PRIVACY POLICY - FULGURAI
Last Updated: November 16, 2025

================================================================================
IMPORTANT: This Privacy Policy explains how FulgurAI collects, uses, and
protects your personal data. We are committed to transparency and your privacy
rights under GDPR and applicable data protection laws.
================================================================================

1. INTRODUCTION

FulgurAI ("we," "our," or "us") provides an AI-powered automation platform that
creates intelligent agents to automate your tasks. This Privacy Policy describes
how we collect, use, store, and protect your personal information when you use
our service at https://fulgurai.com.

This policy is governed by the General Data Protection Regulation (GDPR) and
French data protection law. For legal entity details, see Section 10 (Legal
Information) at the end of this document.

================================================================================
2. WHAT INFORMATION WE COLLECT
================================================================================

2.1 ACCOUNT INFORMATION

When you create a FulgurAI account, we collect:
- Email address (via Google OAuth authentication)
- Name (from your Google account profile)
- Profile picture (optional, from Google account)
- Account creation date and last login

2.2 INTEGRATION DATA

When you connect third-party services to FulgurAI, we access and process data
according to the permissions you grant:

GOOGLE SERVICES:
- Google Drive: Files and folders you specify for agent processing (read access), files created by agents (write access)
- Gmail: Emails and attachments matching your specified filters (subject, sender, date range), email sending capabilities for agent results
- Google Sheets: Spreadsheet data you designate for reading or writing
- Google Calendar: Calendar events you choose to read or create via agents
- Google Docs: Document content you specify for reading or generating

SLACK:
- Workspace information: Workspace name, team ID, channels
- Message sending: Agents send messages to channels you specify
- File uploads: Agents can upload files to your Slack workspace
- User information: User names and email addresses for agent operations

NOTION:
- Pages and databases: Content from pages/databases you explicitly share with FulgurAI
- Workspace information: Workspace name and ID
- Content creation: New pages, database entries created by agents

EMAIL (IMAP):
- Email credentials: IMAP server, username, password (encrypted)
- Email messages: Messages matching your filters
- Attachments: Files attached to emails processed by agents

2.3 AGENT DATA

- Agent code: Python code generated during agent creation
- Execution logs: stdout, stderr, and execution status
- Output files: Files created by agents during execution
- Execution history: Timestamps, duration, success/failure status
- Chat messages: Conversations during agent creation and iteration

2.4 PAYMENT INFORMATION

- Payment details: Processed by Stripe (we do NOT store credit card numbers)
- Billing information: Name, billing address, email for invoices
- Transaction history: Payment dates, amounts, subscription status

2.5 USAGE DATA

- Technical data: IP address, browser type, device information
- Analytics: Pages visited, features used, time spent
- Performance data: Agent execution times, success rates, error logs

================================================================================
3. HOW WE USE YOUR INFORMATION
================================================================================

3.1 PRIMARY USES

- Provide the Service: Create, execute, and manage automation agents
- Process Your Data: Execute agents on data from your integrated services
- Store Results: Save agent outputs, execution logs, and generated files
- Facilitate Integrations: Connect to and interact with third-party services on your behalf

3.2 SERVICE IMPROVEMENT

- Improve reliability: Analyze failures to enhance agent success rates
- Optimize performance: Monitor execution times and costs
- Develop features: Understand usage patterns to build requested features
- Fix bugs: Debug issues using execution logs and error reports

3.3 COMMUNICATION

- Service emails: Agent execution results, error notifications
- Account updates: Password changes, security alerts
- Billing: Payment confirmations, invoices, subscription changes
- Support: Responses to your inquiries
- Marketing: Product updates and new features (you can opt out)

3.4 LEGAL BASIS FOR PROCESSING (GDPR)

Purpose                          | Legal Basis
---------------------------------|----------------------------------------
Providing the service            | Performance of contract
Processing integrated data       | Your explicit consent (via OAuth)
Payment processing               | Performance of contract
Service improvement              | Legitimate interest
Security and fraud prevention    | Legitimate interest and legal obligation
Marketing communications         | Consent (you can opt out)

================================================================================
4. HOW WE SHARE YOUR INFORMATION
================================================================================

4.1 THIRD-PARTY SERVICE PROVIDERS

We share data with trusted third parties who help us provide the service:

Service Provider | Purpose                  | Data Shared                           | Location
-----------------|--------------------------|---------------------------------------|----------
E2B (e2b.dev)    | Code execution sandboxes | Agent code, execution environment,    | USA
                 |                          | temporary files                       |
Anthropic        | AI agent creation        | Chat messages, sample files,          | USA
(Claude API)     |                          | generated code                        |
Browserbase      | Web scraping             | URLs to scrape, browser interactions  | USA
Stripe           | Payment processing       | Billing information, payment methods  | USA (GDPR compliant)
Google APIs      | Drive, Gmail, Sheets,    | Data you authorize via OAuth          | USA (GDPR compliant)
                 | Calendar, Docs access    |                                       |
Slack API        | Workspace integration    | Messages, files sent by agents        | USA (GDPR compliant)
Notion API       | Page/database access     | Content you share with FulgurAI       | USA (GDPR compliant)

4.2 INTERNATIONAL DATA TRANSFERS

Your data may be transferred to and processed in the United States and other
countries outside the European Economic Area (EEA). We ensure appropriate
safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with service providers
- Privacy Shield successors: Where applicable, we rely on adequacy decisions
- Encryption: Data is encrypted in transit (TLS) and at rest (AES-256-GCM)

4.3 WE DO NOT SELL YOUR DATA

We never sell, rent, or trade your personal information to third parties for
marketing purposes.

4.4 LEGAL REQUIREMENTS

We may disclose your information if required by law, court order, or government
request, or to:
- Comply with legal obligations
- Protect our rights, property, or safety
- Prevent fraud or security threats
- Protect users' safety

================================================================================
5. HOW WE STORE AND SECURE YOUR DATA
================================================================================

5.1 DATA STORAGE

- Database: PostgreSQL database hosted on secure servers
- Location: European Union (primary), with backups
- Encryption: All sensitive data encrypted at rest using AES-256-GCM
- Access tokens: OAuth tokens encrypted before storage

5.2 SECURITY MEASURES

- Transport encryption: All connections use TLS 1.2 or higher
- Authentication: OAuth 2.0 for third-party integrations
- Access control: Role-based access, principle of least privilege
- Monitoring: Continuous security monitoring and logging
- Sandboxing: Agent code runs in isolated E2B sandboxes
- Regular audits: Security reviews and penetration testing

5.3 DATA RETENTION

Data Type                        | Retention Period
---------------------------------|----------------------------------------------
Account information              | Until account deletion + 30 days
Agent code and configurations    | Until agent deletion or account closure
Execution logs                   | 90 days (for debugging and analytics)
Output files                     | Until manually deleted or account closure
Payment records                  | 7 years (legal requirement for accounting)
Integration tokens               | Until you disconnect the integration
Backups                          | 30 days (then permanently deleted)

After account deletion: All personal data is permanently deleted within 30 days,
except payment records retained for legal compliance.

================================================================================
6. YOUR PRIVACY RIGHTS (GDPR)
================================================================================

Under the General Data Protection Regulation (GDPR) and French data protection
law, you have the following rights:

6.1 RIGHT OF ACCESS

Request a copy of all personal data we hold about you, including:
- Account information
- Agent configurations and code
- Execution history
- Integration connections

6.2 RIGHT TO RECTIFICATION

Correct inaccurate or incomplete personal data. You can update most information
directly in your account settings.

6.3 RIGHT TO ERASURE ("RIGHT TO BE FORGOTTEN")

Request deletion of your personal data. You can delete your account at any time
through account settings or by contacting us.

6.4 RIGHT TO RESTRICTION OF PROCESSING

Request that we limit how we process your data in certain circumstances.

6.5 RIGHT TO DATA PORTABILITY

Receive your data in a structured, commonly used, machine-readable format
(JSON/CSV) and transfer it to another service.

6.6 RIGHT TO OBJECT

Object to processing based on legitimate interests or for direct marketing
purposes.

6.7 RIGHT TO WITHDRAW CONSENT

Withdraw consent for data processing at any time (e.g., disconnect integrations,
opt out of marketing emails).

6.8 RIGHT TO LODGE A COMPLAINT

File a complaint with your data protection authority:
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) - www.cnil.fr
- EU: Your local data protection authority

6.9 HOW TO EXERCISE YOUR RIGHTS

To exercise any of these rights, contact us at:
- Email: contact@fulgurai.com or security@fulgurai.com
- Subject line: "GDPR Request - [Your Right]"
- Response time: We will respond within 30 days

================================================================================
7. COOKIES AND TRACKING
================================================================================

7.1 COOKIES WE USE

Cookie Type              | Purpose                  | Duration
-------------------------|--------------------------|--------------------------------
Session cookies          | Keep you logged in       | Session (deleted when you close browser)
Authentication cookies   | Verify your identity     | 30 days
Preference cookies       | Remember your settings   | 1 year

7.2 THIRD-PARTY ANALYTICS

We may use analytics services to understand how users interact with FulgurAI.
These services may set their own cookies. You can opt out through browser
settings or privacy extensions.

7.3 MANAGING COOKIES

You can control cookies through your browser settings. Note that disabling
essential cookies may prevent you from using certain features.

================================================================================
8. CHILDREN'S PRIVACY
================================================================================

FulgurAI is not intended for users under 18 years of age. We do not knowingly
collect personal information from children. If we discover we have collected
data from a child, we will delete it immediately.

If you believe a child has provided us with personal information, please contact
us at security@fulgurai.com.

================================================================================
9. CHANGES TO THIS PRIVACY POLICY
================================================================================

We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Legal or regulatory requirements
- New features or integrations

NOTICE OF CHANGES: We will notify you of significant changes by:
- Updating the "Last Updated" date at the top
- Sending an email to your registered address
- Displaying a prominent notice on our website

Your continued use of FulgurAI after changes constitutes acceptance of the
updated policy.

================================================================================
10. DATA BREACH NOTIFICATION
================================================================================

In the event of a data breach that may affect your personal information, we will:
- Notify affected users within 72 hours of discovery
- Notify relevant data protection authorities as required by law
- Provide details about the breach and steps we're taking
- Offer guidance on protecting yourself

================================================================================
CONTACT US
================================================================================

For questions about this Privacy Policy or our data practices, contact us:

EMAIL:
- General inquiries: contact@fulgurai.com
- Privacy/security: security@fulgurai.com
- GDPR requests: security@fulgurai.com

POSTAL ADDRESS:
FulgurAI
4 Place Louis Chazette
69001 Lyon
France

================================================================================
10. LEGAL INFORMATION
================================================================================

DATA CONTROLLER (GDPR Article 13)

Legal Entity: Pierre Henri Jean Humblot, Entrepreneur Individuel
Business Registration: SIREN 823 531 157, SIRET 823 531 157 00019
Business Activity: 62.01Z - Programmation informatique
Registered Address: 4 Place Louis Chazette, 69001 Lyon, France
Tax Residence: Czech Republic
Contact: contact@fulgurai.com

JURISDICTION

This Privacy Policy is governed by French data protection law and the General
Data Protection Regulation (GDPR). Any disputes relating to data protection are
subject to the jurisdiction of the courts of Lyon, France, or your local data
protection authority.

SUPERVISORY AUTHORITY

France: Commission Nationale de l'Informatique et des Libertés (CNIL)
Website: www.cnil.fr
EU: Your local data protection authority

================================================================================
© 2025 FulgurAI. All rights reserved.
================================================================================