Wolfia Inc. Privacy Policy

1. Introduction and Scope

Welcome to Wolfia Inc. (Wolfia, we, us, our). This Privacy Policy explains how we collect, use, share, secure, and otherwise process information relating to identified or identifiable individuals (Personal Information) in connection with our business activities.

This policy applies when you visit our websites (e.g., wolfia.com, docs.wolfia.com), use the Wolfia Platform (our AI-powered answer engine and related features), interact with our marketing, sales, or support teams, or otherwise use our services (collectively, the Services).

This policy does not cover third-party websites, applications, or services that may integrate with or be linked from our Services (Third-Party Services). The use of the Wolfia Platform by business customers (Customers) is governed by our Terms of Service / MSA and, where applicable, a Data Processing Addendum (DPA). In relation to Service Data (data a Customer submits to or connects with the Platform), Wolfia acts primarily as a processor/service provider on behalf of the Customer, who acts as controller/business. This policy primarily describes how Wolfia processes Personal Information for its own purposes (where Wolfia is the controller), such as website visitor data, marketing contact information, and account administration data (Other Information). For more information on how Wolfia processes Service Data on behalf of Customers, see our Data Processing Addendum (DPA).

2. Personal Information We Collect

2.1 Information You Provide

Account & Profile. Name, email, phone, password, company, job title, and similar details.

Payment. We and/or our payment processors collect payment card/bank details, billing address, and transaction data. We do not store full payment card numbers.

Communications. Content of messages and related metadata when you contact us (email, support, forms, surveys, social).

Marketing. Subscription preferences, event/webinar registrations, downloads.

Careers. Application materials (resume/CV, history, references).

2.2 Information Collected Automatically

Log Data. IP address, device and browser info, OS, timestamps, referring/exit pages, and clickstream.

Usage Data. Features used, time on pages, actions taken, performance metrics, and error reports.

Cookies/Similar Tech. Essential, functional, analytics, and advertising cookies/pixels. We may also use visitor identification services that match website visitor data to publicly available business contact information. You can manage cookie preferences via our cookie consent banner or browser settings.

Location. General geolocation (e.g., city/country) inferred from IP; more precise location only if you enable it.

2.3 From Other Sources

Customers (Service Data). Customers may upload/connect data sources that include Personal Information about their users/contacts.

Third-Party Services. If you integrate services (e.g., Google Drive/Workspace, SSO, data repositories), we receive information per the permissions you grant. For Google Drive: we only access file metadata and the contents of documents you explicitly import into Wolfia. We do not scan or index other Drive files.

Partners/Public Sources. Business partners, data brokers, and public sites (e.g., LinkedIn) to supplement records or identify potential customers.

3. How We Use Personal Information (Legal Bases)

Provide and Manage Services (Contract; Legitimate Interests) — Operate, maintain, secure, and improve the Platform; create/manage accounts; process payments; provide support; honor the MSA. Google Drive: provide document search, summaries for imported files, and AI-powered Q&A in your private workspace.

Communicate (Legitimate Interests; Contract; Consent) — Respond to inquiries; send service notices (maintenance, security, policy updates); send marketing (where permitted/consented). Opt-out any time.

R&D (Legitimate Interests) — Analyze usage and feedback to improve features and UX. We favor aggregated/de-identified data. Google Drive content is not used to develop/train general AI models serving other users.

Security & Fraud (Legitimate Interests; Legal Obligation) — Detect, prevent, and respond to threats, abuse, and violations.

Legal Compliance (Legal Obligation) — Meet legal/regulatory requirements and lawful requests.

Operations & Analytics (Legitimate Interests) — Audits, reporting, and business administration.

Service Data Processing. For Service Data, we act on the Customer's documented instructions under the MSA and (where in place) the DPA. Customer is responsible for its legal bases and end-user disclosures.

AI Training Limitation. As stated in the MSA, Wolfia will not use Customer Service Data (indexed content or queries) to train general-purpose AI models offered externally by Wolfia or third parties, without explicit prior written consent. Aggregated, anonymized usage statistics may support service reliability/quality, but not external general-purpose model training. We do not use Personal Information transferred under the DPF to train general-purpose AI models without explicit prior written consent.

Automated Decision-Making and AI-Generated Content. Our Services use artificial intelligence and machine learning to generate responses to questions, complete security questionnaires, and produce other content. These AI systems analyze your content and queries using retrieval-augmented generation (RAG), vector embeddings, and large language models to provide relevant answers. The AI-generated output may influence business decisions (e.g., responses provided to customers or included in proposals). You have the right to review, edit, and approve all AI-generated content before use. We recommend human review and oversight for all AI outputs, particularly for consequential decisions. You may contact us at privacy@wolfia.com to request human review of any automated decision or to obtain information about the logic involved in our AI processing.

4. Sharing Personal Information

Service Providers (sub-processors). Cloud hosting, AI/LLM, identity, integrations, workflow orchestration, transactional email, observability, and analytics tools, listed at https://trust.wolfia.com/?tab=subprocessors. These sub-processors are bound by written contracts requiring them to provide at least the same level of protection for Personal Information as required by the DPF Principles. Wolfia remains liable under the DPF Onward Transfer Principle for the acts of these sub-processors that cause harm, unless Wolfia proves it is not responsible for the event giving rise to the damage.

Advertising & Analytics. We share usage data with advertising and analytics partners via cookies, pixels, and similar technologies for conversion measurement, audience building, and interest-based advertising. These partners process data under their own privacy policies. For Personal Information transferred to us under the DPF, we do not share data with advertising partners except under contracts that require equivalent protection, and EU/EEA/UK/Swiss individuals may opt out by contacting privacy@wolfia.com.

Per Customer Instructions. Service Data is shared as directed by the Customer (e.g., Authorized Users, third-party integrations).

Affiliates. Within the Wolfia group for compliant processing.

Business Transactions. In a merger, acquisition, financing, reorganization, bankruptcy, or sale, subject to confidentiality.

Legal/Safety. To comply with law or protect rights, property, or safety.

Aggregated/De-identified. May be shared for analytics or research.

With Consent. As disclosed at collection or with your approval.

For a complete and current list of our service providers and subprocessors, please visit our Trust Center.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect Personal Information (e.g., encryption in transit and at rest, access controls, network monitoring, vulnerability management, security testing, employee training, and incident response). OAuth access and refresh tokens are stored in an encrypted, access-controlled secrets vault and are never written to application logs. All backups are encrypted at rest (AES-256).

No system is 100% secure. You are responsible for protecting your credentials and using secure networks.

6. Data Retention

We retain Personal Information as needed to provide the Services, comply with law, resolve disputes, and enforce agreements. Specific retention periods vary by data type:

Account and Profile Data: Retained for the duration of your relationship with Wolfia plus 7 years for legal and compliance purposes.

Usage Logs and Analytics: Retained for 30-90 days, or as needed for security monitoring and service improvement.

Payment and Transaction Records: Retained for 7 years to comply with tax and financial regulations.

Marketing and Communications Data: Retained until you unsubscribe or request deletion, plus 30 days to process the request.

Service Data: Retention governed by the MSA and Customer configuration. When you terminate your account, Service Data is retained for 30 days (data retrieval period), after which it is deleted from active systems.

Google Drive Integration: Files and metadata are retained until you: (a) delete the import; (b) disconnect Google; or (c) terminate your account—whichever occurs first.

Backups: When deletion is requested or appropriate, we delete or anonymize data from active systems; where immediate deletion is not possible (e.g., encrypted backups), we securely store and isolate it until purge. Encrypted backups are automatically purged on a 90-day rolling basis to ensure complete removal.

7. Your Rights and Choices

Depending on your location, you may have rights to access, correct, delete, restrict, port, or object to processing, and to withdraw consent where processing is based on consent. You may opt-out of marketing at any time via links in emails or by contacting us.

EU/EEA/UK/Switzerland (DPF). If you are an individual in the EU, EEA, UK, or Switzerland whose Personal Information was transferred to Wolfia in reliance on the DPF, you have the right to access your Personal Information, and to request correction, amendment, or deletion where it is inaccurate or has been processed in violation of the Principles. To exercise these rights, contact privacy@wolfia.com.

California (CCPA/CPRA). California residents may have additional rights, including access, deletion, and the right to opt-out of sale or sharing (as defined by law). We do not sell personal information as that term is commonly understood. We share data with advertising partners for cross-context behavioral advertising, including conversion measurement and retargeting. You may opt out of this sharing via our cookie consent banner or by contacting us. Submit requests via the contact methods below. If your request concerns Service Data we process for a Customer, we will direct you to the Customer, who controls that data.

You may also have the right to lodge a complaint with your local supervisory authority.

8. Children's Privacy

Our Services are not directed to children under 16 (or other applicable age). We do not knowingly collect Personal Information from children. If you believe a child provided us Personal Information, please contact us and we will delete it.

9. Third-Party Links

Our Services may link to third-party sites/services. Their practices are not covered by this Policy. Review their policies before providing information.

10. Google API Services User Data Policy

Wolfia's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use only the drive.readonly scope and access only the Google Drive files/folders you explicitly select to import. We do not scan or index other Drive content, use Drive data for advertising, or train external general-purpose AI models. You may revoke access at any time via Disconnect Google in your account settings or at https://myaccount.google.com/permissions. Revocation invalidates OAuth tokens and previously imported Drive files are queued for deletion within 24 hours. Encrypted backups are automatically purged on a 90-day rolling basis.

11. Changes to This Policy

We may update this Policy to reflect changes in practices, legal requirements, or services. The Last updated date shows the latest revision. For material changes, we will provide more prominent notice (e.g., email or in-product) and seek consent where required. If we intend to use Personal Information collected under the DPF for a purpose that is materially different from, but still compatible with, the purposes for which it was originally collected or subsequently authorized, we will offer a clear, conspicuous, and readily available means to opt out before such use.

12. EU-U.S. Data Privacy Framework

12.1 Participation and Scope.Wolfia Inc. is committed to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Wolfia Inc. has submitted its self-certification to the U.S. Department of Commerce and adheres to the EU-U.S. DPF Principles, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles (collectively, the DPF Principles) with regard to the processing of Personal Information received from the European Union, the European Economic Area, the United Kingdom (and Gibraltar), and Switzerland in reliance on the DPF. Wolfia’s certification status and listing may be confirmed on the Data Privacy Framework List. To learn more about the Data Privacy Framework program, and to view our certification once active, please visit https://www.dataprivacyframework.gov/.

12.2 Conflict of Terms. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the Principles shall govern.

12.3 Notice and Choice for Sensitive Personal Information. Under the DPF Principles, sensitive Personal Information includes Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life or sexual orientation of the individual, criminal history, or biometric or genetic data. Wolfia will obtain affirmative express (opt-in) consent from individuals before processing sensitive Personal Information for purposes other than those for which it was originally collected or subsequently authorized, or before disclosing it (onward-transferring it) to a third party.

12.4 Onward Transfer Liability. Wolfia is responsible for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf. Wolfia remains liable under the DPF Principles if its agents process personal data inconsistently with the Principles, unless Wolfia proves it is not responsible for the event giving rise to the damage.

12.5 Independent Recourse Mechanism. In compliance with the DPF Principles, Wolfia commits to resolve DPF Principles-related complaints about our collection and use of your Personal Information. EU, EEA, UK, and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the DPF should first contact Wolfia at privacy@wolfia.com.

If a privacy complaint or dispute relating to Personal Data received by Wolfia Inc. in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here.

If a complaint or dispute cannot be resolved through our internal process, we have also agreed to cooperate with the EU and UK data protection authorities and the Swiss Federal Data Protection and Information Commissioner and to participate in the dispute resolution procedures of the panel established by such data protection authorities.

12.6 FTC Jurisdiction. Wolfia Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with respect to its compliance with the DPF Principles.

12.7 Binding Arbitration.If your dispute or complaint related to your Personal Data that we received in reliance on the Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework.

12.8 Verification. Wolfia uses a self-assessment approach to verify ongoing compliance with the DPF Principles. Wolfia conducts this self-assessment at least annually, reviewing the accuracy of this Privacy Policy, the accessibility of recourse mechanisms, the effectiveness of internal procedures for handling complaints, and employee training. Wolfia maintains records of its self-assessments and will produce them to the U.S. Department of Commerce or other competent authorities upon request.

12.9 U.S. Government Access Requests. Wolfia responds to lawful U.S. government requests for Personal Information only as required by law. We challenge requests that we believe are overbroad, improper, or inconsistent with applicable law where we lawfully may do so. Wolfia commits to maintaining and publishing a transparency report describing the volume and nature of government data requests we receive, consistent with applicable legal restrictions.

12.10 Fallback Transfer Mechanisms. Where the DPF does not apply (for example, because the country of origin is not covered, or because Wolfia's DPF certification is suspended or revoked), Wolfia relies on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement and/or the UK Addendum to the SCCs, and equivalent safeguards recognized under Swiss data protection law to lawfully transfer Personal Information from the EU/EEA, UK, and Switzerland, as set out in Wolfia's Data Processing Addendum (DPA), available at https://wolfia.com/legal/dpa.

13. Contacting Wolfia

Email: privacy@wolfia.com

Mail: Wolfia Inc., Attn: Privacy Team, 10500 Avery Club Drive, Unit 6, Austin, TX 78717