Privacy Policy
Effective Date: March 28, 2026 Last Updated: March 28, 2026 Anima Labs Ltd (“Anima,” “we,” “us,” or “our”) is committed to protecting the privacy of our customers and their end users. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with the Anima platform, APIs, and related services (the “Service”) available at https://useanima.sh. This Privacy Policy applies to all users of the Service, including developers, administrators, and operators acting on behalf of their organizations.1. Data Controller Information
Anima Labs Ltd is the data controller for personal data processed in connection with the operation of the Service and your account. For personal data processed on behalf of our customers (e.g., email content, phone records, and vault entries associated with customer Agents), the customer is the data controller and Anima acts as a data processor. The terms of such processing are governed by our Data Processing Agreement. Contact: Email: legal@useanima.sh Website: https://useanima.sh2. Types of Personal Data Collected
2.1 Account Data
When you register for the Service, we collect:- Full name and job title
- Business email address
- Company or organization name
- Billing address and payment information
- Phone number (optional)
2.2 Usage Data
We automatically collect data about how you interact with the Service:- API call logs (endpoints called, timestamps, response codes, latency)
- Dashboard activity (pages visited, features used)
- Authentication events (login times, IP addresses, authentication methods)
- Error logs and diagnostic data
- Feature usage metrics and patterns
2.3 Agent Data
When your Agents use the Service, we process data on your behalf, which may include:- Email Data: Email addresses, message content (headers, body, attachments), delivery status, bounce and complaint data.
- Phone and SMS Data: Phone numbers, call metadata (duration, timestamps, call direction), SMS message content, delivery receipts.
- Vault Entries: Encrypted credential data, metadata about stored entries (creation date, last accessed, entry type). Anima does not have access to decrypted vault content in customer-managed encryption configurations.
- Identity Data: Decentralized Identifiers (DIDs), verifiable credential metadata, Agent Card profiles, A2A protocol interaction logs.
2.4 Technical Data
We collect technical information from devices and browsers used to access the Service:- IP addresses
- Browser type and version
- Operating system and device type
- Referring URLs
- Time zone and language settings
3. Legal Bases for Processing (GDPR Article 6)
We process personal data under the following legal bases:3.1 Contract Performance (Article 6(1)(b))
Processing necessary for the performance of our contract with you, including:- Provisioning and maintaining your account
- Providing the Service features you have requested (email, phone, vault, identity)
- Processing billing and payments
- Providing customer support
3.2 Legitimate Interest (Article 6(1)(f))
Processing necessary for our legitimate interests, provided these interests are not overridden by your rights and freedoms, including:- Improving and optimizing the Service
- Detecting and preventing fraud, abuse, and security incidents
- Analyzing usage patterns to develop new features
- Ensuring network and information security
- Enforcing our Terms of Service
3.3 Consent (Article 6(1)(a))
Where required by applicable law, we process personal data based on your freely given, specific, informed, and unambiguous consent, including:- Sending marketing communications and newsletters
- Placing non-essential cookies and tracking technologies
- Processing data for purposes beyond those described in this Privacy Policy
3.4 Legal Obligation (Article 6(1)(c))
Processing necessary for compliance with legal obligations, including tax reporting, responding to lawful government requests, and maintaining records required by financial regulations.4. How We Use Your Data
We use the personal data we collect to:- Provide the Service: Operate, maintain, and deliver the features and functionality of the Platform, including email routing, phone/SMS services, vault storage, and identity management.
- Process Transactions: Process payments, generate invoices, and manage your billing account.
- Communicate with You: Send transactional communications (account notifications, security alerts, service updates), and, where you have opted in, marketing communications.
- Ensure Security: Monitor for and protect against fraud, abuse, unauthorized access, and other security threats.
- Improve the Service: Analyze usage data to understand how the Service is used, identify areas for improvement, and develop new features.
- Comply with Law: Fulfill our legal and regulatory obligations, including tax reporting, anti-money laundering requirements, and responding to lawful requests from authorities.
- Enforce Our Terms: Investigate and enforce compliance with our Terms of Service and Acceptable Use Policy.
5. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law.| Data Category | Retention Period |
|---|---|
| Account Data | Duration of the account plus 3 years after termination |
| Usage Data (API logs) | 90 days in detailed form; 2 years in aggregated form |
| Email Content | 30 days after delivery, unless configured otherwise by the customer |
| Phone/SMS Records | 90 days, or as required by telecommunications regulations |
| Vault Entries | Duration of the account; deleted within 30 days of account termination |
| Identity Data (DIDs) | Duration of the account plus 1 year after termination |
| Technical Data | 90 days |
| Billing Records | 7 years, as required by tax and accounting regulations |
6. Data Sharing and Subprocessors
6.1 No Sale of Personal Data
Anima does not sell personal data to third parties. We do not share personal data for third-party advertising purposes.6.2 Subprocessors
We share personal data with the following categories of subprocessors, who process data on our behalf and under our instructions:| Subprocessor | Purpose | Data Processed |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure and hosting | All categories (encrypted at rest) |
| Stripe | Payment processing and billing | Billing data, payment methods |
| Telnyx | Phone and SMS services | Phone numbers, call/SMS metadata and content |
| Clerk | Authentication and user management | Account data, authentication events |
| Resend | Transactional email delivery | Email addresses, email content |
6.3 Other Disclosures
We may disclose personal data:- To comply with law: In response to a subpoena, court order, or other lawful request from a government authority.
- To protect rights: When we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
- In a business transfer: In connection with a merger, acquisition, bankruptcy, or sale of assets, in which case you will be notified of any change in data controller.
- With your consent: Where you have provided explicit consent to the disclosure.
6.4 Subprocessor Updates
We maintain an up-to-date list of subprocessors at https://useanima.sh/subprocessors. Customers who have entered into a Data Processing Agreement will receive 30 days’ prior notice of any new subprocessor additions.7. International Data Transfers
7.1 Transfer Mechanisms
Anima Labs Ltd is based in the United Kingdom. Personal data may be transferred to and processed in the United States and other countries where our subprocessors operate. For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on:- Standard Contractual Clauses (SCCs): As adopted by the European Commission (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum.
- Supplementary Measures: Including encryption in transit and at rest, access controls, and contractual commitments from subprocessors.
7.2 EU-U.S. Data Privacy Framework
Where applicable, we rely on relevant data privacy framework certifications maintained by our subprocessors.8. Data Subject Rights (GDPR)
If you are located in the EEA or the United Kingdom, you have the following rights under the GDPR and UK GDPR:8.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to request a copy of that data along with information about the purposes and categories of processing.8.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete personal data.8.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis; you object to processing and there are no overriding legitimate grounds; or the data has been unlawfully processed.8.4 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing where: the accuracy of the data is contested; the processing is unlawful and you prefer restriction to erasure; Anima no longer needs the data but you require it for legal claims; or you have objected to processing pending verification.8.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.8.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims.8.7 Right Related to Automated Decision-Making (Article 22)
Anima does not currently make decisions based solely on automated processing that produce legal effects or similarly significant effects concerning you. If this changes, we will provide meaningful information about the logic involved and the significance and envisaged consequences of such processing, and provide a mechanism to request human review.8.8 Exercising Your Rights
To exercise any of these rights, contact us at legal@useanima.sh. We will respond to your request within 30 days. We may request verification of your identity before fulfilling your request. If we are acting as a data processor on behalf of a customer, we will direct your request to the appropriate data controller.9. CCPA Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):9.1 Right to Know
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share it.9.2 Right to Delete
You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal obligations, completing a transaction, security purposes).9.3 Right to Opt-Out of Sale or Sharing
Anima does not sell personal information and does not share personal information for cross-context behavioral advertising purposes as defined by the CCPA/CPRA.9.4 Right to Correct
You have the right to request that we correct inaccurate personal information that we maintain about you.9.5 Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, or provide a different level of quality based on your exercise of privacy rights.9.6 Exercising Your Rights
To exercise your CCPA rights, contact us at legal@useanima.sh. We will verify your identity before fulfilling your request and respond within 45 days.10. Cookies and Tracking Technologies
10.1 Types of Cookies
We use the following categories of cookies on our website and dashboard:- Strictly Necessary Cookies: Required for the operation of the Service (authentication, session management, security). These cookies cannot be disabled.
- Analytics Cookies: Used to understand how visitors interact with the Service, measure performance, and identify areas for improvement. Deployed only with your consent where required by law.
- Preference Cookies: Used to remember your settings and preferences (language, theme, display options).
10.2 Managing Cookies
You can manage your cookie preferences through: (a) the cookie consent banner displayed on first visit; (b) your browser settings; or (c) contacting us at legal@useanima.sh.10.3 Do Not Track
The Service currently does not respond to “Do Not Track” browser signals. However, you can opt out of analytics cookies as described above.11. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe that a child under 18 has provided us with personal data, please contact us at legal@useanima.sh.12. Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access Controls: Role-based access control, multi-factor authentication for administrative access, and principle of least privilege.
- Infrastructure Security: Hosted on SOC 2 Type II certified infrastructure (Google Cloud Platform) with network segmentation, intrusion detection, and DDoS protection.
- Audit Logging: Comprehensive audit logs of administrative actions and data access events.
- Employee Security: Background checks, security training, and confidentiality agreements for all employees with access to personal data.
- Vulnerability Management: Regular security assessments, penetration testing, and a responsible disclosure program.
13. Data Breach Notification
13.1 Supervisory Authorities
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, Anima will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.13.2 Affected Individuals
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Anima will communicate the breach to the affected individuals without undue delay, in accordance with GDPR Article 34.13.3 Customer Notification
For data breaches affecting Customer Data where Anima acts as a data processor, Anima will notify the affected customer without undue delay and in any event within 72 hours of becoming aware of the breach, providing sufficient information for the customer to fulfill its own notification obligations.14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:- Posting the updated Privacy Policy on our website with a revised “Last Updated” date.
- Sending an email notification to the address associated with your account at least 30 days before the changes take effect.
