> ## Documentation Index
> Fetch the complete documentation index at: https://docs.useanima.sh/llms.txt
> Use this file to discover all available pages before exploring further.

# Privacy Policy

> Privacy Policy for the Anima platform — how we collect, use, and protect your data.

# Privacy Policy

**Effective Date:** March 28, 2026

**Last Updated:** March 28, 2026

Anima Labs Ltd ("Anima," "we," "us," or "our") is committed to protecting the privacy of our customers and their end users. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with the Anima platform, APIs, and related services (the "Service") available at [https://useanima.sh](https://useanima.sh).

This Privacy Policy applies to all users of the Service, including developers, administrators, and operators acting on behalf of their organizations.

***

## 1. Data Controller Information

**Anima Labs Ltd** is the data controller for personal data processed in connection with the operation of the Service and your account.

For personal data processed on behalf of our customers (e.g., email content, phone records, and vault entries associated with customer Agents), the customer is the data controller and Anima acts as a data processor. The terms of such processing are governed by our [Data Processing Agreement](/legal/data-processing-agreement).

**Contact:**
Email: [legal@useanima.sh](mailto:legal@useanima.sh)
Website: [https://useanima.sh](https://useanima.sh)

***

## 2. Types of Personal Data Collected

### 2.1 Account Data

When you register for the Service, we collect:

* Full name and job title
* Business email address
* Company or organization name
* Billing address and payment information
* Phone number (optional)

### 2.2 Usage Data

We automatically collect data about how you interact with the Service:

* API call logs (endpoints called, timestamps, response codes, latency)
* Dashboard activity (pages visited, features used)
* Authentication events (login times, IP addresses, authentication methods)
* Error logs and diagnostic data
* Feature usage metrics and patterns

### 2.3 Agent Data

When your Agents use the Service, we process data on your behalf, which may include:

* **Email Data:** Email addresses, message content (headers, body, attachments), delivery status, bounce and complaint data.
* **Phone and SMS Data:** Phone numbers, call metadata (duration, timestamps, call direction), SMS message content, delivery receipts.
* **Vault Entries:** Encrypted credential data, metadata about stored entries (creation date, last accessed, entry type). Anima does not have access to decrypted vault content in customer-managed encryption configurations.
* **Identity Data:** Decentralized Identifiers (DIDs), verifiable credential metadata, Agent Card profiles, A2A protocol interaction logs.

### 2.4 Technical Data

We collect technical information from devices and browsers used to access the Service:

* IP addresses
* Browser type and version
* Operating system and device type
* Referring URLs
* Time zone and language settings

***

## 3. Legal Bases for Processing (GDPR Article 6)

We process personal data under the following legal bases:

### 3.1 Contract Performance (Article 6(1)(b))

Processing necessary for the performance of our contract with you, including:

* Provisioning and maintaining your account
* Providing the Service features you have requested (email, phone, vault, identity)
* Processing billing and payments
* Providing customer support

### 3.2 Legitimate Interest (Article 6(1)(f))

Processing necessary for our legitimate interests, provided these interests are not overridden by your rights and freedoms, including:

* Improving and optimizing the Service
* Detecting and preventing fraud, abuse, and security incidents
* Analyzing usage patterns to develop new features
* Ensuring network and information security
* Enforcing our Terms of Service

### 3.3 Consent (Article 6(1)(a))

Where required by applicable law, we process personal data based on your freely given, specific, informed, and unambiguous consent, including:

* Sending marketing communications and newsletters
* Placing non-essential cookies and tracking technologies
* Processing data for purposes beyond those described in this Privacy Policy

You may withdraw consent at any time by contacting us at [legal@useanima.sh](mailto:legal@useanima.sh) or by using the relevant opt-out mechanism. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

### 3.4 Legal Obligation (Article 6(1)(c))

Processing necessary for compliance with legal obligations, including tax reporting, responding to lawful government requests, and maintaining records required by financial regulations.

***

## 4. How We Use Your Data

We use the personal data we collect to:

* **Provide the Service:** Operate, maintain, and deliver the features and functionality of the Platform, including email routing, phone/SMS services, vault storage, and identity management.
* **Process Transactions:** Process payments, generate invoices, and manage your billing account.
* **Communicate with You:** Send transactional communications (account notifications, security alerts, service updates), and, where you have opted in, marketing communications.
* **Ensure Security:** Monitor for and protect against fraud, abuse, unauthorized access, and other security threats.
* **Improve the Service:** Analyze usage data to understand how the Service is used, identify areas for improvement, and develop new features.
* **Comply with Law:** Fulfill our legal and regulatory obligations, including tax reporting, anti-money laundering requirements, and responding to lawful requests from authorities.
* **Enforce Our Terms:** Investigate and enforce compliance with our Terms of Service and Acceptable Use Policy.

***

## 5. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law.

| Data Category         | Retention Period                                                       |
| --------------------- | ---------------------------------------------------------------------- |
| Account Data          | Duration of the account plus 3 years after termination                 |
| Usage Data (API logs) | 90 days in detailed form; 2 years in aggregated form                   |
| Email Content         | 30 days after delivery, unless configured otherwise by the customer    |
| Phone/SMS Records     | 90 days, or as required by telecommunications regulations              |
| Vault Entries         | Duration of the account; deleted within 30 days of account termination |
| Identity Data (DIDs)  | Duration of the account plus 1 year after termination                  |
| Technical Data        | 90 days                                                                |
| Billing Records       | 7 years, as required by tax and accounting regulations                 |

Customers may request earlier deletion of their data subject to applicable legal retention requirements. See Section 8 (Data Subject Rights) for details.

***

## 6. Data Sharing and Subprocessors

### 6.1 No Sale of Personal Data

Anima does not sell personal data to third parties. We do not share personal data for third-party advertising purposes.

### 6.2 Subprocessors

We share personal data with the following categories of subprocessors, who process data on our behalf and under our instructions:

| Subprocessor                    | Purpose                            | Data Processed                               |
| ------------------------------- | ---------------------------------- | -------------------------------------------- |
| **Google Cloud Platform (GCP)** | Cloud infrastructure and hosting   | All categories (encrypted at rest)           |
| **Stripe**                      | Payment processing and billing     | Billing data, payment methods                |
| **Telnyx**                      | Phone and SMS services             | Phone numbers, call/SMS metadata and content |
| **Clerk**                       | Authentication and user management | Account data, authentication events          |
| **Resend**                      | Transactional email delivery       | Email addresses, email content               |

### 6.3 Other Disclosures

We may disclose personal data:

* **To comply with law:** In response to a subpoena, court order, or other lawful request from a government authority.
* **To protect rights:** When we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
* **In a business transfer:** In connection with a merger, acquisition, bankruptcy, or sale of assets, in which case you will be notified of any change in data controller.
* **With your consent:** Where you have provided explicit consent to the disclosure.

### 6.4 Subprocessor Updates

We maintain an up-to-date list of subprocessors at [https://useanima.sh/subprocessors](https://useanima.sh/subprocessors). Customers who have entered into a Data Processing Agreement will receive 30 days' prior notice of any new subprocessor additions.

***

## 7. International Data Transfers

### 7.1 Transfer Mechanisms

Anima Labs Ltd is based in the United Kingdom. Personal data may be transferred to and processed in the United States and other countries where our subprocessors operate.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on:

* **Standard Contractual Clauses (SCCs):** As adopted by the European Commission (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum.
* **Supplementary Measures:** Including encryption in transit and at rest, access controls, and contractual commitments from subprocessors.

### 7.2 EU-U.S. Data Privacy Framework

Where applicable, we rely on relevant data privacy framework certifications maintained by our subprocessors.

***

## 8. Data Subject Rights (GDPR)

If you are located in the EEA or the United Kingdom, you have the following rights under the GDPR and UK GDPR:

### 8.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, to request a copy of that data along with information about the purposes and categories of processing.

### 8.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data.

### 8.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis; you object to processing and there are no overriding legitimate grounds; or the data has been unlawfully processed.

### 8.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing where: the accuracy of the data is contested; the processing is unlawful and you prefer restriction to erasure; Anima no longer needs the data but you require it for legal claims; or you have objected to processing pending verification.

### 8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.

### 8.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims.

### 8.7 Right Related to Automated Decision-Making (Article 22)

Anima does not currently make decisions based solely on automated processing that produce legal effects or similarly significant effects concerning you. If this changes, we will provide meaningful information about the logic involved and the significance and envisaged consequences of such processing, and provide a mechanism to request human review.

### 8.8 Exercising Your Rights

To exercise any of these rights, contact us at [legal@useanima.sh](mailto:legal@useanima.sh). We will respond to your request within 30 days. We may request verification of your identity before fulfilling your request. If we are acting as a data processor on behalf of a customer, we will direct your request to the appropriate data controller.

***

## 9. CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

### 9.1 Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share it.

### 9.2 Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal obligations, completing a transaction, security purposes).

### 9.3 Right to Opt-Out of Sale or Sharing

Anima does not sell personal information and does not share personal information for cross-context behavioral advertising purposes as defined by the CCPA/CPRA.

### 9.4 Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you.

### 9.5 Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, or provide a different level of quality based on your exercise of privacy rights.

### 9.6 Exercising Your Rights

To exercise your CCPA rights, contact us at [legal@useanima.sh](mailto:legal@useanima.sh). We will verify your identity before fulfilling your request and respond within 45 days.

***

## 10. Cookies and Tracking Technologies

### 10.1 Types of Cookies

We use the following categories of cookies on our website and dashboard:

* **Strictly Necessary Cookies:** Required for the operation of the Service (authentication, session management, security). These cookies cannot be disabled.
* **Analytics Cookies:** Used to understand how visitors interact with the Service, measure performance, and identify areas for improvement. Deployed only with your consent where required by law.
* **Preference Cookies:** Used to remember your settings and preferences (language, theme, display options).

### 10.2 Managing Cookies

You can manage your cookie preferences through: (a) the cookie consent banner displayed on first visit; (b) your browser settings; or (c) contacting us at [legal@useanima.sh](mailto:legal@useanima.sh).

### 10.3 Do Not Track

The Service currently does not respond to "Do Not Track" browser signals. However, you can opt out of analytics cookies as described above.

***

## 11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe that a child under 18 has provided us with personal data, please contact us at [legal@useanima.sh](mailto:legal@useanima.sh).

***

## 12. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

* **Encryption:** Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
* **Access Controls:** Role-based access control, multi-factor authentication for administrative access, and principle of least privilege.
* **Infrastructure Security:** Hosted on SOC 2 Type II certified infrastructure (Google Cloud Platform) with network segmentation, intrusion detection, and DDoS protection.
* **Audit Logging:** Comprehensive audit logs of administrative actions and data access events.
* **Employee Security:** Background checks, security training, and confidentiality agreements for all employees with access to personal data.
* **Vulnerability Management:** Regular security assessments, penetration testing, and a responsible disclosure program.

***

## 13. Data Breach Notification

### 13.1 Supervisory Authorities

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, Anima will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.

### 13.2 Affected Individuals

Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Anima will communicate the breach to the affected individuals without undue delay, in accordance with GDPR Article 34.

### 13.3 Customer Notification

For data breaches affecting Customer Data where Anima acts as a data processor, Anima will notify the affected customer without undue delay and in any event within 72 hours of becoming aware of the breach, providing sufficient information for the customer to fulfill its own notification obligations.

***

## 14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

* Posting the updated Privacy Policy on our website with a revised "Last Updated" date.
* Sending an email notification to the address associated with your account at least 30 days before the changes take effect.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

***

## 15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection team:

**Anima Labs Ltd**
Data Protection Officer
Email: [legal@useanima.sh](mailto:legal@useanima.sh)
Website: [https://useanima.sh](https://useanima.sh)

If you are located in the EEA or UK and are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at [https://ico.org.uk](https://ico.org.uk).
