Privacy policy

Last updated: June 5, 2026

This Privacy Policy explains how CoreAI handles personal information in connection with CoreAI (the "Service"). It applies to the Service, related websites, support communications, and administrative interfaces. If your organization has a separate written agreement, order form, or data processing addendum with us, that agreement controls where it conflicts with this policy.

Information we collect

We collect and process the following categories of information:

  • Account and authentication information: names, email addresses, organization membership, roles, approval status, sign-in identifiers, SSO/SAML or OAuth metadata, and authentication events needed to provide secure access.
  • Tenant, admin, and authorization information: workspace settings, project membership, RBAC and IAM configuration, policy mappings, connector administration, audit events, billing or usage configuration, and other records needed to administer a tenant.
  • Customer content: prompts, chat messages, generated outputs, files, documents, images, libraries, system prompts, agent instructions, agent configurations, project artifacts, evaluations, annotations, and other materials submitted to or produced through the Service.
  • Connector-authorized content: data that users or administrators authorize the Service to access from third-party systems, such as email, calendars, files, collaboration tools, source code systems, project management tools, databases, storage services, webhooks, and custom APIs.
  • Usage, security, and audit logs: timestamps, feature interactions, API requests, run metadata, tool-call metadata, access logs, IP-derived approximate location, device and browser information, error reports, abuse-prevention signals, and events required for security, auditability, and tenant isolation.
  • Support and communications: messages, contact details, attachments, and diagnostic information you provide when requesting help, reporting issues, or discussing the Service with us.

How we use information

We use information to:

  • Provide, operate, secure, troubleshoot, and improve the Service;
  • Authenticate users, enforce access controls, and preserve tenant isolation;
  • Execute agent runs, workflows, retrieval, tool calls, evaluations, and integrations that users or administrators request;
  • Maintain audit logs, security records, observability, reliability, and incident response;
  • Provide customer support, send service notices, and respond to administrative requests;
  • Comply with legal obligations, enforce agreements, and protect the Service and its users.

Customer content and AI processing

Customer content may be processed by AI model providers, infrastructure providers, and other subprocessors only as needed to provide requested Service functionality, subject to applicable contractual controls. Users are responsible for ensuring they have permission to submit content and connect third-party systems to the Service.

The Service may generate outputs from user prompts, uploaded content, connected data, and configured tools. AI outputs can be inaccurate or incomplete, and users should review outputs before relying on them in business, legal, medical, financial, security, or other high-impact contexts.

Integrations and third-party services

The Service can connect to third-party systems when an authorized user or administrator enables an integration or provides credentials. We process tokens, scopes, connector settings, and authorized content to perform requested actions. Third-party systems remain governed by their own terms and privacy notices, and your organization controls which integrations are approved for its tenant.

Observability, logs, and sensitive data

We use logs, traces, metrics, and error reporting to monitor reliability, performance, security, and product quality. We design these systems to limit unnecessary exposure of prompts, outputs, connector payloads, credentials, secrets, and other sensitive content. Some diagnostic records may still include metadata or excerpts needed to investigate a support request, security event, failed run, or service issue.

Sharing and subprocessors

We do not sell personal information. We may share information with service providers and subprocessors that help us provide hosting, storage, databases, security, analytics, observability, support, communications, AI model processing, and connected-service functionality. We may also disclose information when required by law, to protect rights and safety, to prevent abuse, or as part of a merger, acquisition, financing, or similar corporate transaction.

Retention

We retain information for as long as needed to provide the Service, meet security and audit requirements, comply with legal obligations, resolve disputes, enforce agreements, and support business continuity. Retention periods may vary by data type, tenant configuration, customer agreement, legal requirement, backup schedule, and whether data is needed for security, compliance, or dispute purposes.

Your choices and rights

Depending on your location and relationship to the Service, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information, and to appeal or lodge a complaint with a regulator. If you use the Service through an organization, submit requests through your organization administrator when the organization controls the relevant data. You may also contact us at support@coreai.turing.com.

International transfers

We and our subprocessors may process information in countries other than where you are located. Where required, we use appropriate safeguards for international transfers, such as contractual commitments or other transfer mechanisms recognized by applicable law.

Security

We use technical and organizational safeguards designed to protect information, including access controls, tenant isolation, audit logging, encryption in transit, administrative controls, and monitoring. No system is completely secure, and users should use approved identity providers, protect credentials, and promptly report suspected security issues.

Children

The Service is intended for business and organizational use. It is not directed to children under 13 or the minimum age required by applicable law, and we do not knowingly collect personal information from children.

Changes to this policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date above and provide additional notice when required by law or contract.

Contact

For privacy questions or requests, contact support@coreai.turing.com. For general support, see our Contact page. This policy should be read together with our Terms of service.