Privacy Policy

Effective Date: February 22, 2026

Communa Inc · 99 Wall Street, Suite 1199, New York, NY 10005

1. Introduction

This Privacy Policy describes how Communa Inc ("Communa," "we," "us," or "our") collects, uses, processes, stores, and protects personal information when you use the Communa platform, APIs, agents, documentation, and related services (collectively, the "Services").

We are committed to transparency. This policy explains your rights and our obligations regarding your data. By using the Services, you acknowledge that you have read and understood this Privacy Policy.

Communa Inc is a corporation organized under the laws of the State of Delaware and operating from 99 Wall Street, Suite 1199, New York, NY 10005-4301. For privacy inquiries, you can reach us at support@communa.io.

2. Our Role: Data Controller and Data Processor

Depending on the context, Communa acts in different capacities with respect to personal data:

2.1 When We Are a Data Controller

We act as a data controller when we collect and process data for our own purposes, such as:

  • Account registration and authentication
  • Billing and payment processing
  • Service improvement, analytics, and security monitoring
  • Communications with you (support, product updates, legal notices)

2.2 When We Are a Data Processor

We act as a data processor when you use our Services to process data through your AI agents. In this capacity:

  • You are the data controller — you determine the purpose and means of processing
  • We process data only as instructed by you through your agent configurations and usage
  • Data processed by agents (including files, emails, scraped content, and captured data) is your data and your responsibility
  • You are responsible for ensuring a valid legal basis for any personal data your agents process

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Authentication identifiers from third-party OAuth providers (e.g., Google, GitHub)
  • Organization or team information (if applicable)

3.2 Agent and Platform Usage Data

When you use the Services, we automatically collect:

  • Agent configurations, skill definitions, and automation settings
  • Chat messages between you and your agents
  • Agent execution logs, action histories, and error reports
  • Sandbox environment metadata (not the contents of your files unless necessary for service provision)
  • API call metadata (timestamps, endpoints, response codes)
  • Credit usage and billing events

3.3 Data Processed by Agents

Your agents may process various types of data on your behalf, including:

  • Files you upload or that agents create
  • Emails sent and received by agents
  • Data scraped or extracted from websites
  • Structured data captured in agent databases
  • Third-party service responses and API data

This data is processed according to your instructions. We do not independently determine how this data is used.

3.4 Credentials

If you store credentials (API keys, passwords, tokens) in the credential vault, those credentials are encrypted at rest. We employ best-effort measures to prevent credential values from being exposed in AI model contexts, but cannot guarantee absolute concealment.

3.5 Technical and Device Data

We automatically collect standard technical data:

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Referring URLs
  • Pages visited and features used
  • Time and date of access

3.6 Cookies and Tracking Technologies

We use cookies and similar technologies for authentication, session management, and analytics. We use:

  • Essential cookies: Required for authentication and core platform functionality. Cannot be disabled.
  • Analytics cookies: Help us understand how the Services are used. You may opt out through your browser settings.

We do not use advertising cookies. We do not sell your data. We do not engage in cross-site behavioral tracking for advertising purposes.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Services
  • Authenticate your identity and manage your account
  • Process payments and manage credits
  • Execute your agent instructions and automation tasks
  • Monitor for abuse, fraud, and security threats
  • Respond to your support requests and communications
  • Send service-related notices (security alerts, billing, Terms updates)
  • Generate aggregated, anonymized analytics to improve the platform
  • Comply with legal obligations

We do not use your User Content (files, agent data, emails) to train our AI models. We do not sell, rent, or trade your personal information.

5. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data are:

Processing ActivityLegal Basis
Account creation and managementPerformance of contract (Art. 6(1)(b))
Providing the ServicesPerformance of contract (Art. 6(1)(b))
Processing paymentsPerformance of contract (Art. 6(1)(b))
Security monitoring and fraud preventionLegitimate interests (Art. 6(1)(f))
Service improvement and analyticsLegitimate interests (Art. 6(1)(f))
Service-related communicationsLegitimate interests (Art. 6(1)(f))
Legal complianceLegal obligation (Art. 6(1)(c))
Marketing communications (if any)Consent (Art. 6(1)(a))

6. How We Share Your Information

We may share your information in the following circumstances:

6.1 Service Providers and Subprocessors

We use third-party service providers to help operate the Services. These providers process data on our behalf and are contractually bound to use it only for the purposes we specify. Categories of subprocessors include:

  • Cloud infrastructure: Hosting, storage, and compute providers
  • AI model providers: For natural language processing and agent reasoning capabilities
  • Authentication: Identity verification and OAuth providers
  • Payment processing: Billing and subscription management
  • Email delivery: Transactional and agent email services
  • Analytics: Anonymized usage analytics

6.2 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

6.4 With Your Consent

We may share information with your explicit consent or at your direction.

7. International Data Transfers

The Services are operated from the United States. If you access the Services from outside the United States, your data will be transferred to and processed in the United States and potentially other jurisdictions where our service providers operate.

For transfers from the EEA, UK, or Switzerland to countries that have not received an adequacy decision, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with our subprocessors
  • Additional technical and organizational measures as appropriate

We implement reasonable technical and organizational measures to protect your data during transfer and processing. However, we do not currently hold SOC 2, ISO 27001, or formal GDPR certifications. We are transparent about this and are continuously improving our security posture.

8. Data Security

We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS) and sensitive data at rest
  • Credential encryption with best-effort LLM concealment
  • Isolated sandbox environments per agent
  • Access controls and authentication mechanisms
  • Regular security reviews and monitoring

No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. You acknowledge that you provide your data at your own risk.

9. Data Retention

We retain your personal information for as long as:

  • Your account is active and you are using the Services
  • Necessary to provide you with the Services
  • Required to comply with our legal, regulatory, or contractual obligations
  • Necessary to resolve disputes, enforce our agreements, or protect our rights

When you delete your account or request data deletion, we will delete or anonymize your personal information within a reasonable timeframe, except where retention is required by law. Agent execution logs and anonymized analytics data may be retained for a longer period.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information:

10.1 Your Rights

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
  • Right to Correct: You may request that we correct inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

10.2 Exercising Your Rights

To exercise your CCPA/CPRA rights, contact us at support@communa.io. We will verify your identity before processing your request. We will respond within 45 days as required by law.

10.3 Categories of Information

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA: identifiers (email, name, IP address), commercial information (billing records), internet or network activity (usage logs, browsing data), and professional information (organization name, if provided). We have not sold any personal information.

11. Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal exceptions.
  • Right to Restriction: Request restriction of processing in certain circumstances.
  • Right to Data Portability: Request a machine-readable copy of your data.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
  • Right to Lodge a Complaint: You may file a complaint with your local data protection authority.

To exercise these rights, contact us at support@communa.io. We will respond within 30 days as required by GDPR.

12. AI-Specific Data Practices

Given the AI-centric nature of our Services, we want to be transparent about how data interacts with AI systems:

12.1 AI Model Providers

We use third-party AI model providers (such as Anthropic, OpenAI, and others) to power agent reasoning and computer-use capabilities. When your agents execute tasks, relevant context (including your prompts, agent instructions, and in-scope data) may be sent to these providers for inference. These providers operate under their own data processing agreements and privacy policies.

12.2 No Training on Your Data

We do not use your User Content (files, agent configurations, captured data, or emails) to train, fine-tune, or improve AI models. Your data is used solely for providing the Services.

12.3 Agent Sandbox Data

Each agent operates in an isolated sandbox environment. Files, databases, and data within an agent's sandbox are accessible only to that agent and to you. Sandbox environments are ephemeral by nature, and data persistence is managed according to your agent and automation configurations.

12.4 Screen and Action Data

When agents use computer-use capabilities, screenshots and action logs may be captured for execution purposes, debugging, and replay functionality. This data is associated with your account and treated as User Content.

13. Children's Privacy

The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly. If you believe a minor has provided us with personal data, please contact us at support@communa.io.

14. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. There is currently no industry standard for how to respond to DNT signals, and we do not currently alter our data collection practices in response to DNT signals. If a standard is established, we will review and update our practices accordingly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Services or by other reasonable means (such as email). The "Effective Date" at the top of this page indicates when the policy was last revised. Your continued use of the Services after any changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Communa Inc
99 Wall Street, Suite 1199
New York, NY 10005-4301
Email: support@communa.io

For GDPR-related inquiries, you may also contact your local data protection authority.