OFIA · LEGAL

Privacy Policy

Last updated: April 29, 2026

This Privacy Policy describes how Ofia ("Ofia", "we", "us", or "our") collects, uses, discloses, and safeguards personal information when you (i) visit ofia.ai or any related Ofia web property (the "Site"), (ii) engage Ofia for consultancy, advisory, or implementation services, and (iii) interact with the Ofia software platform (the "Platform"). This policy is incorporated into our Terms of Service.

1. Who is Ofia?

Ofia is an AI agency and platform headquartered in the United States. We can be reached at contact@ofia.ai. For privacy-specific inquiries, requests under data-protection law, or to reach our data protection point of contact, use the same address with the subject line "Privacy Request."

2. Scope and Roles

We act in different roles depending on the context:

• Site visitors — we are an independent "controller" (GDPR) / "business" (CCPA) for personal information collected when you browse or contact us through the Site.
• Prospective and current clients — for personal information you share during sales, scoping, or contracting, we act as a controller. For personal data your organization makes available to us within the Platform during a paid engagement, we act as a "processor" / "service provider" on your behalf, governed by an Order and our Data Processing Addendum.
• End users of agents we operate for clients — interactions with agents we operate are processed under our client's instructions. Direct privacy requests should generally be addressed to the client; we will support those requests as required.

3. Information We Collect

3.1 Information from Site visitors

• Information you provide — name, work email, company, role, and the contents of any message when you contact us, request a demo, schedule a call, or submit a form.
• Automatically collected information — IP address, approximate location (city / region), device and browser type, language, referring URL, pages visited, time on page, and similar diagnostics. Collected through standard server logs and our analytics provider (PostHog).
• Cookies and similar technologies — strictly necessary cookies, analytics cookies (PostHog), and local storage to remember preferences. We do not use third-party advertising trackers and do not sell or share personal information for cross-context behavioral advertising.
• Investor / confidential surfaces — when you access gated areas such as /vc, we may log the username used and the time of access for security and audit purposes.

3.2 Information from clients during engagements

During a typical 4-week onboarding (and any ongoing engagement), we receive information your team shares with us so that we can encode your decision rights, norms, and operating rhythm into the Platform. This may include:

• names, titles, contact details, and reporting lines of personnel;
• documents, policies, playbooks, transcripts, recordings (only with your consent), and other artifacts you provide;
• integration credentials and access tokens needed to connect the Platform to your tools (which we store encrypted and use only for the agreed purpose);
• content of meetings, workshops, Slack/Teams channels, or shared workspaces that you choose to expose to us.

3.3 Information the Platform records during operation

The Platform operates AI agents bound to your encoded contract and observes their actions in order to refine that contract over time. For each engagement, the Platform may record:

• Agent action logs — what an agent did, which tool it called, what data it read or wrote, what trust contract was applied, and the outcome.
• Human-agent interaction logs — the prompts, replies, approvals, escalations, and overrides between your people and the agents.
• Refinement signals — derived metadata used to update the principles.toml, spaces hierarchy, and trust contracts (e.g., recurring override patterns, escalation outcomes).
• System telemetry — performance, error, and security telemetry needed to keep the Platform reliable.

4. How We Use Information

• Provide and operate the Services — respond to inquiries, run engagements, encode and refine your organizational contract, operate agents, and deliver Outputs.
• Improve the Site and Platform — measure performance, debug, prioritize features, and improve content. Where we use Platform data for product improvement, we do so on aggregated, anonymized, or de-identified data and never to train third-party AI models on Customer Data (see Section 8).
• Security, fraud, and abuse prevention — protect access- controlled areas, investigate incidents, and enforce our Terms.
• Legal and contractual obligations — comply with applicable law, respond to lawful requests, and exercise or defend legal claims.
• Communications — send transactional emails, respond to you, and (with your consent where required) send updates about Ofia.

Legal bases (GDPR/UK GDPR). We rely on (a) performance of a contract with you, (b) our legitimate interests in operating, improving, and securing our Site and Platform, (c) consent where required (e.g., for non-essential cookies in jurisdictions that require it), and (d) compliance with legal obligations.

5. Sharing and Subprocessors

We share personal information only as described below, and we do not sell personal information.

• Service providers / subprocessors. We share information with third parties who help us operate the Site and Platform, under written contracts that restrict their use to providing services to us.
• Affiliates. Companies under common control with Ofia, subject to this policy.
• Professional advisers. Lawyers, auditors, and insurers under duties of confidentiality.
• Business transfers. If Ofia is involved in a merger, financing, acquisition, or sale of assets, information may be transferred as part of that transaction.
• Legal and safety. Where required by law, court order, or to protect rights, property, or safety.

5.1 Current key subprocessors

Additional subprocessors may be engaged as the Services evolve. Material additions affecting client engagements will be communicated under the DPA.

6. International Transfers

Ofia is based in the United States and our subprocessors may also process personal information in the United States and other countries. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable), supplemented by additional measures where appropriate. Copies of the SCCs we use are available on request.

7. Retention

• Inquiry and contact records — retained as long as needed to respond to you and to maintain the relationship, then deleted on a rolling schedule.
• Engagement records — retained for the duration of the engagement and for a reasonable period afterward (typically up to seven years) to comply with legal, tax, and audit obligations.
• Platform Customer Data — retained for the duration of the Order and any period required to comply with law or to defend claims, then deleted or returned per the Order / DPA.
• Server and security logs — typically retained for a short rolling window (days to weeks) for security and debugging.
• Analytics — retained per our analytics provider's default settings, which we periodically review.

8. AI Training Disclosure

We do not use Customer Data, the contents of any principles.toml encoded for a client, or the substance of any human-agent interaction to train third-party foundation models. We contractually require third-party LLM subprocessors (including Anthropic and OpenAI) to abstain from training on data submitted via Ofia. Where we improve the Platform itself (for example, by tuning routing logic, evaluating agent policies, or refining our principles taxonomy), we do so on aggregated, anonymized, or de-identified operational metadata.

9. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS), encryption at rest for production stores, role-based access control, audit logging, vendor security review, and least-privilege production access. Confidential Site surfaces (e.g., /vc) are gated behind authentication. No system is perfectly secure; please do not transmit information you would not want recorded.

10. Your Privacy Rights

Depending on where you live, you may have rights to:

• access the personal information we hold about you and request a copy;
• correct or update inaccurate or incomplete data;
• delete personal information, subject to legal exceptions;
• object to or restrict certain processing;
• port your data to another service in a structured format;
• withdraw consent at any time where processing is based on consent.

10.1 EEA / UK / Swiss residents

You have the rights above under the GDPR / UK GDPR. You may also lodge a complaint with your local supervisory authority. Where Ofia processes personal data on behalf of a client (i.e., as a processor), please direct your request to that client; we will support them as required.

10.2 California residents

Under the California Consumer Privacy Act (as amended by the CPRA), you may request to know, delete, correct, and limit the use of sensitive personal information, and you have the right not to be discriminated against for exercising those rights. We do not sell personal information and do not share it for cross-context behavioral advertising. To exercise your rights, email contact@ofia.ai. You may use an authorized agent; we will verify the request before responding.

10.3 Other jurisdictions

Residents of other U.S. states with comprehensive privacy laws (Colorado, Connecticut, Virginia, Utah, Texas, and others) have analogous rights, which we will honor. Residents of Brazil, Canada, and other jurisdictions may also have rights under local law.

11. Regulated Data

We do not intend the Site or the Platform to be used for the processing of specially-regulated data (such as protected health information under HIPAA, payment card data subject to PCI-DSS, or government-classified information) unless we have agreed in writing in advance and signed any required addendum (e.g., a Business Associate Agreement). Please do not submit such data to us absent that agreement.

12. Children's Privacy

The Services are intended for business use and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

13. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent version. If we make a material change, we will provide reasonable notice (e.g., by posting a banner on the Site or emailing your account contact).

14. Contact

Questions, requests, or concerns about this policy? contact@ofia.ai