DelegateBack home

Privacy Policy

Last updated: May 10, 2026

This Privacy Policy describes how BirdAI ("we", "us", or "our") collects, uses, shares, and protects information when you use Delegate (the "Service"). It applies to personal data we process as a data controller under the EU General Data Protection Regulation (GDPR) and equivalent Romanian law. By using the Service, you acknowledge the practices described here.

1. Introduction

Delegate is an AI-assisted platform that runs agents, workflows, and scheduled tasks on your behalf, often using third-party tools and AI providers. Operating it requires processing personal data — both your own and, where you choose to share it, data about other people. This Policy explains what we collect, why, how long we keep it, and the rights you have over it.

2. Definitions

  • Service means Delegate, including the website, application, APIs, and any related features we operate.
  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on personal data, such as collection, storage, use, transmission, or deletion.
  • Controller means the entity that determines the purposes and means of processing personal data.
  • Processor means an entity that processes personal data on behalf of a controller.
  • You means the individual using the Service, and where applicable, the organization on whose behalf you act.

3. Data Controller & Contact

BirdAI acts as the data controller for personal data processed through the Service in connection with your account. Where the Service processes content you submit on behalf of an organization or third parties, we generally act as a processor on your instructions, and you act as the controller of that data.

For privacy questions or to exercise your rights, contact us at contact@birdai.ro.

4. Information We Collect

4.1 Account information

Name, email address, organization, profile photo, authentication identifiers, and other information you provide when creating or managing an account.

4.2 Content

Prompts, instructions, files, attachments, task inputs and outputs, agent configurations, workflow definitions, conversation history, and any other content you submit to or generate through the Service.

4.3 Integration data

When you connect a third-party tool (such as a calendar, email, messaging, or storage provider), we receive only the data the integration scope authorizes. We use this data to perform the actions you request and do not access it for unrelated purposes.

4.4 Usage data

Logs, IP address, device and browser information, operating system, referrer URL, timestamps, feature usage, performance data, and interaction events.

4.5 Cookies & similar technologies

Cookies, local storage, and similar technologies we use to authenticate sessions, remember preferences, and measure usage. See section 15 for details.

4.6 Billing data

Plan, billing address, tax identifiers, transaction history, and payment metadata. Card details are handled by our payment processor; we do not store full card numbers.

5. How We Collect Information

  • Directly from you when you sign up, configure agents and workflows, submit content, or contact support.
  • Automatically through the Service, when you interact with it (logs, device data, cookies).
  • From third parties you authorize, such as identity providers, integrated tools, and payment processors.

6. Lawful Bases for Processing

Under the GDPR, we rely on the following lawful bases:

  • Contract: to provide the Service you request, including running agents, workflows, and integrations, and to bill you for them.
  • Legitimate interests: to operate, secure, debug, and improve the Service, prevent abuse, and communicate with you about the Service. We weigh these interests against your rights and freedoms.
  • Consent: for optional cookies, marketing communications, and processing that requires it. You may withdraw consent at any time.
  • Legal obligation: to comply with tax, accounting, anti-fraud, and other obligations.

7. How We Use Information

  • To provide, operate, and maintain the Service.
  • To process your prompts, run AI requests, execute workflows and scheduled tasks, and return outputs to you.
  • To bill you, account for credits, and prevent fraud and abuse.
  • To respond to support requests and send transactional messages.
  • To monitor performance, troubleshoot issues, and improve the Service in aggregate.
  • To enforce our Terms and protect the rights, safety, and integrity of the Service.
  • To comply with legal obligations and respond to lawful requests.

8. AI Processing & Third-Party Models

The Service routes prompts and relevant context to one or more AI model providers in order to generate AI Outputs. These providers act as our sub-processors and process the data under contractual terms that restrict use to providing inference services to us.

We do not use your content to train foundation models. We instruct our AI sub-processors to honour zero-retention or short-retention configurations where available, and we do not authorize them to use your content for their own model training.

AI Outputs are returned to you. They may be probabilistic and inaccurate; you should review them before relying on them, and you remain responsible for actions you or your agents take based on them.

9. Sharing of Information

We share personal data only:

  • With service providers acting as our processors under written agreements (see section 10).
  • With third-party tools you connect, at your direction and on your instructions, in order to perform the actions you request.
  • For legal reasons, when required by law, court order, or to protect rights, property, or safety.
  • In a corporate transaction such as a merger, acquisition, or asset sale, in which case we will provide notice and ensure the recipient honours commitments made in this Policy.
  • With your consent, for any other purpose disclosed at the time consent is obtained.

We do not sell personal data.

10. Sub-processor Categories

We rely on a limited set of vetted sub-processors to operate the Service. They process personal data only on our instructions and under data-protection commitments at least as protective as this Policy. The categories include:

  • AI model and inference providers — to generate AI Outputs.
  • Cloud hosting and infrastructure providers — to run our application, databases, and queues.
  • Authentication and identity providers — to manage sign-in and sessions.
  • Payment processors — to handle subscription and credit transactions.
  • Email and notification providers — to deliver transactional and account messages.
  • Analytics and product-telemetry providers — to measure usage and improve the Service.
  • Error monitoring and observability providers — to detect and investigate incidents.
  • Customer support and help-desk providers — to handle support tickets.

A current list of named sub-processors is available on request. We will provide reasonable advance notice of new sub-processors that have material access to personal data.

11. International Data Transfers

Some of our sub-processors operate outside the European Economic Area. Where personal data is transferred to a country that has not been recognized by the European Commission as providing an adequate level of protection, we rely on appropriate safeguards under the GDPR, primarily Standard Contractual Clauses, supplemented by additional technical and organizational measures where necessary. You may request a copy of the relevant safeguards by contacting us.

12. Data Retention

We keep personal data only for as long as we need it for the purposes described in this Policy or as required by law. Typical retention periods include:

  • Account information: while your account is active and for a limited period after closure to handle disputes and legal obligations.
  • Content: while your account is active, until you delete it, or until the related task or workflow completes, whichever is later.
  • Logs and usage data: typically up to 12 months, longer where required for security or legal investigations.
  • Billing records: for the period required by tax, accounting, and anti-fraud law (typically up to 10 years in Romania).

When you delete your account, we delete or anonymize personal data within a reasonable period, subject to backup rotation and any legal retention obligations.

13. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit, encryption at rest where appropriate, access controls and least-privilege roles, audit logging, network segmentation, secure software development practices, and incident-response procedures. No system is fully secure, and we cannot guarantee the absolute security of personal data.

14. Your GDPR Rights

Subject to applicable law, you have the following rights with respect to your personal data. To exercise any of them, contact us at contact@birdai.ro. We may need to verify your identity before responding.

14.1 Right of access

You can request confirmation that we process your personal data and a copy of that data.

14.2 Right to rectification

You can ask us to correct inaccurate or incomplete personal data.

14.3 Right to erasure

You can ask us to delete your personal data, subject to legal retention requirements and other limited exceptions.

14.4 Right to restriction

You can ask us to restrict processing in specific circumstances, for example while we verify the accuracy of your data.

14.5 Right to data portability

You can request a structured, commonly used, machine-readable copy of personal data you provided to us, and ask us to transmit it to another controller where technically feasible.

14.6 Right to object

You can object to processing based on our legitimate interests, including for direct marketing purposes.

14.7 Right to withdraw consent

Where processing is based on consent, you can withdraw it at any time, without affecting the lawfulness of prior processing.

14.8 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. In Romania, the competent authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP).

15. Cookies & Tracking

We use the following categories of cookies and similar technologies:

  • Strictly necessary: required to operate the Service, authenticate sessions, and remember security preferences. These cannot be disabled.
  • Preference: remember choices such as theme, language, and recent views.
  • Analytics: help us understand how the Service is used and improve it.

You can control non-essential cookies through your browser settings or any cookie preferences we offer. Blocking certain cookies may impact functionality.

16. Analytics

We collect aggregated and pseudonymized analytics about how the Service is used. We use this information to monitor performance, prioritize improvements, and detect abuse. Where required by law, we obtain consent before setting analytics cookies.

17. Payments

Subscription and credit purchases are processed by our payment processor. We receive only transaction metadata (such as confirmation status, amount, and last four digits of the card) and do not store full payment-card numbers. The payment processor processes payment details under its own terms and privacy policy.

The Service may include links to websites or services we do not control. We are not responsible for their privacy practices, and we encourage you to review their policies.

19. Children's Privacy

The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will take appropriate steps to delete it.

20. Automated Decision-Making

The Service produces AI Outputs and automated suggestions. These are advisory and intended to assist you. We do not use the Service to make decisions that produce legal or similarly significant effects on you solely by automated means within the meaning of GDPR Article 22. You remain responsible for reviewing AI Outputs and for any actions you or your agents take based on them.

21. Account Access Control

The Service includes role-, organization-, and workspace-level access controls so you can determine who within your organization can view or manage agents, workflows, integrations, and content. You are responsible for configuring these controls and for managing offboarding when team members leave.

22. Internal Security Practices

Internally, we apply least-privilege access for staff, require multi-factor authentication for systems handling personal data, log administrative actions, conduct security training, and revoke access promptly when a team member's role changes or ends. We periodically review our practices and update them as the Service evolves.

23. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify you through the Service or by email before the changes take effect. Your continued use of the Service after the effective date constitutes acknowledgement of the revised Policy.

24. Contact

For privacy questions or to exercise your GDPR rights, contact us at contact@birdai.ro.