Privacy Policy
This Privacy Policy explains what information Talona collects when you use our Service, how we use it, with whom we share it, and your rights over it.
You can reach us about anything in this policy at contact@talona.ai.
1. What we collect
Account data
When you sign up we store your email address, hashed password, your chosen username, and basic sign-in metadata such as the time of your last login. If you sign in with Google or GitHub, we receive your email, name, and a stable identifier from that provider.
Agent and integration data
When you build and run agents we store the agent's configuration, including its system prompt, the skills it uses, the schedule it runs on, and the integrations it connects to. We also store encrypted credentials for the third-party services you connect, and the inputs and outputs of your agent's runs. Credentials and other secrets are encrypted at rest with a key held outside the database.
Usage data
We collect logs and traces describing how you use the Service: which API calls you make, which agents you run, how long each step takes, and what errors occur. Some of this is collected through standard server logs, and some through observability tooling so that we can investigate failures.
Conversational data
Prompts you send to your agent, files you upload, and the outputs your agent produces are stored so the agent can resume conversations and so you can review past runs.
Payment data
If you upgrade to a paid plan we collect billing information (name, billing address, country, and VAT number where applicable) through a third-party payment processor. We do not store full card numbers.
2. How we use it
- To provide and operate the Service: authenticate you, configure your agents, run them, deliver their outputs, store conversation history, and enforce your plan limits.
- To secure the Service: detect and respond to abuse, fraud, and security incidents, and audit changes to your agents and integrations.
- To communicate with you: send transactional email about your account, security notices, and important product changes. We will only send marketing email if you have opted in, and you can opt out at any time.
- To improve the Service: analyse aggregate usage to understand which features are used and which fail. We do not use the contents of your prompts or your agent's outputs to train AI models.
- To comply with legal obligations: respond to lawful requests, enforce our Terms, and defend legal claims.
3. Legal bases (EU and UK users)
If you are in the EU or the UK, the GDPR applies. We rely on the following legal bases:
- Performance of a contract: to provide you with the Service you signed up for.
- Legitimate interests: to keep the Service secure, prevent abuse, debug failures, and improve features. We balance these interests against your rights and stop where your rights would override them.
- Consent: for any optional processing such as marketing email. You can withdraw consent at any time.
- Legal obligation: to comply with applicable law and respond to lawful requests from authorities.
4. Sharing
We do not sell your personal data. We share it only with subprocessors that help us run the Service, and only to the extent each subprocessor needs to do its job. Categories of subprocessors include:
- Cloud hosting and managed compute, where we run the platform and your agents.
- AI inference providers, where prompts are sent to be processed by AI models. Where supported by the provider, we have configured them not to retain prompts beyond the request and not to use them for model training.
- Identity providers, where you choose to sign in with a third-party account.
- Payment processing, for paid plans.
- Email delivery, for transactional email.
- Observability and error monitoring, for logs, metrics, and traces.
A current subprocessor list is available on request at contact@talona.ai.
We may also disclose data when required by law, court order, or a binding government request, where we have a good-faith belief that disclosure is necessary, and where we cannot lawfully challenge the request. Where lawful, we will notify affected users.
If Talona is acquired or merged, your data may transfer to the acquirer, subject to this Privacy Policy or a successor policy that is no less protective.
5. International transfers
Your data is primarily stored and processed in the European Union. Some subprocessors may process data outside the EU. Where this happens we rely on the European Commission's Standard Contractual Clauses or another lawful transfer mechanism, and we apply additional safeguards where appropriate.
6. Retention
Account data is kept for as long as your account is active. When you delete your account we delete or anonymise your personal data within 30 days, except for two categories:
- Backups, which roll off on their own retention schedule (currently up to 90 days).
- Records we are required to keep for tax, legal, or compliance reasons, or that we need to defend an active or threatened legal claim.
You can request earlier deletion of specific items at contact@talona.ai.
7. Security
We protect your data with industry-standard controls, including:
- Transport encryption (TLS) for traffic between you, our services, and our subprocessors.
- Encryption at rest for credentials, secrets, and other sensitive fields, using a key held outside the database.
- Per-user isolation for OAuth tokens and per-agent isolation for deployed runtimes.
- Authenticated and rate-limited service-to-service traffic between platform components.
- Audit logging for sensitive actions.
No system is perfectly secure. If we ever experience a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and we will tell you without undue delay.
8. Your rights
If you are in the EU or the UK, GDPR gives you the right to:
- Access the personal data we hold about you.
- Rectify inaccurate personal data.
- Erase your personal data, subject to our retention obligations.
- Restrict or object to certain processing.
- Receive a portable copy of personal data you provided to us.
- Withdraw consent where we rely on consent, without affecting prior processing.
- Lodge a complaint with your national data protection authority. If you are in Poland, this is the President of the Personal Data Protection Office (UODO).
If you are in California, you have analogous rights under the CCPA, including the right to know, the right to delete, the right to correct, and the right not to be discriminated against for exercising your rights. We do not sell or share personal data within the meaning of the CCPA.
To exercise any of these rights, write to contact@talona.ai. We will respond within the timeframes the law requires.
9. Cookies
Talona uses cookies and similar storage to keep you signed in and to remember your preferences. We do not use third-party advertising cookies. We may use a small set of analytics cookies to count visits and detect errors; you can refuse these from the cookie banner where one is shown.
10. Children
Talona is not intended for, and is not directed at, anyone under 16. We do not knowingly collect data from children. If you believe a child has given us their data, contact us and we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. The current version is always at this URL with an updated "Last updated" date. For material changes we will notify you by email or in-product. If you keep using the Service after the change, you accept the new Policy.
12. Contact
For privacy questions, requests under your rights, or any other concern about how we handle your data, write to contact@talona.ai.