Privacy Notice

This Privacy Notice describes how Natoma Labs, Inc. collects, uses, discloses, and protects personal information in connection with the Natoma Services.

Table of Contents

1. Scope, Definitions, and Applicability
2. Information We Collect
3. How We Use Information
4. How We Share Information
5. Data Retention
6. Your Rights and Choices
7. International Data Transfers
8. Security
9. Children’s Privacy
10. Changes to This Privacy Notice
11. Contact Information

1. Scope, Definitions, and Applicability

Natoma— “Natoma” or “we,” “us,” or “our” means Natoma Labs, Inc.

Natoma Platform— “Natoma Platform” or “Platform” means the software-as-a-service (SaaS) platform. The Platform includes all associated services, features, APIs, documentation, and support provided under a customer service agreement.

Services— “Services” means the Natoma Platform and all related services provided by Natoma.

This Privacy Notice applies to different categories of data subjects who interact with Natoma:

Website Visitors— Individuals who visit our website (natoma.ai) to browse information about our services, view documentation, or submit contact forms. This category includes individuals who have not yet established a business relationship with Natoma.

Prospective Customers— Individuals who have expressed interest in our services by requesting demos, downloading resources, or engaging in sales conversations but have not yet entered into a customer agreement.

Customers— Organizations that have entered into a service agreement with Natoma. This includes the designated administrators and authorized representatives who manage the customer account.

End Users— Individual employees, contractors, or authorized users within customer organizations who use the Natoma Services as part of their work activities through their organization’s subscription.

2. Information We Collect

The information we collect varies based on your relationship with Natoma:

2.1 Information Collected from Website Visitors

Automatically Collected Information:

• IP address and approximate geographic location
• Browser type, version, and operating system
• Pages visited, time spent on pages, and navigation patterns
• Referring website or source
• Device identifiers and usage data

Information Provided Voluntarily:

• Name and email address (when you complete a contact form)
• Company name and job title
• Phone number (if provided)
• Message content and any additional information you choose to provide

2.2 Information Collected from Prospective Customers

In addition to website visitor information, we may collect:

• Business contact details (name, email, phone, company)
• Communication preferences
• Information, transcripts, or recordings of sales calls, demos, and other business communications

2.3 Information Collected from Customers

Account and Billing Information:

• Account contact information and details
• Billing address and payment information (processed by third-party payment processors)

2.4 Information Collected from and About End Users

User Account Information:

• Name, email address, and phone number
• User profile information from connected applications (e.g. group membership, and role assignments)

Activity and Usage Information:

• User login information and authentication events
• Audit log information from connected services
• Platform usage patterns and feature utilization
• API request logs and system performance metrics

AI Agent Interaction Data:

When end users interact with AI agents through the platform, we process data that may contain personal information, including:

• Prompts and user inputs to AI agents
• AI-generated responses and outputs
• Contextual data retrieved from MCP integrations
• Application outputs from integrated tools
• System information accessed via MCP servers

2.5 Information Collected from Third-Party Platform Integrations

When customers integrate the Natoma Platform with workplace applications (such as Slack, CrowdStrike, Zoom, Google Services, Asana, or other platforms), we collect and process data, including personal information from those platforms as necessary to provide AI agent services.

Data types processed may include:

• User profiles
• Messages
• Documents
• Files
• Project or task tracking data
• Source code
• Business records
• Meeting transcripts
• System configurations, workspace or tenant information
• Contextual data
• Search queries

The specific data accessed depends on which platforms customers integrate, permissions granted during authorization, and how users interact with AI agents.

Important: Customers control integrations and can disconnect them at any time. Some integrations may process sensitive information such as proprietary code, confidential communications, customer data, or financial information. Customers remain responsible for configuring appropriate access controls.

3. How We Use Information

3.1 Website Visitors

We use information from website visitors to:

• Operate, maintain, and improve our website
• Analyze website usage patterns and optimize user experience
• Respond to inquiries submitted through contact forms
• Detect, prevent, and address technical issues
• Comply with legal obligations

3.2 Prospective Customers

We use information from prospective customers to:

• Provide information about our services and respond to inquiries
• Schedule and conduct product demonstrations
• Assess technical requirements and solution fit
• Send marketing communications (with appropriate consent)
• Facilitate the sales process and contract negotiation

3.3 Customers

We use customer information to:

• Provide, maintain, and improve the Services we provide
• Process billing and payments
• Provide customer support and technical assistance
• Communicate about service updates, security alerts, and administrative matters
• Monitor and analyze usage to improve service quality
• Develop new features and services
• Ensure security and prevent fraud
• Comply with legal and contractual obligations

3.4 End Users and Third Party Platform Integrations

We use end user information to:

• Enable access to the Natoma Platform for authorized users
• Facilitate AI agent interactions and MCP server connections
• Authenticate users and enforce access controls
• Process AI agent requests and deliver responses
• Generate logs for security, audit, and troubleshooting purposes
• Monitor platform performance and system health
• Provide technical support when requested by the customer organization
• Detect and prevent security threats and unauthorized access

4. How We Share Information

We may share personal information in the following circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who perform services on our behalf, including:

• Cloud infrastructure providers
• Payment processors for billing and transaction processing
• Customer support and communication platforms
• Analytics and monitoring services
• Security and fraud prevention services

For a list of our data subprocessors, please visit our Trust Center at https://natoma.ai/trust

4.2 AI Model Providers

When end users interact with AI agents through the Natoma Platform, we may share prompts, contextual data, and related information with third-party AI model providers (such as Google Gemini, or other large language model providers) to generate responses. This sharing is necessary to provide the core functionality of the platform.

Important: We select AI model providers that maintain strong data protection practices. However, customers should be aware that when using AI features, their data may be processed by these third-party providers in accordance with their respective privacy policies and terms of service.

4.3 Customer-Authorized Third Parties

When customers configure integrations with third-party applications through MCP servers, we facilitate connections to those applications as instructed by the customer. Data sharing in these circumstances is controlled by the customer’s configuration choices.

When customers integrate workplace platforms (Slack, GitHub, Google Workspace, Salesforce, and 70+ others), we process data through platform APIs to deliver AI functionality, and platform providers may process personal data per their own privacy policies.

4.4 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction.

4.5 Legal Requirements and Protection of Rights

We may disclose information if we believe it is necessary to:

• Comply with applicable laws, regulations, legal processes, or governmental requests
• Enforce our terms of service or other agreements
• Protect the rights, property, or safety of Natoma, our customers, or others
• Detect, prevent, or address fraud, security, or technical issues

4.6 Aggregated or De-Identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you for research, analytics, or other purposes.

5. Data Retention

We retain personal information for different periods depending on the category of data subject and the purposes for which the information is used:

5.1 Website Visitor Data Retention

• Contact form submissions: Until you request deletion
• Website analytics data: As determined by our third-party analytics providers’ policies

5.2 Prospective Customer Data Retention

• Sales and marketing data: Until you opt out
• Demo and evaluation data: Until you request deletion

5.3 Customer Data Retention

• Account information: Duration of customer relationship plus 7 years (for financial and legal compliance)
• Billing and payment records: 7 years from transaction date
• Support communications: Until you request deletion

5.4 End User Data Retention

• User account data: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.
• AI agent user prompts: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.

5.5 Third Party Platform Integration Data Retention

• Message/document content from third-party platforms: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.
• Inputs and outputs from MCP tool calls: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.
• Synced profile data: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.

We may retain information for longer periods if required by law or to resolve disputes, enforce our agreements, or as otherwise permitted or required by applicable law.

6. Your Rights and Choices

Depending on your location and applicable law, you may have certain rights regarding your personal information:

6.1 Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:

• Right of Access: Request confirmation of whether we process your personal data and obtain a copy of that data
• Right to Rectification: Correct inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your personal data in certain circumstances
• Right to Restriction of Processing: Request that we limit how we use your personal data
• Right to Data Portability: Receive your personal data in a structured, commonly used format and transmit it to another controller
• Right to Object: Object to our processing of your personal data for direct marketing or based on legitimate interests
• Right to Withdraw Consent: Where we rely on consent, withdraw it at any time

6.2 Rights Under US State Privacy Laws

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other US states with comprehensive privacy laws, you may have the following rights:

• Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the sale or sharing of personal information (Note: We do not sell personal information)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
• Right to Limit Sensitive Data Processing: Request limitation on the use of sensitive personal information (where applicable)

6.3 How to Exercise Your Rights

To exercise any of the rights described above, you may contact us, as specified in Section 11. Contact Information at the bottom of this notice.

For End Users:Because we process your personal information on behalf of your employer or organization, we may need to verify your request with your organization before responding. In many cases, your organization’s administrator can assist you with accessing, correcting, or deleting your information.

We will respond to your request within the timeframes required by applicable law (typically 30-45 days). We may need to verify your identity before fulfilling your request.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable law.

6.4 Marketing Communications

You may opt out of receiving marketing communications from us by clicking the “unsubscribe” link in our emails or by contacting us at privacy@natomahq.com. Please note that even if you opt out of marketing communications, we will still send you transactional or administrative messages related to your use of our services.

7. International Data Transfers

Natoma is based in the United States. If you are accessing our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we implement appropriate safeguards, including:

• Standard Contractual Clauses approved by the European Commission
• EU-U.S. Data Privacy Framework (if applicable)
• Other legally approved transfer mechanisms

8. Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Multi-factor authentication and access controls
• Regular security assessments and penetration testing
• Employee security training and background checks
• Incident response and breach notification procedures
• SOC 2 Type II compliance (or other relevant certifications)

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard security practices.

9. Children’s Privacy

Natoma’s Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete such information. If you believe we have collected information from a child, please contact us at privacy@natomahq.com.

10. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will provide notice on our website.

We encourage you to review this Privacy Notice periodically. Your continued use of our services after changes are posted constitutes your acceptance of the updated notice.

11. Contact Information

If you have questions, concerns, or requests regarding this Privacy Notice or our privacy practices, please contact us:

Natoma Privacy Team

Email: privacy@natomahq.com

Mailing Address: P.O. Box 3939, 1525 Miramonte Avenue, Los Altos, California 94024-999

For Customers with Data Processing Agreements:

If you are a customer with a separate Data Processing Agreement (DPA) or other Agreement, the terms of that agreement will govern our processing of personal information on your behalf and may supplement or supersede portions of this Privacy Notice.

For Platform Integration Specific Privacy Questions:

For questions specific to how we handle data from integrated platforms (Slack, GitHub, Google Workspace, etc.), please email privacy@natomahq.com with the platform name in your subject line.