Legal
Privacy Policy
Last updated: June 18, 2026
This Privacy Policy explains how Agent Astra, Inc. (“Agent Astra,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information in connection with our website, applications, application programming interfaces, and related services (collectively, the “Services”). It also describes the privacy rights available to you and how to exercise them. We are committed to handling personal information responsibly and in accordance with applicable data protection laws, including the EU and UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act as amended (“CCPA/CPRA”).
1. Scope and Our Role
Agent Astra provides a business platform that ingests documents and uses automated and AI-assisted processing to extract and structure data for our business customers (each, a “Customer”). This Policy applies to visitors to our website, individuals who contact us or request a demo, and individuals who are authorized by a Customer to access the platform or to upload documents to it (“Authorized Users”).
Our role under data protection law depends on the data in question. For our website, marketing, account administration, and business communications, Agent Astra acts as a controller and determines how and why personal information is processed. For documents and other content that a Customer (or its Authorized Users or invited end users) submits to the platform, Agent Astra acts as a processorand processes that content only on the Customer's documented instructions and under a separate data processing agreement. In that arrangement, the Customer is the controller and is responsible for the lawful basis of the processing. Section 13 addresses this in more detail.
2. Information We Collect
Information you provide. When you contact us, request a demo, are onboarded, or communicate with us, we collect your name, business email address, company, role, the contents of your message, and any other information you choose to provide.
Account and access information. When access to the platform is granted, we collect identifiers and authentication data needed to create and secure accounts for Authorized Users, and records of access and configuration.
Documents and content.The platform processes documents and related content uploaded by or on behalf of a Customer, including by individuals a Customer invites to submit documents. This content may contain personal information about third parties. As described in Sections 1 and 13, we process such content as a processor on the Customer's behalf.
Technical and usage data. We automatically collect technical information such as IP address, device and browser characteristics, pages and features used, timestamps, and diagnostic and performance data, through cookies and similar technologies (see our Cookie Policy) and through server and application logs.
Information from third parties. We may receive information from our Customers, from service providers, and from publicly available sources, for example to verify business details or to administer accounts.
3. How We Use Information
As a controller, we use personal information to: provide, operate, maintain, and improve the Services; create and administer accounts and authenticate users; respond to inquiries and provide support; communicate about the Services, including service-related and, where permitted, marketing messages; analyze and improve usage, reliability, and performance; ensure security, prevent fraud and abuse, and protect our rights and those of others; and comply with legal obligations.
Where the GDPR applies, we rely on the following legal bases: performance of a contract; our legitimate interests in operating and improving the Services and securing them (balanced against your rights); your consent, where required (for example, certain cookies and marketing); and compliance with legal obligations.
4. Automated and AI-Assisted Processing
The platform uses automated processing, including artificial intelligence and machine-learning techniques, to read documents and to extract, classify, and structure data from them. AI-assisted output may contain errors or omissions and is intended to support, not replace, human judgment. Outputs are made available to the Customer for review and verification, and the Customer remains responsible for decisions made using them.
We do not use Customer documents or extracted data to train publicly available or general-purpose AI models, and we contractually require AI model providers that process this content on our behalf not to use it to train their models. We do not use solely automated processing to make decisions that produce legal or similarly significant effects about you without a lawful basis and appropriate safeguards.
5. How We Share Information
We do not sell your personal informationand we do not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We disclose information only as described here:
Service providers and subprocessors. We share information with vendors that perform functions on our behalf, under contracts that require them to protect the information and use it only to provide services to us. These include providers of cloud hosting and infrastructure; content delivery and network security; authentication; AI and document-processing; product analytics; error, performance, and uptime monitoring; incident and status communications; email delivery; and workflow integration. See Section 6.
With the relevant Customer. Where you are an Authorized User or invited end user, we make information available to the Customer that controls the relevant account.
Legal and protection. We may disclose information where required by law or legal process, to enforce our agreements, or to protect the rights, safety, and security of Agent Astra, our users, or the public.
Business transfers. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to the commitments in this Policy.
With your consent or at your direction.
6. Subprocessors
We engage third-party subprocessors to help deliver the Services. Where we act as a processor, our agreements provide general written authorization to engage subprocessors, bind each subprocessor to data protection obligations no less protective than those we accept, and require that we notify affected Customers of intended additions or changes and give them a reasonable opportunity to object on legitimate grounds. A current list of subprocessors and the categories of processing they perform is available to Customers on request at support@agentastra.ai.
7. International Data Transfers
We operate globally, and your information may be processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction. Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary measures where needed. A copy of the relevant safeguards is available on request at support@agentastra.ai.
8. Data Retention
We retain personal information for as long as necessary to provide the Services, to fulfill the purposes described in this Policy, and to comply with our legal, accounting, and reporting obligations. Retention periods depend on the nature of the information and the context in which it was collected. For content we process on a Customer's behalf, retention is governed by our agreement with that Customer and its instructions. When information is no longer needed, we delete it or anonymize it.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption of data in transit and at rest, access controls and least-privilege practices, network protection, logging and monitoring, and regular review of our controls. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a personal data breach, we will respond in accordance with applicable law and our contractual commitments.
10. Your Privacy Rights
Depending on where you live, you may have some or all of the following rights regarding your personal information.
EEA, UK, and Switzerland (GDPR). You may request access to, and rectification or erasure of, your personal information; restrict or object to processing; request data portability; and withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with your local supervisory authority.
California (CCPA/CPRA). You may request to know, access, and delete personal information, correct inaccurate information, and opt out of the sale or sharing of personal information and the use of sensitive personal information beyond permitted purposes. As stated above, we do not sell or share personal information. You also have the right not to receive discriminatory treatment for exercising your rights.
To exercise your rights, contact us at support@agentastra.ai. We will verify your request and respond within the time required by applicable law. You may use an authorized agent where the law permits. If your information is processed by us on behalf of a Customer, we will refer your request to that Customer and assist them as required.
11. Cookies and Similar Technologies
We and our providers use cookies and similar technologies to operate and secure the Services, remember preferences, and understand and improve usage. Where required, we obtain consent before placing non-essential cookies. For details and your choices, see our Cookie Policy.
12. Children's Privacy
The Services are intended for businesses and are not directed to children. We do not knowingly collect personal information from children under the age of 16. If you believe a child has provided us with personal information, contact us at support@agentastra.ai and we will take appropriate steps to delete it.
13. Content Processed on Behalf of Customers
Where Agent Astra processes documents and content as a processor on behalf of a Customer, that Customer is the controller and is responsible for providing notice to and obtaining any necessary consents from the individuals whose information appears in that content, and for the lawful basis of the processing. We process such content only as instructed by the Customer and as set out in our data processing agreement. If you are an end user whose information was submitted to the platform by a business, please direct privacy requests to that business; we will support them as the law requires.
14. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will revise the “Last updated” date and, where appropriate, provide additional notice. Your continued use of the Services after an update takes effect constitutes acceptance of the revised Policy.
15. Contact Us
If you have questions about this Policy or our privacy practices, or wish to exercise your rights, contact us at support@agentastra.ai. You may also reach us by mail at Agent Astra, Inc., United States. For individuals in the EEA or UK, you may contact us at the same address to reach our data protection contact.