Privacy Policy
Effective date: July 9, 2026
Version: 2026-07-09
This Privacy Policy explains how Calapi Inc. ("Provider," "we," "us," or "our") collects, uses, discloses, and otherwise processes Personal Information in connection with Fat Controller, including its websites, applications, APIs, software, account systems, and related services (collectively, the "Service").
"Personal Information" means information that identifies, relates to, describes, or could reasonably be linked with an identifiable person, subject to applicable law.
By accessing or using the Service, you acknowledge this Privacy Policy and agree to the processing described here to the extent consent is a valid legal basis. Where applicable law requires a different legal basis or separate affirmative consent, we will rely on that basis or seek that consent.
1. Scope
This Policy applies to Personal Information we process as a controller or business for our own purposes. In some business or enterprise contexts, we may process information on behalf of a customer under a separate agreement or data processing addendum; in that situation, the customer may control the processing and its privacy notice may also apply.
This Policy does not govern independent third-party services, model providers, websites, connectors, integrations, data sources, or applications. Their own terms and privacy practices apply.
2. Information we collect
Depending on how you use the Service, we may collect:
Account and identity information
Name, email address, username, organization, role, account identifiers, authentication status, and account preferences.
Billing and transaction information
Subscription status, plan, purchases, credits, invoices, transaction identifiers, tax information, billing address, and limited payment-related information. Payment card details may be processed directly by a payment processor rather than stored by us.
Device, network, and technical information
IP address, browser type, operating system, device identifiers, timestamps, request identifiers, referring URLs, language, approximate location derived from IP address, connection information, and similar technical data.
Usage and telemetry information
Features used, API endpoints called, models selected, token or compute counts, request duration, errors, latency, usage volumes, interaction events, security events, and similar operational metadata.
Content and communications
Information you submit in support requests, feedback, direct chats, prompts, files, messages, instructions, or other communications with us or with features of the Service.
Integration and third-party information
Information received from authentication providers, payment processors, connected services, model providers, connectors, business partners, or other third parties when you direct or authorize an integration or when necessary to operate the Service.
Security and abuse-prevention information
Authentication events, suspected fraud indicators, rate-limit events, malicious activity indicators, audit logs, and other data used to protect the Service and users.
3. How we collect information
We collect information:
- directly from you;
- automatically when you access or use the Service;
- from your organization or an account administrator;
- from third-party services you choose to connect;
- from service providers supporting authentication, billing, hosting, analytics, security, communications, or AI processing;
- from public sources where permitted by law.
4. How we use information
We may use Personal Information to:
- provide, operate, maintain, authenticate, and support the Service;
- create and administer accounts;
- route requests and provide integrations;
- calculate usage and billing;
- secure the Service, prevent fraud, investigate abuse, and enforce policies;
- monitor reliability, debug failures, and improve performance;
- respond to support requests and communicate with you;
- develop, test, analyze, and improve features;
- comply with law, legal process, and valid government requests;
- establish, exercise, or defend legal claims;
- protect users, third parties, the public, and our rights;
- conduct corporate transactions such as financing, merger, acquisition, reorganization, or sale of assets;
- send service, account, security, legal, and policy notices;
- send marketing communications where permitted by law and subject to available choices.
5. AI improvement and training
We distinguish between different kinds of content because they present different privacy and commercial expectations.
Direct first-party assistant interactions
Unless you opt out through available privacy settings, we may use direct conversations you initiate with first-party Fat Controller AI or assistant features, together with related feedback and limited metadata, to evaluate, develop, and improve our products and models.
Operational and local-system content
Command streams, local files, process output, credentials, machine state, configuration data, and other operational content are not treated as general-purpose training data merely because Fat Controller can access or process them. We do not use such operational content to train our general-purpose models by default.
When you explicitly submit content to an AI feature, the content may be transmitted to a selected model provider and processed according to applicable settings and provider practices. You are responsible for selecting an appropriate provider and data-control configuration.
Where content is sent to a third-party model provider, that provider may process content according to its own terms, privacy policy, retention settings, and training settings. We may provide controls or routing options for some providers, but we do not control a third party's independent practices.
You are responsible for not submitting Personal Information or confidential material to an AI feature unless you are authorized to do so and the feature's settings are appropriate for the information.
6. How we disclose information
We may disclose Personal Information to:
Service providers and subprocessors
Providers of hosting, databases, infrastructure, authentication, email, customer support, security, monitoring, analytics, payment processing, and professional services.
AI model and technology providers
When necessary to provide AI-assisted features or when you select or enable a model, route, or integration.
Third-party integrations you choose
When you direct the Service to connect to or exchange data with another service.
Your organization
If your account is part of an organization, authorized administrators may access account, usage, configuration, audit, or content information according to organizational settings and applicable agreements.
Legal and safety recipients
Government authorities, regulators, courts, law enforcement, counterparties, or other recipients when we reasonably believe disclosure is required by law or necessary to protect rights, safety, security, or the integrity of the Service.
Corporate transaction recipients
Potential or actual acquirers, investors, lenders, advisors, or successors in connection with a financing, merger, acquisition, reorganization, bankruptcy, or transfer of assets, subject to appropriate confidentiality measures where applicable.
We do not currently sell Personal Information for monetary consideration. We do not use operational content, command streams, or local-system content for targeted advertising.
7. Data retention
We retain Personal Information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, maintain security, meet legal and accounting obligations, resolve disputes, prevent fraud, and enforce agreements.
Retention varies by data type, account status, settings, legal obligations, and operational need. Some records may remain in backups for a limited period. We may retain de-identified or aggregated information where permitted by law.
Account deletion does not necessarily require immediate deletion of every record. We may retain information where required or permitted for legal compliance, security, fraud prevention, billing, dispute resolution, backups, or establishment and defense of legal claims.
8. Security
We use administrative, technical, and organizational measures designed to protect information. No method of transmission, network, storage, or security control is completely secure, and we cannot guarantee absolute security.
You are responsible for protecting account credentials, API keys, devices, authentication factors, and the security of systems you connect to the Service.
9. Cookies and similar technologies
We may use cookies, local storage, SDKs, pixels, or similar technologies for authentication, security, preferences, analytics, and Service operation.
[IMPLEMENTATION REQUIRED: publish a cookie inventory and consent mechanism if non-essential cookies or jurisdictional requirements make this necessary.]
10. Your choices and privacy rights
Depending on where you live and applicable law, you may have rights to request access, correction, deletion, portability, restriction, or objection to certain processing, or to withdraw consent where processing is based on consent.
To submit a request, contact contactus@calapi.ai. We may need to verify your identity and may deny or limit a request where permitted by law.
You may:
- opt out of marketing email through the unsubscribe mechanism;
- manage available AI improvement or training settings;
- manage available integration and provider settings;
- request account deletion through available account controls or by contacting us.
We will not unlawfully discriminate against you for exercising an applicable privacy right.
11. U.S. state privacy disclosures
Residents of certain U.S. states may have additional rights under applicable state privacy laws. Depending on the law and our activities, these may include rights to know, access, correct, delete, obtain a portable copy, or opt out of certain targeted advertising, sale, sharing, or profiling activities.
[COUNSEL/IMPLEMENTATION REQUIRED: complete state-specific disclosures once entity, user geography, advertising stack, analytics stack, and data volumes are known.]
12. International transfers
We may process information in the United States and other countries where we or our service providers operate. Those countries may have different data-protection laws.
[COUNSEL/IMPLEMENTATION REQUIRED: add transfer mechanism disclosures and contractual commitments appropriate to actual user geography and subprocessors.]
13. Children
The Service is not directed to children under 13, and we do not knowingly collect Personal Information from children under 13. If you believe a child has provided Personal Information, contact contactus@calapi.ai.
Additional age restrictions may apply to particular features or jurisdictions.
14. Changes to this Privacy Policy
We may revise this Privacy Policy from time to time and, to the maximum extent permitted by applicable law, without prior notice. A revised Policy becomes effective when posted or on a later date stated in the Policy.
For material changes to how we collect, use, or disclose Personal Information, we may provide notice by email, in-product notice, account message, website notice, or other reasonable means when required by law or when we determine notice is appropriate. Where applicable law requires consent for a material change, we will seek it.
Your continued access to or use of the Service after a revised Policy becomes effective constitutes acknowledgment of the revised Policy and, where legally valid, agreement to the revised practices. A revised Policy will not retroactively expand our rights to previously collected Personal Information where prohibited by law.
You are responsible for keeping your account contact information current and reviewing the posted Policy periodically.
15. Contact us
Calapi Inc.
Privacy: contactus@calapi.ai
Legal: contactus@calapi.ai
If applicable:
Data Protection Officer / EU Representative: Not yet applicable