Bridge
Back to home

Privacy Policy

Last updated: April 20, 2026

Privacy Policy

Effective Date: April 20, 2026

AFK AI, Inc. ("AFK AI," "we," "us," or "our") respects your privacy and is committed to protecting personal data. This Privacy Policy explains how we protect and handle personal data when you use our websites, applications, APIs, products, and services, including Bridge, Unbox, hosted agents, integrations, and related workflows (collectively, the "Services").

For details on the categories of data we collect, how we use data, data sharing, and data retention, please see our Data Use Policy.

This Privacy Policy is intended to reflect applicable privacy and data protection requirements, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the UK Data Protection Act 2018, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and similar U.S. state privacy laws, where applicable.

1. Scope

This Privacy Policy applies when you:

  • access or use the Services;
  • create an account or are invited to join a workspace;
  • interact with AI assistants, agents, workflows, automation features, or voice features provided through the Services;
  • connect third-party services such as Slack, Discord, Telegram, iMessage, Linear, Notion, GitHub, Google Workspace, Gmail, Figma, email, calendars, or similar tools;
  • submit prompts, messages, instructions, files, recordings, meeting content, or other content through the Services;
  • communicate with us, request support, or otherwise interact with us in connection with the Services.

This Privacy Policy does not apply to third-party products, services, or websites that maintain their own privacy notices.

2. Controller and Processor Roles

Depending on the context, AFK AI may act either as a data controller or as a processor/service provider.

  • When we act as a controller. We act as a controller when we determine the purposes and means of processing personal data for our own business purposes, such as account administration, billing, security, fraud prevention, service analytics, legal compliance, product improvement, and support.
  • When we act as a processor or service provider. We act as a processor or service provider when we process personal data on behalf of a customer organization and in accordance with that organization's instructions, such as when our customers use the Services to process workspace content, messages, files, recordings, connected-app data, or workflow activity.

If you use the Services through an organization, your organization may be the controller of certain personal data processed through the Services, and AFK AI may process that data on its behalf.

3. Legal Bases for Processing

Where GDPR or UK GDPR applies, we rely on one or more of the following legal bases:

  • Contract. Processing necessary to provide the Services, administer accounts, and perform our contractual obligations.
  • Legitimate interests. Processing necessary for purposes such as securing the Services, preventing abuse, supporting core functionality, improving performance, maintaining records, and responding to customer needs, provided those interests are not overridden by the rights and freedoms of data subjects. Our legitimate interests may include maintaining service continuity, preventing misuse of automation and remote execution features, and improving the reliability and safety of the Services.
  • Consent. Processing based on consent where required by law, including for certain optional features, certain voice or biometric-adjacent features, and non-essential cookies and similar technologies.
  • Legal obligation. Processing necessary to comply with legal, regulatory, accounting, tax, or law-enforcement obligations.
  • Other lawful bases. Where permitted, we may rely on other lawful bases recognized by applicable law, such as vital interests or public-interest grounds.

4. Cookies and Similar Technologies

We and our service providers may use cookies, local storage, SDKs, pixels, and similar technologies to:

  • authenticate users and maintain sessions;
  • remember settings and preferences;
  • secure the Services and detect abuse;
  • measure traffic, usage, and product performance;
  • support analytics, diagnostics, and feature improvement.

Where required by law, we will request consent before using non-essential cookies or similar technologies and provide mechanisms to manage cookie preferences. Where available, you can manage non-essential cookies and similar technologies through the cookie settings or privacy settings presented on our website or within the applicable product interface.

5. Security

We implement reasonable and appropriate technical and organizational safeguards designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. These measures include encryption of personal data in transit using TLS 1.2 or higher and encryption of personal data at rest, access controls, logging and monitoring, environment isolation, incident response procedures, and vendor management controls.

No security measure is perfect, and we cannot guarantee absolute security.

6. Your Privacy Rights

Depending on your location and subject to applicable legal exceptions, you may have the right to:

  • request access to personal data we hold about you;
  • request correction of inaccurate personal data;
  • request deletion of personal data;
  • object to or request restriction of certain processing;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • opt out of certain uses or disclosures where required by law;
  • lodge a complaint with a supervisory authority or regulator.

If you use the Services through an organization, some privacy requests may need to be directed to your organization as the relevant controller.

How to exercise your rights

You may submit privacy requests by emailing privacy@cue.surf or by contacting us through our support or contact form available on our website. We may need to verify your identity before processing your request.

Where GDPR or UK GDPR applies, we generally respond to valid requests within one month, subject to extensions permitted by law. Where CCPA/CPRA applies, we generally respond to verifiable consumer requests within 45 days, subject to extensions permitted by law. If we deny a request where appeal rights are available under applicable law, you may respond to the denial notice and request further review.

7. U.S. State Privacy Disclosures

Residents of California and certain other U.S. states may have privacy rights under applicable state law, including rights to know, access, correct, delete, and obtain a portable copy of certain personal data, and to opt out of certain sharing or targeted advertising practices where applicable.

We do not discriminate against individuals for exercising privacy rights granted by law.

California disclosures for the preceding 12 months

In the preceding 12 months, we have collected the following categories of personal information, as those categories are described under California law, depending on how the Services are used:

  • identifiers;
  • customer records information;
  • commercial information;
  • internet or other electronic network activity information;
  • geolocation data derived from IP address or device/network information at a general level;
  • audio, electronic, visual, or similar information, including recordings or uploaded media where used;
  • professional or employment-related information;
  • education information where provided by users or customers;
  • inferences drawn from the information above to provide the Services;
  • sensitive personal information, which may include account credentials, message or email contents, precise user-submitted files, voice samples used for voice features, and contents of certain communications, depending on feature usage.

For details on the sources of personal information, purposes of use, and categories of recipients, see our Data Use Policy.

We have not sold personal information in the preceding 12 months. We have not shared personal information for cross-context behavioral advertising in the preceding 12 months. We use sensitive personal information only as reasonably necessary to provide the Services, maintain security, prevent fraud, perform requested services, and comply with law.

California residents may designate an authorized agent to make rights requests on their behalf, subject to identity verification and applicable legal requirements. We do not currently offer financial incentives in exchange for personal information. Because we do not sell or share personal information for cross-context behavioral advertising, we do not operate a separate "Do Not Sell or Share My Personal Information" link at this time; California residents may still submit privacy requests using the methods described in Section 6.

8. Enterprise and Administrator Access

If you access the Services through a workspace, team, or enterprise account, your organization may control your use of the Services and may be able to:

  • provision and deprovision accounts;
  • access, review, export, modify, or delete workspace data;
  • configure integrations, logging, retention, and policy settings;
  • monitor use of the Services in accordance with applicable law and organizational policy.

If you have questions about how your organization processes your personal data through the Services, please contact your organization directly.

9. Children's Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal data from children under 13 in connection with consumer use of the Services without appropriate authorization. Where a higher minimum age is required by applicable law, that higher age standard will apply.

10. Third-Party Services

The Services may contain links to or integrations with third-party services. Those third parties maintain their own terms and privacy practices. We are not responsible for the privacy practices of third-party services except as required by law.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or data processing practices. Where required by law, we will provide notice of material changes through the Services, by email, or by other appropriate means.

12. Contact Us

If you have questions about this Privacy Policy or would like to exercise your privacy rights, please contact us at:

AFK AI, Inc.
Privacy Team
555 California St, Suite 3300
San Francisco, CA 94104
Email: privacy@cue.surf
Web: https://cue.surf/

AFK AI, Inc. does not currently designate a Data Protection Officer, EU representative, or UK representative for purposes of this Privacy Policy. If that changes, we will update this Privacy Policy with the relevant contact details.