Last updated: April 6, 2026
This Privacy Policy describes how Conducktor (“we,” “us,” or “our”) collects, uses, discloses, and protects information when you use our platform and services (collectively, “the Service”). By using the Service, you consent to the practices described in this policy. If you do not agree with this policy, do not use the Service.
Data Controller: Conducktor is the data controller for account information, usage telemetry, and platform data that we collect and process for our own purposes (authentication, billing, service improvement).
Data Processor: When you connect third-party services and AI assistants process data on your behalf (e.g., accessing your CRM data, querying your databases, executing tasks through your integrations), Conducktor acts as a data processor. You remain the data controller for all data that passes through connected services. We process such data solely in accordance with your instructions and configuration.
Account Information: When you create an account, we collect your email address, display name, and password (hashed with bcrypt). If you sign up via a third-party provider (e.g., Google, GitHub), we receive profile information authorized by that provider.
Connection Credentials: MCP server URLs, OAuth tokens (encrypted with Fernet AES-128), API keys, and connection metadata. All secrets are stored in an encrypted vault and never logged, displayed, or transmitted in plaintext.
Usage Telemetry: API call counts, tool invocation metadata, cost metrics, latency measurements, health check results, and approval workflow events. This data powers observability dashboards and billing calculations.
AI Interaction Data: When AI assistants execute tool calls on your behalf, we log tool names, timestamps, connection identifiers, and execution status for audit and governance purposes. We do not store the full content of AI prompts, model responses, or data retrieved from your connected third-party services, except as transiently necessary to process the request.
Device & Log Data: IP addresses, browser type, operating system, and referral URLs may be collected automatically for security monitoring and abuse prevention.
• Service Delivery: Route MCP requests, execute AI assistant tool calls, enforce governance policies, monitor connection health, and provide dashboards.
• Billing & Metering: Track usage for billing, quota enforcement, and consumption reporting.
• Security & Compliance: Detect anomalies, prevent abuse, maintain immutable audit logs, and respond to security incidents.
• Product Improvement: Analyze aggregated, anonymized usage patterns to optimize performance, improve features, and develop new capabilities. We never analyze individual request content for product improvement purposes.
• Communications: Send transactional emails (account verification, password resets, billing receipts) and, with your consent, product updates. You may opt out of non-transactional communications at any time.
We do NOT sell, rent, lease, or trade your personal information. We share information only in the following limited circumstances:
• Connected Services: When AI assistants invoke tools, we forward requests to the third-party servers you have configured (e.g., Microsoft, GitHub, Linear, Salesforce) using credentials you have authorized. We act solely as a conduit and do not control how those third parties process your data.
• Infrastructure Providers: We use third-party services for hosting (cloud providers), payment processing, and transactional email delivery. These providers are contractually obligated to protect your data.
• AI Model Providers: When processing AI interactions, prompts may be sent to third-party AI model providers (e.g., OpenAI, Anthropic). These providers have their own privacy policies and data processing terms. We recommend reviewing their policies.
• Legal Requirements: We may disclose information if required by law, subpoena, court order, or valid legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.
Conducktor does not sell your personal information as defined under the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), or any similar state or international privacy law. We do not share your personal information for cross-context behavioral advertising. If you are a California resident and wish to exercise your rights under the CCPA, please contact us at privacy@conducktor.com.
Conducktor operates globally and may transfer, store, and process your data in countries other than your country of residence, including the United States. By using the Service, you consent to the transfer of your data to the United States and other jurisdictions that may not provide the same level of data protection as your home jurisdiction. Where required by applicable law, we implement appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) or other approved mechanisms.
• Active Accounts: Data retained for as long as your account is active and as necessary to provide the Service.
• Deleted Accounts: Upon account deletion, all personal data, vault secrets, and connection credentials are permanently and irreversibly deleted within 30 days.
• Audit Logs: Retained for 90 days by default, configurable up to 7 years for Enterprise plans with compliance requirements.
• Legal Obligations: We may retain certain information as required by applicable law, regulation, or legal process, even after account deletion.
We implement commercially reasonable technical and organizational measures to protect your data, including:
• Encryption: TLS 1.3 for data in transit; Fernet (AES-128) for secrets at rest.
• Access Control: Role-based access with least-privilege enforcement; workspace-level data isolation.
• Audit Trails: Immutable telemetry events for every connection change, policy update, tool call, and approval decision.
• Vulnerability Management: Regular security assessments, dependency updates, and penetration testing (Enterprise).
NOTWITHSTANDING THE ABOVE, NO METHOD OF TRANSMISSION OVER THE INTERNET OR METHOD OF ELECTRONIC STORAGE IS 100% SECURE. WHILE WE STRIVE TO PROTECT YOUR DATA, WE CANNOT AND DO NOT GUARANTEE ABSOLUTE SECURITY. YOU ACKNOWLEDGE AND ACCEPT THAT ANY TRANSMISSION OF DATA TO OR FROM THE SERVICE IS AT YOUR OWN RISK, AND CONDUCKTOR SHALL NOT BE LIABLE FOR ANY UNAUTHORIZED ACCESS, DATA BREACH, OR LOSS OF DATA THAT OCCURS DESPITE OUR COMMERCIALLY REASONABLE SECURITY MEASURES.
Depending on your jurisdiction (including rights under GDPR, CCPA/CPRA, VCDPA, and similar laws), you may have the right to:
• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your account and all associated personal data.
• Portability: Request your data in a structured, machine-readable format.
• Restriction: Request restriction of processing of your personal data in certain circumstances.
• Objection: Object to the processing of your personal data for certain purposes.
• Opt-Out of Sale/Sharing: We do not sell or share your data, but you may exercise this right at any time.
To exercise any of these rights, contact us at privacy@conducktor.com. We will respond within 30 days (or as otherwise required by applicable law). We will not discriminate against you for exercising your privacy rights.
We use minimal cookies: a single HttpOnly session cookie for authentication. No third-party tracking pixels, analytics cookies, or advertising cookies are used. Local storage holds your authentication token for client-side API calls. We do not engage in cross-site tracking or behavioral advertising.
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a person under 18, we will take immediate steps to delete such information. If you believe we have collected information from a minor, please contact us at privacy@conducktor.com.
The Service integrates with third-party services and may contain links to third-party websites. We are not responsible for the privacy practices, security, or content of third-party services. When your AI assistants interact with connected services, those interactions are subject to the third party's own privacy policy and terms of service. We encourage you to review the privacy policies of all third-party services you connect.
TO THE MAXIMUM EXTENT PERMITTED BY LAW, CONDUCKTOR SHALL NOT BE LIABLE FOR ANY LOSS, DAMAGE, OR UNAUTHORIZED DISCLOSURE OF DATA THAT OCCURS: (A) AS A RESULT OF YOUR CONFIGURATION OF AI ASSISTANTS, CONNECTIONS, OR GOVERNANCE POLICIES; (B) THROUGH THIRD-PARTY SERVICES CONNECTED TO YOUR WORKSPACE; (C) DUE TO ACTIONS TAKEN BY AI ASSISTANTS ON YOUR BEHALF; (D) AS A RESULT OF EVENTS BEYOND OUR REASONABLE CONTROL; OR (E) DESPITE OUR COMMERCIALLY REASONABLE SECURITY MEASURES. LIABILITY FOR DATA PROCESSING MATTERS IS SUBJECT TO THE LIMITATIONS SET FORTH IN OUR TERMS OF SERVICE.
We may update this Privacy Policy from time to time. Material changes will be announced via email and/or in-app notification at least 30 days before taking effect. The “Last updated” date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date of any modification constitutes your acceptance of the modified policy. If you do not agree with the updated policy, you must stop using the Service and may request deletion of your data.
For questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at: privacy@conducktor.com