Legal

Privacy Policy.

Last updated: April 2026 · Last reviewed: April 2026 · Next scheduled review: April 2027

This is a plain-language summary of how Foyla handles your data. If any of it matters to your procurement or legal team, reach out to [email protected] and we'll walk through it with you.

Who we are

Foyla, Inc. ("Foyla", "we", "us") is a Delaware corporation that operates the Foyla platform and the website you're on now. This policy covers what we collect, why, and what your rights are, and serves as our California "Notice at Collection."

When this policy applies

This policy applies when Foyla is the controller of your personal data — for example, when you visit our website, contact us, or use your own Foyla account.

It does not apply when Foyla is a processor acting on behalf of a business customer — for example, when your employer's AI employee processes data about you. In that case, your employer (or other Foyla customer) is the controller, their privacy policy governs, and our obligations are set out in our DPA with that customer. If you're unsure which situation applies to you, contact [email protected] and we'll help you route the request.

What we collect

Information you give us

Name, work email, and company when you contact us or book a scoping call.
Data you or your team send us to configure your AI employee — playbooks, SOPs, sample documents.
Credentials or API tokens you connect to your AI employee's deployment (stored encrypted, scoped to your tenant).

Information we collect automatically

Server-side access logs and aggregate page metrics for the website (pages viewed, referrer, rough location from IP). We do not use cross-site advertising trackers or behavioural advertising cookies. If we add a third-party analytics provider in future, we'll update this policy to name it.
Operational logs from your AI employee — actions taken, tool calls, errors — so we can debug and maintain reliability.

Sensitive personal information

We do not collect or process "sensitive personal information" as defined under CPRA (such as government identifiers, precise geolocation, racial or ethnic origin, union membership, genetic or biometric data, health data, or contents of mail, email, and text messages other than as needed to provide the service).

How we use it

We use your data to:

provide the Foyla service as described in your order form;
maintain reliability, security, and performance of the service, and debug issues;
respond to your inquiries and provide customer support;
communicate about new features, changes, and (where permitted) product updates;
meet our legal, tax, and regulatory obligations.

We do not sell personal information and do not share it for cross-context behavioural advertising. We do not train foundation models on your operational data, and we do not use your operational data to train any customer-facing machine-learning model on behalf of other customers.

Financial incentives

We do not offer financial incentives, price differences, or service differences in exchange for the retention or sale of personal information, within the meaning of Cal. Civ. Code §1798.125.

Who we share it with

Only the subprocessors we need to run the service — cloud infrastructure, foundation-model providers, transactional email, website analytics. The current list lives on our Subprocessors page. Every subprocessor is bound by written data-protection terms at least as strict as ours.

Where your data lives

By default, customer data is processed in the United States. EU-region or on-prem deployments are available on request. For EU/UK customers, transfers out of the EEA/UK are governed by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, or an equivalent approved mechanism.

How long we keep it

We retain personal data only as long as needed for the purposes above or as required by law. Specifically:

Account and business-contact information: for the duration of the relationship plus up to 3 years, to service account-related questions and meet tax or statutory record-keeping rules.
Operational data from your AI employee: life of the contract plus 30 days, after which it is deleted or returned to you on request.
Audit logs of production actions: up to 7 years, or as required by customer contract or applicable law.
Server-side access logs and aggregate site metrics: 13 months.
Marketing contacts: until you unsubscribe or ask for deletion; we honour opt-outs immediately and remove you from active lists within 30 days.
Legal and compliance records (contracts, DPAs, security incident records): as required by applicable statutes of limitation.

Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or limit the use of your personal data, and to opt out of certain processing. This includes residents of California (CCPA/CPRA), Colorado, Connecticut, Virginia, Utah, and other US states with comprehensive privacy laws, as well as the EU/UK (GDPR). We do not sell personal information and do not engage in cross-context behavioural advertising. Email [email protected] and we'll handle your request within the timeframe required by applicable law (typically 30–45 days).

Your Privacy Choices

Foyla does not sell your personal information and does not share it for cross-context behavioural advertising. There is therefore no "Do Not Sell or Share" signal we need to act on for those purposes.

You can still exercise your state-law rights at any time:

Access, delete, correct, or port your data: email [email protected] with "Privacy Request" in the subject line. On portability requests, we'll provide your personal data in a commonly used, machine-readable format such as JSON or CSV.
Opt out of targeted advertising or profiling: not applicable — we don't do either.
Authorised agents: you can designate an agent to submit a request on your behalf; we'll verify the agent's authority before acting.
Appeals (Colorado, Connecticut, Virginia): if we deny your request, you may appeal by replying to our response; we'll review within 45 days.

Foyla honours the Global Privacy Control (GPC) browser signal as an opt-out of sale/sharing where applicable. We do not currently respond to browser Do Not Track (DNT) signals; GPC is the mechanism we use.

California Shine the Light

California residents may request information about any personal information we disclosed to third parties for their own direct-marketing purposes during the prior calendar year, under Cal. Civ. Code §1798.83. We do not disclose personal information for third-party direct marketing; to confirm or request details, email [email protected].

Security

A full write-up lives on our Security page. The short version: least-privilege access, encryption in transit and at rest, audit logging on every production action, and a human reviewer queue on every deployment.

Contact

Privacy questions and data-subject requests: [email protected]
All other legal matters: [email protected]