Privacy Policy

1. Information We Collect

a. Information You Provide

We may collect information you provide directly, including:

• Name, email address, and contact details
• Account credentials
• Billing and payment information
• Content, files, and data you submit through the Services
• Communications with us

b. Information Collected Automatically

When you use the Services, we may automatically collect:

• IP address
• Device type, browser, and operating system
• Usage data, logs, and interaction data
• Cookies and similar technologies

c. Third-Party Information

We may receive information from third-party services you choose to connect, subject to their own privacy policies. The data we receive depends on which service you connect and the permissions you grant. Google connections are described in full in "Google API Services & User Data" below.

2. How We Use Information

We use personal information to:

• Provide, operate, and improve the Services
• Create and manage accounts
• Process payments and subscriptions
• Communicate with you
• Provide customer support
• Analyze usage and performance
• Comply with legal obligations

3. Google API Services & User Data

The Cloud connects to Google so its features can work with your Gmail, Google Calendar, Google Drive, and YouTube. You choose which connections to set up, and each one only does what you ask. This section describes exactly what data we access, how we use it, where we store it, who we share it with, and how you can remove it.

a. We Ask for the Least Access Needed

We request the narrowest Google permissions a feature needs. Where Google offers a read-only version of a permission, we request that first. Permissions that let The Cloud create, change, or send on your behalf are requested only for the specific features that need them, and never bundled into a connection that doesn't use them. The Google consent screen always shows you the exact permissions before you approve.

b. Data We Access from Google

Depending on which Google connections you enable and the permissions you grant, we may access:

• Account identity (email address)— Your Google account's email address, used only to label the connection and identify which account is linked. This grants no access to your content.
• Gmail (gmail.modify, gmail.compose) — When you connect Gmail, The Cloud powers its in-app Mail client so you can work with your own email. We read your messages and labels and organize them (for example, mark as read, archive, or label) and create and edit drafts (gmail.modify), and we compose and send messages from your account (gmail.compose) — all only at your request. We do not use your Gmail data for advertising, we do not sell it, and we do not transfer it to anyone except as needed to provide this feature.
• Google Calendar (calendar.readonly, calendar.events) — We read your calendar events (calendar.readonly) so you can see your schedule in The Cloud, and we create, update, and delete events (calendar.events) when you schedule, reschedule, or cancel through The Cloud. We also read calendar identifiers and sync tokens to keep changes in sync efficiently.
• Google Drive — When you connect Drive, The Cloud can read the files you choose so you can bring them into your workspace. We request read-only access to Drive.
• YouTube (youtube.upload, youtube.readonly) — When you connect YouTube, The Cloud uploads recordings you create in The Cloud to your own YouTube channel, only at your request and only the content you explicitly choose to publish (youtube.upload). It reads your channel identity and the status of those uploads to confirm a recording posted successfully (youtube.readonly). We do not browse, modify, or delete other videos on your channel.

c. How We Use Google Data

We use Google user data only to provide and improve the features you enable in The Cloud — showing and organizing your mail, calendar, files, and channel; carrying out the actions you ask for; and keeping the connected service and The Cloud in sync. We do not use it for any unrelated purpose.

d. How We Store Google Data

The access and refresh tokens that authorize a connection are encrypted before they are stored, and are held on our backend infrastructure provider, Convex. Data we retrieve from Google to power a feature — such as your calendar events — may be cached in our database so The Cloud loads quickly and works reliably. All data is encrypted in transit (HTTPS/TLS) and encrypted at rest.

e. Sharing of Google Data

We do not sell, rent, or trade Google user data. We do not share it with any third party except:

• Our infrastructure providers (such as database hosting) who process data on our behalf and are bound by confidentiality obligations
• When required by law, regulation, or valid legal process

Google user data is never used for, transferred to, or shared with any party for serving advertisements, retargeting, personalized advertising, or determining creditworthiness.

f. Data Retention and Deletion

We keep data from a Google connection only while that connection is active. When you disconnect a Google connection from The Cloud:

• Its access and refresh tokens are immediately deleted, and we attempt to revoke them at Google
• Data we synced from that connection is removed from our database

You can disconnect any Google connection at any time from the relevant settings in The Cloud, and deleting your account removes everything. You can also review and revoke The Cloud's access from your Google Account permissions page.

g. Limited Use

The Cloud's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In plain terms, for all Google user data — Gmail, Calendar, Drive, and YouTube:

• We only use it to provide and improve the features you enable in The Cloud.
• We do not sell it, and we do not use it for advertising.
• We do not transfer it to others except as needed to provide those user-facing features, to comply with the law, or as part of a merger or acquisition with appropriate notice.
• We do not allow humans to read it, except with your consent, for security or to comply with the law, or where the data has been aggregated and anonymized.
• We do not use Google user data — including Gmail and any other Google Workspace user data — to develop, improve, or train generalized or non-personalized artificial intelligence or machine learning models.

4. AI and the MCP Fabric

The Cloud is an AI-native workspace. This section explains how its AI features use your data.

a. Ora and AI Features

Ora — The Cloud's built-in AI — and other AI features process your content to do what you ask: drafting and editing pages, organizing memory, managing tasks and your calendar, and similar functionality. They process the content relevant to your request and for no unrelated purpose.

b. AI Providers

We use Anthropic as our AI provider. Your content is sent to Anthropic only to deliver the feature you are using, as our service provider under contract. Your content is not used to train Anthropic's or any other third party's AI models.

c. The MCP Fabric

The Cloud can connect to external AIs through the Model Context Protocol (MCP), and can act as an MCP server that exposes the content you authorize to a connected AI. You control what a connected AI can reach. Connecting an AI, sharing content, and opening content always require your explicit consent at the time of the action; content an AI creates in The Cloud is private by default.

d. Accuracy

AI output can be inaccurate, incomplete, or outdated. Review it before relying on it.

5. Voice Data and AI-Audio Processing

When you use voice and AI-audio features — text-to-speech, speech-to-text, music and sound effects, dubbing, or voice cloning — we process the text, audio, and voice samples needed to deliver the feature you requested, and for no unrelated purpose.

a. Third-Party Sub-Processors

We use third-party providers to power voice and AI-audio features. Your text and any voice samples you provide for cloning may be sent to these providers solely to deliver the feature, as our service providers under a data processing agreement (DPA). Your content is not used to train their or any other party's models.

• ElevenLabs — audio and voice processing, including text-to-speech, speech-to-text, and voice cloning. Text and voice samples may be sent to ElevenLabs under a DPA.

We maintain a current list of sub-processors. The plain-language summary on our Data Use page lists the sub-processors we rely on.

b. How Voice Data Is Protected

• Per-tenant isolation — your voice data and cloned voices are scoped to your account and are not shared across tenants.
• Encryption — voice data is encrypted in transit (HTTPS/TLS) and at rest.
• Minimization — we collect and send only the data a feature needs to run.
• No sale — we do not sell voice data, and we do not use it for advertising.

c. Retention and Revocation

You can delete your voice samples and cloned voices at any time. When you delete a voice or your account, the data is removed from our systems, and we propagate the deletion to the sub-processors that processed it where they support deletion. Deleting your account removes everything as described in the Data Retention section below.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Enable core functionality
• Understand usage patterns
• Improve performance

You may control cookies through your browser settings, but disabling them may affect functionality.

7. Sharing of Information

We may share personal information with:

• Service providers and vendors who assist in operating the Services
• Payment processors and infrastructure providers
• Legal authorities if required by law or to protect rights and safety

We do not sell personal information.

8. Data Retention

We retain personal information only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements.

Account deletion. You can delete your account at any time. When you do, we permanently and immediately delete your personal data and the content you created in The Cloud — including your pages, spaces, memories, tasks, files, and data synced from connected accounts. Content you move to Trash is permanently purged after 30 days. Limited information may persist briefly in encrypted backups and is cleared in the ordinary course; we retain only the minimum that the law requires.

9. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect personal information. However, no system is completely secure, and we cannot guarantee absolute security.

10. Your Rights and Choices

Depending on your location, you may have rights to:

• Access your personal information
• Correct inaccurate data
• Request deletion of your data
• Object to or restrict certain processing

Requests can be made by contacting us at the email below.

11. Children's Privacy

The Services are not intended for individuals under 18. We do not knowingly collect personal information from children.

12. International Users

If you access the Services from outside the United States, you understand that your information may be processed and stored in the United States or other jurisdictions.

13. Browser Extension (The Cloud)

The Cloud offers a browser extension for Google Chrome ("the Extension") that lets you save images, links, and web pages from any website to your Files. This section describes the specific data practices of the Extension.

a. Data the Extension Accesses

The Extension is designed around user-initiated actions. It does not read, log, or transmit data about websites you visit unless you explicitly trigger a save. Specifically, the Extension accesses:

• Authentication cookie — After you sign in on thecloud.so, the Extension reads the session cookie set by our authentication system so it can call our API on your behalf. It reads cookies only from the thecloud.so domain.
• Local storage — The Extension caches your session token in chrome.storage.local so you remain signed in between browser sessions. No browsing data or page content is stored locally.
• Active tab data (on save only)— When you click the save button on an image, or choose a save action from the right-click menu, the Extension reads the relevant data for that save — the image URL, the link URL, or the current page's URL, title, and rendered text content — and transmits it to our backend. No tab data is accessed until you initiate a save.

b. What the Extension Does NOT Do

• It does not track your browsing history.
• It does not log mouse movements, keystrokes, scroll behavior, or any passive user activity.
• It does not collect or transmit data from pages you have not explicitly saved.
• It does not inject ads or third-party scripts into web pages.
• It does not sell or share your data with third parties.

c. How Saved Content Is Used

Items you save through the Extension are stored in your personal Files on thecloud.so, tied to your account. They are used solely to provide the save-and-retrieve functionality of your Files. They are not used to build advertising profiles, train public AI models, or for any purpose unrelated to your use of the Services.

d. Removing the Extension

You can uninstall the Extension at any time from Chrome's extension settings, which immediately revokes all its permissions and clears its local storage. You can also delete individual saved items, or your entire Files, from your account on thecloud.so.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be effective when posted. Continued use of the Services constitutes acceptance of the updated Policy.