Privacy Policy

Last updated: December 12, 2025

At Anygraph, Inc. (“Anygraph,” “we,” “us,” or “our”), we believe privacy is a fundamental right, not a feature. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use Steve and our related services, including our websites at www.anygraph.ai and app.anygraph.ai (collectively, the “Service”).

This Privacy Policy applies to Anygraph's standard Service offerings. For enterprise customers with a Master Services Agreement (“MSA”) or Data Processing Agreement (“DPA”), the terms of those agreements govern our processing of your data and take precedence over this Privacy Policy to the extent of any conflict.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

Account Information. When you create an account, we collect:

  • name;
  • email address;
  • organization name; and
  • profile picture (if signing in via Google or Microsoft).

Payment Information. If you subscribe to a paid plan, our payment processor (Polar Software, Inc.) collects payment details. We do not store credit card numbers or bank account information on our servers.

Communications. If you contact us for support or inquiries, we collect your name, email address, and the content of your messages.

Feedback. If you voluntarily provide feedback about the Service, we may retain that feedback to improve our products. If your feedback includes specific inputs or outputs from Steve, we will only use that content for the purpose of addressing your feedback.

Inputs and Outputs. You may submit documents, data, and instructions to Steve (“Inputs”), which generate documents, analyses, and other materials (“Outputs”). Together, these are your “Content.”

  • Content is processed in real-time to generate Outputs.
  • Content is transmitted to AI model providers (see Section 3) solely to generate your requested Outputs.
  • Content is retained on Anygraph servers after processing is complete for as long as you maintain an active account, unless you request its removal.
  • Content is not used to train any AI models.
  • Content is not accessed by Anygraph personnel except as required for technical support at your request.

For our desktop application, processing occurs on your device. Content is sent directly to the AI model provider and returned to your device without passing through Anygraph infrastructure.

Technical Information. When you access our website or Service, we automatically collect:

  • IP address;
  • browser type and version;
  • operating system;
  • device type;
  • date and time of access;
  • pages viewed and features used; and
  • referring website.

Cookies and Analytics. We use cookies and similar technologies to operate the Service and understand how it is used. We use only essential cookies required for the Service to function. We do not use advertising cookies or sell your data to advertisers.

Information We Do Not Collect. We do not knowingly collect:

  • Sensitive personal information (health data, biometric data, religious beliefs, etc.) unless you include it in your Content.
  • Information from children under 18.
  • Information for the purpose of selling to third parties.

2. How We Use Your Information

How we use your information is displayed in the following table.

| Purpose | Types of Data | Legal Basis |
| --- | --- | --- |
| Provide and operate the Service | Account information, Content | Contract performance |
| Process payments | Payment information (via Polar) | Contract performance |
| Communicate with you | Contact information, communications | Contract performance, legitimate interests |
| Provide customer support | Account information, communications, technical information | Contract performance |
| Improve the Service | Technical information, usage data (aggregated and anonymized) | Legitimate interests |
| Ensure security and prevent fraud | Technical information, account information | Legitimate interests, legal obligation |
| Comply with legal obligations | As required by law | Legal obligation |

We do not use your Content to train AI models or for any purpose other than generating your requested Outputs.

3. Third-Party AI Model Providers

To power Steve's AI capabilities, we use third-party AI model providers, including OpenAI and Anthropic. When you use Steve:

  • Your Inputs are transmitted to the AI model provider to generate Outputs.
  • The AI model provider processes your Inputs according to their terms and privacy policies.
  • We select providers with strong privacy commitments who do not train on API customer data.

We currently only use OpenAI and Anthropic as AI model providers. OpenAI's API data usage policies confirm that data submitted through their API is not used to train their models, and they offer a 30-day data retention period for API inputs and outputs. See their Privacy Policy for details. Anthropic similarly does not train on customer data submitted through their API. See their Privacy Policy for details.

For enterprise customers requiring additional assurance, we offer:

  • on-premise or VPC deployment with your own model infrastructure;
  • dedicated model instances; and
  • custom model provider arrangements.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following limited circumstances.

Service Providers. We share information with third-party vendors who help us operate the Service. These providers are contractually obligated to use your information only to provide services to us and to protect your information.

AI Model Providers. As described in Section 3, your Content is transmitted to AI model providers to generate Outputs.

Legal Requirements. We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect rights, safety, or property.

Business Transfers. In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

With Your Consent. We may share information when you direct us to do so.

5. Enterprise Audit Trails

For enterprise customers, we maintain audit logs to support compliance and security requirements. Audit logs may include:

  • User identifiers.
  • Timestamps of actions.
  • Types of operations performed.
  • System events and errors.

Audit Log Retention.

  • The default retention period is 365 days (1 year), consistent with SOC 2 Type II requirements.
  • Custom retention periods are available per MSA.
  • Audit logs are stored securely and access is restricted.

Specific audit trail terms, including data location, retention, and access controls, are governed by your MSA or Enterprise Agreement.

6. Data Retention

Content is retained on Anygraph servers after processing is complete for as long as you maintain an active account, unless you request its removal.

  • Account information is retained for the duration of your account plus 30 days after deletion.
  • Payment records are retained as required by tax and legal obligations.
  • Communications and support tickets are retained for 3 years or as required for ongoing matters.
  • Technical logs are retained for 90 days.
  • Enterprise audit logs are retained for 365 days, or as specified in your MSA.

Upon account termination, we delete or anonymize your personal information within 30 days, except as required for legal compliance or legitimate business purposes.

7. Data Security

We implement technical and organizational measures designed to protect your information.

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • We enforce role-based access controls to limit data access to authorized personnel.
  • We conduct regular security assessments and penetration testing to identify and address vulnerabilities.
  • We are pursuing SOC 2 Type II compliance (in progress).
  • All employees complete security awareness training.

For on-premise or VPC deployments, security is managed within your infrastructure according to your security policies. No method of transmission or storage is completely secure. If you believe your account has been compromised, contact us immediately at founders@anygraph.ai.

8. International Data Transfers

Anygraph is headquartered in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. We transfer data in accordance with applicable legal requirements:

  • From the EU or EEA or UK. We rely on Standard Contractual Clauses or other approved transfer mechanisms.
  • From Malaysia. We comply with the Personal Data Protection Act 2010 (PDPA).
  • From Singapore. We comply with the Personal Data Protection Act 2012 (PDPA).

For enterprise customers, we offer data residency options in the United States, Malaysia, and Singapore.

9. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access and Portability. Request a copy of the personal information we hold about you.
  • Correction. Request correction of inaccurate personal information.
  • Deletion. Request deletion of your personal information, subject to legal retention requirements.
  • Restriction or Objection. Object to or request restriction of certain processing activities.
  • Withdraw Consent. Where processing is based on consent, withdraw your consent at any time.
  • Data Portability. Receive your data in a structured, commonly used format.
  • Lodge a Complaint. File a complaint with your local data protection authority.

To exercise these rights, contact us at founders@anygraph.ai. We will respond within 30 days (or sooner if required by applicable law).

Account Settings. You can update your account information at any time through the Service.

Marketing Communications. You can opt out of marketing emails by clicking “unsubscribe” in any marketing email or contacting us.

10. Jurisdiction-Specific Disclosures

United States. California residents under the CCPA or CPRA have the right to know what personal information we collect and how we use it, request deletion of their personal information, and opt out of the “sale” or “sharing” of personal information. We do not sell personal information or share it for cross-context behavioral advertising.

Malaysia. We comply with the Personal Data Protection Act 2010 (PDPA). As a data user, we process personal data only for lawful purposes directly related to our activities, provide notice of our data processing practices, ensure personal data is accurate and up to date, and protect it from loss, misuse, and unauthorized access. You have the right to access and correct your personal data.

Singapore. We comply with the Personal Data Protection Act 2012 (PDPA). We obtain consent for the collection, use, and disclosure of personal data, notify you of the purposes for which we process your data, protect it with reasonable security arrangements, and retain it only as long as necessary. You may withdraw consent for the collection, use, or disclosure of your personal data, subject to legal or contractual restrictions.

European Economic Area (EEA) and United Kingdom. For individuals in the EEA or UK, Anygraph acts as a data controller for account and usage data, and as a data processor for Content processed through the Service. Our legal bases for processing include contract performance (providing the Service), legitimate interests (improving the Service, security), legal obligation (compliance with laws), and consent (marketing communications). You have rights under GDPR including access, rectification, erasure, restriction, portability, and objection, and may lodge a complaint with your supervisory authority.

11. Children's Privacy

The Service is intended for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page.
  • Notify you via email or through the Service.

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at:

Anygraph, Inc.

Email: founders@anygraph.ai

Website: www.anygraph.ai

For data protection inquiries or to exercise your privacy rights, email Anygraph via the address above with the subject line “Privacy Request.”