Privacy Policy

Last updated: May 6, 2026

Elego, Inc. ("Elego," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information when you visit our website, create an account, or use our AI business development analyst (collectively, the "Service").

If you have questions about this Policy, please contact us at founders@elego.ai or at Elego, Inc., 130 East 63rd Street, New York, NY 10065.

1. Scope and Roles

This Policy applies to (a) visitors to our website, (b) prospective customers, (c) authorized users of the Service, and (d) anyone whose personal information we receive in connection with operating the Service.

Controller and processor. When we process personal information about visitors and account holders for our own purposes (for example, to operate the website, manage accounts, or send marketing), we act as a "controller" under the GDPR and a "business" under the CCPA. When you upload Customer Data into the Service, we process that data on your instructions to provide the Service, and we act as a "processor" or "service provider." The relevant data protection terms in those cases are set out in our Data Processing Addendum, which is available on request.

2. Information We Collect

2.1 Account information

  • Account information. Name, work email address, employer, role, and password or single sign-on identifier.

  • Billing information. Billing contact, billing address, and tax identifiers. Payment card details are handled directly by our payment processor (see Section 5); we do not store full card numbers on our systems.

  • Communications. Messages you send us, support tickets, and survey responses.

  • Customer Data. Documents, files, prompts, and other content you submit to the Service, plus the outputs the Service generates for you.

2.2 Information from your laptop and connected accounts

The Service can read information from your device and connected business applications, but only after you grant explicit permission, and only to the extent needed to do the work you have asked it to do.

  • Files and folders you select. When you point the Service at a file, folder, or shared drive, we access only the items in scope and only for the duration of the task. We do not browse other parts of your file system.

  • Email and calendar. If you connect Gmail, Outlook, or another mail/calendar provider, we access messages, calendar events, and contact metadata you authorize, using read-only or task-specific scopes wherever the provider supports them.

  • Other local applications. If you connect Slack, your CRM, or similar tools, we access the data you authorize through the relevant API.

You can revoke any of these permissions at any time, either in the Service or directly with the upstream provider (for example, in your Google or Microsoft account).

2.3 Information collected automatically

  • Usage data. Pages visited, features used, clicks, search queries within the Service, time spent, and similar diagnostic information.

  • Device and log data. IP address, browser type and version, operating system, device identifiers, referring URL, and timestamps.

  • Cookies and similar technologies. Strictly necessary cookies required to make the Service work, plus, where you consent, analytics and marketing cookies. You can manage cookie preferences through our cookie banner or your browser settings.

2.4 Information from third parties

We may receive information about you from business partners, marketing platforms, or publicly available sources, for example to verify a corporate domain or enrich a sales contact record. We will only use such information consistent with this Policy.

3. How We Use Information

We use information to:

  • Provide, operate, secure, and improve the Service, including authenticating users, maintaining session state, and supporting integrations you connect.

  • Process Customer Data on your instructions to generate outputs.

  • Communicate with you about your account, security, support, and product updates.

  • Send marketing communications about Elego, where permitted by law and subject to your right to opt out.

  • Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.

  • Comply with legal obligations, enforce our agreements, and establish or defend legal claims.

Legal bases under the GDPR / UK GDPR. We rely on (a) performance of a contract to provide the Service, (b) our legitimate interests in operating, securing, and improving our business, (c) your consent for optional cookies and direct marketing where required, and (d) compliance with legal obligations. Where we rely on legitimate interests, we have considered the impact on your rights and concluded that our processing is proportionate.

4. AI Processing and Our Position on Training

AI is at the core of the Service. We have built our data practices to reflect the sensitivity of the information our customers share with us, including standards informed by professional and legal services norms.

  • No training on Customer Data. We do not use Customer Data, including your prompts, uploaded documents, connected-account data, or generated outputs, to train, fine-tune, or improve our own foundation models or any third-party foundation models.

  • Zero retention with model providers. We use Anthropic, OpenAI, and Google as foundation model providers. We process Customer Data through these providers under enterprise or zero-retention arrangements that prohibit them from using your data to train their models and that minimize their retention of prompts and outputs. The exact arrangements vary by provider; we maintain an up-to-date list of subprocessors and their applicable terms (see Section 5).

  • Outputs. Outputs are generated for your account and are part of your Customer Data. AI outputs can be inaccurate or incomplete; you are responsible for reviewing them before relying on them.

  • Aggregated and de-identified data. We may use aggregated or de-identified data that does not identify you or your customers to operate, secure, and analyze the Service. We will not attempt to re-identify any such data.

  • No automated decisions with legal effect. We do not use the Service to make decisions about you that produce legal or similarly significant effects without meaningful human involvement.

5. How We Share Information

We do not sell personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under US state privacy laws.

We share information only with the categories of recipients below:

  • Subprocessors who help us run the Service. Cloud hosting and storage (Amazon Web Services), foundation model providers (Anthropic, OpenAI, Google), authentication, error monitoring, customer support tooling, billing, and analytics.

  • Business tools we use to run our company. Marketing automation and CRM (such as HubSpot and Segment), communications tools, and payment processors. These vendors process information about visitors, prospective customers, and account holders, not Customer Data.

  • Integrations you authorize. When you connect the Service to Gmail, Outlook, your CRM, or another application, information flows between that application and the Service in line with the access you granted.

  • Professional advisors. Lawyers, auditors, accountants, and insurers, under confidentiality.

  • In a corporate transaction. If we are involved in a merger, acquisition, financing, or sale of assets, information may be disclosed to the counterparty and their advisors, subject to confidentiality.

  • For legal reasons. When we believe in good faith that disclosure is required by law, regulation, legal process, or government request, or is necessary to protect the rights, property, or safety of Elego, our customers, or others. Where legally permitted, we will notify the affected customer before disclosing Customer Data.

A current list of subprocessors is available on request from founders@elego.ai. We will give you a reasonable opportunity to object to material changes.

6. Retention

We keep personal information only as long as necessary for the purposes for which it was collected, plus a reasonable period to comply with legal obligations and to defend legal claims.

  • Customer Data. Retained for the duration of your subscription. After termination, we will, on written request received within 30 days, make Customer Data available for export and will then delete or anonymize it within an additional 30 days, except where longer retention is required by law.

  • Account and billing information. Retained for the life of the account and for up to seven years after closure for tax, accounting, and audit purposes.

  • Usage and log data. Retained in identifiable form for up to 12 months, then deleted or aggregated.

  • Marketing data. Retained until you unsubscribe or object, plus a short suppression period to honor your opt-out.

Where you ask us to delete information sooner, we will do so unless we have a lawful basis to keep it.

7. Security

We take the security of your information seriously, especially because professional users entrust us with confidential business material.

  • Encryption in transit and at rest. Customer Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256.

  • Access controls. Access to production systems and Customer Data is limited to a small number of authorized personnel on a need-to-know basis, protected by single sign-on, multi-factor authentication, and audit logging.

  • Network and infrastructure security. Hosted on AWS in the United States, with isolated environments for production and non-production workloads. Customer Data is logically segregated by account.

  • Vendor diligence. Subprocessors are reviewed before onboarding and re-reviewed periodically.

  • Personnel. Employees and contractors with access to personal information are bound by written confidentiality obligations and receive security and privacy training.

  • Incident response. We maintain a written security incident response plan. If we become aware of a personal data breach affecting your information, we will notify you without undue delay and in line with applicable law.

No system can be guaranteed to be 100% secure. We will continue to invest in our security program, including pursuing recognized industry certifications (such as SOC 2) as we scale.

8. International Transfers

We are based in the United States, and most of our infrastructure is located there. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions where we or our subprocessors operate.

For transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland, we rely on lawful transfer mechanisms, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and other safeguards required by applicable law. Copies of the relevant transfer mechanisms are available on request.

9. Your Rights

Depending on where you live, you may have the following rights with respect to your personal information:

  • Access the personal information we hold about you.

  • Correct information that is inaccurate or incomplete.

  • Delete personal information, subject to legal exceptions.

  • Restrict or object to certain processing, including processing based on legitimate interests.

  • Receive your information in a portable format.

  • Withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing.

  • Lodge a complaint with a supervisory authority. In the EU, this is the data protection authority in your member state. In the UK, this is the Information Commissioner's Office (ico.org.uk).

For California residents, you also have rights under the CCPA, including the right to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising those rights. We do not sell or share personal information for cross-context behavioral advertising.

To exercise any of these rights, email founders@elego.ai. We may need to verify your identity before responding. If we process your information on behalf of a customer (for example, you are an end user whose data was uploaded by a corporate customer), we will refer your request to that customer.

10. Marketing and Your Choices

You can opt out of marketing emails at any time using the unsubscribe link in any message or by emailing founders@elego.ai. We will continue to send you transactional and account-related communications.

You can manage cookie preferences through the cookie banner on our website or your browser settings. Most browsers allow you to refuse or delete cookies; doing so may affect your experience.

11. Children

The Service is not directed to children under 18, and we do not knowingly collect personal information from them. If you believe we have collected information about a child, please contact us so we can delete it.

12. Third-Party Services

The Service may include links to third-party websites or integrate with third-party applications. Those third parties are responsible for their own privacy practices. We encourage you to review their policies before sharing information with them.

13. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you through the Service or by email before the changes take effect, and will update the "Last updated" date above. Your continued use of the Service after the effective date constitutes acceptance.

14. Contact Us

For privacy questions, requests, or complaints, contact us at:

Elego, Inc., 130 East 63rd Street, New York, NY 10065

Email: founders@elego.ai

If you are in the European Economic Area or United Kingdom and would like to contact us about this Policy or your rights, you may also use the email address above. We will respond within the timeframes required by applicable law.