Wolfia Inc. Privacy Policy

1. Introduction and Scope

Welcome to Wolfia Inc. (Wolfia, we, us, our). This Privacy Policy explains how we collect, use, share, secure, and otherwise process information relating to identified or identifiable individuals (Personal Information) in connection with our business activities.

This policy applies when you visit our websites (e.g., wolfia.com, docs.wolfia.com), use the Wolfia Platform (our AI-powered answer engine and related features), interact with our marketing, sales, or support teams, or otherwise use our services (collectively, the Services).

This policy does not cover third-party websites, applications, or services that may integrate with or be linked from our Services (Third-Party Services). The use of the Wolfia Platform by business customers (Customers) is governed by our Terms of Service / MSA and, where applicable, a Data Processing Addendum (DPA). In relation to Service Data (data a Customer submits to or connects with the Platform), Wolfia acts primarily as a processor/service provider on behalf of the Customer, who acts as controller/business. This policy primarily describes how Wolfia processes Personal Information for its own purposes (where Wolfia is the controller), such as website visitor data, marketing contact information, and account administration data (Other Information).

2. Personal Information We Collect

2.1 Information You Provide

Account & Profile. Name, email, phone, password, company, job title, and similar details.

Payment. We and/or our payment processors collect payment card/bank details, billing address, and transaction data. We do not store full payment card numbers.

Communications. Content of messages and related metadata when you contact us (email, support, forms, surveys, social).

Marketing. Subscription preferences, event/webinar registrations, downloads.

Careers. Application materials (resume/CV, history, references).

2.2 Information Collected Automatically

Log Data. IP address, device and browser info, OS, timestamps, referring/exit pages, and clickstream.

Usage Data. Features used, time on pages, actions taken, performance metrics, and error reports.

Cookies/Similar Tech. Essential, functional, analytics, and (where applicable) advertising cookies/pixels. You can manage preferences via browser settings.

Location. General geolocation (e.g., city/country) inferred from IP; more precise location only if you enable it.

2.3 From Other Sources

Customers (Service Data). Customers may upload/connect data sources that include Personal Information about their users/contacts.

Third-Party Services. If you integrate services (e.g., Google Drive/Workspace, SSO, data repositories), we receive information per the permissions you grant. For Google Drive: we only access file metadata and the contents of documents you explicitly import into Wolfia. We do not scan or index other Drive files.

Partners/Public Sources. Business partners, data brokers, and public sites (e.g., LinkedIn) to supplement records or identify potential customers.

3. How We Use Personal Information (Legal Bases)

Provide and Manage Services (Contract; Legitimate Interests) — Operate, maintain, secure, and improve the Platform; create/manage accounts; process payments; provide support; honor the MSA. Google Drive: provide document search, summaries for imported files, and AI-powered Q&A in your private workspace.

Communicate (Legitimate Interests; Contract; Consent) — Respond to inquiries; send service notices (maintenance, security, policy updates); send marketing (where permitted/consented). Opt-out any time.

R&D (Legitimate Interests) — Analyze usage and feedback to improve features and UX. We favor aggregated/de-identified data. Google Drive content is not used to develop/train general AI models serving other users.

Security & Fraud (Legitimate Interests; Legal Obligation) — Detect, prevent, and respond to threats, abuse, and violations.

Legal Compliance (Legal Obligation) — Meet legal/regulatory requirements and lawful requests.

Operations & Analytics (Legitimate Interests) — Audits, reporting, and business administration.

Service Data Processing. For Service Data, we act on the Customer's documented instructions under the MSA and (where in place) the DPA. Customer is responsible for its legal bases and end-user disclosures.

AI Training Limitation. As stated in the MSA, Wolfia will not use Customer Service Data (indexed content or queries) to train general-purpose AI models offered externally by Wolfia or third parties, without explicit prior written consent. Aggregated, anonymized usage statistics may support service reliability/quality, but not external general-purpose model training.

Automated Decision-Making and AI-Generated Content. Our Services use artificial intelligence and machine learning to generate responses to questions, complete security questionnaires, and produce other content. These AI systems analyze your content and queries using retrieval-augmented generation (RAG), vector embeddings, and large language models to provide relevant answers. The AI-generated output may influence business decisions (e.g., responses provided to customers or included in proposals). You have the right to review, edit, and approve all AI-generated content before use. We recommend human review and oversight for all AI outputs, particularly for consequential decisions. You may contact us at privacy@wolfia.com to request human review of any automated decision or to obtain information about the logic involved in our AI processing.

4. Sharing Personal Information

Service Providers. Cloud hosting, payments, CRM, analytics, email, and support tools under contractual safeguards.

Per Customer Instructions. Service Data is shared as directed by the Customer (e.g., Authorized Users, third-party integrations).

Affiliates. Within the Wolfia group for compliant processing.

Business Transactions. In a merger, acquisition, financing, reorganization, bankruptcy, or sale, subject to confidentiality.

Legal/Safety. To comply with law or protect rights, property, or safety.

Aggregated/De-identified. May be shared for analytics or research.

With Consent. As disclosed at collection or with your approval.

For a complete and current list of our service providers and subprocessors, please visit our Trust Center.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect Personal Information (e.g., encryption in transit and at rest, access controls, network monitoring, vulnerability management, security testing, employee training, and incident response). OAuth access and refresh tokens are stored in an encrypted, access-controlled secrets vault and are never written to application logs. All backups are encrypted at rest (AES-256).

No system is 100% secure. You are responsible for protecting your credentials and using secure networks.

6. Data Retention

We retain Personal Information as needed to provide the Services, comply with law, resolve disputes, and enforce agreements. Specific retention periods vary by data type:

Account and Profile Data: Retained for the duration of your relationship with Wolfia plus 7 years for legal and compliance purposes.

Usage Logs and Analytics: Retained for 30-90 days, or as needed for security monitoring and service improvement.

Payment and Transaction Records: Retained for 7 years to comply with tax and financial regulations.

Marketing and Communications Data: Retained until you unsubscribe or request deletion, plus 30 days to process the request.

Service Data: Retention governed by the MSA and Customer configuration. When you terminate your account, Service Data is retained for 30 days (data retrieval period), after which it is deleted from active systems.

Google Drive Integration: Files and metadata are retained until you: (a) delete the import; (b) disconnect Google; or (c) terminate your account—whichever occurs first.

Backups: When deletion is requested or appropriate, we delete or anonymize data from active systems; where immediate deletion is not possible (e.g., encrypted backups), we securely store and isolate it until purge. Encrypted backups are automatically purged on a 90-day rolling basis to ensure complete removal.

7. Your Rights and Choices

Depending on your location, you may have rights to access, correct, delete, restrict, port, or object to processing, and to withdraw consent where processing is based on consent. You may opt-out of marketing at any time via links in emails or by contacting us.

California (CCPA/CPRA). California residents may have additional rights, including access, deletion, and the right to opt-out of sale or sharing (as defined by law). We do not sell personal information as that term is commonly understood; any "sharing" for cross-context behavioral advertising (if used) will honor opt-out choices. Submit requests via the contact methods below. If your request concerns Service Data we process for a Customer, we will direct you to the Customer, who controls that data.

You may also have the right to lodge a complaint with your local supervisory authority.

8. Children's Privacy

Our Services are not directed to children under 16 (or other applicable age). We do not knowingly collect Personal Information from children. If you believe a child provided us Personal Information, please contact us and we will delete it.

9. Third-Party Links

Our Services may link to third-party sites/services. Their practices are not covered by this Policy. Review their policies before providing information.

10. Google API Services User Data Policy

Wolfia's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use only the drive.readonly scope and access only the Google Drive files/folders you explicitly select to import. We do not scan or index other Drive content, use Drive data for advertising, or train external general-purpose AI models. You may revoke access at any time via Disconnect Google in your account settings or at https://myaccount.google.com/permissions. Revocation invalidates OAuth tokens and previously imported Drive files are queued for deletion within 24 hours. Encrypted backups are automatically purged on a 90-day rolling basis.

11. Changes to This Policy

We may update this Policy to reflect changes in practices, legal requirements, or services. The Last updated date shows the latest revision. For material changes, we will provide more prominent notice (e.g., email or in-product) and seek consent where required.

12. Contacting Wolfia

Email: privacy@wolfia.com

Mail: Wolfia Inc., Attn: Privacy Team, 10500 Avery Club Drive Unit 6, Austin, TX 78717