Privacy Policy

This Privacy Policy describes how Adapt.com, Inc., a Texas corporation ("Adapt," "we," "us," or "our") collects, uses, discloses, and protects your personal data. It applies when you use our website, products, and related offerings.

This Privacy Policy applies when Adapt acts as a data controller -- for example, when you interact directly with Adapt.ai, Adapt.com, or our other products as an individual user ("Services"), or when Adapt operates and provides our commercial customers and their end users with access to our commercial products ("Commercial Services"). This Privacy Policy applies to all users of the Services, including those who access the Services through integrations with third-party platforms.

This Privacy Policy does not apply where Adapt acts as a data processor and processes personal data on behalf of commercial customers using Adapt's Commercial Services – for example, your employer has provisioned you an Adapt account, or you're using an app that is powered on the back-end with Adapt. In those cases, the commercial customer is the controller, and you can review their policies for more information about how they handle your personal data.

This Privacy Policy also describes your privacy rights. More information about your rights, and how to exercise them, is set out in Section 4 ("Rights and Choices").

If you are located in EEA (GDPR), Canada, Brazil, or California (CCPA/CPRA) please read the relevant Regional Supplemental Disclosure that applies to you.

If you are located in Washington or a state with similar consumer health data laws, please read our Consumer Health Data Privacy Policy which applies to you if you integrate third party health applications with Adapt.

Other U.S. States: We comply with applicable state privacy laws, including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA).

1. Collection of Personal Data

We collect the following categories of personal data:

Personal data you provide to us directly

• Account Information, Identity and Contact Data: Adapt collects identifiers, including your name, email address, and phone number when you sign up for an Adapt account, or to receive information on our Services. We may also collect or generate indirect identifiers (e.g., "USER12345").

• Payment Information: We collect your payment information if you choose to purchase access to Adapt's products and services. Payment Information is handled by our third-party payment processors.

• Customer Data, Inputs and Outputs: You are able to interact with our Services in a variety of formats, including but not limited to chat, coding, and agentic sessions ("Prompts" or "Inputs"), which generate responses and actions ("Outputs") based on your Inputs. This includes third-party applications you choose to integrate with our Services. If you include personal data or reference external content in your Inputs, we will collect that information, and this information may be reproduced in your Outputs. We also process the business data, documents, and files you upload to, provide access to, or create within the Services and that data may be reproduced in Outputs from the Services.

• Sensitive Personal Information: We do not intentionally collect sensitive personal information. If such information is inadvertently included in Customer Data, it will be processed with additional safeguards.

• Feedback on your use of our Services: We appreciate feedback, including ideas and suggestions for improvement or rating an Output in response to an Input ("Feedback"). We will store the entire related conversation as part of your Feedback.

• Communication Information: If you communicate with us, including via our chatbot on our Help site, we collect your name, contact information, and the contents of any messages you send.

Personal data we receive automatically from your use of the Services

When you use the Services, we also receive certain technical data automatically (described below, collectively "Technical Information"). This includes:

• Device and Connection Information. Consistent with your device or browser permissions, your device or browser automatically sends us information about when and how you install, access, or use our Services. This includes information such as your device type, operating system information, browser information and web page referrers, mobile network, connection information, mobile operator or internet service provider (ISP), time zone setting, IP address (including information about the location of the device derived from your IP address), identifiers (including device or advertising identifiers, probabilistic identifiers, and other unique personal or online identifiers), and device location.

• Usage Information. We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.

• Log and Troubleshooting Information. We collect information about how our Services are performing when you use them. This information includes log files. If you or your device experiences an error, we may collect information about the error, the time the error occurred, the feature being used, the state of the application when the error occurred, and any communications or content provided at the time the error occurred.

• Cookies & Similar Technologies. We and our service providers use cookies, scripts, or similar technologies ("Cookies") to manage the Services and to collect information about you and your use of the Services. These technologies help us to recognize you, customize or personalize your experience, market additional products or services to you, and analyze the use of our Services to make them safer and more useful to you. For more details about how we use these technologies, and your opt-out controls and other options, please visit our Cookie Policy.

• Information from Third Parties. We may receive information about you from publicly available sources and business data providers. If you connect third-party services (such as CRM, financial, or marketing platforms) to Adapt, we receive data from those integrations as authorized by you.

2. Uses of Personal Data Permitted Under Applicable Data Protection Laws

We use your personal data for the following purposes:

• To provide, maintain and facilitate any products and services offered to you with respect to your Adapt account, which are governed by our Terms of Service;
• To provide, maintain and facilitate optional services and features that enhance platform functionality and user experience;
• To communicate with you, including to send you information about our Services and events;
• To create and administer your Adapt account, including authentication of users and to maintain account security;
• To facilitate payments for products and services provided by Adapt;
• To prevent and investigate fraud, abuse, and violations of our Usage Policy, unlawful or criminal activity, unauthorized access to or use of personal data or Adapt systems and networks, to protect our rights and the rights of others, and to meet legal, governmental and institutional policy obligations;
• To investigate and resolve disputes;
• To investigate and resolve security issues;
• To debug and to identify and repair errors that impair existing functionality;
• To improve the Services and conduct research, using de-identified and aggregated data only; and
• To enforce our Terms of Service and similar terms and agreements, including our Usage Policy.

We do not use Customer Data to train AI models. We may use your Inputs and Outputs to improve our Services. We may review Inputs and Outputs when your conversations are flagged for safety review to detect harmful content or enforce our policies, or when you've explicitly reported the materials to us (for example via our feedback mechanisms).

Please see Section 10 below for details of our legal bases for processing your personal data.

3. How We Share Your Information

Adapt does not sell, rent, or lease your Customer Data. We may share your information only with your explicit consent, when required by law, or as necessary to provide the Services. Adapt will disclose personal data to the following categories of third parties for the purposes explained in this Policy:

• Affiliates & corporate partners. Adapt discloses the categories of personal data described above between and among its affiliates and related entities.

• Service providers & business partners. Adapt may disclose the categories of personal data described above with service providers and business partners for a variety of business purposes, including website and data hosting, ensuring compliance with industry standards, research, auditing, data processing, and providing you with the services.

Adapt may also disclose personal data in the following circumstances:

• As part of a significant corporate event. If Adapt is involved in a merger, corporate transaction, bankruptcy, or other situation involving the transfer of business assets, Adapt will disclose your personal data as part of these corporate transactions.

• Third-Party Websites and Services: Our Services may involve integrations with, or may direct you to, websites, apps, and services managed by third parties. By interacting with these third parties, you are providing information directly to the third party and not Adapt and subject to the third party's privacy policy. If you access third-party services, such as social media sites or other sites linked through the Services (e.g., if you follow a link to our Twitter account), these third-party services will be able to collect personal data about you, including information about your activity on the Services. If we link to a site or service via our Services, you should read their data usage policies or other documentation. Our linking to another site or service doesn't mean we endorse it or speak for that third party.

• Pursuant to regulatory or legal requirements, safety, rights of others, and to enforce our rights or our terms. We may disclose personal data to governmental regulatory authorities as required by law, including for legal, tax or accounting purposes, in response to their requests for such information or to assist in investigations. We may also disclose personal data to third parties in connection with claims, disputes or litigation, when otherwise permitted or required by law, or if we determine its disclosure is necessary to protect the health and safety of you or any other person, to protect against fraud or credit risk, to enforce our legal rights or the legal rights of others, to enforce contractual commitments that you have made, or as otherwise permitted or required by applicable law.

• With an individual's consent. Adapt will otherwise disclose personal data when an individual gives us permission or directs us to disclose this information, including as a part of our Services.

• Aggregated Data. Adapt may share aggregated or de-identified data that cannot reasonably be used to identify you.

• Subprocessors. A list of subprocessors is available at adapt.com/subprocessors. This includes the third parties Adapt engages to help us process personal data provided to us where Adapt acts as a data processor, such as with respect to personal data we receive, process, store, or host when you use Adapt's commercial services.

4. Rights and Choices

Depending on where you live and the laws that apply in your country of residence, you may enjoy certain rights regarding your personal data, as described further below. We may decline a request if we have a lawful reason for doing so. We strive to prioritize the protection of personal data and comply with all applicable privacy laws.

To exercise your rights, you or an authorized agent may submit a request by emailing us at privacy@adapt.com. After we receive your request, we may verify it by requesting information sufficient to confirm your identity. You may also have the right to appeal requests that we deny by emailing privacy@adapt.com. Adapt will not discriminate based on the exercising of privacy rights you may have. Set out below is a summary of the rights which you may enjoy, depending on the laws that apply in your country of residence.

• Right to know: the right to know what personal data Adapt processes about you, including the categories of personal data, the categories of sources from which it is collected, the business or commercial purposes for collection, and the categories of third parties to whom we disclose it.

• Access & data portability: the right to request a copy of the personal data Adapt processes about you, subject to certain exceptions and conditions. In certain cases, and subject to applicable law, you have the right to port your information.

• Deletion: the right to request that we delete personal data collected from you when you use our Services, subject to certain exceptions. You also are able to delete individual conversations, which will be removed immediately from your conversation history and automatically deleted from our back-end within 30 days.

• Correction: the right to request that we correct inaccurate personal data Adapt retains about you, subject to certain exceptions. Please note that we cannot guarantee the factual accuracy of Outputs. If Outputs contain factually inaccurate personal data relating to you, you can submit a correction request and we will make a reasonable effort to correct this information—but due to the technical complexity of our large language models, it may not always be possible for us to do so.

• Objection: the right to object to processing of your personal data, including profiling conducted on grounds of public or legitimate interest. In places where such a right applies, we will no longer process the personal data in case of such objection unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise or defense of legal claims. If we use your information for direct marketing, you can object and opt out of future direct marketing messages using the unsubscribe link in such communications.

• Restriction: the right to restrict our processing of your personal data in certain circumstances.

• Withdrawal of consent. Where Adapt's processing of your personal data is based on consent, you have the right to withdraw your consent. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

• Automated decision-making: Adapt does not engage in decision making based solely on automated processing or profiling in a manner which produces a legal effect (i.e., impacts your legal rights) or significantly affects you in a similar way (e.g., significantly affects your financial circumstances or ability to access essential goods or services).

• Sale & targeted Adapt marketing of its products and services. Adapt does not "sell" your personal data as that term is defined by applicable laws and regulations. You can opt-out of sharing your personal data for targeted advertising to promote our products and services, and we will honor global privacy controls.

5. Data Transfers

When you access our website or Services, your personal data may be transferred to our servers in the US, or to other countries outside the European Economic Area ("EEA") and the UK. This may be a direct provision of your personal data to us, or a transfer that we or a third party make.

Where information is transferred outside the EEA or the UK, we ensure it benefits from an adequate level of data protection by relying on:

• Adequacy decisions. These are decisions from the European Commission under Article 45 GDPR (or equivalent decisions under other laws) where they recognize that a country outside of the EEA offers an adequate level of data protection. We transfer your information as described in "Collection of Personal Data" to some countries with adequacy decisions, such as the countries listed here; or

• Standard contractual clauses. The European Commission has approved contractual clauses under Article 46 GDPR that allows companies in the EEA to transfer data outside the EEA. These (and their approved equivalent for the UK and Switzerland) are called standard contractual clauses. We rely on standard contractual clauses to transfer information as described in "Collection of Personal Data" to certain affiliates and third parties in countries without an adequacy decision.

In certain situations, we rely on derogations provided for under applicable data protection law to transfer information to a third country.

6. Data Retention, Data Lifecycle, and Security Controls

Adapt retains your personal data for as long as reasonably necessary for the purposes and criteria outlined in this Privacy Policy.

When the personal data collected is no longer required by us, we and our service providers will perform the necessary procedures for destroying, deleting, erasing, or converting it into an anonymous form as permitted or required under applicable laws.

Aggregated or De-Identified Information

We may process personal data in an aggregated or de-identified form to analyze the effectiveness of our Services, conduct research, and study user behavior as permitted under applicable laws. For instance:

• When you submit Feedback, we disassociate Inputs and Outputs from your user ID to use them for improving our Services.
• If our systems flag Inputs or Outputs for potentially violating our Usage Policy, we disassociate the content from your user ID for trust and safety review. However, we may re-identify the Inputs or Outputs to enforce our Usage Policy with the responsible user if necessary.
• To improve user experience, we may analyze and aggregate general user behavior and usage data. This information does not identify individual users.

Security Controls Relating to our Processing of Personal Data

We implement appropriate technical and organizational security measures designed to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. We implement industry-standard security measures including:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Security practices consistent with SOC 2 standards
• Employee security awareness training
• Regular security assessments and testing

Data is stored in the United States. In the event of a data breach, we will notify affected users as required by applicable law.

While we strive to protect your information, no method of transmission or storage is 100% secure.

7. Children's Privacy

Our Services are not directed towards, and we do not knowingly collect, use, disclose, sell, or share any information from children under the age of 16 (in the EEA) or 13 (in the U.S.). If you become aware that a child under the ages noted above has provided any personal data to us while using our Services, please email us at privacy@adapt.com and we will investigate the matter and, if appropriate, delete the personal data.

8. Changes to Our Privacy Policy

Adapt may update this Privacy Policy from time to time. We will notify you of any material changes to this Privacy Policy, as appropriate, by posting on our website, in-app notice, or email notification.

9. Contact Information

Whether you live in the European Economic Area (EEA), UK or Switzerland (the "European Region"), or outside the European Region, the data controller responsible for your personal data is Adapt.com, Inc.

If you have any questions about this Privacy Policy, or have any questions, complaints or requests regarding your personal data, you can contact us as described below:

Adapt.com, Inc.

privacy@adapt.com

For GDPR-related inquiries, you may also contact our Data Protection Officer at privacy@adapt.com.

We will respond to your request within 30 days (for GDPR requests) or 45 days (for CCPA/CPRA requests), with the possibility of an extension of an additional 45 days with notice.

Please note that under many countries' laws, you have the right to lodge a complaint with the supervisory authority in the place in which you live or work. If you live or work in the UK, you have the right to lodge a complaint with the UK Information Commissioner's Office. Various EU authorities are also available for this purpose depending on the country in which you reside. If you live in Brazil, you have the right to lodge a complaint with the Brazilian Data Protection Authority (ANPD). If you live in Australia, you have the right to lodge a complaint with the Office of the Australian Information Commissioner.

10. Legal Bases for Processing

We rely on the following legal bases under the GDPR and other applicable data protection laws to process your personal data:

11. Regional Supplemental Disclosures

Supplemental Disclosures for European Economic Area (GDPR)

If you are in the EEA, you have additional rights including:

• The right to access, rectify, erase, restrict, or object to processing of your personal data
• The right to data portability
• The right to lodge a complaint with a supervisory authority
• The right to withdraw consent at any time

Supplemental Disclosures for Certain United States Jurisdictions

California (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information is collected about you
• Request deletion or correction of your personal information
• Opt out of the sale or sharing of your personal information (note: Adapt does not sell personal information)
• Limit the use of sensitive personal information
• Not be discriminated against for exercising your rights

Other U.S. States

We comply with applicable state privacy laws, including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA).

Supplemental Disclosures for Residents of Canada

These supplemental disclosures contain additional information relevant to residents of Canada. This content should be read in conjunction with the rest of our Privacy Policy. In case of conflict between our Privacy Policy and these supplemental disclosures, the supplemental disclosures shall prevail in relation to residents of Canada.

Consent. By expressly consenting to this Privacy Policy, you confirm you have read, understand, and consent to the collection, use, processing, and disclosure of your personal data in accordance with this Privacy Policy and understand that, in jurisdictions where it is available, Adapt also relies on other lawful bases for the foregoing as more fully set out in this policy. We will only collect, use and disclose your personal data with your consent, unless otherwise permitted or required by law. Your consent may be given expressly or implied, depending on the circumstances and the sensitivity of the information involved. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

Cross-jurisdictional Transfers. By providing us with personal data, you acknowledge and agree that your personal data may be transferred or disclosed to other jurisdictions for processing and storage outside of Canada, including to the United States and the countries listed on our Subprocessor List, where laws regarding the protection of personal data may be less stringent than the laws in your jurisdiction. Furthermore, we may disclose your personal data in these jurisdictions in response to legal processes or where we believe in good faith that disclosure is required or permitted by law.

Contact. If you have any questions or comments about our processing of your personal data, or to exercise your rights as outlined in Section 4. ("Rights and Choices"), please contact us at privacy@adapt.com.

Supplemental Disclosures for Residents of Brazil

These supplemental disclosures contain additional information relevant to residents of Brazil. This content should be read in conjunction with the rest of our Privacy Policy. In case of conflict between our Privacy Policy and these supplemental disclosures, the supplemental disclosures shall prevail in relation to residents of Brazil.

Legal Bases. Depending on the specific purpose of the processing, we may rely on different grounds than those listed under section 2, where permitted by and in accordance with the Brazilian General Data Protection Law (LGPD). For example, we may rely on the "exercise of legal rights" basis to process personal data associated with customer complaints and to enforce our Terms of Service and similar terms and agreements, including our Usage Policy.

Data Subject's Rights. LGPD grants certain rights regarding your personal data, which differ from the ones listed under section 4. We will respond to your requests to exercise your rights below in accordance with applicable law:

• Confirmation of whether your data is being processed. You have the right to receive a confirmation on whether Adapt processes your data.
• Access to your data. You have the right to know what personal data Adapt processes about you.
• Correction of incomplete, inaccurate or outdated data. You have the right to request the correction of your data that is incomplete, inaccurate, or outdated.
• Anonymization, blocking or erasure of data. You have the right to request the anonymisation, blocking or erasure of data that is unnecessary, excessive or processed in non-compliance with the provisions of the law.
• Portability of personal data to a third party. You have the right to request portability of your data to a third-party, as long as this does not infringe on our trade secrets.
• Information of public and private entities with which we shared data. You have the right to request information of public and private entities with which we have shared your data.
• Information about the possibility to refuse to provide consent and the respective consequences, when applicable.
• Withdrawal of your consent. You have the right to withdraw your consent. This procedure will be carried out free of charge.
• Request a review of decisions made solely based on automated processing of personal data.

Please keep in mind that these rights are not absolute and may not apply in certain circumstances. For example, in certain cases we may continue to process and retain data regardless of your request for deletion, objection, blocking or anonymization, in order to comply with legal, contractual and regulatory obligations, safeguard and exercise rights, including in judicial, administrative and arbitration proceedings and in other cases provided for by law.

International Data Transfers. You acknowledge that Adapt is a company based and headquartered in the United States. Any information we hold about you will be transferred to, used, processed, and stored in the United States and other countries and territories, which may not have data privacy or data protection laws equivalent to those in your country or territory. For the proper operation of the Services, Adapt needs to carry out international transfers of personal data. In the case of Brazil, we will rely on standard contractual clauses (SCCs) for our data transfers where required and in instances where they are not covered by an adequacy decision.