Privacy Policy
What information CIRO collects, why we collect it, and the choices you have — on the web and in the iOS and Android apps.
Last updated:
Introduction
Ciro AI, Inc. (“Ciro AI,” “we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website at ciroai.us, use the CIRO platform at app.ciroai.us, or use our mobile applications for iOS and Android.
By using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our practices, please do not use our services.
Information we collect
Information you provide
- Name, work email address, company or organization, and job title
- Account credentials, profile information, and communication preferences
- Billing details (processed by our payment processor — we do not store full card numbers)
- Content you submit to the platform: queries, dashboards, uploaded files, and connector configurations
- Messages you send us through forms, email, or support channels
Information collected automatically
- Device and browser type, operating system, and language preferences
- IP address, approximate geolocation derived from IP, and session timestamps
- Pages viewed, links clicked, and the referring URL
- Application logs, crash reports, and performance metrics
Information from third parties
When you authenticate via single sign-on (e.g., Google, Microsoft) or connect a third-party data source, we receive identifiers and authorization scopes you have granted. We never receive more than the scopes you explicitly approve.
How we use information
- Provide the service. Authenticate users, run queries, render dashboards, and operate our integrations.
- Communicate with you. Respond to support requests, send service notices and, with your consent, occasional product updates.
- Improve our platform. Aggregate analytics on feature usage, model performance, and reliability.
- Secure the service. Detect and prevent fraud, abuse, and unauthorized access; protect our customers and our infrastructure.
- Comply with law. Meet legal, accounting, tax, and reporting obligations.
We do not sell your personal information, and we do not use your private workspace content to train general-purpose AI models.
Mobile apps (iOS / Android)
The CIRO mobile application is published as Ciro AI on the Apple App Store (Bundle ID: us.ciroai.app) and Google Play (Package: us.ciroai.app). When you install and use our mobile apps, the following additional considerations apply.
Permissions we may request
- Camera. Optional — used only when you scan documents, QR codes, or capture screenshots of dashboards. Image data is processed locally on your device or sent to your workspace storage; we do not retain it on shared servers.
- Notifications. Optional — to deliver alerts (e.g., threshold breaches, completed reports). You can disable these in your OS settings at any time.
- Local network / Bluetooth. Used only when you explicitly connect to a local device or printer. Not used for tracking.
- Biometrics (Face ID / Touch ID / Fingerprint). Optional — used to unlock the app. Biometric templates never leave your device; CIRO only receives a success/failure signal from the OS.
We do not request access to your contacts, photos library, calendar, microphone, or precise location unless a feature you are actively using requires it, and we will always prompt you first.
Mobile-specific data we collect
- Device identifiers (e.g., Apple IDFV, Android Advertising ID where applicable), app version, and OS version
- Crash logs and performance traces (no message bodies, no query content)
- Push notification tokens — only when you opt in to push notifications
Apple App Tracking Transparency
On iOS, we do not engage in tracking as defined by Apple's App Tracking Transparency framework. We do not present the ATT prompt because we do not track you across third-party apps and websites for advertising purposes.
Google Play Data safety
A complete data-types disclosure for Android users is provided on our Google Play Store listing. The categories disclosed there mirror the practices described in this policy.
Children and the mobile apps
The CIRO mobile apps are not directed at children. They are rated for users aged 13 and older on Google Play and 4+ on the App Store, and are intended for use by employees of organizations that have licensed CIRO.
Data security
We implement technical and organizational measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction.
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control, least-privilege principles, and audited admin actions
- Regular vulnerability scanning, penetration testing, and security code review
- Employee security training, background checks, and confidentiality agreements
- Incident-response plan with mandatory breach-notification procedures
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work continuously to maintain industry-standard protections.
Your rights and choices
Depending on where you live, you have rights regarding your personal information. We honor these rights regardless of jurisdiction:
- Access. Request a copy of the personal information we hold about you.
- Correction. Update or correct inaccurate information.
- Deletion. Request that we delete your personal information, subject to legal retention obligations.
- Portability. Receive your data in a structured, machine-readable format.
- Objection / restriction. Object to or restrict certain processing, including for direct marketing.
- Withdraw consent. Where processing is based on consent, withdraw it at any time.
- Opt out of marketing. Unsubscribe via the link in any marketing email, or write to us.
To exercise any of these rights, email privacy@ciroai.us. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
International data transfers
CIRO is headquartered in Delaware, United States. If you access our services from outside the United States, your information may be transferred to, stored, and processed in the United States or in other countries where our service providers operate. We rely on appropriate safeguards — including Standard Contractual Clauses where applicable — when transferring personal information internationally.
Data retention
We retain personal information for as long as necessary to provide our services, comply with our legal obligations, resolve disputes, and enforce our agreements. Workspace content is retained according to the plan and configuration set by your workspace administrator. When information is no longer needed, we securely delete or anonymize it.
Children's privacy
Our services are not directed at children under 13 (or under 16 in the EEA/UK), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us at privacy@ciroai.us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. For material changes, we will notify users via the platform or email before the changes take effect.
Contact us
If you have questions about this policy or how we handle your information, please reach out:
- Privacy team: privacy@ciroai.us
- Data Protection Officer: dpo@ciroai.us
- General inquiries: hello@ciroai.us
- Mailing address: Ciro AI, Inc., San Salvador, El Salvador — full mailing address available on request