Privacy Policy

• We collect the data you give us (account, billing, briefs, connected-app credentials), data your usage generates (logs, device, telemetry), and the content your coworkers produce.
• We use it to run the service, support you, bill you, keep things secure, and improve features.
• We do not sell your personal data and we do not use your content to train foundation models for anyone else's benefit.
• We share data only with the subprocessors we need to run the service (listed below) and where the law requires.
• You can access, correct, export, or delete your data at any time — see Your rights.

The data controller (under GDPR) and organisation responsible (under PDPA) is Caminu Pte. Ltd., a private company limited by shares incorporated in Singapore.

We have appointed a Data Protection Officer ("DPO") as required by the PDPA. You can reach the DPO at dpo@caminu.com.

Information you give us directly

• Account — name, email address, password (hashed), workspace name, optional profile picture.
• Briefs and content — the briefs, prompts, messages, files, and other inputs you submit to coworkers, and the outputs they generate.
• Connected-service authorisations — OAuth tokens, API keys, or other credentials you provide so coworkers can access apps you connect (e.g. Gmail, Stripe, Notion, WhatsApp). We do not see your password for those services — we store short-lived tokens that grant scoped access.
• Billing — name on card, billing address, and country. We do not store full card numbers — they are handled directly by Stripe.
• Support — anything you tell us when you contact support.

Information we collect automatically

• Service logs — events your account generates (sign-in, coworker created, task started, task completed), timestamps, and request metadata.
• Device and connection — IP address, user agent, device type, approximate location derived from IP, language preference.
• Traces — for each coworker run we keep a step-by-step trace so you (and we, for support and abuse investigation) can audit what happened.
• Telemetry — aggregate performance, error, and usage metrics needed to keep the service reliable.

Information from third parties

• Data your coworker reads from a Connected Service in the course of performing the work you briefed (e.g. the emails it triages, the invoices it categorises).
• Limited profile information from identity providers if you sign in with one (e.g. Google).

• To provide the service — create accounts, build and run coworkers, connect to third-party apps, generate outputs, send notifications.
• To support you — respond to your questions, investigate issues, recover lost work.
• To bill you — process payments, send invoices, calculate usage, recover unpaid amounts.
• To keep things secure — detect and prevent fraud, abuse, bot activity, and security incidents; protect the rights and safety of users and others.
• To improve the service — understand which features are used, fix bugs, build new capabilities, train internal evaluation and abuse-detection models on aggregated/anonymised signals.
• To communicate — send service updates, security alerts, billing notices, and (only with your consent or where legally permitted) product-news emails you can opt out of any time.
• To comply with law — respond to lawful requests, meet tax and accounting requirements, enforce our terms.

To run a coworker, Caminu transmits relevant portions of your briefs, prompts, and connected-service data to large-language-model providers (currently Anthropic and OpenAI, accessed via the Vercel AI Gateway, with provider choice depending on the task). Those providers act as our subprocessors, are bound by contract to process your data only on our documented instructions, and have committed to zero data retention on the API tier we use — meaning your inputs and outputs are not stored by the provider after the request completes and are not used to train their general models.

We do not use your Content or Outputs to train foundation models owned by Caminu or by any third party for the benefit of other customers. We may use aggregated, de-identified signals (e.g. error rates, latency, abuse patterns) for service operations.

We share personal data only with the following categories of recipients:

Subprocessors

We update this list as our infrastructure evolves. You can ask for the current list at any time at dpo@caminu.com.

Connected services you authorise

When you connect an app (e.g. Gmail), we share with that app only what is needed for your coworker to perform the actions you have briefed.

Legal disclosures

We may disclose personal data where required by law, court order, or binding regulatory request, or where necessary to protect our or a third party's rights, safety, or property. Where legally permitted, we will give you notice first.

Corporate transactions

If Caminu is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred to the successor or buyer, subject to confidentiality undertakings and to this policy.

What we don't do

We do not sell or rent your personal data. We do not "share" it for cross-context behavioural advertising as defined by the CPRA.

Caminu is operated from Singapore, with hosting and subprocessors in the United States, the European Union, and other regions. Where we transfer personal data from Singapore, the EU/EEA, the UK, or Switzerland to a country that has not received an adequacy decision, we rely on:

• Standard Contractual Clauses (EU SCCs, UK Addendum, Swiss SCCs as applicable) with each affected subprocessor;
• Comparable contractual safeguards required by the PDPA for transfers from Singapore (Section 26);
• Additional measures (encryption in transit and at rest, access controls, minimisation) where appropriate to the risk.

You can request a copy of the transfer safeguards in place at dpo@caminu.com.

After the relevant period we delete or anonymise the data. Where deletion is technically infeasible (e.g. immutable backups), we isolate and protect it until deletion is possible.

You have the right to:

• Access a copy of your personal data we hold;
• Correct inaccurate or incomplete data;
• Delete your data (subject to legal retention obligations);
• Export your data in a portable format;
• Restrict or object to certain processing where grounded in our legitimate interests;
• Withdraw consent at any time for processing based on consent (this does not affect prior processing);
• Lodge a complaint with a supervisory authority — in Singapore, the Personal Data Protection Commission (pdpc.gov.sg); in the EU/EEA, your local data-protection authority; in the UK, the Information Commissioner's Office.

California residents (CCPA / CPRA)

You have additional rights to know the categories of personal information collected, to delete personal information, to correct inaccurate information, to opt out of "sale" or "sharing" (we do neither), and to non-discrimination for exercising these rights. Authorised agents may submit requests on your behalf with verifiable permission.

To exercise any right, email dpo@caminu.com. We may need to verify your identity before responding and will reply within the time limit set by the applicable law (typically 30 days, extendable where the law allows).

Caminu uses a small number of cookies and similar technologies:

• Strictly necessary — for sign-in, session management, security (e.g. CSRF protection).
• Functional — to remember your preferences (e.g. theme, last-visited area).
• Product analytics — first-party aggregate usage (privacy-respecting, no cross-site tracking) so we can improve the service. Where required by law, we ask your consent before setting these.

We do not use cookies for third-party advertising and we do not load third-party ad-network pixels.

We implement administrative, technical, and physical safeguards including:

• TLS 1.2+ for data in transit and AES-256 for data at rest;
• Role-based access controls and least-privilege principles for internal access;
• Strong-authentication for our staff;
• Audit logging, monitoring, and intrusion-detection on production systems;
• Isolation of each customer's coworkers and data;
• Regular security reviews of code, infrastructure, and subprocessors;
• Documented incident-response procedures and (where the PDPA, GDPR, or other law requires) breach notification within the legally mandated time frame.

No service is perfectly secure. If you discover a vulnerability, please report it to security@caminu.com.

Caminu is intended for use by adults (18+). We do not knowingly collect personal data from children under the age of 18. If you believe we have inadvertently collected such data, contact dpo@caminu.com and we will delete it promptly.

We may revise this Privacy Policy from time to time. If we make a material change, we will notify you in-app or by email at least 30 days before it takes effect. Non-material changes (e.g. clarifying language, restructuring) take effect when posted. The "last updated" date at the top of this page indicates the most recent revision.

Caminu Pte. Ltd. (Singapore).

• Data Protection Officer: dpo@caminu.com
• General privacy questions: privacy@caminu.com
• Security disclosures: security@caminu.com

In Singapore you may also lodge a complaint with the Personal Data Protection Commission at pdpc.gov.sg.