Privacy Policy

Last updated: July 3, 2026

Introduction

Onpilot AI ("Onpilot," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at onpilot.ai, our platform, APIs, and related services (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Services.

Our Role (Controller / Processor)

Onpilot plays two different roles depending on the data involved, and your rights are exercised accordingly:

  • As a controller for the account, billing, website, and product-usage data we collect to run our business (for example, your name, email, and how you use the dashboard), we decide the purposes and means of processing and are responsible under this policy.
  • As a processor (service provider) for the content, documents, and end-user data our customers upload or connect to build and operate their AI agents ("Customer Data"), we process it only on the customer's documented instructions under our Data Processing Addendum. If you are an end user or data subject of one of our customers, that customer is the controller and you should direct privacy requests to them; we will assist them in responding.

Information We Collect

Information you provide to us

  • Account information: name, email address, company name, and password when you create an account.
  • Billing information: payment method details processed securely through Stripe. We do not store full card numbers on our servers.
  • Content and data: any data, documents, or content you upload to configure or train your agents.
  • Communications: information you provide when you contact our support team or respond to surveys.

Information collected automatically

  • Usage data: pages visited, features used, API call volumes, token consumption, and interaction patterns.
  • Device information: browser type, operating system, IP address, and device identifiers.
  • Cookies and similar technologies: see our Cookie Policy for details.

Information from third parties

We may receive information from authentication providers (e.g., Google OAuth) when you choose to sign in using a third-party service.

How We Use Your Data

We use the information we collect to:

  • Provide, operate, and maintain our Services.
  • Process transactions and send related billing information.
  • Improve and personalize your experience, including AI model performance.
  • Communicate with you about updates, security alerts, and support messages.
  • Detect, prevent, and address technical issues, fraud, or abuse.
  • Comply with legal obligations and enforce our terms.
  • Generate aggregated, anonymized analytics to improve our platform.

We do not sell your personal data for money, and we do not "sell" or "share" personal information for cross-context behavioural advertising as those terms are defined under California law. See California Privacy Rights for how we treat analytics and opt-out preference signals.

Data Sharing

We may share your information only in the following circumstances:

  • Service providers: trusted third parties that help us operate our Services (e.g., hosting, payment processing, email delivery). These providers are contractually obligated to protect your data.
  • Legal requirements: when required by law, court order, or governmental regulation.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, with appropriate notice to you.
  • With your consent: when you explicitly authorize us to share your information.

Sub-processors

Our current sub-processors include:

ProviderPurposeLocation
Amazon Web Services (AWS)Cloud infrastructure and hostingGlobal
CloudflareCDN, DDoS protection, DNSGlobal
StripePayment processingUnited States
ResendTransactional email deliveryUnited States

Data Retention

We retain your personal data only for as long as necessary to provide our Services and fulfil the purposes described in this policy. When you delete your account:

  • Account data is deleted within 30 days of the deletion request.
  • Agent training data and conversation logs are permanently removed within 30 days.
  • Billing records may be retained for up to 7 years to comply with tax and accounting obligations.
  • Aggregated, anonymized data that cannot identify you may be retained indefinitely.

Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Regular security assessments and penetration testing.
  • Role-based access controls and principle of least privilege.
  • Continuous monitoring and automated threat detection.

For more details, see our Security page.

Cookies

We use cookies and similar tracking technologies to enhance your experience. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under GDPR (EEA/UK residents)

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your personal data ("right to be forgotten").
  • Restriction: request restriction of processing in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests or direct marketing.
  • Withdraw consent: withdraw consent at any time where processing is based on consent.

Under Canadian data protection law

If you are located in Canada, you have rights under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, including the right to access, correct, and withdraw consent for the processing of your personal data.

To exercise any of these rights, contact us at privacy@onpilot.ai. We will verify your request and respond within the timeframe required by applicable law (generally 30 days; up to 45 days for California requests, extendable where permitted). We do not discriminate against you for exercising your rights.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you specific rights. This section supplements the rest of this policy.

Categories of personal information

In the preceding 12 months we have collected the following categories of personal information (as defined in the CCPA): identifiers (e.g. name, email, IP address); commercial information (e.g. plan and transaction records); internet or network activity (e.g. usage and device data); and the content you provide to configure your agents. We collect it from you, your devices, and your chosen authentication providers, for the business purposes described in How We Use Your Data.

Sale / sharing of personal information

We do not sell your personal information for money. We do not knowingly "share" personal information for cross-context behavioural advertising. To the extent our use of analytics cookies could be considered "sharing" under California law, you can opt out as described below. We do not sell or share the personal information of minors under 16.

Sensitive personal information

We do not use or disclose sensitive personal information for purposes that would require us to offer a "Limit the Use of My Sensitive Personal Information" option beyond the limited purposes permitted by the CCPA.

Your California rights

  • Right to know and access the personal information we collect, use, and disclose.
  • Right to delete personal information, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information.
  • Right to limit the use of sensitive personal information.
  • Right to non-discrimination for exercising your rights.

How to exercise them

You may submit a request through at least two methods: (1) email us at privacy@onpilot.ai, or (2) use the in-product privacy controls in your account settings. You may use an authorized agent to submit a request on your behalf with proof of authorization.

Opt-out preference signals. We honour the Global Privacy Control (GPC) signal for browsers that send it, and treat it as a valid request to opt out of sale/sharing for that browser. A cookie banner alone is not an opt-out method for sale/sharing; the GPC signal and the request methods above are.

Automated Decisions & AI Processing

Onpilot is an AI platform. Our customers configure AI agents that process the content and connected data they choose, on their instructions, to generate responses and take actions they define. As a processor, we do not use Customer Data to make decisions that produce legal or similarly significant effects about individuals on our own behalf.

We do not use your account data to make solely automated decisions that produce legal or similarly significant effects about you without a legal basis and appropriate safeguards. Where a customer uses our platform for automated decision-making or profiling, that customer is the controller and is responsible for the required transparency, safeguards, and rights. Onpilot does not use Customer Data to train its own general-purpose models. Where third-party AI providers process Customer Data on our behalf, we use configurations and contractual protections intended to prevent use of that data to train the provider's general models.

International Transfers

We are based in Canada and use sub-processors located in Canada and the United States. Your data may be transferred to and processed in countries other than your country of residence. Where we transfer personal data out of the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum and Swiss addendum where relevant). Details of the safeguards are available in our Data Processing Addendum and on request.

Complaints

If you have a concern about how we handle your personal data, please contact us first at privacy@onpilot.ai so we can try to resolve it. You also have the right to lodge a complaint with a supervisory authority:

  • EEA/UK residents: your local data protection authority. Where we are required to designate a representative under GDPR Article 27, their contact details will be published here and are available on request.
  • Canada: the Office of the Privacy Commissioner of Canada (OPC) or your applicable provincial privacy commissioner.
  • California: the California Privacy Protection Agency or the California Attorney General.

Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

  • Privacy / data protection: privacy@onpilot.ai (our privacy contact handles data-subject and consumer requests)
  • General: info@onpilot.ai
  • Company: Onpilot AI Inc.
  • Address: Toronto, Ontario, Canada

© 2026 Onpilot AI. All rights reserved.