Privacy Policy

Effective Date: March 17, 2026 · Last Updated: April 22, 2026

This Privacy Policy describes how AINativeLang Inc., a Delaware corporation ("AINL," "we," "us," or "our"), doing business as AI Native Lang, collects, uses, discloses, and protects information about you when you visit ainativelang.com or use any of our products (including the ArmaraOS desktop application), hosted services, APIs, documentation, or related offerings (collectively, the "Services").

Please read this policy carefully. By using the Services, you acknowledge the practices described here. If you do not agree, stop using the Services and contact us to request deletion of any information we hold about you.

Jump to section

1. Scope 2. What We Collect 2.4 Product analytics 3. How We Use It 4. Legal Basis (GDPR)5. Sharing & Disclosure 6. Cookies & Tracking 6.4 After you decline or withdraw 7. Retention 8. Your Rights 9. Children 10. International Transfers 11. Security 12. Third-Party Links 13. AI & Workflow Data 14. Changes to This Policy 15. Contact & DPO

1. Scope

This policy applies to information collected through ainativelang.com and its subdomains; the ArmaraOS desktop application and related product telemetry we describe in Section 2.4; any AINL applications, dashboards, or developer tools; our hosted runtime and API services; our marketing emails, newsletters, and waitlist communications; our consulting and enterprise engagement intake; our public GitHub repositories and issue trackers (where we are the controller); and any other context where we link to or reference this policy.

This policy does not apply to third-party sites, services, or repositories we link to, or to open-source community spaces operated by third parties where AINL participates but is not the controller.

2. Information We Collect

We collect information in three main ways: information you give us directly, information collected automatically when you use the Services, and information from third parties.

2.1 Information You Provide

Contact and identity — name, email address, job title, company name, when you fill in a waitlist, contact, enterprise inquiry, or account registration form.
Communications — the content of messages you send us via email, forms, or support channels.
Payments — billing address and payment method details, processed by our payment processor (we do not store raw card numbers).
Account credentials — username and hashed password if you create an account.
User Content — code, prompts, workflow definitions, configuration, or other inputs you submit to hosted Services.
Professional information — company size, use-case description, or other details you voluntarily share in inquiry forms.

2.2 Information Collected Automatically

Usage data — pages visited, navigation paths, time on page, feature interactions, and referrer URL.
Device and browser data — browser type and version, operating system, screen resolution, language preference.
Network data — IP address, approximate geographic location (city/country level), and ISP.
Performance data — page load times, error rates, and API response times.
Cookies and similar technologies — see Section 6 for full detail.

2.3 Information from Third Parties

Analytics providers — aggregated traffic and behavior data from first-party analytics tools.
Payment processors — confirmation of payment status; we do not receive raw card data.
OAuth identity providers — if you sign in with GitHub or another identity provider, we receive the identifier, email, and public profile information those services share with us.
Publicly available information — publicly visible GitHub profile or organization data where relevant to a support request or enterprise engagement.

2.4 Product analytics (PostHog) — website and ArmaraOS

We use PostHog as a product analytics provider to understand how visitors use ainativelang.com and how users interact with the ArmaraOS desktop application (including its embedded dashboard). For our current PostHog project configuration, this includes (where you have consented on the website, or where separate in-product controls apply on desktop):

Autocapture — automatic capture of common interactions (for example clicks, form submissions, and navigation signals) and page views, subject to our masking and privacy settings in PostHog;
Session replay — recordings of on-page interactions to debug UX and reproduce issues; we configure masking so passwords and many fields are not replayed in clear text;
Heatmaps — aggregate visualizations of where users click and scroll to prioritize improvements;
Web vitals and product-quality signals — performance and reliability metrics where enabled;
Pseudonymous identifiers (for example, a randomly generated distinct ID in browser or app storage), device or app version, and coarse technical context;
Custom events — fewer, named events we emit for specific actions (for example product-download clicks).

PostHog processes this data on our behalf under our instructions. Our PostHog Cloud project for US analytics is configured to use infrastructure in the United States, with primary hosting aligned to AWS US East (Ohio) (us-east-2). On this marketing site, we send analytics through our own first-party path (same-origin relay) where configured to reduce third-party blocking, but data is still processed by PostHog under the deployment described above. We use this processing to operate and improve the website and ArmaraOS, not to sell your personal information. We configure capture and masking to avoid sending the content of private prompts, chats, or secrets as analytics payload; nonetheless, replay and rich interaction data can be sensitive, which is why consent (where required) and opt-outs matter. Where required, we rely on your consent or legitimate interests as described in Section 4. On ArmaraOS, you may be able to opt out via in-product settings (for example, Settings → System); on the website, use Cookie preferences or DNT as described in Section 6.

We do not: buy third-party marketing lists, use ad-network tracking pixels across the web, sell your personal data, or use your workflow inputs to train general-purpose AI models without your explicit written consent.

3. How We Use Your Information

We use the information we collect to:

Category	Examples	Purpose	Retention
Service delivery	Account setup, API access, runtime execution	Provide the features you requested	Duration of account + 90 days after closure
Communications	Waitlist confirmations, product updates, support replies	Respond to inquiries; send relevant updates	3 years from last interaction
Security & abuse prevention	Rate-limit enforcement, fraud detection, IP logging	Protect users and infrastructure	Up to 12 months rolling
Analytics & improvement	PostHog—page views, autocapture, heatmaps, session replay (where consented on web or enabled in desktop), web vitals, custom events	Measure adoption and improve the Services	Per PostHog project settings; aggregated summaries longer where appropriate
Legal & compliance	Billing records, dispute evidence, law-enforcement requests	Meet legal obligations; defend claims	7 years or as required by law
Marketing (opt-in only)	Newsletter, product announcements	Share relevant AINL news with consenting users	Until unsubscribe + 30 days

We do not use personal information for automated decision-making that produces significant legal effects on you unless we have your consent or are required by law.

4. Legal Basis for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar legal requirements, we rely on the following legal bases:

Contract — processing necessary to provide the Services you requested or to take steps before entering a contract with you.
Legitimate interests — analytics, security monitoring, product improvement, and fraud prevention, where those interests are not overridden by your rights.
Legal obligation — compliance with applicable laws, regulatory requests, and court orders.
Consent — marketing emails and non-essential cookies, where you have given clear affirmative consent. You may withdraw consent at any time without affecting prior processing.

Where we rely on legitimate interests, you may object to that processing. See Section 8 for how to exercise your rights.

6. Cookies and Tracking Technologies

We use cookies and similar technologies (local storage, session storage, pixels) on the Services.

6.1 Types We Use

Strictly necessary — required for the site to function (session state, CSRF tokens, security nonces). Cannot be disabled.
Functional — remember your preferences (e.g., theme, language). Disabled if you decline optional cookies.
Analytics — with consent where required, PostHog on ainativelang.com may use pseudonymous identifiers, autocapture, pageviews, heatmaps, session replay, web vitals, and similar product metrics as described in Section 2.4. In the ArmaraOS desktop app, separate in-product controls may apply. We tailor masking and event configuration to reduce collection of chat content and secrets, but replay and rich interaction data can still be sensitive—see Section 2.4.
Marketing — we do not currently use third-party ad or retargeting cookies. If this changes, we will update this policy and request consent.

6.2 Your Choices

You can manage cookie preferences through the cookie consent banner on your first visit, the "Cookie preferences" link in the site footer, your browser settings, or by emailing hello@ainativelang.com. Disabling strictly necessary cookies may break core functionality.

6.3 Do Not Track

We honor browser-level Do Not Track (DNT) signals to the extent technically feasible by disabling non-essential analytics collection when a DNT header is present. We do not use cross-site tracking or behavioral advertising.

7. Data Retention

We retain personal information only as long as necessary for the purposes described in this policy, unless a longer period is required by law. Our general retention schedule is shown in the table in Section 3.

When data is no longer needed, we delete or anonymize it in a manner that renders it unrecoverable. Backup copies may persist for up to 90 additional days before being purged on routine backup rotation schedules.

8. Your Rights and Choices

Depending on your jurisdiction, you may have some or all of the following rights regarding personal information we hold about you:

Right	What it means	Applies under
Access	Request a copy of personal data we hold about you.	GDPR, CCPA, UK GDPR
Correction	Ask us to correct inaccurate or incomplete data.	GDPR, UK GDPR
Deletion	Request erasure ("right to be forgotten") where no legitimate basis for retention remains.	GDPR, CCPA, UK GDPR
Portability	Receive your data in a structured, machine-readable format.	GDPR, UK GDPR
Restriction	Ask us to pause processing while a dispute is resolved.	GDPR, UK GDPR
Objection	Object to processing based on legitimate interests or for direct marketing.	GDPR, UK GDPR
Opt-out of sale	We do not sell personal data; opt-out is not applicable.	CCPA
Non-discrimination	We will not penalize you for exercising your privacy rights.	CCPA
Withdraw consent	Revoke consent for optional processing at any time.	GDPR, UK GDPR, general

To exercise any right, email hello@ainativelang.com with the subject line "Privacy Rights Request." We will respond within 30 days (or sooner as required by law). We may ask you to verify your identity before acting on a request.

If you are an EEA or UK resident and believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local supervisory authority.

Unsubscribe: Every marketing email includes a one-click unsubscribe link. You can also email us to stop all marketing communications.

9. Children's Privacy

The Services are not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at hello@ainativelang.com and we will promptly delete it.

10. International Data Transfers

AINL is operated in the United States, with primary operations based in the State of Texas. If you access the Services from outside the U.S., your information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate.

Product analytics sent through our PostHog Cloud project for the website is processed in the United States (aligned with our PostHog deployment in AWS US East (Ohio), us-east-2), subject to PostHog’s infrastructure and subprocessors as described in their documentation and our data processing arrangements.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on appropriate transfer mechanisms including the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreements (IDTAs) as required. We assess these transfers to ensure an essentially equivalent level of protection.

11. Security

We implement and maintain technical and organizational security measures designed to protect personal information, including:

Encryption in transit (TLS 1.2+ enforced; HSTS preload) and at rest for sensitive data stores.
Access controls — role-based access, least-privilege principles, and multi-factor authentication for production systems.
Network security — WAF, DDoS mitigation, rate limiting, and IP-based abuse prevention.
Dependency management — automated vulnerability scanning and dependency audits.
Incident response — a documented process for detecting, containing, and notifying affected parties of security incidents.

Despite these measures, no security system is impenetrable. In the event of a personal data breach that triggers notification obligations, we will notify you and applicable regulators as required by law.

To report a security vulnerability, please see our Security Disclosure Policy.

12. Third-Party Links and Services

The Services may contain links to third-party websites, GitHub repositories, integrations, or embedded content. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

13. AI, Workflows, and Hosted Runtime Data

If you use AINL-hosted runtime services, API endpoints, or cloud-based workflow execution features, certain inputs may be processed on our infrastructure.

We do not use your workflow inputs, prompts, or execution data to train or fine-tune general AI models shared across users.
We may log execution metadata (timestamps, success/failure, latency) for operational and security purposes, subject to the retention schedule above.
If you connect third-party models, adapters, or APIs, those providers' privacy policies govern their data handling.
Enterprise customers may negotiate additional data processing agreements, including data residency, audit logging, and deletion guarantees.

We treat workflow data as sensitive and apply the same security controls described in Section 11.

14. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights.

Categories of Personal Information Collected

In the past 12 months we have collected: identifiers (name, email, IP address); internet or other electronic network activity (browsing behavior on our site); commercial information (purchase records); professional or employment-related information (company, job title from inquiry forms); and inferences drawn from the above to understand preferences and improve the Services.

No Sale or Sharing for Cross-Context Advertising

We do not sell personal information and do not share it for cross-context behavioral advertising purposes. If this changes, we will provide a "Do Not Sell or Share My Personal Information" mechanism and update this policy.

Shine the Light

California Civil Code § 1798.83 permits California residents to request information about personal data disclosed to third parties for direct marketing purposes. We do not disclose personal data for direct marketing purposes, so no such disclosure report is available.

To submit a CCPA rights request, email hello@ainativelang.com with "CCPA Request" in the subject line.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

update the “Last Updated” date at the top of this page;
notify registered account holders by email at least 14 days before the changes take effect;
for significant changes that affect how we use data you previously provided, seek fresh consent where required by law.

Your continued use of the Services after the effective date of the updated policy constitutes acceptance of the changes. If you do not agree, stop using the Services and request deletion of your data.

16. Contact Us

For privacy questions, rights requests, or concerns, contact us at:

AINativeLang Inc.

AI Native Lang — Delaware corporation

Email (privacy, legal, and related requests): hello@ainativelang.com

Security disclosures: /security-policy

EEA / UK residents may also contact the relevant national data protection authority if they are not satisfied with our response.