Privacy Policy

Effective date: 2025-09-12

This Privacy Policy describes how we collect, use, disclose, and protect information in connection with the Agent Builder application that helps users create and run automations and AI-powered agents on top of n8n (the "Application"). "We", "us", and "our" refer to the operator of the Application. "You" refers to the user or the organization using the Application.

Important Notice: This Application uses YouTube API Services.

By using the Application, you acknowledge that this Application uses YouTube API Services to enable optional integrations with YouTube. Your use of YouTube through this Application is governed by the YouTube Terms of Service. For information about how Google handles your data when you use YouTube API Services, please review the Google Privacy Policy.

If you are completing this policy for your organization, replace the placeholders below with your legal entity name, address, and contact details:

  • Controller: MergeOS Inc.
  • Address: 1168 Vallejo St, San Francisco, CA 94109
  • Contact: privacy@mergeos.ai (for privacy-related questions and concerns)

1) Scope and Roles

  • Controller vs. Processor: For your account data, in‑product telemetry, and service administration, we act as an independent controller. For data you process through your agents and workflows (e.g., messages, webhook payloads, and data passed to third‑party connectors you choose), we act as a processor on your behalf.
  • Services Covered: This policy covers the Application’s backend, frontend, and the embedded/self‑hosted n8n instance the Application orchestrates. It also covers the remote “runner” component used to execute workflows.

2) Information We Collect

We collect information in the following categories. The specific data collected depends on how you use the Application and which integrations you connect.

  • Account and Profile Data: name (if provided), email address, and identifiers created by us (e.g., user ID). If you sign in with Google, we receive your basic Google profile information (email, name) for account creation.
  • Authentication and Security Data: JSON Web Tokens (JWTs) we issue for API access, IP address and user agent (used for rate limiting, security, and troubleshooting), and server timestamps.
  • Chat and Agent-Building Data: your chat messages, assistant responses, workflow JSON (nodes and connections), “agent state” snapshots linked to messages, OpenAI response IDs and similar metadata used to resume or refine conversations.
  • Credentials and Connected Accounts: OAuth tokens and minimal metadata for services you connect (e.g., Google APIs such as Gmail, Calendar, Drive/Sheets/Docs/Slides/Translate/YouTube; Slack; GitHub; Calendly), as well as API keys or basic/header auth you provide (e.g., OpenAI API key, HTTP Request node headers). We store these credentials encrypted at rest and use them only to perform the actions you request.
  • Webhooks and Integration Payloads: inbound requests from third‑party services (headers, query parameters, and JSON/body content) and outbound requests the workflow makes to APIs you configured. Payloads may contain personal data depending on your integrations.
  • Workflow Execution and Test Data: limited previews/samples of node inputs/outputs (e.g., first item or truncated JSON) and execution diagnostics to help you validate and troubleshoot workflows.
  • System and Usage Data: server logs, error messages, timestamps, performance metrics, and counts of sessions/threads/messages to improve reliability and support.
  • Support and Feedback: information you submit to us for support or product feedback.

3) How We Use Information

We use information to:

  • Provide and operate the Application, including generating, testing, and running your agents and workflows.
  • Authenticate users, secure the service, and prevent abuse (rate limiting, anomaly detection).
  • Store and retrieve your conversations, workflow designs, execution traces, and credentials at your direction.
  • Connect to and act on your behalf with third‑party services you authorize (via OAuth/API keys).
  • Improve and troubleshoot the Application, including monitoring reliability and performance.
  • Communicate with you about updates, security notices, and support.

Legal bases for processing (where applicable, e.g., EEA/UK/Switzerland): (a) performance of a contract (to provide the Application), (b) legitimate interests (to secure and improve the service), and (c) consent (for optional integrations and reads on your connected accounts).

4) Third‑Party Services and Disclosures

We disclose or route data to third parties only as needed to provide the Application or when you direct us to do so.

  • AI Model Providers: We use OpenAI to process user prompts, conversation history (or resumed context), and tool‑call instructions to build or refine workflows and produce responses. Content you send can be processed by OpenAI to generate the assistant’s output. See OpenAI’s privacy/security documentation for details.
  • OAuth/Connector Providers You Choose: If you connect accounts, we receive tokens and exchange data with, for example:
    • Google APIs: Gmail, Calendar, Drive, Sheets, Docs, Slides, Translate, YouTube
    • Slack
    • GitHub
    • Calendly
    • Other APIs you configure (via HTTP Request or n8n nodes, including but not limited to Salesforce, HubSpot, Shopify, Stripe, etc.).
    In all cases, data exchanged depends on your workflow and the scopes you authorize. We use these tokens only to perform workflow actions you configure.
  • YouTube API Services: If you connect your YouTube account, the Application uses YouTube API Services to access and process data according to your configured workflows. The data we may access includes (depending on the scopes you authorize):
    • Channel information (name, description, statistics)
    • Video metadata (titles, descriptions, tags, thumbnails)
    • Playlists and playlist items
    • Video comments and comment threads
    • Upload capabilities for videos you create through workflows
    • Channel subscription information
    • Analytics and reporting data (if authorized)
    We access and use YouTube data only to execute the specific workflow actions you configure (e.g., upload a video, retrieve comments, update video metadata, post a comment). We do not:
    • Use YouTube data for advertising or ad targeting
    • Store YouTube data longer than necessary to execute your workflows
    • Share YouTube data with third parties except as required to perform your configured workflow actions
    • Allow humans to read YouTube data except as necessary for security, compliance, or with your explicit consent
    Your use of YouTube through the Application is subject to the YouTube Terms of Service and the Google Privacy Policy. The Application's use of information received from YouTube APIs adheres to YouTube API Services Terms of Service, including the Limited Use requirements.
  • Hosting and Infrastructure: We host on Amazon Web Services (AWS), currently including services such as EC2/ECS/ECR, SSM Parameter Store, and CloudWatch Logs in the region(s) we operate (e.g., us‑east‑1). Infrastructure providers may process IP addresses and service metadata.
  • Embedded n8n Instance: The Application orchestrates a local/embedded n8n instance and may proxy n8n assets. n8n workflows are executed locally or via a remote runner. n8n itself may set cookies or local storage; see n8n’s documentation.
  • Service Providers: We may share limited data with vendors that provide security, logging, error monitoring, or support services under contracts requiring confidentiality and appropriate safeguards.
  • Legal and Safety: We may disclose information to comply with law, enforce our terms, or protect rights, safety, or property.

We do not sell your personal information or share it with third‑party advertisers.

5) How We Store and Protect Information

  • Encryption at Rest for Credentials: OAuth tokens and API keys are stored encrypted at rest in a dedicated credentials store managed by the Application. An application‑level encryption key is required to decrypt.
  • Encryption in Transit: We support HTTPS/TLS for data in transit where applicable. If you deploy self‑hosted components, ensure TLS is enabled.
  • Access Controls and Separation: Access to production data is limited to authorized personnel on a least‑privilege basis. Credentials are only used to execute your workflows.
  • Logging and Minimization: Operational logs avoid sensitive payloads where possible. Diagnostic previews (e.g., partial inputs/outputs) are kept minimal and primarily for debugging.

No security controls are perfect; please use strong secrets, restrict access, and review your workflow permissions.

6) Data Retention

  • Account and Profile Data: retained while your account is active and for a reasonable period thereafter to comply with legal, tax, or accounting obligations.
  • Chat, Threads, and Agent State: retained until you delete them from the Application or request deletion. You can typically remove sessions/threads/messages via the UI; if unavailable, contact us.
  • Credentials: retained until you revoke or delete them or your account is deleted. Revoking tokens in the connected service may also invalidate access.
  • Webhook and Execution Data: retained for operational purposes and troubleshooting, typically for shorter periods. Aggregated/service logs may persist longer for security, audit, and reliability.

We may anonymize or aggregate data for analytics. If legal retention requirements apply, we may retain certain records beyond the periods above.

7) International Data Transfers

We may transfer, store, and process information in countries other than where it was collected (for example, in the United States on AWS). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses for transfers of personal data from the EEA/UK/Switzerland.

8) Your Privacy Rights

Depending on your location, you may have rights to request:

  • Access to information we hold about you.
  • Correction of inaccurate data.
  • Deletion (erasure) of your personal data.
  • Restriction or objection to certain processing.
  • Portability of your personal data.
  • Withdrawal of consent where consent was the legal basis.

To exercise these rights, contact us at privacy@mergeos.ai. We may ask you to verify your identity. You also have the right to complain to your local supervisory authority.

Deleting Your Data

You can delete your data through the following procedures:

  • Chat, Threads, and Workflows: You can delete sessions, threads, messages, and workflows directly through the Application's user interface. Deleted items are permanently removed from our systems.
  • Stored Credentials: You can revoke and delete connected accounts and API keys through the Application's credential management interface. Once deleted, encrypted credentials are permanently removed from our database.
  • Account Deletion: To delete your entire account and all associated data, contact us at privacy@mergeos.ai. We will delete your account data within 30 days, except where we must retain certain records for legal, tax, or security purposes.

Revoking Google and YouTube API Access

If you have connected Google services (including Gmail, Calendar, Drive, YouTube, or other Google APIs) to the Application, you can revoke the Application's access to your Google data at any time through Google's security settings:

On this page, you can:

  • View all third-party applications (including Midpoint) that have access to your Google account data
  • Review what data each application can access
  • Revoke access for any application, which immediately prevents that application from accessing your Google data

Once you revoke access through Google's security settings:

  • The Application will no longer be able to access your Google account data
  • Any workflows that depend on Google API access will stop functioning until you re-authorize
  • We will be unable to refresh OAuth tokens for the revoked connection
  • You should also delete the stored credential from the Application's credential management interface to fully remove it from our systems

For other connected services (Slack, GitHub, Calendly, etc.), you can revoke access through each service's respective security or application settings page, then delete the credential from the Application.

9) California Disclosures (CCPA/CPRA)

We do not sell or share personal information as defined by the CCPA/CPRA. We process the categories of information described in Section 2 for the business purposes in Section 3. California residents may exercise rights to know, delete, and correct as described in Section 8. We do not use or disclose sensitive personal information for purposes other than those permitted by the CPRA.

10) Children’s Privacy

The Application is not directed to children under 16 and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will take appropriate steps.

11) Cookies and Similar Technologies

We use cookies, local storage, and similar tracking technologies to operate the Service and understand how users interact with it.

Essential Technologies

  • Authentication: We primarily use token-based authentication (JWT in an Authorization header) for API access. These tokens are required for the Service to function.
  • WebSockets: Real-time features (e.g., live workflow updates) use WebSocket connections.
  • n8n Editor: The embedded n8n workflow editor may set its own cookies or use local storage for session management and UI preferences (e.g., zoom level, node positioning).

Analytics and Marketing Technologies

  • PostHog (Product Analytics): We use PostHog to collect product analytics, including:
    • Page views, feature usage, and navigation patterns
    • Session recordings that capture your interactions with the Application (mouse movements, clicks, scrolls)
    • User profiles to understand usage patterns across sessions
    PostHog may set cookies or use local storage in your browser. Session recordings can be disabled upon request. See PostHog's privacy policy at posthog.com/privacy.
  • Google Analytics 4: We use Google Analytics to measure website traffic and user behavior on our marketing pages. Google may set cookies to track page views, referral sources, and user demographics. See Google's privacy policy at policies.google.com/privacy.
  • Facebook Pixel: We use Facebook Pixel (ID: 709293522213668) to track page views and conversions for advertising campaigns. Facebook may set cookies to enable retargeting and measure ad performance. See Facebook's privacy policy at facebook.com/privacy/policy.
  • Dub Analytics: We use Dub.co for link tracking and attribution. Dub sets a cookie (dub_id) on the .midpoint.ai domain that:
    • Expires after 90 days
    • Tracks click attribution across marketing campaigns
    • Automatically tags outbound links to app.midpoint.ai with attribution IDs
    • Enables us to measure conversion rates from different referral sources
  • Klaviyo (Email Marketing): If you subscribe to our mailing list, Klaviyo may set cookies to track email engagement and website visits for personalized email campaigns.

Information Collected Through Cookies

The tracking technologies described above may collect or have access to:

  • Your IP address and approximate location (city/region level)
  • Browser type, version, and language preferences
  • Device type, operating system, and screen resolution
  • Pages visited, time spent on pages, and navigation paths
  • Referral sources (which website or ad brought you to Midpoint)
  • Click behavior, form interactions, and feature usage
  • Session replays showing your interactions with the Application (PostHog only)

Third-Party Access

The analytics and advertising services listed above (PostHog, Google, Facebook, Dub, Klaviyo) may use the information they collect for their own purposes, including:

  • Building user profiles across multiple websites
  • Serving targeted advertisements on other platforms
  • Measuring the effectiveness of advertising campaigns
  • Aggregating data with information from other sources

We do not control how these third parties use cookies or data. Please review their respective privacy policies for details.

Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to:

  • View and delete existing cookies
  • Block all cookies or only third-party cookies
  • Receive notifications before cookies are set
  • Browse in private/incognito mode

Note that disabling essential cookies (authentication, n8n editor) will prevent you from using the Service. Disabling analytics cookies will not affect core functionality but may limit our ability to improve the product.

To opt out of interest-based advertising:

12) Service‑Specific Notices

  • OpenAI: User prompts, portions of conversation history, tool instructions, and relevant workflow context may be sent to OpenAI to generate responses or refine workflows. We configure models intended for API use. Refer to OpenAI’s terms and privacy documentation. Do not include regulated or highly sensitive data in prompts unless your compliance review permits it.
  • Google APIs (including Gmail): Use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. For Gmail scopes, we access and use message data only to perform actions you explicitly configure (e.g., read, draft, send, label) and do not use Gmail data to serve ads.
  • Slack, GitHub, Calendly and others: We retrieve and use tokens and data strictly to execute your configured actions (e.g., post a Slack message, read GitHub issues, retrieve Calendly events) and do not use such data for unrelated purposes.
  • AWS Hosting: We operate on AWS infrastructure (e.g., us‑east‑1). AWS may process IP addresses and service metadata to deliver infrastructure services.

13) Your Responsibilities

  • Data You Bring: Workflows you design may process third‑party personal data (e.g., via webhooks or connectors). You are responsible for ensuring you have a lawful basis to process such data and for configuring scopes and nodes appropriately.
  • Secrets Hygiene: Provide only the minimum necessary scopes and rotate/revoke tokens when no longer needed. Avoid sending secrets or highly sensitive data in free‑form prompts.
  • Third‑Party Terms: Your use of connected services remains subject to those services’ terms and privacy policies.

14) Changes to This Policy

We may update this policy from time to time. When we do, we will revise the “Effective date” above and, where appropriate, provide additional notice (e.g., in‑app or by email). Your continued use of the Application after an update constitutes acceptance of the revised policy.

15) Contact Us

Questions or requests regarding this policy can be sent to: privacy@mergeos.ai. If you are in the EEA/UK and require details for our EU/UK representative or Data Protection Officer (if applicable), contact us at the address above.

Appendix: Security Highlights (Overview)

  • Encrypted credential storage with an application‑level key.
  • TLS for data in transit where supported.
  • Rate limiting and abuse prevention tied to IP and headers.
  • Principle of least privilege for service and infrastructure access.
  • Minimal diagnostic previews for workflow debugging; avoid logging full payloads by default.

If you deploy the Application yourself, you are responsible for configuring secure transport, storage, backups, and access controls in your environment.

Launch Now Launch Now Launch Now Launch Now Launch Now Launch Now Launch Now Launch Now Launch Now
© 2025 MergeOS Inc.. 
All rights reserved. 
Built in San Francisco.