Privacy Policy
1. Who We Are
ExternAI Limited (“ExternAI”, “we”, “our”, or “us”) is a UK-based technology company building next-generation autonomous AI Agents.
We are the Data Controller for the personal data you provide when using our website, platform, or interacting with our services.
ExternAI Ltd
71-75 Shelton Street, London, WC2H 9JQ, UK
Email: privacy@externai.com
2. What Data We Collect
- Personal identifiers: name, email address, company name, role
- Usage data: clicks, page visits, scroll depth, form submissions
- Communication data: messages, prompts, feedback, support inquiries
- Technical data: IP address, device type, browser, OS
- AI input data: messages sent to AI Agents, including uploaded files
- Authentication data: session tokens, login activity
3. How We Use Your Data
- Provide access to our platform and Agents
- Respond to inquiries and support requests
- Improve agent performance through anonymized feedback
- Monitor and ensure platform security
- Conduct analytics to improve product experience
- Comply with legal obligations (e.g. UK GDPR)
4. Legal Basis for Processing
- Consent – when you explicitly agree (e.g. marketing signup)
- Contractual necessity – to provide requested services
- Legitimate interest – for platform improvement and security
- Legal obligation – if required by authorities
5. Who We Share Data With
We only share your data with trusted processors, including:
- AI Providers: OpenAI, Anthropic – for processing input through APIs
- Analytics tools: PostHog, Langfuse – to understand user behavior
- Hosting providers: Vercel, AWS, or similar (UK/EU-based when possible)
- Payment & access providers: Stripe, Airwallex (if used)
We may share data with additional service providers as necessary for the operation of ExternAI. All subprocessors comply with applicable data protection laws.
This may include future integrations related to LLM development, multi-agent orchestration, or decentralized AI infrastructures, strictly for operational and platform functionality purposes.
We do not sell your data.
6. Cross-Border Transfers
Your data may be transferred outside the UK or EEA to partners (e.g. OpenAI in the US).
We ensure such transfers comply with UK GDPR via:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Vendor Data Processing Agreements (DPAs)
7. Data Retention
- For active accounts: until account deletion or inactivity (12+ months)
- For AI input logs: anonymized after 30–90 days (unless explicitly needed)
- For legal and compliance purposes: up to 7 years
Where permitted, AI Agents may retain contextual memory per user or organization to enhance personalization. This memory is fully deletable upon request.
8. AI Systems & Automation Disclosure
- Your inputs may be processed by AI Agents running through OpenAI, Anthropic, or similar APIs.
- These agents are partially autonomous and may generate responses based on past context.
- No fully automated decisions with legal effects are made unless explicitly stated.
- Please note that some responses or outputs on our platform may be generated entirely or partially by AI systems. While we monitor performance, human review is not always applied.
- We may use anonymized user interactions to evaluate and improve the performance of autonomous AI systems, including through observability tools such as LangSmith, Langfuse or similar.
9. Your Rights
Under UK GDPR, you have the right to:
- Access the data we hold about you
- Request correction or deletion
- Object to processing or request restriction
- Request data portability
- Lodge a complaint with the ICO: ico.org.uk
Users may request a no-AI processing mode for certain interactions, where feasible.
10. Cookies & Tracking
We use essential cookies and limited analytics tracking (e.g. PostHog).
Where consent is required, a cookie banner will be shown.
You can manage cookie preferences via browser or platform settings.
Some third-party services integrated into our platform (e.g. payment providers or hosting services) may also set their own cookies or tracking mechanisms. These are governed by their respective privacy policies.
11. Data Security
- End-to-end encryption (HTTPS)
- API key vaulting (e.g. HashiCorp Vault)
- Agent-level access controls
- Audit logs and anomaly detection
12. Children’s Privacy
Our platform is not intended for users under 16.
We do not knowingly collect data from minors.
13. Changes to This Policy
We may update this policy to reflect platform or regulatory changes.
If significant changes are made, you will be notified via email or platform notice.
This Privacy Policy may evolve to reflect future developments in AI infrastructure, including LLM training, decentralized agents, or synthetic cognition.
14. Contact
For questions or privacy-related requests: