertisements
• We do not sell Google user data to any third parties
• We do not use Google user data to develop or improve AI/ML models beyond immediate service delivery
• We do not transfer Google user data to any external services except as necessary for the platform's core functionality
• All Google API data processing is performed within our secure infrastructure

YouTube API Services:

If you use features that integrate with YouTube API Services, your use is also subject to Google's Privacy Policy. We comply with YouTube's Developer Policies:

• YouTube API data is retained for a maximum of 30 calendar days
• After 30 days, data is either refreshed from YouTube's servers or permanently deleted
• You can request immediate deletion of your YouTube-related data at any time
• No use of YouTube data for advertising purposes
• No unauthorized sale or sharing of YouTube user data

5.3 Legal Requirements

We may disclose your information if required by law or in response to:

• Valid legal processes (subpoenas, court orders, etc.)
• Government or regulatory requests
• Protection of rights, property, or safety
• Enforcement of our terms of service

5.4 Business Transfers

If PaperPin.ai is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

6. Your Rights and Choices

6.1 Access and Control

You have the right to:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Export: Download your files, conversations, and agent configurations
• Opt-Out: Unsubscribe from marketing communications
• Revoke Access: Disconnect third-party app integrations at any time

6.2 Data Portability

You can export your data in standard formats through our platform settings or by contacting support.

6.3 Account Deletion

You may delete your account at any time. Upon deletion, we will remove your personal information and files, though some data may be retained for legal compliance or legitimate business purposes.

7. Cookies and Tracking Technologies

We use cookies and similar technologies for:

• Essential Cookies: Required for authentication and core functionality
• Preference Cookies: To remember your settings and preferences
• Analytics Cookies: To understand how you use our Services
• Security Cookies: To detect fraud and protect your account

You can control cookies through your browser settings, though disabling essential cookies may affect service functionality.

8. International Data Transfers

While our primary data storage is in India, your data may be processed by third-party service providers (such as AI model providers) located in other countries. We ensure appropriate safeguards are in place for such transfers, including:

• Standard contractual clauses
• Data processing agreements
• Compliance with applicable data protection laws
• Security certifications (SOC 2, ISO 27001, etc.)

9. Age Restrictions

PaperPin.ai does not impose age restrictions for using our Services. However, users under the age of 18 should obtain parental or guardian consent before using our platform, particularly when providing personal information or connecting third-party accounts.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email for significant changes
• Post a notice on our platform

Your continued use of our Services after any changes indicates your acceptance of the updated Privacy Policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your inquiries within 30 days and work with you to address any privacy concerns.

12. Additional Rights for Specific Jurisdictions

12.1 European Union (GDPR)

If you are located in the EU, you have additional rights under GDPR including:

• Right to lodge a complaint with a supervisory authority
• Right to object to processing based on legitimate interests
• Right to restrict processing in certain circumstances
• Right to data portability in machine-readable format

12.2 California (CCPA)

If you are a California resident, you have rights under CCPA including:

• Right to know what personal information we collect and how it's used
• Right to delete personal information (subject to exceptions)
• Right to opt-out of sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your rights

12.3 India (DPDPA)

As our data is stored in India, we comply with the Digital Personal Data Protection Act:

• Processing personal data lawfully and transparently
• Obtaining consent for data processing activities
• Ensuring data accuracy and completeness
• Implementing appropriate security safeguards