Privacy Policy

1. Information We Collect

We collect several categories of information to provide, maintain, and improve the Elysium platform. The types of information we collect depend on how you interact with our Service.

1.1 Account Information

When you create an account on Elysium, we collect the following personal information:

• Full name as provided during registration or invitation acceptance
• Email address used for authentication, communications, and account recovery
• Username chosen during registration for platform identification
• Password (stored only in hashed form using industry-standard algorithms; we never store plaintext passwords)
• Organization affiliation if you join or create an organization on the Platform
• Profile information including avatar, display preferences, and role within your organization

1.2 Usage Data

We automatically collect information about how you interact with the Platform:

• Conversation and interaction data including messages sent to AI agents, agent responses, task instructions, and workflow configurations
• API interaction logs including request timestamps, endpoints accessed, request parameters, response codes, and token consumption
• Task and workflow data including task descriptions, execution logs, completion status, and performance metrics
• Agent configuration data including agent parameters, tool selections, knowledge base entries, and customization settings
• Feature usage patterns such as which tools, agents, and platform features you use and how frequently
• Marketplace activity including listings viewed, purchases, sales, reviews submitted, and wallet transactions

1.3 Device and Technical Information

When you access the Platform, we may automatically collect:

• Device identifiers including device type, operating system, and version
• Browser information including browser type, version, and language settings
• Network information including IP address, connection type, and approximate geographic location derived from your IP address
• Application performance data including crash reports, error logs, and diagnostic information from our native desktop and mobile applications
• Referral information including the URL of the webpage that referred you to our Platform

1.4 Payment and Financial Information

If you subscribe to a paid plan or use marketplace features:

• Billing information including billing name, billing address, and payment method details. Credit card numbers are processed and stored exclusively by our payment processor, Stripe, Inc., and are never stored on our servers.
• Transaction history including subscription charges, marketplace purchases, wallet transfers, and refund records
• Cryptocurrency wallet addresses if you opt into blockchain-based features on the Platform

1.5 Information from Third-Party Integrations

If you connect third-party services to your Elysium account (such as Notion, Slack, GitHub, Google Calendar, Gmail, or Figma), we may receive:

• Authentication tokens and access credentials (stored encrypted in our credential vault)
• Profile information from the connected service as authorized by you during the OAuth flow
• Data from the connected service that you instruct your AI agents to access or process

1.6 Waitlist and Communication Data

If you join our waitlist or submit an access request, we collect your email address and any additional information you voluntarily provide in your request. We use this information solely to manage the waitlist, evaluate access requests, and communicate with you about your application status and Platform updates.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Providing and Operating the Service

• To create, maintain, and secure your account and authenticate your identity
• To process your instructions and deliver them to AI agents for execution
• To facilitate conversations between you and AI agents, including multi-agent group conversations
• To execute tasks, workflows, and automations as configured by you
• To operate the marketplace, process transactions, and facilitate wallet operations
• To manage your organization, team members, roles, and permissions

2.2 Improving and Personalizing the Experience

• To learn your preferences, workflows, and communication patterns in order to provide more relevant and personalized agent interactions (via our Personal Memory system, which explicitly filters out personally identifiable information before storing preferences)
• To analyze usage patterns and identify opportunities to improve Platform features, performance, and reliability
• To conduct research and development on AI agent capabilities, safety, and alignment
• To provide personalized recommendations for agents, tools, and marketplace offerings

2.3 Communication

• To send you transactional messages, including account confirmations, security alerts, billing notifications, and task completion updates
• To send you product announcements, feature updates, and Platform news (you may opt out at any time)
• To respond to your inquiries, support requests, and feedback

2.4 Safety, Security, and Legal Compliance

• To detect, investigate, and prevent fraud, abuse, unauthorized access, and other harmful or illegal activities
• To enforce our Terms of Service, Acceptable Use Policy, and other platform policies
• To comply with applicable laws, regulations, legal processes, and governmental requests
• To protect the rights, property, and safety of GGI, our users, and the public
• To maintain audit logs for security monitoring and incident response

2.5 Billing and Financial Operations

• To process subscription payments, marketplace transactions, and refunds
• To track token and resource consumption for metered billing
• To manage wallet balances, transfers, and settlement operations
• To generate invoices, receipts, and financial reports as required

3. AI Processing and Data Handling

Elysium is fundamentally an AI agent platform. Understanding how your data interacts with AI systems is critical. This section describes how your data is processed by AI models and the safeguards we have in place.

3.1 How AI Models Process Your Data

When you interact with Elysium, your messages, instructions, and relevant context are sent to large language models (LLMs) for processing. Our primary AI provider is Anthropic, whose Claude models power the core intelligence of Elysium agents. The following data may be sent to AI models:

• Your messages, prompts, and instructions to AI agents
• Contextual information necessary for agents to complete your tasks (such as relevant conversation history, knowledge base entries, and tool outputs)
• Content from connected third-party services that you explicitly instruct agents to access
• System prompts and agent configuration that define agent behavior and capabilities

3.2 AI Model Providers

Elysium routes AI processing through the following providers, each subject to their own data handling policies:

• Anthropic (Claude models) — Our primary AI provider. Anthropic’s data usage policies govern how data sent through their API is handled. Under Anthropic’s commercial API terms, data sent through the API is not used to train their models.
• Ollama (local models) — When configured, requests may be processed locally on your machine via Ollama, meaning data never leaves your device.
• OpenRouter— When configured, OpenRouter may route requests to various model providers according to their data handling policies.

3.3 Data Minimization in AI Processing

We employ several mechanisms to minimize the data sent to AI models:

• Skill filtering — Our intent-based skill filter ensures that only relevant skills and their associated data are included in AI model requests, reducing unnecessary data exposure
• Preference extraction with PII filtering — Our Personal Memory system learns your preferences while actively filtering out personally identifiable information before storage or inclusion in AI prompts
• Context window management — We limit the amount of conversation history and contextual data included in each AI request to what is reasonably necessary for the task at hand
• Credential isolation — Secrets and credentials stored in the Vault are never sent to AI models. Agents interact with external services using tool-mediated access that does not expose raw credentials to the LLM.

3.4 AI-Generated Content

Content generated by AI agents on the Platform (including responses, analysis, code, and creative works) may be inaccurate, incomplete, or biased. AI outputs should not be relied upon as professional, legal, medical, or financial advice. You are responsible for reviewing, verifying, and validating any AI-generated content before acting upon it. GGI disclaims all liability for actions taken based on AI-generated content.

4. Data Storage and Security

We take the security of your data seriously and implement multiple layers of protection to safeguard your information.

4.1 Storage Architecture

Elysium operates in a hybrid architecture. Depending on your deployment configuration:

• Local deployment — The Elysium backend can run on your own machine. In this configuration, your conversation data, task history, knowledge graph, and vector embeddings are stored locally in SQLite and ChromaDB databases on your device. Data does not leave your machine except when sent to AI model providers for processing.
• Cloud deployment — When using our hosted cloud service, data is stored on our secured infrastructure with encryption at rest and in transit.

4.2 Encryption and Access Controls

• All data transmitted between your device and the Platform is encrypted using TLS 1.2 or higher
• Passwords are hashed using industry-standard cryptographic algorithms and are never stored in plaintext
• Secrets and credentials in the Vault are encrypted using platform-native keystores (macOS Keychain, Linux libsecret) or AES-256 Fernet encryption
• API authentication tokens are generated using cryptographically secure random number generators (256-bit) and stored with restricted file permissions
• Role-based access control (RBAC) enforces the principle of least privilege across all API endpoints
• All API endpoints implement ownership validation (IDOR prevention) to ensure users can only access their own data
• Multi-tenancy isolation ensures data belonging to one organization is never accessible to another

4.3 Credential Management

Our three-layer credential management system (Secrets Manager, Vault Store, and Payment Vault) provides defense-in-depth for sensitive data. Credentials are encrypted before storage, access is controlled through a grant-based permission system, and all access events are recorded in an immutable audit trail. Third-party OAuth tokens are stored encrypted and are only decrypted at the moment of use.

4.4 Incident Response

In the event of a data breach or security incident, we will notify affected users and relevant regulatory authorities in accordance with applicable laws. We maintain incident response procedures and conduct regular security assessments to identify and address vulnerabilities. If you believe your account has been compromised, please contact us immediately at security@graygroupintl.com.

5. Data Sharing and Third Parties

We do not sell your personal information. We share your data only in the following circumstances:

5.1 AI Model Providers

As described in Section 3, your messages and relevant context are sent to AI model providers (primarily Anthropic) for processing. These providers process your data in accordance with their respective API terms of service and privacy policies. We select providers who commit to not using API data for model training purposes.

5.2 Payment Processors

We use Stripe, Inc. as our payment processor. When you provide payment information, it is transmitted directly to Stripe and processed in accordance with Stripe’s privacy policy and PCI DSS compliance standards. We do not store your full credit card number, CVV, or other sensitive card data on our servers. We receive only a tokenized reference and basic transaction details from Stripe.

5.3 Third-Party Integrations

When you connect third-party services (Notion, Slack, GitHub, Google Calendar, Gmail, Google Groups, Figma) to your Elysium account via OAuth, your AI agents may access and interact with data from those services as directed by you. We only access the scopes you explicitly authorize. You may revoke integration access at any time through your account settings.

5.4 Research and Analytics Providers

Our research pipeline may use third-party search and document reading services (such as Tavily and Jina) to perform web research as directed by you or your agents. Search queries and URLs are sent to these providers to retrieve publicly available information. We do not send your personal information to these services.

5.5 Error Tracking and Monitoring

We may use error tracking services (such as Sentry) to monitor application performance and identify bugs. These services may receive technical error data, stack traces, and device information. We configure these services to minimize the collection of personal information.

5.6 Legal Requirements and Protection of Rights

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or governmental request; (b) protect and defend the rights or property of GGI; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users of the Service or the public; or (e) protect against legal liability.

5.7 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Platform of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

6. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information. We honor these rights regardless of your location to the greatest extent practicable.

6.1 General Rights

All users of the Elysium platform have the right to:

• Access— Request a copy of the personal information we hold about you
• Correction— Request correction of inaccurate or incomplete personal information
• Deletion— Request deletion of your personal information, subject to certain exceptions (such as data we are required to retain for legal or compliance purposes)
• Data portability — Request a copy of your data in a structured, commonly used, and machine-readable format
• Withdrawal of consent — Where processing is based on consent, you may withdraw that consent at any time
• Opt-out of communications — Unsubscribe from marketing emails at any time using the link in each email, or by contacting us

6.2 European Economic Area (EEA) / GDPR Rights

If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent legislation:

• Right to restrict processing — Request that we limit the processing of your personal data in certain circumstances
• Right to object — Object to the processing of your personal data for direct marketing purposes or where processing is based on legitimate interests
• Right to lodge a complaint — File a complaint with your local data protection authority
• Automated decision-making — You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, except where such processing is necessary for contract performance, authorized by law, or based on your explicit consent

Our legal bases for processing your personal data include: performance of a contract (providing the Service), legitimate interests (improving and securing the Platform), compliance with legal obligations, and your consent where applicable.

6.3 California Consumer Privacy Act (CCPA) Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know — Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it
• Right to delete — Request deletion of your personal information, subject to certain exceptions
• Right to opt-out of sale or sharing — We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
• Right to non-discrimination — We will not discriminate against you for exercising your privacy rights
• Right to correct — Request correction of inaccurate personal information
• Right to limit use of sensitive personal information — Direct us to limit the use and disclosure of your sensitive personal information to what is necessary to perform the services

To exercise any of these rights, please contact us at privacy@graygroupintl.com. We will respond to verifiable requests within 45 days (or within 30 days for GDPR requests), with the possibility of extension as permitted by law.

7. Cookies and Tracking

7.1 Types of Cookies We Use

Elysium uses a minimal set of cookies and similar technologies:

• Strictly necessary cookies (session cookies) — We use httpOnly, secure session cookies for authentication and session management. These cookies are essential for the Platform to function and cannot be disabled. They do not track you across websites.
• Security cookies — Used to prevent cross-site request forgery (CSRF) and other security threats
• Preference cookies — Store your display preferences, language settings, and interface customizations

7.2 What We Do Not Do

• We do not use third-party advertising cookies or tracking pixels
• We do not use Google Analytics or similar third-party analytics services that track users across websites
• We do not engage in cross-site tracking or behavioral advertising
• We do not sell or share cookie data with third parties

7.3 Managing Cookies

You can configure your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you disable session cookies, you will not be able to use authenticated features of the Platform. Because we only use strictly necessary and functional cookies, there is no separate “cookie consent” banner — the use of these cookies is inherent to the functioning of the Service.

8. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

• Account data — Retained for the duration of your account. Upon account deletion, personal data is purged within 30 days, except where retention is required for legal compliance.
• Conversation and task data — Retained for the duration of your account and for up to 90 days after account deletion to allow for account recovery.
• Billing and transaction data — Retained for the period required by applicable tax and financial regulations (typically 7 years).
• Security logs — Retained for up to 1 year for security monitoring and incident investigation purposes.
• Aggregated and anonymized data — May be retained indefinitely, as it cannot be used to identify you.

8.2 Data Deletion

You may request deletion of your account and associated data at any time by contacting us at privacy@graygroupintl.com or through your account settings. Upon receiving a verified deletion request, we will delete or anonymize your personal information within 30 days, except for information we are required to retain for legal, regulatory, or audit purposes. We will also direct our third-party service providers to delete your data where applicable.

9. Children’s Privacy

The Elysium platform is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13 years of age. If we become aware that we have collected personal information from a child under the age of 13, we will take immediate steps to delete that information from our systems.

For users between the ages of 13 and 18, use of the Platform requires parental or guardian consent. Parents or guardians who believe their child has provided personal information to Elysium without their consent should contact us at privacy@graygroupintl.com, and we will promptly delete such information.

We comply with the Children’s Online Privacy Protection Act (COPPA) and equivalent international regulations regarding the collection of personal information from children.

10. International Data Transfers

Gray Group International, Inc. is based in the United States. If you are accessing the Platform from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For users in the European Economic Area, the United Kingdom, or Switzerland, we ensure that international data transfers comply with applicable data protection laws by implementing appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with all third-party service providers
• Verification that service providers maintain adequate data protection standards

By using the Platform, you consent to the transfer of your information to the United States and other jurisdictions as described in this Privacy Policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the “Effective Date” and “Last Updated” dates at the top of this page
• Provide prominent notice on the Platform (such as a banner or notification)
• Send an email notification to the address associated with your account for material changes that significantly affect your rights or the way we process your data

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of those changes. If you do not agree with the revised Privacy Policy, you should discontinue use of the Platform and contact us to request deletion of your data.

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will make every effort to respond to your inquiry within 30 days. For data protection requests requiring verification of identity, the response period begins upon successful verification.