Privacy Policy
Last updated: April 2026
1. Introduction
Alumia (“the Service”) is an AI agent platform operated by Hasna (“we”, “us”, “our”), a company registered and headquartered in Romania, European Union. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit alumia.com or use any of our services, including our web dashboard, APIs, and AI agents.
This policy applies to all users worldwide, including visitors, registered account holders, organization members, and API consumers. By accessing or using Alumia, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
We are committed to protecting your privacy and processing your data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Information We Collect
We collect information in several ways depending on how you interact with the Service.
2.1 Account and Profile Data
When you create an account, we collect:
- Full name and email address
- Password (stored as a salted, one-way hash — we never store plaintext passwords)
- Organization name and billing details
- Profile preferences and settings
- Timezone and locale preferences
2.2 Agent Conversation Data
When you interact with AI agents on the platform, we collect and store:
- Messages you send to agents and the responses they generate
- Tool call inputs and outputs (e.g., when an agent executes a search, sends an email, or reads a file)
- Session metadata including timestamps, model used, and token consumption
- Agent configuration, instructions, and attached skills
- Files, images, and documents you upload to agent conversations
2.3 Connector and Integration Data
When you connect third-party services (such as Gmail, Google Calendar, Slack, GitHub, or other applications) through our connector system, we collect:
- OAuth tokens and refresh tokens required to maintain the connection
- API credentials you provide for services that use API key authentication
- Data retrieved from connected services when your agents access them (e.g., email contents, calendar events, messages)
We only access data from connected services when explicitly requested by you or your configured agents. We do not continuously monitor or scrape your connected accounts.
2.4 Payment and Billing Data
We use Stripe as our payment processor. When you subscribe to a paid plan or add credits to your wallet, Stripe collects and processes your payment information directly. We receive and store:
- The last four digits of your payment card and its expiry date
- Billing address and tax identifiers (e.g., VAT number)
- Transaction history, invoice records, and subscription status
We never receive or store your full card number, CVV, or bank account details. All payment card data is handled exclusively by Stripe, which is PCI DSS Level 1 compliant.
2.5 Usage and Telemetry Data
We automatically collect certain technical information when you use the Service:
- Pages viewed, features used, and actions performed within the dashboard
- API endpoint calls, request timestamps, and response status codes
- AI model usage, token consumption, and cost metrics
- Session duration and frequency of use
2.6 Device and Browser Information
We collect standard technical data from your browser and device:
- IP address and approximate geographic location (country/region level)
- Browser type and version, operating system, and device type
- Screen resolution and viewport dimensions
- Referring URL and landing page
- Error logs and performance metrics
3. How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery and Operations
- Providing, maintaining, and improving the Alumia platform and its features
- Routing your messages to AI model providers and returning their responses
- Executing agent tool calls and connector operations on your behalf
- Managing your account, organizations, and team memberships
Billing and Financial Operations
- Processing payments, issuing invoices, and managing subscriptions
- Tracking usage-based consumption (AI tokens, API calls, hosting resources)
- Applying credits, deductions, and wallet transactions
Security and Fraud Prevention
- Detecting, preventing, and investigating unauthorized access or abuse
- Enforcing rate limits, guardrails, and content policies
- Monitoring for anomalous activity patterns
Product Improvement
- Analyzing aggregated, anonymized usage patterns to improve the platform
- Identifying and fixing bugs, performance bottlenecks, and reliability issues
- Developing new features informed by how users interact with existing ones
Communication
- Sending transactional emails (account verification, password resets, billing receipts)
- Delivering security alerts and service notifications
- Responding to your support requests and feedback
- Sending product updates and announcements (which you can opt out of at any time)
Legal Basis for Processing (GDPR)
We process your personal data on one or more of the following legal bases:
- Contract performance — processing necessary to provide the Service you signed up for
- Legitimate interests — improving the Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights
- Consent — where you have given explicit consent (e.g., optional marketing emails)
- Legal obligation — processing required to comply with applicable laws (e.g., tax records, fraud reporting)
4. AI Model Data Processing
Alumia is an AI agent platform that routes your conversations and agent tasks to third-party AI model providers. Understanding how your data flows through these providers is important.
4.1 How Conversation Data Flows to AI Providers
When you send a message to an AI agent, your message — along with relevant conversation context, system instructions, and tool outputs — is transmitted to one of our AI model providers for inference. The specific provider depends on the model you or your agent is configured to use.
4.2 Current AI Model Providers
We currently integrate with the following AI model providers:
- Anthropic (Claude models)
- OpenAI (GPT models)
- Google (Gemini models)
- Mistral AI (Mistral models)
- xAI (Grok models)
- DeepSeek (DeepSeek models)
- Groq (hosted open-source models)
- Cerebras (hosted open-source models)
Each provider has its own privacy policy and data handling practices. We encourage you to review their respective policies.
4.3 Training Opt-Out
We access all AI providers through their commercial API tiers, which contractually prohibit the use of customer data for model training. Your conversations, agent instructions, and tool outputs are not used by any AI provider to train, fine-tune, or improve their foundation models.
Where a provider offers an additional opt-out mechanism for data usage, we have enabled it. We regularly review our provider agreements to ensure this protection remains in place.
4.4 Data Retention by AI Providers
AI providers may temporarily retain input and output data for abuse monitoring and safety purposes in accordance with their own data retention policies. This retention is typically 30 days or less and is governed by our data processing agreements (DPAs) with each provider. After this period, providers delete the data from their systems.
4.5 Sensitive Data in Conversations
You should exercise caution when including sensitive personal data (such as government IDs, financial account numbers, or health information) in agent conversations, as this data will be transmitted to AI providers. We provide guardrail features that can help detect and redact sensitive information before it reaches model providers.
5. Connector Data
Alumia allows you to connect third-party applications and services so that your AI agents can take actions on your behalf. This section explains how connector data is handled.
5.1 What Connectors Do
Connectors enable agents to interact with external services such as email providers, calendars, project management tools, messaging platforms, CRM systems, and more. When you authorize a connector, you grant Alumia permission to access specific data and perform specific actions within that service, as defined by the OAuth scopes or API permissions you approve.
5.2 Data Flow Through Connectors
Data flows through connectors only when an agent actively executes a tool call. For example, if you ask an agent to “summarize my unread emails,” the agent will retrieve your email data through the Gmail connector, process it through an AI model to generate the summary, and return the result to you. We do not passively sync, index, or mirror data from your connected accounts.
5.3 Credential Storage
All connector credentials — including OAuth tokens, refresh tokens, and API keys — are encrypted at rest using AES-256 encryption before being stored in our database. The encryption key is managed separately from the database and is not accessible to application-level code at rest. You can revoke a connector's access at any time from your dashboard, which immediately deletes the stored credentials.
5.4 Third-Party Service Policies
Each third-party service you connect through Alumia has its own privacy policy and terms of service. We recommend reviewing these before authorizing a connector. Our access to your data in these services is governed by the permissions you grant during the OAuth authorization flow.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data to anyone. We do not share your data with advertisers. We share data only in the following limited circumstances:
6.1 Infrastructure and Service Providers
- Amazon Web Services (AWS) — cloud infrastructure, compute, storage, and database hosting. Data is stored in EU regions. AWS acts as a data processor under our DPA.
- Stripe — payment processing, subscription management, and invoicing. Stripe processes payment card data directly and is PCI DSS Level 1 compliant.
6.2 AI Model Providers
Conversation data is transmitted to AI model providers (Anthropic, OpenAI, Google, Mistral, xAI, DeepSeek, Groq, Cerebras) as described in Section 4. Each provider processes data under their respective data processing agreements with us.
6.3 Legal and Safety Disclosures
We may disclose your data if required to do so by law, regulation, legal process, or governmental request. We may also disclose data when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Alumia, our users, or the public.
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
6.5 With Your Consent
We may share your data with third parties when you explicitly consent to such sharing, for example when you authorize a connector integration or enable a specific third-party feature.
7. Data Storage, Security, and Encryption
We take the security of your data seriously and implement multiple layers of protection.
7.1 Infrastructure
- All data is hosted on Amazon Web Services (AWS) in European Union regions
- Database instances run in private subnets with no direct public internet access
- Automated daily backups with point-in-time recovery
- Infrastructure is managed with Terraform for reproducibility and audit trails
7.2 Encryption
- In transit — all data transmitted between your browser and our servers is encrypted using TLS 1.3
- At rest — database volumes are encrypted using AES-256 via AWS EBS encryption
- Connector credentials — OAuth tokens and API keys are additionally encrypted at the application level using AES-256 before storage
- Passwords — user passwords are hashed using a one-way salted hashing algorithm and are never stored in plaintext
7.3 Access Controls
- JWT-based authentication with short-lived access tokens and secure refresh token rotation
- Row-Level Security (RLS) enforced at the database level, ensuring that every query is scoped to the authenticated user's organization
- Role-based access control (RBAC) with granular permissions per organization
- API keys are scoped to specific organizations and can be revoked at any time
7.4 Monitoring and Incident Response
- Continuous monitoring of infrastructure and application health
- Automated alerting for anomalous access patterns and security events
- Defined incident response procedures with notification within 72 hours for data breaches affecting personal data, as required by GDPR
While we implement industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any vulnerabilities or incidents that arise.
8. Cookies and Tracking
8.1 Essential Cookies Only
We use only strictly necessary cookies that are required for the Service to function. These include:
- Authentication cookies — to maintain your login session
- Preference cookies — to remember your settings (e.g., theme, locale, sidebar state)
- Security cookies — to prevent cross-site request forgery (CSRF) and other attacks
8.2 No Third-Party Tracking
We do not use any third-party tracking cookies, advertising cookies, or analytics cookies from services like Google Analytics, Facebook Pixel, or similar. We do not participate in ad networks or retargeting programs.
8.3 Analytics
We use OpenTelemetry, a self-hosted observability framework, to collect usage analytics and performance metrics. This data is processed entirely on our own infrastructure — no analytics data is sent to third-party services. Analytics data is used solely for improving the performance and reliability of the Service.
8.4 Local Storage
We use browser local storage to persist certain UI preferences (such as sidebar width, active tab selections, and theme settings) to improve your experience. This data remains on your device and is not transmitted to our servers.
9. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this policy, or as required by law.
9.1 Account Data
Your account data (profile, settings, organization membership) is retained for as long as your account remains active. When you delete your account, we delete your personal data within 30 days, except where we are required to retain it for legal, tax, or regulatory purposes.
9.2 Conversation and Session Logs
Agent conversation history and session data is retained for as long as your account is active. You can delete individual sessions or conversations at any time from your dashboard, which permanently removes the associated messages and tool call records within 7 days.
9.3 Usage Analytics
Aggregated, anonymized usage analytics and performance metrics are retained for up to 24 months for service improvement and capacity planning. These records cannot be traced back to individual users.
9.4 Billing Records
Transaction history, invoices, and billing records are retained for a minimum of 7 years after the transaction date, as required by Romanian and EU tax and accounting regulations.
9.5 Connector Credentials
Connector credentials (OAuth tokens, API keys) are deleted immediately when you disconnect a service. If you delete your account, all stored connector credentials are purged within 30 days.
9.6 Account Deletion
Upon account deletion, we initiate the following process:
- Personal data and profile information — deleted within 30 days
- Conversation history and agent data — deleted within 30 days
- Connector credentials — deleted within 30 days
- Backups containing your data — purged within 90 days as backup rotation occurs
- Billing records — retained as required by law (up to 7 years)
- Anonymized, aggregated analytics — retained (cannot be attributed to you)
10. International Data Transfers
Our primary data storage and processing infrastructure is located in the European Union (AWS EU regions). However, some data may be transferred outside the EU in the following circumstances:
- AI model providers — some providers (e.g., OpenAI, xAI, Groq, Cerebras, DeepSeek) process data in the United States or other jurisdictions. When data is transferred to providers outside the EU, we rely on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), or other appropriate safeguards as required by GDPR.
- Stripe — payment data may be processed in the United States. Stripe is certified under the EU-U.S. Data Privacy Framework and has signed Standard Contractual Clauses.
Where data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, including:
- EU-U.S. Data Privacy Framework certification of the receiving party
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission for the recipient country
- Binding Corporate Rules where applicable
You can request information about the specific safeguards applied to transfers of your data by contacting us at [email protected].
11. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent local laws:
- Right of access — you can request a copy of all personal data we hold about you, along with information about how it is processed.
- Right to rectification — you can request that we correct any inaccurate or incomplete personal data.
- Right to erasure (“right to be forgotten”) — you can request that we delete your personal data, subject to legal retention requirements.
- Right to data portability — you can request your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and have it transmitted to another controller.
- Right to restriction of processing — you can request that we limit how we process your data in certain circumstances, such as while a dispute about accuracy is resolved.
- Right to object — you can object to the processing of your personal data where we rely on legitimate interests as the legal basis, including profiling based on legitimate interests.
- Right to withdraw consent — where processing is based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
- Right to lodge a complaint — you have the right to lodge a complaint with a supervisory authority. In Romania, this is the Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP) at dataprotection.ro. You may also lodge a complaint with the supervisory authority in your country of residence.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.
We may ask you to verify your identity before processing your request to prevent unauthorized access to your data.
12. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to know — you can request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to delete — you can request that we delete your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention).
- Right to correct — you can request that we correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell your personal information and we do not share it for cross-context behavioral advertising. There is nothing to opt out of.
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge you different prices, or provide a different quality of service because you exercised a privacy right.
To exercise your CCPA rights, contact us at [email protected]. We will verify your identity and respond within 45 days. You may also designate an authorized agent to submit requests on your behalf.
Categories of Personal Information Collected
For the purposes of CCPA disclosure, we collect the following categories:
- Identifiers — name, email address, IP address, account ID
- Commercial information — subscription plans, transaction history, billing records
- Internet or electronic network activity — browsing history within the Service, API usage, feature usage
- Professional or employment-related information — organization name and role (if provided)
- Inferences — usage patterns derived from your interactions to improve the Service
13. Children's Privacy
Alumia is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at [email protected] and we will take steps to delete such information within 30 days.
If we become aware that we have collected personal data from a person under 18 without parental consent, we will delete that data promptly and terminate the associated account.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the “Last updated” date at the top of this page
- For material changes that affect how your data is processed, we will notify you via email at least 30 days before the changes take effect
- We will post a prominent notice on our website for significant changes
- Previous versions of this policy will be made available upon request
Your continued use of the Service after any changes to this policy constitutes your acceptance of the updated terms. If you do not agree with the revised policy, you should discontinue use of the Service and delete your account.
15. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Privacy inquiries: [email protected]
Data Protection Officer (DPO): [email protected]
General support: [email protected]
We aim to respond to all privacy-related inquiries within 5 business days. For formal data subject access requests (DSARs), we will respond within 30 days as required by GDPR.
16. Data Controller
For the purposes of the GDPR and other applicable data protection laws, the data controller responsible for your personal data is:
As the data controller, Hasna determines the purposes and means of processing your personal data. All third-party services that process data on our behalf (AWS, Stripe, AI model providers) act as data processors under our instructions and are bound by data processing agreements.