Terms of Service
Effective date: January 31, 2026
This Privacy Notice describes how Natoma Labs, Inc. collects, uses, discloses, and protects personal information in connection with the Natoma Services.
Table of Contents
Scope, Definitions, and Applicability
Information We Collect
How We Use Information
How We Share Information
Data Retention
Your Rights and Choices
International Data Transfers
Security
Children's Privacy
Changes to This Privacy Notice
Contact Information
1. Scope, Definitions, and Applicability
For purposes of this Privacy Notice:
Natoma
"Natoma" or "we," "us," or "our" means Natoma Labs, Inc.
Natoma Platform
"Natoma Platform" or "Platform" means the software-as-a-service (SaaS) platform. The Platform includes all associated services, features, APIs, documentation, and support provided under a customer service agreement.
Services
"Services" means the Natoma Platform and all related services provided by Natoma.
This Privacy Notice applies to different categories of data subjects who interact with Natoma:
Website Visitors
Individuals who visit our website (natoma.ai) to browse information about our services, view documentation, or submit contact forms. This category includes individuals who have not yet established a business relationship with Natoma.
Prospective Customers
Individuals who have expressed interest in our services by requesting demos, downloading resources, or engaging in sales conversations but have not yet entered into a customer agreement.
Customers
Organizations that have entered into a service agreement with Natoma. This includes the designated administrators and authorized representatives who manage the customer account.
End Users
Individual employees, contractors, or authorized users within customer organizations who use the Natoma Services as part of their work activities through their organization's subscription.
2. Information We Collect
The information we collect varies based on your relationship with Natoma:
2.1 Information Collected from Website Visitors
Automatically Collected Information:
IP address and approximate geographic location
Browser type, version, and operating system
Pages visited, time spent on pages, and navigation patterns
Referring website or source
Device identifiers and usage data
Information Provided Voluntarily:
Name and email address (when you complete a contact form)
Company name and job title
Phone number (if provided)
Message content and any additional information you choose to provide
2.2 Information Collected from Prospective Customers
In addition to website visitor information, we may collect:
Business contact details (name, email, phone, company)
Communication preferences
Information, transcripts, or recordings of sales calls, demos, and other business communications
2.3 Information Collected from Customers
Account and Billing Information:
Account contact information and details
Billing address and payment information (processed by third-party payment processors)
2.4 Information Collected from and About End Users
User Account Information:
Name, email address, and phone number
User profile information from connected applications (e.g., group membership and role assignments)
Activity and Usage Information:
User login information and authentication events
Audit log information from connected services
Platform usage patterns and feature utilization
API request logs and system performance metrics
AI Agent Interaction Data:
When end users interact with AI agents through the platform, we process data that may contain personal information, including:
Prompts and user inputs to AI agents
AI-generated responses and outputs
Contextual data retrieved from MCP integrations
Application outputs from integrated tools
System information accessed via MCP servers
2.5 Information Collected from Third-Party Platform Integrations
When customers integrate the Natoma Platform with workplace applications (such as Slack, CrowdStrike, Zoom, Google Services, Asana, or other platforms), we collect and process data, including personal information, from those platforms as necessary to provide AI agent services.
Data types processed may include:
User profiles
Messages
Documents
Files
Project or task tracking data
Source code
Business records
Meeting transcripts
System configurations, workspace or tenant information
Contextual data
Search queries
The specific data accessed depends on which platforms customers integrate, permissions granted during authorization, and how users interact with AI agents.
Important: Customers control integrations and can disconnect them at any time. Some integrations may process sensitive information such as proprietary code, confidential communications, customer data, or financial information. Customers remain responsible for configuring appropriate access controls.
3. How We Use Information
3.1 Website Visitors
We use information from website visitors to:
Operate, maintain, and improve our website
Analyze website usage patterns and optimize user experience
Respond to inquiries submitted through contact forms
Detect, prevent, and address technical issues
Comply with legal obligations
3.2 Prospective Customers
We use information from prospective customers to:
Provide information about our services and respond to inquiries
Schedule and conduct product demonstrations
Assess technical requirements and solution fit
Send marketing communications (with appropriate consent)
Facilitate the sales process and contract negotiation
3.3 Customers
We use customer information to:
Provide, maintain, and improve the Services we provide
Process billing and payments
Provide customer support and technical assistance
Communicate about service updates, security alerts, and administrative matters
Monitor and analyze usage to improve service quality
Develop new features and services
Ensure security and prevent fraud
Comply with legal and contractual obligations
3.4 End Users and Third-Party Platform Integrations
We use end user information to:
Enable access to the Natoma Platform for authorized users
Facilitate AI agent interactions and MCP server connections
Authenticate users and enforce access controls
Process AI agent requests and deliver responses
Generate logs for security, audit, and troubleshooting purposes
Monitor platform performance and system health
Provide technical support when requested by the customer organization
Detect and prevent security threats and unauthorized access
4. How We Share Information
We may share personal information in the following circumstances:
4.1 Service Providers
We share information with trusted third-party service providers who perform services on our behalf, including:
Cloud infrastructure providers
Payment processors for billing and transaction processing
Customer support and communication platforms
Analytics and monitoring services
Security and fraud prevention services
For a list of our data subprocessors, please visit our Trust Center at https://natoma.ai/trust
4.2 AI Model Providers
When end users interact with AI agents through the Natoma Platform, we may share prompts, contextual data, and related information with third-party AI model providers (such as Google Gemini, or other large language model providers) to generate responses. This sharing is necessary to provide the core functionality of the platform.
Important: We select AI model providers that maintain strong data protection practices. However, customers should be aware that when using AI features, their data may be processed by these third-party providers in accordance with their respective privacy policies and terms of service.
4.3 Customer-Authorized Third Parties
When customers configure integrations with third-party applications through MCP servers, we facilitate connections to those applications as instructed by the customer. Data sharing in these circumstances is controlled by the customer's configuration choices.
When customers integrate workplace platforms (Slack, GitHub, Google Workspace, Salesforce, and 70+ others), we process data through platform APIs to deliver AI functionality, and platform providers may process personal data per their own privacy policies.
4.4 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction.
4.5 Legal Requirements and Protection of Rights
We may disclose information if we believe it is necessary to:
Comply with applicable laws, regulations, legal processes, or governmental requests
Enforce our terms of service or other agreements
Protect the rights, property, or safety of Natoma, our customers, or others
Detect, prevent, or address fraud, security, or technical issues
4.6 Aggregated or De-Identified Information
We may share aggregated or de-identified information that cannot reasonably be used to identify you for research, analytics, or other purposes.
5. Data Retention
We retain personal information for different periods depending on the category of data subject and the purposes for which the information is used:
5.1 Website Visitor Data Retention
Contact form submissions: Until you request deletion
Website analytics data: As determined by our third-party analytics providers' policies
5.2 Prospective Customer Data Retention
Sales and marketing data: Until you opt out
Demo and evaluation data: Until you request deletion
5.3 Customer Data Retention
Account information: Duration of customer relationship plus 7 years (for financial and legal compliance)
Billing and payment records: 7 years from transaction date
Support communications: Until you request deletion
5.4 End User Data Retention
User account data: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.
AI agent user prompts: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.
5.5 Third-Party Platform Integration Data Retention
Message/document content from third-party platforms: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.
Inputs and outputs from MCP tool calls: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.
Synced profile data: Duration of customer relationship, then deleted within 60 days of account termination or will be deleted upon request.
We may retain information for longer periods if required by law or to resolve disputes, enforce our agreements, or as otherwise permitted or required by applicable law.
6. Your Rights and Choices
Depending on your location and applicable law, you may have certain rights regarding your personal information:
6.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
Right of Access: Request confirmation of whether we process your personal data and obtain a copy of that data
Right to Rectification: Correct inaccurate or incomplete personal data
Right to Erasure: Request deletion of your personal data in certain circumstances
Right to Restriction of Processing: Request that we limit how we use your personal data
Right to Data Portability: Receive your personal data in a structured, commonly used format and transmit it to another controller
Right to Object: Object to our processing of your personal data for direct marketing or based on legitimate interests
Right to Withdraw Consent: Where we rely on consent, withdraw it at any time
6.2 Rights Under US State Privacy Laws
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other US states with comprehensive privacy laws, you may have the following rights:
Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose
Right to Delete: Request deletion of your personal information, subject to certain exceptions
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out: Opt out of the sale or sharing of personal information (Note: We do not sell personal information)
Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
Right to Limit Sensitive Data Processing: Request limitation on the use of sensitive personal information (where applicable)
6.3 How to Exercise Your Rights
To exercise any of the rights described above, you may contact us as specified in Section 11 (Contact Information) at the bottom of this notice.
For End Users: Because we process your personal information on behalf of your employer or organization, we may need to verify your request with your organization before responding. In many cases, your organization's administrator can assist you with accessing, correcting, or deleting your information.
We will respond to your request within the timeframes required by applicable law (typically 30-45 days). We may need to verify your identity before fulfilling your request.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable law.
6.4 Marketing Communications
You may opt out of receiving marketing communications from us by clicking the "unsubscribe" link in our emails or by contacting us at privacy@natomahq.com. Please note that even if you opt out of marketing communications, we will still send you transactional or administrative messages related to your use of our services.
7. International Data Transfers
Natoma is based in the United States. If you are accessing our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we implement appropriate safeguards, including:
Standard Contractual Clauses approved by the European Commission
EU-U.S. Data Privacy Framework (if applicable)
Other legally approved transfer mechanisms
8. Security
We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
Encryption of data in transit and at rest
Multi-factor authentication and access controls
Regular security assessments and penetration testing
Employee security training and background checks
Incident response and breach notification procedures
SOC 2 Type II compliance (or other relevant certifications)
While we strive to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard security practices.
9. Children's Privacy
Natoma’s Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete such information. If you believe we have collected information from a child, please contact us at privacy@natomahq.com.
10. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will provide notice on our website.
We encourage you to review this Privacy Notice periodically. Your continued use of our services after changes are posted constitutes your acceptance of the updated notice.
11. Contact Information
If you have questions, concerns, or requests regarding this Privacy Notice or our privacy practices, please contact us:
Natoma Privacy Team
Email: privacy@natomahq.com
Mailing Address: P.O. Box 3939, 1525 Miramonte Avenue, Los Altos, California 94024-999
For Customers with Data Processing Agreements:
If you are a customer with a separate Data Processing Agreement (DPA) or other Agreement, the terms of that agreement will govern our processing of personal information on your behalf and may supplement or supersede portions of this Privacy Notice.
For Platform Integration-Specific Privacy Questions:
For questions specific to how we handle data from integrated platforms (Slack, GitHub, Google Workspace, etc.), please email privacy@natomahq.com with the platform name in your subject line.