Privacy Policy

Effective date: March 20, 2026
Last updated: March 20, 2026

This Privacy Policy explains how Corpore Conflux / Corpore.ai (“Corpore.ai,” “we,” “our,” or “us”) collects, uses, stores, shares, protects, and deletes personal data when people visit our website, use our agent platform, contact us, connect a Google account, or use our Salesagent outbound campaign tools.

This policy is written to describe our practices clearly, including our use of Google OAuth and Gmail API permissions. It applies to our public website, platform pages, agent tools, Salesagent, Everyoung-related tools where they are hosted under Corpore.ai, and related backend services.

Who we are
Scope of this policy
Our role: controller and processor
Information we collect
Google user data and Gmail API access
How we use information
Legal bases for processing
AI-assisted processing
Salesagent data practices
Sharing and subprocessors
Security measures
Retention
Deletion and revocation
Your privacy rights
Cookies and similar technologies
International transfers
Children
Changes to this policy
Contact

1. Who we are

Corpore.ai is an AI agent platform operated under the Corpore Conflux concept. The platform is designed around the principle of “human judgment, agent execution.” It provides role-specific AI agents that help organizations structure knowledge, support decision-making, redesign workflows, preserve memory, profile people and operational needs, and execute selected business processes.

Our agents may include, depending on the product configuration available to a customer:

Assistent: a memory and context agent for repeated work, notes, meetings, and operational continuity.
Ghostwriter: an agent that turns spoken or fragmented knowledge into structured, reusable text and organizational memory.
Mentor / Morpheus: an advisory and coaching-style agent that works with continuity, observation, and synthesis.
Architect: a management and matching agent for task allocation, team design, and fit analysis.
Analyst: a profiling agent for structured people insight, employee or candidate understanding, onboarding, and decision support.
Salesagent: an outbound campaign agent for structured commercial execution, lead discovery, contact management, Gmail-based sending, and campaign tracking.
Everyoung-related tools: agent workflows adapted to elderly care, continuity, resident notes, activities, pairing, and care-context memory where applicable.

Our public website is available at https://corpore.ai/. Our contact page is available at https://corpore.ai/pages/contact.

2. Scope of this policy

This Privacy Policy applies to personal data processed through:

the Corpore.ai website and public pages;
account registration, login, and platform access;
contact forms and consultation requests;
agent interactions, notes, transcripts, files, structured profiles, and generated outputs;
Salesagent campaign setup, website discovery, contact discovery, mailbox connection, Gmail OAuth, and Gmail-based sending;
support, security, diagnostics, audit logs, and backend operations.

Some customers may also have a separate written agreement, data processing agreement, enterprise contract, or product-specific notice. If such an agreement applies, it may contain additional terms for that customer’s workspace, users, and data.

3. Our role: controller and processor

Depending on the context, we may act either as a data controller or as a processor/service provider.

As controller, we decide how and why we process data relating to our website visitors, account holders, consultation requests, billing or business contacts, security logs, and platform administration.
As processor or service provider, we process customer workspace data, employee/customer records, campaign data, uploaded materials, transcripts, notes, and agent outputs on behalf of the organization or user that configures and uses the platform.
For Salesagent prospect data, the customer or operator is generally responsible for deciding what campaign is run, which territories and industries are targeted, what message is sent, and whether outreach is lawful under applicable marketing, ePrivacy, anti-spam, and data protection rules. We provide the technical system and process data according to the configured workflow.

4. Information we collect

4.1 Website and contact information

When you visit our website or contact us, we may collect:

name, email address, phone number, organization name, role, and message content provided through forms;
topic or product interest, such as DecaNeural, DecaSkill, Everyoung, Salesagent, partnership, investment, or other inquiry category;
technical data such as IP address, approximate location derived from IP address, browser type, device type, operating system, referring page, pages viewed, timestamps, and basic diagnostic logs;
cookie and similar technology data, subject to the cookie section below.

4.2 Account and platform information

When a user registers, logs in, or uses our platform, we may collect:

account identifiers, name, email address, authentication status, workspace or company handle, customer ID, role, permissions, and login metadata;
organization, team, campaign, project, agent, and workspace configuration data;
settings, preferences, saved templates, selected language, selected campaign, selected mailbox, and safety configuration;
usage logs, event logs, API request metadata, operational status, error logs, and audit trails.

4.3 Agent interaction and customer workspace data

Depending on the feature used, we may process:

messages, prompts, replies, comments, instructions, notes, and generated text;
voice notes, audio files, transcripts, summaries, and structured observations;
documents, uploaded files, internal knowledge, meeting notes, company background, process descriptions, and historical context;
employee, resident, candidate, customer, or stakeholder profiles where the customer uses our tools for profiling, onboarding, memory, matching, care context, team design, or task allocation;
psychometric or structured assessment data where a customer uses relevant agent modules and has appropriate legal basis to do so;
agent outputs, analytical summaries, recommendations, scores, labels, status fields, and workflow records.

4.4 Salesagent campaign and prospect data

Salesagent may process business development and outbound campaign data, including:

campaign name, target region, industry, language, target role, offer, cadence, sender name, templates, and campaign settings;
websites, domains, company names, source URLs, notes, discovery status, archive/restriction status, and diagnostic records;
public business contact details found on websites or directories, such as business email addresses, phone numbers, Facebook page URLs, contact pages, and publicly available role or company information;
contact status, send eligibility, send history, reply/bounce/completion status, and campaign event logs;
mailbox configuration and Gmail OAuth connection status for sending through a connected Google account.

4.5 Google account and Gmail-related information

If a user connects a Google account to Salesagent, we process limited Google-related data as described in detail in the next section.

5. Google user data and Gmail API access

Plain-language summary: Salesagent uses Google OAuth so an authorized user can connect a Gmail mailbox for outbound campaign sending. We request Google identity information to identify the connected account and Gmail send permission so the system can send campaign emails through that connected mailbox. We do not use this connection to read, list, search, download, analyze, sell, or train models on the user’s Gmail inbox, sent mail, attachments, contacts, or private email history.

5.1 Google OAuth scopes currently used

The Corpore.ai Salesagent mailbox connection may request the following Google OAuth permissions:

Permission / scope	Purpose	How we use it
`openid`	Authentication and account identification.	Used to support the Google OAuth flow and confirm that a real Google account authorized the connection.
`email` or Google userinfo email access	Identify the connected mailbox.	Used to display and store the email address of the connected Google account so the operator can see which mailbox is connected.
`https://www.googleapis.com/auth/gmail.send`	Send email through the connected Gmail account.	Used only to send outbound messages that the user or authorized operator configures in Salesagent. It is not used to read, search, list, download, or analyze mailbox contents.

5.2 What Google user data we access

When a user authorizes the Google connection, we may receive or store:

the connected Google account email address;
Google OAuth identifiers necessary to maintain the connection;
OAuth access tokens and refresh tokens needed to send authorized email through Gmail API;
OAuth connection status, token expiry metadata, error messages, reconnect status, and mailbox send-enabled/safety status;
message metadata generated by our own system when Salesagent sends a campaign email through the connected mailbox, such as recipient, template type, send time, status, and event history.

5.3 What Gmail data we do not access

Salesagent’s current Gmail integration is intentionally narrow. Unless we clearly update this policy and obtain new authorization, we do not use the Google connection to:

read Gmail inbox messages;
list Gmail threads;
search Gmail messages;
download email bodies from the user’s mailbox;
download or read Gmail attachments;
read Google Contacts;
read Google Drive files;
read Google Calendar events;
monitor private email history;
analyze the user’s Gmail inbox for advertising, profiling, unrelated analytics, or model training.

5.4 How Gmail send permission is used

Gmail send permission is used to perform the following actions:

connect a Gmail mailbox to a Salesagent campaign or workspace;
allow an authorized operator to enable or pause sending for that mailbox;
send outbound campaign emails prepared in Salesagent through the connected Gmail account;
record limited operational logs showing that a send attempt occurred, whether it succeeded or failed, and which campaign/contact/template was involved;
support reconnecting the mailbox if the OAuth connection expires or is revoked.

Salesagent is designed so that a mailbox connection alone does not mean unrestricted sending. The platform contains safety controls such as send-enabled status, campaign mailbox selection, contact status checks, null-email protection, inactive/restricted/archive protection, and send eligibility checks.

5.5 Google API Services User Data Policy and Limited Use

Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In practical terms:

we use Google user data only to provide and improve the user-facing mailbox connection and Gmail sending functionality that the user authorized;
we do not sell Google user data;
we do not use Google user data for advertising;
we do not transfer Google user data to third parties except as necessary to provide or secure the service, comply with law, prevent abuse, or as otherwise permitted by the Google API Services User Data Policy;
we do not use Google user data to determine creditworthiness, lending eligibility, housing eligibility, employment eligibility, insurance eligibility, or other high-stakes eligibility decisions;
we do not use Google user data to train generalized AI or machine learning models;
we do not allow humans to read Google user data unless required for security, legal compliance, support requested by the user, abuse investigation, or another limited operational purpose consistent with this policy.

5.6 Storage of Google OAuth data

OAuth tokens are stored server-side in access-controlled backend infrastructure and are not exposed in public website HTML, Shopify Liquid snippets, browser JavaScript, or general mailbox listing responses. Mailbox listing responses are designed to return safe operational fields, such as mailbox email, provider, OAuth status, send-enabled status, and timestamps, rather than raw OAuth tokens.

Google client secrets, Supabase service-role keys, and other backend secrets are stored as server-side environment variables and are not included in browser-facing code.

5.7 Revoking Google access

A user can revoke the application’s access through their Google Account permissions page. A user may also contact us to request disconnection or deletion of mailbox connection data. After revocation or deletion, Salesagent will no longer be able to send through that Google account unless the user reconnects it.

6. How we use information

We use personal data for the following purposes:

to provide, operate, maintain, secure, and improve Corpore.ai and its agent tools;
to create and manage accounts, workspaces, companies, campaigns, templates, contacts, mailboxes, and user settings;
to allow users to interact with agents and receive outputs, summaries, recommendations, and structured records;
to support Salesagent lead discovery, contact discovery, campaign execution, Gmail-based sending, and campaign tracking;
to process public business contact information for B2B outreach where configured by an authorized operator;
to detect, prevent, investigate, and respond to security incidents, fraud, abuse, spam, unauthorized access, and technical issues;
to provide customer support, respond to inquiries, and communicate about service changes;
to maintain audit logs and operational records needed for accountability, compliance, troubleshooting, and dispute resolution;
to comply with legal obligations and enforce our agreements.

7. Legal bases for processing

Where the General Data Protection Regulation (GDPR), UK GDPR, or similar laws apply, we process personal data under one or more of the following legal bases:

Legal basis	Examples
Contract	Providing platform access, agent tools, mailbox connection, Salesagent campaign functions, support, and account administration.
Consent	Connecting a Google account through OAuth, optional communications, certain cookies where required, and other voluntary submissions.
Legitimate interests	Securing the service, improving operational reliability, handling B2B communications, maintaining audit logs, preventing misuse, and processing publicly available business contact data for properly configured B2B outreach.
Legal obligation	Complying with applicable law, responding to lawful requests, tax/accounting obligations, and mandatory security or regulatory requirements.
Vital interests or public interest	Only in rare circumstances where applicable law recognizes such a basis, such as urgent safety or legal compliance situations.

Customers and operators using Salesagent or other agent modules are responsible for ensuring they have an appropriate legal basis for data they upload, generate, or process through the platform.

8. AI-assisted processing

Corpore.ai is an AI agent platform. Depending on the feature, user instructions, and customer configuration, information may be processed by AI systems to generate outputs, summaries, classifications, profiles, recommendations, drafts, or workflow actions.

AI-assisted processing may include:

turning voice notes or written notes into structured records;
summarizing meetings, conversations, or internal knowledge;
generating outbound sales copy from templates and campaign configuration;
classifying contacts, campaigns, tasks, or organizational information;
supporting profiling, matching, decision support, or workflow recommendations where the customer has configured such use.

We may use third-party AI infrastructure providers to process user inputs and generate outputs where needed to provide the service. We configure such processing according to product requirements, contractual protections, and applicable provider terms. We do not use Google user data obtained through Gmail OAuth to train generalized AI or machine learning models.

AI outputs may be incomplete, probabilistic, or incorrect. Customers and users remain responsible for reviewing outputs before using them in employment, care, commercial, legal, medical, financial, or other sensitive contexts.

9. Salesagent data practices

9.1 What Salesagent does

Salesagent is an outbound campaign operating layer. It helps an authorized operator configure campaigns, discover relevant company websites, store public business contact records, manage contact statuses, connect sending mailboxes, send cold outreach through a connected Gmail mailbox, and record campaign results.

9.2 Website and contact discovery

Salesagent may process publicly available business information from company websites, public directories, search results, Google Places results, and similar sources. This may include:

company names;
company websites and domains;
public business email addresses;
public phone numbers;
public Facebook page URLs;
contact page URLs and source URLs;
industry, location, language, and campaign context;
diagnostic data showing how a contact or website was discovered.

9.3 No-email Facebook fallback contacts

Salesagent may create non-sendable company-level contacts when no accepted email address is found but a public phone number and company Facebook page URL are found. These contacts may be marked with a status such as needs_email. Such records are not eligible for Gmail sending until a real email address is added and validated.

We do not use synthetic placeholder emails for no-email fallback contacts. If a contact has no real email address, the email field should remain empty or null, and the contact should remain non-sendable.

9.4 Sending controls

Salesagent is designed to prevent sending to contacts that are not eligible for sending. For example, contacts with no email address, empty email address, needs_email status, inactive status, restricted status, archived status, or do-not-contact status should not be sent through Gmail.

Operators are responsible for reviewing campaign content, recipient eligibility, local marketing rules, unsubscribe requirements, and outreach appropriateness before sending.

We do not sell personal data. We may share or process data with limited categories of service providers and subprocessors to operate the service:

Hosting and backend infrastructure providers for application hosting, serverless functions, routing, and deployment.
Database and storage providers for structured records, logs, uploaded files, transcripts, and workspace data.
Email and identity providers such as Google, when a user chooses to connect a Google account or use Gmail sending.
AI model and processing providers where needed to generate outputs, summaries, classifications, or other agent functions.
Security, monitoring, logging, and diagnostics providers for abuse prevention, reliability, and incident response.
Payment, ecommerce, or platform providers where relevant to account, subscription, website, or Shopify-hosted functions.
Professional advisers and authorities where needed for legal compliance, accounting, dispute resolution, or lawful requests.

These providers may process data only for the purposes of providing services to us or as otherwise allowed by law and applicable agreements. For Google user data specifically, our sharing is limited by the Google API Services User Data Policy and Limited Use requirements described above.

11. Security measures

We use technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. Measures may include:

HTTPS/TLS for data in transit;
server-side OAuth handling for Google account connection;
storage of backend secrets in server-side environment variables rather than frontend code;
not exposing OAuth tokens or service-role keys in Shopify Liquid, public HTML, or browser JavaScript;
access-controlled backend APIs;
database access controls and provider-level infrastructure protections;
separation between frontend display data and backend credential storage;
audit and operational logs where needed to diagnose errors, investigate misuse, and support accountability;
least-privilege design where feasible, including requesting only the Google scopes required for the implemented feature;
review of high-risk changes before expanding access to new categories of Google user data or new OAuth scopes.

No online service can guarantee absolute security. Users and customers should use strong account passwords, limit administrator access, review connected mailboxes, and revoke integrations that are no longer needed.

12. Retention

We retain personal data only as long as reasonably necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law.

Data category	Typical retention approach
Account and workspace data	Retained while the account or workspace is active and for a reasonable period afterward for support, security, audit, legal, or backup purposes.
Contact form messages	Retained as long as needed to respond, manage the relationship, and maintain business records.
Agent notes, transcripts, profiles, files, and outputs	Retained according to customer configuration, contract, product purpose, or deletion request, subject to legal and backup constraints.
Salesagent campaigns, contacts, discovery records, and send logs	Retained to preserve campaign memory, deduplication, auditability, suppression/restriction/archive status, and operational history unless deleted or anonymized according to request or contract.
Google OAuth tokens	Retained while the mailbox remains connected and needed for Gmail sending. Deleted or invalidated after disconnection, revocation, deletion request, or when no longer required.
Security and diagnostic logs	Retained for a limited period needed for security, reliability, fraud prevention, and troubleshooting.
Backups	Deleted on a delayed cycle according to backup practices unless earlier deletion is technically feasible.

13. Deletion, disconnection, and revocation

Users and customers may request deletion of personal data, subject to identity verification, legal obligations, contractual obligations, security requirements, and technical limits.

For Google-connected mailboxes:

you may revoke access through your Google Account permissions page;
you may request that we disconnect a mailbox and delete stored OAuth tokens;
after revocation or deletion, Salesagent cannot send through that mailbox unless it is reconnected;
we may retain limited logs showing that messages were sent or that a mailbox was previously connected if needed for audit, security, dispute resolution, or legal compliance.

For Salesagent contacts and campaigns, deletion may be implemented as archive, restriction, suppression, deletion, or anonymization depending on the operational purpose, legal basis, and customer instruction. Archived operational records may be retained to preserve auditability while being removed from normal active workflow.

14. Your privacy rights

Depending on your location and applicable law, you may have the right to:

access personal data we hold about you;
correct inaccurate or incomplete data;
request deletion of personal data;
request restriction of processing;
object to processing based on legitimate interests, including certain direct marketing or B2B outreach contexts;
withdraw consent where processing is based on consent;
request portability of data you provided to us, where applicable;
lodge a complaint with a data protection authority.

If we process your data on behalf of a customer organization, we may refer your request to that organization or act according to its instructions, unless applicable law requires otherwise.

To exercise rights, contact us using the contact details below. We may need to verify your identity and your relationship to the relevant account, workspace, campaign, mailbox, or organization before acting on the request.

15. Cookies and similar technologies

Our website and platform may use cookies, local storage, session storage, pixels, logs, and similar technologies for:

login and session management;
security and fraud prevention;
remembering settings such as selected campaign, collapsed panels, language, or interface preferences;
analytics, diagnostics, and service improvement;
website functionality and embedded third-party services.

You can control cookies through your browser settings. Blocking certain cookies or storage mechanisms may affect login, platform state, saved preferences, and core functionality.

16. International transfers

We may process and store data in countries other than your country of residence, depending on the hosting, database, AI processing, Google, Shopify, or infrastructure providers used. Where required, we use appropriate safeguards such as contractual protections, data processing agreements, standard contractual clauses, or equivalent mechanisms.

17. Children

Corpore.ai is primarily designed for organizations, professionals, employees, operators, and authorized business users. It is not directed to children under 13, and we do not knowingly collect personal data from children under 13 through the public website or Salesagent.

Some Everyoung or care-related deployments may involve records about residents, family members, or care contexts. Those deployments should be governed by customer-specific agreements, permissions, and legal bases appropriate to the care environment. Customers are responsible for ensuring that sensitive, care-related, or minor-related data is collected and processed lawfully.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify users or customers, such as updating the effective date, posting a notice, or requesting consent where required.

If we materially change how we access, use, store, share, or process Google user data, or if we request additional Google OAuth scopes for new purposes, we will update this policy and, where required, ask users to authorize the changed access before using Google user data for the new purpose.

19. Contact

For privacy questions, data requests, Google OAuth disconnection requests, or security concerns, contact us through:

Website: https://corpore.ai/
Contact page: https://corpore.ai/pages/contact
Email: support@corpore.ai

Please include enough information for us to identify the relevant account, workspace, mailbox, campaign, or data record. Do not send passwords, private keys, or other sensitive secrets through ordinary email or public contact forms.