Privacy Policy
Last updated: March 30, 2026
Cintrico, Inc. ("Cintrico," "we," "us," or "our") operates the BOSS (Business Operating Studio Systems) platform available at cintri.co. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our platform, services, and related applications (collectively, the "Service"). By using the Service, you consent to the data practices described in this policy.
1. Information We Collect
We collect the following categories of information:
Personal Information
- Name, email address, and billing information provided during account registration
- Organization name, role, and team size for workspace configuration
- Payment and subscription details processed through Stripe
- Profile data including avatar, preferences, and notification settings
Usage Data
- Pages visited, features used, and actions taken within the platform
- Frequency and duration of sessions, studio interactions, and workflow executions
- Search queries, navigation patterns, and feature adoption metrics
- Error logs and performance data to diagnose and resolve technical issues
Device and Technical Information
- Browser type, operating system, device type, and screen resolution
- IP address, approximate geographic location, and time zone
- Referring URL and pages visited before and after accessing the Service
AI Interaction Data
- Prompts, instructions, and queries submitted to AI agents within your studios
- AI-generated outputs, including text, code, designs, and structured data
- Agent configuration, memory objects, and workflow context used during sessions
- Feedback signals such as ratings, regeneration requests, and edit patterns
2. How We Use Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and operate the BOSS platform, including AI agent execution, studio rendering, and workflow orchestration
- AI Model Improvement: To improve the quality, accuracy, and safety of AI-generated outputs across the platform, subject to your opt-out preferences
- Analytics and Performance: To monitor platform health, measure feature adoption, and identify areas for improvement
- Communication: To send transactional emails (billing, security alerts, service updates) and, with your consent, marketing communications about new features and product updates
- Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access, abuse, and fraudulent activity
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
3. Data Sharing and Disclosure
We do not sell your personal information. We do not rent, trade, or otherwise monetize your data to third parties. We share information only in the following circumstances:
- Service Providers: We use trusted third-party processors to operate the platform, including Supabase (database and authentication), Vercel (hosting and analytics), Anthropic and OpenAI (AI model providers), Google Cloud (infrastructure services), and Stripe (payment processing)
- Legal Requirements: When required by law, regulation, subpoena, court order, or governmental request
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity
- With Your Consent: When you explicitly authorize us to share your data with a third party
- Aggregated Data: We may share anonymized, aggregated data that cannot identify you for industry benchmarking and research purposes
4. AI-Specific Privacy Practices
BOSS relies on AI agents to power studios, automate workflows, and generate content. We take the following measures to protect your data in AI contexts:
- Data Isolation: Each workspace maintains strict data isolation. AI agents operating within your workspace cannot access data from other workspaces or organizations
- Model Training Opt-Out: You may opt out of having your AI interaction data used to improve our models. This setting is available in your workspace privacy settings and applies retroactively to previously collected interaction data
- Prompt Privacy: Prompts and instructions you submit to AI agents are processed in real time and are not stored beyond the session context window unless you explicitly save them
- Third-Party AI Providers: When your prompts are routed to third-party AI providers (Anthropic, OpenAI, Google), they are transmitted via encrypted channels and are subject to those providers' data processing agreements, which prohibit use of your data for model training
- Agent Memory: AI agents may retain session context and memory objects to improve continuity. You can view, edit, and delete agent memory at any time from your workspace settings
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods are as follows:
- Active Account Data: Retained for the duration of your subscription plus 90 days following cancellation to allow for reactivation
- AI Interaction Logs: Retained for 30 days in active storage, then archived for up to 12 months for quality assurance, unless you opt out
- Billing Records: Retained for 7 years as required by financial regulations
- Deleted Account Data: Upon account deletion request, all personal data is purged from active systems within 30 days. Backups are purged within 90 days. Certain anonymized, aggregated data may be retained indefinitely
- Legal Hold: Data subject to a legal hold or regulatory investigation may be retained beyond standard periods as required by law
6. Security Measures
We implement industry-standard security measures to protect your data:
- Encryption at Rest: All data stored in our databases is encrypted at rest using AES-256 encryption
- Encryption in Transit: All data transmitted between your browser and our servers is protected by TLS 1.3
- SOC 2 Compliance: We are pursuing SOC 2 Type II certification and maintain security controls aligned with the Trust Services Criteria
- Access Controls: Role-based access controls ensure that only authorized personnel can access sensitive systems and data. All access is logged and auditable
- Infrastructure Security: Our infrastructure is hosted on SOC 2-certified providers with network isolation, intrusion detection, and automated vulnerability scanning
- Incident Response: We maintain a documented incident response plan and commit to notifying affected users within 72 hours of a confirmed data breach
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal data
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Portability: Request your data in a structured, machine-readable format for transfer to another service
- Opt-Out: Opt out of marketing communications, AI model training data usage, and non-essential analytics
- Restriction: Request that we restrict processing of your data in certain circumstances
- Objection: Object to processing of your data based on legitimate interests
To exercise any of these rights, contact us at legal@cintri.co or use the privacy controls in your account settings. We will respond to your request within 30 days.
8. International Data Transfers
Cintrico is headquartered in the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States and other jurisdictions where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and participation in the EU-US Data Privacy Framework where applicable.
9. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at legal@cintri.co.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email, by in-platform notification, or by posting a prominent notice on our website at least 30 days prior to the changes taking effect. Your continued use of the Service after the effective date of any updated policy constitutes your acceptance of the revised terms.
11. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Cintrico, Inc.
- Email: legal@cintri.co
- Website: cintri.co
For GDPR-specific inquiries, please see our GDPR Compliance page or contact our Data Protection Officer at legal@cintri.co.