Privacy Policy

Effective date: 2025-09-12

This Privacy Policy describes how we collect, use, disclose, and protect information in connection with the Agent Builder application that helps users create and run automations and AI-powered agents on top of n8n (the “Application”). “We”, “us”, and “our” refer to the operator of the Application. “You” refers to the user or the organization using the Application.

If you are completing this policy for your organization, replace the placeholders below with your legal entity name, address, and contact details:

  • Controller: MergeOS Inc.
  • Address: 1168 Vallejo St, San Francisco, CA 94109
  • Contact: daniel@midpoint.ai

1) Scope and Roles

  • Controller vs. Processor: For your account data, in‑product telemetry, and service administration, we act as an independent controller. For data you process through your agents and workflows (e.g., messages, webhook payloads, and data passed to third‑party connectors you choose), we act as a processor on your behalf.
  • Services Covered: This policy covers the Application’s backend, frontend, and the embedded/self‑hosted n8n instance the Application orchestrates. It also covers the remote “runner” component used to execute workflows.

2) Information We Collect

We collect information in the following categories. The specific data collected depends on how you use the Application and which integrations you connect.

  • Account and Profile Data: name (if provided), email address, and identifiers created by us (e.g., user ID). If you sign in with Google, we receive your basic Google profile information (email, name) for account creation.
  • Authentication and Security Data: JSON Web Tokens (JWTs) we issue for API access, IP address and user agent (used for rate limiting, security, and troubleshooting), and server timestamps.
  • Chat and Agent-Building Data: your chat messages, assistant responses, workflow JSON (nodes and connections), “agent state” snapshots linked to messages, OpenAI response IDs and similar metadata used to resume or refine conversations.
  • Credentials and Connected Accounts: OAuth tokens and minimal metadata for services you connect (e.g., Google APIs such as Gmail, Calendar, Drive/Sheets/Docs/Slides/Translate/YouTube; Slack; GitHub; Calendly), as well as API keys or basic/header auth you provide (e.g., OpenAI API key, HTTP Request node headers). We store these credentials encrypted at rest and use them only to perform the actions you request.
  • Webhooks and Integration Payloads: inbound requests from third‑party services (headers, query parameters, and JSON/body content) and outbound requests the workflow makes to APIs you configured. Payloads may contain personal data depending on your integrations.
  • Workflow Execution and Test Data: limited previews/samples of node inputs/outputs (e.g., first item or truncated JSON) and execution diagnostics to help you validate and troubleshoot workflows.
  • System and Usage Data: server logs, error messages, timestamps, performance metrics, and counts of sessions/threads/messages to improve reliability and support.
  • Support and Feedback: information you submit to us for support or product feedback.

3) How We Use Information

We use information to:

  • Provide and operate the Application, including generating, testing, and running your agents and workflows.
  • Authenticate users, secure the service, and prevent abuse (rate limiting, anomaly detection).
  • Store and retrieve your conversations, workflow designs, execution traces, and credentials at your direction.
  • Connect to and act on your behalf with third‑party services you authorize (via OAuth/API keys).
  • Improve and troubleshoot the Application, including monitoring reliability and performance.
  • Communicate with you about updates, security notices, and support.

Legal bases for processing (where applicable, e.g., EEA/UK/Switzerland): (a) performance of a contract (to provide the Application), (b) legitimate interests (to secure and improve the service), and (c) consent (for optional integrations and reads on your connected accounts).

4) Third‑Party Services and Disclosures

We disclose or route data to third parties only as needed to provide the Application or when you direct us to do so.

  • AI Model Providers: We use OpenAI to process user prompts, conversation history (or resumed context), and tool‑call instructions to build or refine workflows and produce responses. Content you send can be processed by OpenAI to generate the assistant’s output. See OpenAI’s privacy/security documentation for details.
  • OAuth/Connector Providers You Choose: If you connect accounts, we receive tokens and exchange data with, for example:
    • Google APIs: Gmail, Calendar, Drive, Sheets, Docs, Slides, Translate, YouTube
    • Slack
    • GitHub
    • Calendly
    • Other APIs you configure (via HTTP Request or n8n nodes, including but not limited to Salesforce, HubSpot, Shopify, Stripe, etc.).
    In all cases, data exchanged depends on your workflow and the scopes you authorize. We use these tokens only to perform workflow actions you configure.
  • Hosting and Infrastructure: We host on Amazon Web Services (AWS), currently including services such as EC2/ECS/ECR, SSM Parameter Store, and CloudWatch Logs in the region(s) we operate (e.g., us‑east‑1). Infrastructure providers may process IP addresses and service metadata.
  • Embedded n8n Instance: The Application orchestrates a local/embedded n8n instance and may proxy n8n assets. n8n workflows are executed locally or via a remote runner. n8n itself may set cookies or local storage; see n8n’s documentation.
  • Service Providers: We may share limited data with vendors that provide security, logging, error monitoring, or support services under contracts requiring confidentiality and appropriate safeguards.
  • Legal and Safety: We may disclose information to comply with law, enforce our terms, or protect rights, safety, or property.

We do not sell your personal information or share it with third‑party advertisers.

5) How We Store and Protect Information

  • Encryption at Rest for Credentials: OAuth tokens and API keys are stored encrypted at rest in a dedicated credentials store managed by the Application. An application‑level encryption key is required to decrypt.
  • Encryption in Transit: We support HTTPS/TLS for data in transit where applicable. If you deploy self‑hosted components, ensure TLS is enabled.
  • Access Controls and Separation: Access to production data is limited to authorized personnel on a least‑privilege basis. Credentials are only used to execute your workflows.
  • Logging and Minimization: Operational logs avoid sensitive payloads where possible. Diagnostic previews (e.g., partial inputs/outputs) are kept minimal and primarily for debugging.

No security controls are perfect; please use strong secrets, restrict access, and review your workflow permissions.

6) Data Retention

  • Account and Profile Data: retained while your account is active and for a reasonable period thereafter to comply with legal, tax, or accounting obligations.
  • Chat, Threads, and Agent State: retained until you delete them from the Application or request deletion. You can typically remove sessions/threads/messages via the UI; if unavailable, contact us.
  • Credentials: retained until you revoke or delete them or your account is deleted. Revoking tokens in the connected service may also invalidate access.
  • Webhook and Execution Data: retained for operational purposes and troubleshooting, typically for shorter periods. Aggregated/service logs may persist longer for security, audit, and reliability.

We may anonymize or aggregate data for analytics. If legal retention requirements apply, we may retain certain records beyond the periods above.

7) International Data Transfers

We may transfer, store, and process information in countries other than where it was collected (for example, in the United States on AWS). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses for transfers of personal data from the EEA/UK/Switzerland.

8) Your Privacy Rights

Depending on your location, you may have rights to request:

  • Access to information we hold about you.
  • Correction of inaccurate data.
  • Deletion (erasure) of your personal data.
  • Restriction or objection to certain processing.
  • Portability of your personal data.
  • Withdrawal of consent where consent was the legal basis.

To exercise these rights, contact us at privacy@mergeos.ai. We may ask you to verify your identity. You also have the right to complain to your local supervisory authority.

9) California Disclosures (CCPA/CPRA)

We do not sell or share personal information as defined by the CCPA/CPRA. We process the categories of information described in Section 2 for the business purposes in Section 3. California residents may exercise rights to know, delete, and correct as described in Section 8. We do not use or disclose sensitive personal information for purposes other than those permitted by the CPRA.

10) Children’s Privacy

The Application is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will take appropriate steps.

11) Cookies and Similar Technologies

The Application primarily uses token‑based auth (JWT in an Authorization header) and WebSockets for real‑time features. We do not use third‑party advertising cookies. The embedded n8n editor may set its own cookies or local storage for session and UI preferences. You can manage browser‑level cookie controls, but disabling necessary cookies may impact functionality.

12) Service‑Specific Notices

  • OpenAI: User prompts, portions of conversation history, tool instructions, and relevant workflow context may be sent to OpenAI to generate responses or refine workflows. We configure models intended for API use. Refer to OpenAI’s terms and privacy documentation. Do not include regulated or highly sensitive data in prompts unless your compliance review permits it.
  • Google APIs (including Gmail): Use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. For Gmail scopes, we access and use message data only to perform actions you explicitly configure (e.g., read, draft, send, label) and do not use Gmail data to serve ads.
  • Slack, GitHub, Calendly and others: We retrieve and use tokens and data strictly to execute your configured actions (e.g., post a Slack message, read GitHub issues, retrieve Calendly events) and do not use such data for unrelated purposes.
  • AWS Hosting: We operate on AWS infrastructure (e.g., us‑east‑1). AWS may process IP addresses and service metadata to deliver infrastructure services.

13) Your Responsibilities

  • Data You Bring: Workflows you design may process third‑party personal data (e.g., via webhooks or connectors). You are responsible for ensuring you have a lawful basis to process such data and for configuring scopes and nodes appropriately.
  • Secrets Hygiene: Provide only the minimum necessary scopes and rotate/revoke tokens when no longer needed. Avoid sending secrets or highly sensitive data in free‑form prompts.
  • Third‑Party Terms: Your use of connected services remains subject to those services’ terms and privacy policies.

14) Changes to This Policy

We may update this policy from time to time. When we do, we will revise the “Effective date” above and, where appropriate, provide additional notice (e.g., in‑app or by email). Your continued use of the Application after an update constitutes acceptance of the revised policy.

15) Contact Us

Questions or requests regarding this policy can be sent to: privacy@mergeos.ai. If you are in the EEA/UK and require details for our EU/UK representative or Data Protection Officer (if applicable), contact us at the address above.

Appendix: Security Highlights (Overview)

  • Encrypted credential storage with an application‑level key.
  • TLS for data in transit where supported.
  • Rate limiting and abuse prevention tied to IP and headers.
  • Principle of least privilege for service and infrastructure access.
  • Minimal diagnostic previews for workflow debugging; avoid logging full payloads by default.

If you deploy the Application yourself, you are responsible for configuring secure transport, storage, backups, and access controls in your environment.