Privacy Policy

This policy applies to information collected through ainativelang.com and its subdomains; any AINL applications, dashboards, or developer tools; our hosted runtime and API services; our marketing emails, newsletters, and waitlist communications; our consulting and enterprise engagement intake; our public GitHub repositories and issue trackers (where we are the controller); and any other context where we link to or reference this policy.

This policy does not apply to third-party sites, services, or repositories we link to, or to open-source community spaces operated by third parties where AINL participates but is not the controller.

We collect information in three main ways: information you give us directly, information collected automatically when you use the Services, and information from third parties.

We do not: buy third-party marketing lists, use ad-network tracking pixels across the web, sell your personal data, or use your workflow inputs to train general-purpose AI models without your explicit written consent.

We use the information we collect to:

We do not use personal information for automated decision-making that produces significant legal effects on you unless we have your consent or are required by law.

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar legal requirements, we rely on the following legal bases:

• Contract — processing necessary to provide the Services you requested or to take steps before entering a contract with you.
• Legitimate interests — analytics, security monitoring, product improvement, and fraud prevention, where those interests are not overridden by your rights.
• Legal obligation — compliance with applicable laws, regulatory requests, and court orders.
• Consent — marketing emails and non-essential cookies, where you have given clear affirmative consent. You may withdraw consent at any time without affecting prior processing.

Where we rely on legitimate interests, you may object to that processing. See Section 8 for how to exercise your rights.

We do not sell, rent, or trade your personal information. We share it only as described below.

We use cookies and similar technologies (local storage, session storage, pixels) on the Services.

We retain personal information only as long as necessary for the purposes described in this policy, unless a longer period is required by law. Our general retention schedule is shown in the table in Section 3.

When data is no longer needed, we delete or anonymize it in a manner that renders it unrecoverable. Backup copies may persist for up to 90 additional days before being purged on routine backup rotation schedules.

Depending on your jurisdiction, you may have some or all of the following rights regarding personal information we hold about you:

To exercise any right, email privacy@ainativelang.com with the subject line "Privacy Rights Request." We will respond within 30 days (or sooner as required by law). We may ask you to verify your identity before acting on a request.

If you are an EEA or UK resident and believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local supervisory authority.

Unsubscribe: Every marketing email includes a one-click unsubscribe link. You can also email us to stop all marketing communications.

The Services are not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@ainativelang.com and we will promptly delete it.

AINL is operated in the United States, with primary operations based in the State of Texas. If you access the Services from outside the U.S., your information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on appropriate transfer mechanisms including the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreements (IDTAs) as required. We assess these transfers to ensure an essentially equivalent level of protection.

We implement and maintain technical and organizational security measures designed to protect personal information, including:

• Encryption in transit (TLS 1.2+ enforced; HSTS preload) and at rest for sensitive data stores.
• Access controls — role-based access, least-privilege principles, and multi-factor authentication for production systems.
• Network security — WAF, DDoS mitigation, rate limiting, and IP-based abuse prevention.
• Dependency management — automated vulnerability scanning and dependency audits.
• Incident response — a documented process for detecting, containing, and notifying affected parties of security incidents.

Despite these measures, no security system is impenetrable. In the event of a personal data breach that triggers notification obligations, we will notify you and applicable regulators as required by law.

To report a security vulnerability, please see our Security Disclosure Policy.

The Services may contain links to third-party websites, GitHub repositories, integrations, or embedded content. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

If you use AINL-hosted runtime services, API endpoints, or cloud-based workflow execution features, certain inputs may be processed on our infrastructure.

• We do not use your workflow inputs, prompts, or execution data to train or fine-tune general AI models shared across users.
• We may log execution metadata (timestamps, success/failure, latency) for operational and security purposes, subject to the retention schedule above.
• If you connect third-party models, adapters, or APIs, those providers' privacy policies govern their data handling.
• Enterprise customers may negotiate additional data processing agreements, including data residency, audit logging, and deletion guarantees.

We treat workflow data as sensitive and apply the same security controls described in Section 11.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights.

To submit a CCPA rights request, email privacy@ainativelang.com with "CCPA Request" in the subject line.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• update the “Last Updated” date at the top of this page;
• notify registered account holders by email at least 14 days before the changes take effect;
• for significant changes that affect how we use data you previously provided, seek fresh consent where required by law.

Your continued use of the Services after the effective date of the updated policy constitutes acceptance of the changes. If you do not agree, stop using the Services and request deletion of your data.

For privacy questions, rights requests, or concerns, contact us at: