Powabase Privacy Policy
Effective Date: October 1, 2025
Last Updated: April 30, 2026
This Privacy Policy ("Policy") describes how Agentic Enterprise Solutions, Inc. ("Agentic," "Powabase," "we," "our," or "us") collects, uses, discloses, and protects information in connection with the Powabase platform, our website at https://powabase.ai (the "Site"), our APIs, SDKs, command-line tools, dashboards, and any related products or services (collectively, the "Services").
Powabase is an all-in-one development platform for building AI-native applications. Our customers are typically developers, engineering teams, and businesses ("Customers") who use Powabase to build, deploy, and operate their own applications, including those that incorporate retrieval-augmented generation (RAG), AI agents, and workflow automation. Those Customer applications, in turn, may be used by the Customer's own users ("End Users").
This Policy is incorporated into our Terms of Service and, where applicable, our Data Processing Addendum (DPA). Capitalized terms not defined here have the meanings given in the Terms of Service.
If you do not agree with this Policy, please do not access or use the Services.
1. Scope and Roles
Powabase processes two broad categories of information, and our role with respect to each is different:
Account Data. Information about Customers and the individuals who administer or use a Customer account on the Services (such as developers, admins, billing contacts). For this category, Agentic acts as the controller (or, under U.S. state laws, the business).
Customer Data. Content, files, code, embeddings, prompts, model outputs, agent execution traces, and any other data that Customers (or their End Users) submit to, generate within, or store on the Services in the course of building or running their applications. This includes any personal data that Customers choose to upload or that flows through Customer applications. For Customer Data, Agentic acts as a processor (or, under U.S. state laws, a service provider), processing such data on behalf of, and under the instructions of, the Customer pursuant to our DPA and Terms of Service.
If you are an End User of a Customer's application, the Customer — not Agentic — is the controller of your personal data. Please refer to that Customer's privacy policy and direct privacy requests to them. Agentic will support Customers in responding to such requests as required by applicable law and our DPA.
2. Modifications to This Policy
We may update this Policy from time to time. The "Effective Date" at the top reflects the most recent revision. Material changes will be communicated through the Services (for example, by in-product notice, email to the account owner, or notice on the Site) at least thirty (30) days before they take effect, unless a shorter period is required by law. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
3. Information We Collect
3.1 Account Data (we are the controller)
| Category | Examples |
|---|---|
| Identifiers | Name, email address, username, account password (hashed), authentication identifiers (e.g., SSO subject IDs) |
| Billing information | Billing contact, billing address, tax identifiers, payment method tokens (we do not store full card numbers — see Section 6) |
| Professional information | Employer, job title, role on the account |
| Communications | Messages sent to support, sales, or community channels, including any attachments |
| Usage and telemetry | API request metadata, dashboard activity, project and workflow names, build and deploy logs, error and crash diagnostics, feature usage, performance metrics |
| Device and network information | IP address, browser type and version, operating system, device identifiers, time zone, referring/exit pages |
| Cookies and similar technologies | See Section 9 |
3.2 Customer Data (Customer is the controller; we are the processor)
When a Customer uses Powabase to build or run an application, the following types of data are typically processed through the Services on behalf of the Customer:
- Source files, configuration, and code uploaded to projects
- Documents, datasets, and other content ingested into RAG pipelines, including derived chunks and vector embeddings
- Prompts, completions, tool invocations, and other inputs and outputs exchanged with large language models
- Agent execution traces, intermediate reasoning steps, tool-call logs, and workflow run histories
- Connected data source contents accessed by Customer applications (e.g., databases, object storage, third-party APIs the Customer chooses to integrate)
- End User identifiers and any personal data the Customer chooses to process through its application
Customers determine what Customer Data is submitted to the Services. Agentic does not require Customers to submit any particular type of personal data, and Customers are responsible for ensuring they have the legal basis to do so.
3.3 Information from Third Parties
We may receive information about Customers and account users from:
- Identity providers (e.g., Google, GitHub, Microsoft, Okta) when a user signs in via SSO
- Payment processors (e.g., Stripe) confirming payment status and providing tokenized payment references
- Analytics and product telemetry providers that help us understand Service usage
- Marketing and enrichment providers that supplement business contact information for prospective and existing Customers (e.g., company size, industry)
- Public sources such as company websites and professional networks, when relevant to sales and account management
4. How We Collect Information
We collect information in three principal ways:
Directly from you, when you create or manage an account, configure a project, contact us, respond to a survey, attend an event, or otherwise interact with us.
Automatically, when you use the Services, through server logs, cookies, SDK telemetry, and similar technologies. This includes API call metadata, dashboard interactions, and Service performance data.
From third parties, as described in Section 3.3.
For Customer Data specifically, we collect it only because the Customer (or End User acting through the Customer's application) has chosen to submit it to the Services.
5. How and Why We Use Information
5.1 Account Data
We use Account Data for the following purposes and on the following legal bases (where GDPR or similar laws apply):
| Purpose | Legal basis |
|---|---|
| To provide, operate, secure, and maintain the Services | Performance of contract |
| To authenticate users and prevent unauthorized access | Performance of contract; legitimate interests in security |
| To bill Customers and process payments | Performance of contract; legal obligation |
| To provide customer support and respond to inquiries | Performance of contract; legitimate interests |
| To monitor Service performance, debug, and improve reliability | Legitimate interests |
| To develop and improve features, including aggregate analytics | Legitimate interests |
| To send transactional and administrative communications | Performance of contract |
| To send product updates, marketing, and event invitations (subject to opt-out) | Legitimate interests; consent where required |
| To comply with legal obligations and respond to lawful requests | Legal obligation |
| To enforce our Terms of Service and protect against fraud, abuse, and security incidents | Legitimate interests |
5.2 Customer Data
We process Customer Data only as instructed by the Customer and as necessary to provide the Services, including to:
- Store, route, transform, and serve Customer Data through Powabase infrastructure
- Generate and store vector embeddings, indexes, and other derived artifacts that the Customer's application requires
- Pass relevant Customer Data to LLM and other AI subprocessors selected by the Customer (see Section 7)
- Execute agent workflows and produce execution traces accessible to the Customer
- Provide logging, observability, and debugging tools to the Customer
- Monitor for abuse, security threats, and violations of our Acceptable Use Policy
- Respond to support requests from the Customer
- Comply with legal obligations
We do not use Customer Data to train, fine-tune, or otherwise improve any general-purpose machine learning model owned by Agentic or by any third party. We do not sell Customer Data. We do not share Customer Data with third parties for their own marketing or advertising purposes.
We may use de-identified or aggregated information derived from Service operations (such as system performance metrics) to improve the Services, provided such information cannot reasonably be used to identify any individual or Customer.
6. AI Subprocessors and Model Providers
Powabase integrates with third-party large language model providers and other AI service providers ("AI Subprocessors") so that Customers can build AI-native applications. The specific AI Subprocessors used for any given workload depend on the Customer's configuration.
When a Customer's application invokes an AI Subprocessor through Powabase, relevant inputs (such as prompts, retrieved context chunks, and tool definitions) are transmitted to that subprocessor. We have entered into agreements with our AI Subprocessors that include commitments regarding data handling, including, where available, that data submitted via API will not be used to train the subprocessor's foundation models.
AI Subprocessors and other subprocessors include, as of the Effective Date, OpenAI, Anthropic, Google, Mistral, PaddleOCR, IONOS, OpenRouter, Exa, Firecrawl, and AWS.
Customers are responsible for:
- Selecting which AI Subprocessors to use within their projects
- Determining what data is appropriate to send to those subprocessors
- Obtaining any necessary consents from End Users
- Configuring data residency, retention, and other controls offered by Powabase or the underlying subprocessor
7. How We Share Information
We do not sell personal information. We share information only as described below.
Service providers and subprocessors. We share information with vendors that help us operate the Services, including cloud infrastructure providers, AI Subprocessors, payment processors, analytics providers, customer support tools, communications providers, and security vendors. These providers are bound by contractual obligations to protect the information and use it only to provide services to us.
Within the Customer's account. Information associated with a Customer account (including projects, logs, and Customer Data) is accessible to authorized users of that account as configured by the Customer's administrators.
Business transfers. If Agentic is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections and continued application of this Policy or an equivalent.
Legal and safety. We may disclose information when we have a good-faith belief that disclosure is required or permitted by law, necessary to enforce our agreements, or necessary to protect the rights, property, or safety of Agentic, our Customers, or others. We will challenge overbroad legal demands where appropriate and, where legally permitted, notify the affected Customer.
With your direction or consent. We share information at your direction or with your consent, including when you choose to integrate the Services with third-party tools.
8. International Data Transfers
Agentic is headquartered in the United States, and our primary infrastructure and personnel are located in the United States. When you use the Services, information may be transferred to, stored in, and processed in countries other than your own.
Private deployments are governed separately. Private deployments reside on infrastructure at your chosen location. No data will be transferred out of your designated hosting location under the dedicated hosting agreement.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms.
9. Cookies and Similar Technologies
We and our service providers use cookies, web beacons, local storage, and similar technologies to operate the Site and dashboard, remember preferences, authenticate users, measure performance, and understand usage. We do not use these technologies for cross-site advertising.
You can control cookies through your browser settings. Disabling cookies may affect the availability or functionality of parts of the Services, particularly the dashboard. We currently do not respond to "Do Not Track" browser signals, because there is no industry consensus on how such signals should be interpreted; however, we honor opt-out signals required by applicable law (such as the Global Privacy Control where required).
10. Data Retention
We retain Account Data for as long as the Customer maintains an active account and for a reasonable period thereafter to comply with legal obligations, resolve disputes, enforce agreements, and maintain business records.
We retain Customer Data in accordance with the Customer's configuration and instructions, the applicable subscription plan, and our DPA. On termination of a Customer account, Customer Data is deleted or returned in accordance with the DPA, subject to limited retention required by law or for legitimate backup-cycle purposes.
We retain logs, telemetry, and security-relevant records for the period necessary to operate, secure, and improve the Services.
11. Security
We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These include:
- Encryption of data in transit using TLS and encryption of data at rest
- Logical isolation of Customer environments
- Role-based access control, least-privilege provisioning, and multi-factor authentication for personnel
- Continuous monitoring, vulnerability management, and incident response processes
- Regular backups and disaster recovery testing
- Secret scanning and protections for API keys and credentials handled by the Services
- Personnel security training and confidentiality obligations
Powabase is in the process of becoming SOC 2 Type II and ISO/IEC 27001 certified.
No system is perfectly secure. If we become aware of a security incident affecting personal data, we will notify affected Customers and, where required, regulators and individuals, in accordance with applicable law.
12. Your Privacy Rights
Depending on where you live, you may have rights with respect to personal data we hold about you, including:
- Access — to confirm whether we process personal data about you and obtain a copy
- Correction — to correct inaccurate personal data
- Deletion — to request deletion of personal data, subject to exceptions
- Portability — to receive personal data in a portable format
- Restriction or objection — to restrict or object to certain processing
- Withdraw consent — where processing is based on consent
- Non-discrimination — for exercising your rights
- Lodge a complaint — with a supervisory authority
For Account Data, contact us using the details in Section 14.
For Customer Data (including data about End Users of a Customer's application), please contact the relevant Customer, who acts as the controller. We will assist Customers in responding to such requests as set out in our DPA.
12.1 California residents
If you are a California resident, you have the rights described above under the California Consumer Privacy Act, as amended by the CPRA. We do not sell personal information and do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law. We do not knowingly process the personal information of consumers under 16 for sale or sharing. You may designate an authorized agent to make a request on your behalf, subject to verification.
12.2 EEA, UK, and Swiss residents
The legal bases on which we rely are described in Section 5. Where we rely on legitimate interests, you may obtain further information about the balancing test by contacting us. You may lodge a complaint with your local supervisory authority; in the UK, this is the Information Commissioner's Office (ICO).
12.3 Other U.S. states
Residents of states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others as such laws come into effect) have rights similar to those above. We honor opt-outs of "targeted advertising," "sale," and "profiling" as defined under those laws to the extent applicable; we do not engage in such activities with respect to personal data we control.
13. Children
The Services are intended for businesses and developers and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact hello@powabase.ai and we will take appropriate steps to delete it. Customers building applications that may be used by children are responsible for compliance with applicable children's privacy laws (such as COPPA in the United States) and for obtaining required parental consent.
14. Contact Us
If you have questions about this Policy or our privacy practices, or if you wish to exercise your rights, please contact us at:
Email: hello@powabase.ai
Data Protection Officer / Privacy Lead
For Customers in the EEA or UK that require an Article 27 representative, please contact us for current designation details.
15. Filing a Complaint
We aim to resolve any privacy concerns directly. If you are unsatisfied with our response, you may contact a supervisory authority in your jurisdiction. EU residents may contact their national Data Protection Authority; UK residents may contact the Information Commissioner's Office; California residents may contact the California Privacy Protection Agency or the California Attorney General.
This Policy is intended to be read together with our Terms of Service.