Privacy Policy
Effective date: June 3, 2026. PIILOT is currently an alpha product.
1. Scope
This policy applies to PIILOT’s website, application, workflow builder, chat agent, integrations, agent-control features, and related services.
2. Information PIILOT collects
PIILOT collects account information such as name, email address, password hash, account membership, role, timestamps, invite-code submission, and session records.
PIILOT collects profile and personalization information such as intended use, technical comfort level, title or role, company name, company website, company description, and onboarding status.
PIILOT collects workflow and automation content such as chat messages, workflow requests, clarification answers, workflow drafts, workflow names, summaries, nodes, edges, connector contracts, validation results, setup mappings, simulations, and approval gates.
PIILOT collects integration records such as provider, toolkit slug, toolkit name, connection status, external connected-account identifiers, authentication configuration identifiers, redirect URLs, timestamps, and integration metadata.
PIILOT may process request metadata such as IP address, browser information, request headers, timestamps, rate-limit metadata, and security diagnostics.
PIILOT may store workflow drafts and selected workflow identifiers in browser local storage.
3. How PIILOT uses information
- to create and authenticate accounts;
- to operate, secure, troubleshoot, and improve the service;
- to personalize AI responses and workflow guidance;
- to generate, revise, validate, simulate, save, and display workflows, automations, and agents;
- to discover, connect, and run third-party integrations when authorized;
- to provide notifications, approvals, setup status, run previews, logs, and diagnostics;
- to prevent abuse, unauthorized access, and excessive automated requests;
- to comply with legal obligations and enforce PIILOT’s Terms of Service.
4. AI processing
PIILOT uses AI systems to interpret workflow requests, ask clarifying questions, generate workflow drafts, validate workflow structure, revise workflow drafts, summarize context, and prepare responses.
For these tasks, PIILOT may send AI providers the content needed to complete the request, including messages, recent chat history, profile context, connected-integration context, current workflow context, tool results, and workflow JSON.
PIILOT may use aggregated, de-identified, or account-level usage patterns to improve product quality, reliability, safety, evaluation, and debugging. PIILOT does not sell personal information.
5. Third-party providers
PIILOT uses Cloudflare for hosting, database services, network services, security, request handling, and AI inference.
PIILOT uses Composio for integration discovery, managed authorization flows, connected-account identifiers, and tool execution for supported third-party applications.
Connected applications, including email, spreadsheets, CRM, messaging, support, database, and productivity tools, remain governed by their own terms and privacy policies.
PIILOT may load fonts, icons, rendering libraries, or other client-side assets from third-party providers.
6. Cookies and local storage
PIILOT uses a secure, HTTP-only session cookie named piilot_session. The session cookie uses Secure and SameSite=Lax attributes and is currently set for a 30-day session period.
Browser local storage may be used for workflow drafts and selected workflow state.
7. Retention
PIILOT retains account, profile, workflow, integration, notification, and operational records for as long as needed to provide the service, support workflows, maintain security, meet legal obligations, resolve disputes, and enforce agreements.
Some diagnostic logs are held in volatile server memory and may clear when the runtime restarts. Browser local storage remains on your device until cleared.
8. Security
PIILOT is built with security-conscious controls, including password hashing, hashed server-side session tokens, secure session cookies, same-origin request checks, rate limiting, account-scoped database queries, and integration status tracking.
PIILOT is designed around SOC 2 and ISO 27001-aligned controls, but unless stated separately in writing, PIILOT should not be treated as SOC 2 certified or ISO 27001 certified.
9. Sharing
PIILOT may share information with service providers, AI providers, Composio, connected applications, account users or administrators, legal authorities where required, and parties involved in a corporate transaction. PIILOT does not sell personal information.
10. User choices
You can reduce data collection by limiting what you enter into PIILOT, disconnecting integrations you no longer need, clearing browser local storage, and archiving notifications.
11. Changes
PIILOT may update this Privacy Policy as the product evolves. Continued use after an update means the updated policy applies.