Privacy Policy
Powerloom collects the minimum information needed to operate an agent governance platform: account identity, organization membership, and usage telemetry necessary for billing, audit, and security. We don't sell or share personal data with advertisers.
Effective May 5, 2026
1. Who we are
Powerloom is a control plane that lets organizations deploy and govern AI agent fleets. The Service is operated by Powerloom, Inc., a Delaware corporation ("Powerloom", "we", "us", "our").
This Privacy Policy explains what information we collect when you sign up for or use the Service at app.powerloom.org, what we do with it, and the choices you have. It applies to all users of the Service — administrators, individual users within a Powerloom-customer organization, and visitors to our public marketing site at powerloom.org.
2. What we collect
Information you provide directly
- Account identity — name, email address, and (for password-based accounts) a password hash. For single-sign-on accounts, your provider's opaque user id and the email address that provider returns.
- Organization information — workspace name, slug, and the organizational-unit structure you create.
- Onboarding profile — the optional answers you give to the signup wizard's "tell us about yourself" step (role, team size, why you're evaluating Powerloom). Used to seed your meta-agent and to help us prioritize product investments.
- Bring-your-own-key credentials — Anthropic, OpenAI, or other model-provider API keys you supply so your agents can invoke those services. Keys are encrypted at rest using AES-256-GCM with per-row authenticated additional data (AAD); the cleartext value is never persisted.
- Integration tokens — when you connect a third-party application (e.g., Slack, HubSpot, GitHub), we store the OAuth access and refresh tokens needed to interact with that service on your behalf. Same encryption envelope as BYOK keys.
Information we collect automatically
- Usage telemetry — agent invocation counts, session durations, tool-call traces, and error rates. Used for billing, capacity planning, and debugging.
- Audit log entries — administrative actions (creating agents, granting access, modifying policies) recorded with a hash-chained log so changes can be verified end-to-end. Required for compliance reporting in many customer environments.
- Technical metadata — IP address, user-agent string, and timestamps on authentication events. Used to detect abuse and (when configured) to enforce IP-allowlist policies.
Information we do not collect
- We do not collect biometric data, location data beyond coarse IP geolocation, or device fingerprints beyond what a standard server log captures.
- We do not load third-party advertising or social-media tracking pixels into the Service or onto our marketing pages.
- We do not read or scrape the contents of agent conversations or tool-call payloads beyond what you explicitly route through governed surfaces (audit, memory, approvals). The Service is a control plane, not a data lake.
3. Google sign-in (OAuth) data
When you sign in or sign up with Google, Powerloom requests the OAuth scopes openid email profile. From the userinfo endpoint we read and store:
- The Google subject identifier (sub) — an opaque string that uniquely identifies the Google account. Stored so subsequent sign-ins resolve to the same Powerloom user.
- Your email address — used to create or look up your Powerloom account.
- Your display name — used to pre-fill your profile during onboarding. You can change it at any time.
We do not request scopes beyond openid email profile for sign-in. We do not access Gmail, Google Drive, Calendar, Sheets, or any other Google service through the sign-in OAuth client. (A future Google Workspace integration, if you opt in, would be a separate OAuth app with its own scope grants and consent screen — the sign-in client and the workspace client are distinct.)
4. How we use information
- To operate the Service — authenticate you, enforce your organization's access policies, route your tool calls, and bill your account.
- To secure the Service — detect anomalous authentication patterns, block credential-stuffing attempts, and respond to abuse reports.
- To support you — when you contact us at support@powerloom.org, we use your email and any relevant logs to diagnose and resolve your issue.
- To improve the Service — aggregate, de-identified usage patterns may inform product decisions (e.g., which workflow templates customers most often clone). This category never includes content of your agent conversations or tool calls.
We do not use your information to train AI models. Powerloom does not train any foundation models; we route requests to third-party model providers (Anthropic, OpenAI, AWS Bedrock) using credentials you supply.
5. When we share information
We share information only in narrow, named circumstances:
- With model providers you choose — when you configure a BYOK Anthropic / OpenAI / Bedrock credential and invoke an agent, the agent's prompt and tool-call data are sent to that provider under their privacy terms. Powerloom acts as a passthrough; we do not retain a separate copy of every model request.
- With third-party integrations you connect — if you authorize a Slack, HubSpot, or GitHub integration, requests routed through that integration go to the third-party service under their terms.
- With sub-processors that operate our infrastructure — Amazon Web Services (compute, storage, data transit), Cloudflare (edge), Resend (transactional email). Each is bound by a data-processing agreement that limits processing to the purposes Powerloom directs.
- When required by law — in response to subpoenas, court orders, or other valid legal process. We will notify you before complying when we're permitted to do so.
- In a business transition — if Powerloom is acquired or merges, your information may transfer to the successor entity, subject to this Privacy Policy or one materially equivalent.
We never sell personal data. We do not share personal data with advertisers, data brokers, or marketing analytics companies.
6. How long we keep information
- Account information — for the life of your Powerloom account. When your account is deleted, identity fields are erased within 30 days; audit-log entries referencing your past actions are pseudonymized (your user id replaced with a tombstone) but the action records themselves are retained for the period your organization requires for compliance.
- BYOK credentials and integration tokens — for as long as the credential is active. When you delete a credential, the encrypted ciphertext is deleted within 24 hours of the next maintenance window.
- Telemetry and audit data — retained per your organization's configured retention policy (default 90 days for usage telemetry, indefinite for audit-log entries unless your organization explicitly purges).
- Server logs — IP-level access logs are kept for 30 days, then aggregated and discarded.
7. How we protect information
- All credentials and integration tokens are encrypted at rest with AES-256-GCM. Keys live in AWS KMS; Powerloom engineers never have direct access to cleartext credentials.
- All traffic between you and the Service uses TLS 1.2 or higher.
- Access to production infrastructure follows least-privilege principles. Administrative actions are audit-logged with a hash chain that detects after-the-fact tampering.
- We test for common web vulnerabilities and welcome responsible disclosure at security@powerloom.org.
8. Your rights
Depending on where you live, you may have the right to access, correct, delete, or export your personal data, and to object to certain processing. To exercise any of these rights, email privacy@powerloom.org from the address on your Powerloom account. We will respond within 30 days.
If you sign in with Google, you can revoke Powerloom's access at any time via your Google Account permissions page. Doing so prevents future sign-ins with that Google account but does not delete your Powerloom account; email us separately to delete the account itself.
9. Children's privacy
The Service is for business and developer use and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have, we will delete it.
10. International users
Powerloom is operated from the United States and processes data on infrastructure located in the United States. By using the Service, you consent to the transfer of your information to the United States, which may have different data-protection laws than your country of residence. We are working toward EU-region availability for customers who need data residency; contact sales@powerloom.org if this is a requirement.
11. Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we'll change the "Effective" date at the top and, for material changes, notify account administrators by email at least 14 days before the change takes effect. Your continued use of the Service after the change indicates your acceptance of the updated Policy.
For privacy questions or to exercise the rights above: privacy@powerloom.org.
For security disclosures: security@powerloom.org.
For general support: support@powerloom.org.
Questions or concerns? Email privacy@powerloom.org (privacy questions, data requests) or legal@powerloom.org (terms-of-service questions). Powerloom, Inc., a Delaware corporation.