This Privacy Policy describes how Elio Labs Inc. ("Elio," "we," or "us") processes personal data when you use the Eliocloud application — including Ask Elio, specialist agents, workspace features, the Finance Assistant, CRM, integrations, and related services (collectively, the "Service"). By using the Service, you acknowledge this Policy. If you do not agree, do not use the Service.
1. Data controller
The controller is Elio Labs Inc., as identified in the Service or on our website. To exercise rights (access, rectification, erasure, objection, restriction, portability where applicable), use the same support channel or email indicated in the app.
2. Data we collect
Depending on how you use the Service, we may process:
- Account data: identifier, email, name or display name, password hash, preferences, and session-related metadata.
- Product usage: chats with agents, prompts, files or attachments you send, and technical logs (IP address, browser type, timestamps) for security and troubleshooting. Conversation text, long-term memory facts we store for personalization, automated thread summaries, and generated artifacts (e.g. documents or code panels) are encrypted at rest in our database using per-user encryption keys. Team channel messages use separate per-channel encryption. This reduces risk if storage media is exposed without valid application access.
- Credentials and integrations: when you connect external providers (e.g. Google Gmail, Microsoft 365/Outlook, Intuit QuickBooks), we store OAuth tokens and metadata needed to refresh access, encrypted at rest. Tokens for integrations such as Telegram, WhatsApp (where configured), Slack, and MCP server environment variables are also stored encrypted. We do not store those providers' passwords if you use OAuth only.
- Billing: if you pay for the Service, our payment processor (e.g. Stripe) may receive payment method and billing details; we store subscription identifiers, plan status, and promotion usage as needed to operate accounts.
- Finance Assistant: when you import bank or card statements, invoices, or receipts, we process file contents and extracted transaction fields (amounts, dates, merchants, categories) to provide categorization, review queues, exports, and optional QuickBooks sync. This data is tied to your account and workspace scope (personal or company profile) as you configure.
- Finance demo mode: the app may offer a purely illustrative "demo" view with sample transactions. That sample data is generated in your browser session for onboarding and is not uploaded as your financial records unless you turn demo mode off and import real data.
- Workspace & CRM: if you use organization workspaces, we process membership, roles, and content you add (e.g. CRM records, tasks, files) according to your workspace settings and invitations.
3. Purposes and legal bases (GDPR reference)
We process data to: provide the Service and perform our contract with you; maintain security, prevent abuse, and comply with law; improve and operate the platform; send operational communications about your account; and, where required, marketing with your consent. Bases may include contract, legitimate interests (security, product improvement), or legal obligation.
4. AI providers and subprocessors
To generate responses, the Service may send portions of your messages to third-party model providers (OpenAI, Anthropic, Google, or others you configure). Those providers are governed by their own policies and agreements. Avoid including unnecessary sensitive personal data in prompts. With BYOK (bring your own key), you may supply your own API credentials so that some model calls are billed and logged directly with the provider according to their terms.
5. Cookies and local storage
We may use cookies or local storage to maintain sessions (e.g. authentication signals) and preferences. Strictly necessary cookies for core functionality often do not require consent under many laws; analytics or marketing cookies, if used, will depend on your consent where required. Where we use Google advertising or measurement tags (e.g. Google tag / Google Ads), Google may set or read cookies or similar technologies as described in Google's policies; in regions that require it, we rely on your consent before enabling non-essential advertising or analytics cookies. See also our Cookie Policy.
6. Retention
We keep information for as long as needed for the purposes above, unless a longer retention period is required by law. You may request account deletion; some data may be retained in aggregated or anonymized form.
7. Security, encryption, and access
We implement technical and organizational measures designed to protect personal data, including encryption of sensitive fields at rest, access controls, rate limiting, and security reviews. No system is 100% secure; report suspected incidents through support.
7.1 Encryption at rest (summary)
- Per-user content: chat messages (user and assistant), stored memory facts, thread summaries, and artifact bodies are encrypted before persistence using a key unique to your account; that key is itself encrypted with a platform master key.
- Team channels: message bodies are encrypted with a channel key, stored encrypted at the platform level.
- Secrets: API keys you add, OAuth token bundles, and similar credentials use platform-level encryption (separate from per-user message keys).
7.2 How the Service uses decrypted data
The application must decrypt content in memory to provide features you request (e.g. showing history, calling models, refreshing summaries). That is not the same as "unencrypted storage": data at rest in the primary database remains ciphertext without the keys and a running application with proper authorization.
7.3 Human and operational access
We do not sell your personal data for marketing. Access by our personnel is limited to what is needed to operate the Service, provide support when you contact us, investigate abuse or security incidents, and meet legal obligations. We do not treat user chats as a resource for unrelated browsing; subprocessors (such as model APIs) receive only what is sent to them as part of a request you or your agents initiate.
8. International transfers
We may process data on servers in the United States or other regions. If we act as a processor for your organization, standard contractual clauses or other mechanisms may apply as agreed.
9. Your rights
Depending on where you live (EU/EEA, California CPRA, or other laws), you may have additional rights. We will respond within legal timeframes. You may lodge a complaint with your local data protection authority.
10. Children
The Service is not directed at children under 16. If we learn we have collected children's data without a valid basis, we will delete it.
11. Changes to this policy
We post the current Policy at this URL and update the version label when we make substantive changes. Where required by law, we will notify you by email or in-product notice before or when changes take effect.
12. Contact
For privacy questions, data subject requests, or security reports, use the support channel or privacy contact published in the Service or at https://app.iamelio.ai.
Effective 2.0 · April 2026