Data Use Policy
Last updated: April 20, 2026
Data Use Policy
Effective Date: April 20, 2026
This Data Use Policy describes how AFK AI, Inc. ("AFK AI," "we," "us," or "our") collects, uses, retains, and processes data in connection with our websites, applications, APIs, products, and services, including Bridge, Unbox, hosted agents, integrations, and related workflows (collectively, the "Services").
This policy should be read alongside our Privacy Policy and Security Policy.
1. Data We Collect
Depending on how you use the Services, we may collect and process the following categories of data:
Account and profile information
- Name, username, display name, email address, employer or organization, job title, profile image, account identifiers, authentication-related information, and account settings.
Content and instructions
- Prompts, messages, files, attachments, documents, comments, requests, task instructions, generated outputs, notes, uploaded content, and other content you submit to or create through the Services.
Workspace and integration data
- Data made available through integrations enabled by you or your organization, such as messages, thread context, files, channels, reactions, issue metadata, pages, databases, repositories, commits, pull requests, documents, designs, calendars, email content, meeting content, and related metadata from supported third-party services. For example, Gmail integrations request read-only access to your email messages, including subjects, bodies, attachments, and metadata, in order to enable email-related features.
Usage, device, and log data
- IP address, browser type, device type, operating system, timestamps, crash reports, diagnostic information, API usage records, session activity, telemetry, audit logs, and feature interaction data.
Permissions and configuration data
- Granted permissions, integration scopes, token metadata, environment settings, agent configuration, scheduling data, saved preferences, memory state, workflow state, tool execution events, approval events, and records associated with feature access or use.
Voice, audio, and transcription data
- Audio you submit for speech-to-text or voice features, transcription output, diarization metadata, timestamps, and voice configuration data.
Biometric or voiceprint-adjacent data
- If you choose to use voice cloning or voice customization features, we may process voice samples and voice characteristics necessary to generate the requested feature. We do not use those materials for unrelated profiling or advertising.
Billing and transaction data
- Billing contact details, subscription information, invoices, payment status, and limited transaction metadata. Payment card information is generally processed by third-party payment providers rather than stored directly by us.
Support and communications data
- Information contained in support requests, feedback, survey responses, and communications with us.
Because the Services may accept free-form input and connected-workspace content, users may choose to submit information that includes sensitive personal data or other regulated information. Users and customer organizations are responsible for ensuring they have an appropriate legal basis and authorization before submitting such information.
2. Sources of Data
We collect data:
- directly from you;
- from your organization or workspace administrator;
- from third-party services that you or your organization connect to the Services;
- automatically through your use of the Services;
- from service providers that support authentication, billing, analytics, security, storage, communications, voice processing, and customer support;
- from publicly available sources where permitted by law.
3. How We Use Data
We use data for the following purposes:
To provide and operate the Services
This includes authenticating users, managing accounts, receiving and processing prompts, recordings, and files, generating outputs, maintaining conversations and task continuity, storing user-configured state, and enabling requested workflows and actions.
To carry out user-requested actions in connected services
Where enabled and authorized, the Services may access and process data from connected tools and services in order to retrieve information, generate drafts, send messages, upload files, create or update records, publish content, run workflows, search external sources, or otherwise complete user-requested tasks.
To support memory, continuity, and automation
This includes storing durable memory, semantic preferences, task state, workflow configuration, schedules, automation targets, and other state necessary to resume work, preserve context, and complete user-requested actions over time.
To enable remote, local, and hosted execution features
Where available and authorized, the Services may execute commands, read or write files, access connected environments, operate hosted or remote execution contexts, and perform related workflow actions. We log and monitor these activities for security, reliability, support, and audit purposes.
To enable content sharing and publishing
Where you choose to publish or share content, the Services may make files, pages, artifacts, outputs, or links available to designated recipients or, where expressly requested, to publicly accessible destinations.
To support voice, speech, and meeting features
This includes transcribing audio, generating speech, processing meeting recordings or summaries, and supporting optional voice features such as voice synthesis or voice customization.
To secure, monitor, and maintain the Services
This includes detecting and preventing fraud, abuse, spam, unauthorized access, misuse, and security incidents; maintaining audit logs and system integrity; and supporting backup, recovery, and operational resilience.
To communicate with you
This includes sending transactional notices, service-related updates, support responses, product notices, and administrative communications.
To improve and develop the Services
We may use usage, telemetry, diagnostic data, and limited content-derived signals to debug issues, improve reliability, measure performance, develop features, and evaluate the quality and safety of the Services, subject to applicable law, customer commitments, and contractual restrictions.
To comply with legal obligations and protect rights
We may process data to comply with applicable law, regulations, legal process, tax and accounting requirements, contractual obligations, and to protect the rights, safety, and property of AFK AI, our users, customers, and others.
4. AI, Automation, and Model Use Disclosures
Our Services include AI assistants, agentic workflows, automation features, voice features, integrations, and execution features that can act on user instructions. As a result:
- prompts, messages, instructions, recordings, files, and related context may be processed to generate outputs or perform requested actions;
- where integrations are enabled, the Services may retrieve or transmit relevant content and metadata from connected systems in order to complete requested tasks;
- we may maintain logs of actions taken through the Services, including tool usage, scheduling events, file handling, sharing or publishing events, environment actions, and system actions, for security, reliability, support, and audit purposes;
- authorized personnel may access limited data when necessary for support, incident response, abuse investigation, legal compliance, billing disputes, or quality assurance, subject to confidentiality and access controls.
Customer content is not used for model training
We do not use Customer Content or user-submitted content from the Services to train our own general-purpose models or third-party general-purpose AI models, except where a customer expressly requests a separate training or fine-tuning workflow and agrees to terms that specifically govern that use.
Automated decision-making
We do not engage in solely automated decision-making, including profiling, that produces legal or similarly significant effects on individuals without meaningful human involvement. Unless expressly stated otherwise for a specific feature, the Services are not intended to be the sole basis for decisions that produce legal or similarly significant effects on individuals. Customers and users remain responsible for appropriate human review where required.
5. Data Sharing and Disclosure
We may share or disclose data in the following circumstances:
Service providers and subprocessors
We may disclose data to vendors and subprocessors that help us host, operate, secure, analyze, support, and deliver the Services.
Our current or typical categories of subprocessors may include the following named providers, depending on product configuration and customer usage:
- Infrastructure and hosting: Google Cloud Platform and related cloud hosting providers
- Content delivery and edge storage: Cloudflare, including Cloudflare R2 and related edge services
- Model and AI inference providers: OpenAI and Anthropic
- Voice, speech, and audio providers: ElevenLabs and MiniMax
- Search and web retrieval providers: Exa
- Communications and integration providers: Slack, Google, GitHub, Discord, Telegram, Apple, Microsoft, Notion, Linear, Figma, and similar connected-service providers enabled by the user or customer
- Support, security, and analytics providers: service providers that help with support, authentication, monitoring, abuse prevention, and product analytics
A particular user or customer may not use all of these subprocessors. The actual subprocessors involved depend on the features enabled and the integrations connected.
Connected services at your direction
If you or your organization enable integrations or instruct the Services to send information to a third-party service, we may disclose relevant data to that service in order to complete the requested action.
Customer organizations and administrators
If you use the Services through a workspace, team, or enterprise account, authorized administrators for that organization may be able to access, review, export, modify, or delete certain workspace data associated with the account.
Legal and safety-related disclosures
We may disclose data when required to do so by law or when we reasonably believe disclosure is necessary to comply with legal obligations, protect rights or safety, investigate misconduct, or prevent fraud, abuse, or security incidents.
Corporate transactions
We may disclose data in connection with a merger, acquisition, financing, reorganization, bankruptcy, asset sale, or similar corporate transaction, subject to appropriate confidentiality and legal safeguards.
We do not sell data for monetary consideration. We do not share data for cross-context behavioral advertising.
6. Data Retention
We retain data for no longer than necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law. The following table describes our standard retention approach. Actual retention may vary where customers configure different retention settings, legal holds apply, or longer retention is necessary for security, fraud prevention, dispute resolution, or compliance.
| Data category | Standard retention period | Rationale |
|---|---|---|
| Account registration and profile data | For the life of the account, and up to 24 months after closure | Account recovery, fraud prevention, tax, audit, and dispute handling |
| Billing, invoices, and payment records | 7 years after the relevant transaction or account closure | Tax, accounting, financial reporting, and audit requirements |
| Support tickets and customer communications | Up to 3 years after closure of the support matter | Quality assurance, repeat-issue handling, and dispute management |
| Core service logs, audit logs, security logs, and abuse-prevention records | 12 months by default, and up to 24 months for security investigations | Security monitoring, incident response, abuse prevention, and forensic review |
| Prompt, message, file, and output content in active workspaces | Retained for the duration of the customer relationship unless deleted earlier by the customer or configured otherwise | Core service operation and workspace continuity |
| Durable memory, schedules, automation state, and saved workflow context | Retained until deleted by the user, customer, or administrator, or until the related account or workspace is deleted | Service continuity and user-requested automation |
| Temporary processing artifacts, cached files, transient execution state, and intermediate outputs | Typically deleted within 30 days unless promoted into persistent workspace state or required for debugging/security | Efficient operation and limited troubleshooting |
| Meeting recordings and uploaded audio | Retained until deleted by the user, customer, or administrator, subject to customer configuration; temporary transcoding artifacts are typically deleted within 30 days | User-directed storage and transcription workflows |
| Transcripts, meeting summaries, and speech-to-text output | Retained as workspace content until deleted by the user, customer, or administrator | Core service output |
| Voice samples used for voice cloning or custom voice features | Retained until the voice asset is deleted or the feature is disabled, and deleted within 30 days after deletion request propagation completes unless longer retention is legally required | Feature delivery and revocation handling |
| OAuth tokens, session tokens, and integration credentials | Retained only as long as required to maintain the integration or session; revoked or deleted when disconnected, expired, or replaced, subject to backup windows | Authentication and integration continuity |
| Backup data | Rolling encrypted backups typically retained for up to 35 days | Disaster recovery and business continuity |
| De-identified and aggregated data | May be retained longer where it cannot reasonably identify a person | Analytics, reliability, and product improvement |
7. International Data Transfers
We may process data in the United States, the European Economic Area, the United Kingdom, and other jurisdictions in which we or our service providers operate. Our primary hosting environment is in the United States, including hosting on Google Cloud Platform infrastructure located in the United States.
Where required by applicable law, we use appropriate safeguards for international data transfers, such as Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, or other legally recognized transfer mechanisms, together with supplementary measures where appropriate. For most transfers of data from the EEA, Switzerland, or the UK to the United States, our primary transfer mechanism is the European Commission's Standard Contractual Clauses together with supplementary contractual, technical, and organizational safeguards as appropriate.
8. Contact Us
If you have questions about this Data Use Policy, please contact us at:
AFK AI, Inc.
Privacy Team
555 California St, Suite 3300
San Francisco, CA 94104
Email: privacy@cue.surf
Web: https://cue.surf/