SeedOS

Legal

Privacy Policy

Last updated: 2026-04-30

This policy explains how SeedOS (“we”, “us”) handles information when you visit seedos.io, talk to us, or use the SeedOS platform. We have tried to keep it readable. The short version is simple: we collect what we need to run the service, protect it carefully, and do not sell it.

In plain English

  • We collect account details, form submissions, product usage, security logs, and the business records you put into SeedOS.
  • We do not sell your data. We do not use your business records or files to train third-party AI models.
  • The vendors that process data for us are named below, including hosting, storage, analytics, email, payments, and AI providers.
  • AI agents only receive the prompt and record context needed for the task you ask them to do.
  • You can ask for a copy, correction, export, or deletion of your data, subject to legal and security limits.

Who we are

SeedOS is a software platform operated from Quebec, Canada. For privacy questions, data requests, or anything in this policy, email legal@seedos.io.

Scope

This policy covers the places where we control how information is handled:

  • Visitors to seedos.io, our blog, and our landing pages.
  • People who book a demo, contact us, or sign up for a SeedOS account.
  • Authorized users inside customer accounts, including team members and invited collaborators.

If you are an end customer, subcontractor, supplier, or contact inside one of our customer workspaces, that customer controls the record. We process that data for them. You can still contact us, but we may need to route the request back to the customer who owns the workspace.

Data we collect

We collect data in five practical buckets.

  • Account data. Name, work email, role, company, time zone, hashed password, encrypted OAuth refresh tokens, and avatar. We collect this when you create an account or accept an invite.
  • Customer business data. The records and files you put into SeedOS. That can include customers, suppliers, products, quotes, invoices, purchase orders, payments, taxes, stock movements, shipments, deliveries, uploaded PDFs, drawings, attachments, RFIs, change orders, lien waivers, prepress jobs, ecommerce orders, and similar operating records.
  • Usage data. Pages visited, features used, and in-app events. We use this in aggregate to understand what is working and what needs fixing. We do not build individual advertising profiles.
  • Audit data. Security events, AI tool calls, and undo or redo history. Security events are kept for 365 days. AI tool-call logs are kept for 90 days unless a customer agreement says otherwise.
  • Demo and sales data. Name, email, phone, company, message, revenue band, pain points, booking time, and similar details you choose to send through a form.

What we do not collect

A few lines we do not cross unless the service changes and the policy changes with it:

  • No payment card data. Stripe handles all card data for paid plans. SeedOS never sees a card number.
  • No government IDs. No SSN, SIN, EIN, passport, or driver's license.
  • No health, biometric, or genetic data.
  • No precise location tracking. We may receive an IP address from your browser for security, routing, and basic region handling, but we do not track GPS location.
  • No device fingerprinting. No keystroke capture, no session recording, no canvas fingerprinting.

How we use it

We use data for the work you would expect from an operating system:

  • To run SeedOS, keep accounts working, store records, route workflows, and support your team.
  • To improve product quality, using aggregated usage data and feedback.
  • To communicate with you about the service, your account, support, demos, billing, or security. Marketing messages are opt-in.
  • To detect, prevent, and respond to abuse, fraud, or security incidents.
  • To meet legal obligations, such as tax, accounting, records, and valid legal requests.

AI processing

SeedOS includes AI agents. They are useful because they can work with the records inside your workspace, so we want this part to be very clear.

  • Vendors. We use Anthropic and OpenAI for AI inference under commercial API terms that include no-training commitments and zero-retention arrangements for the data we send through those AI calls.
  • What gets sent. The agent receives the prompt and the records it needs for the task. If you ask an agent to summarize an invoice, it receives that invoice. It does not receive the whole workspace by default.
  • What we log. We log AI calls so we can debug, audit, and improve reliability. Logs are sanitized: prompts and responses are length-capped, common sensitive keys such as authorization, api_key, token, password, secret, cookie, session, and credential are redacted, and deeply nested data is truncated.
  • No model training. Customer data is not used to train Anthropic, OpenAI, or another third-party model. Aggregated, de-identified usage data may help us improve SeedOS itself, but not your business records, customer lists, or files.
  • Human review still matters. AI can be wrong. Please verify AI output before relying on it for financial, legal, regulatory, or safety-critical decisions. The Terms of Service explain the liability boundary.

Sub-processors

These are the vendors that may process data for us, depending on how you use the site or platform.

  • MongoDB Atlas - primary database, with Canada as the default region for new tenants.
  • AWS S3 - file storage, US by default; other regions may be available on higher tiers or by agreement.
  • Vercel - marketing site hosting and edge delivery.
  • Cloudflare - DNS, CDN, and web application firewall.
  • Google Analytics - aggregated usage analytics on marketing pages.
  • Stripe - billing and payment processing for paid plans.
  • Resend - transactional and internal notification email.
  • Anthropic - AI inference for agent tasks.
  • OpenAI - AI inference for agent tasks.

Integrations you connect

SeedOS can connect to tools such as Stripe, QuickBooks, Sage, Xero, Shopify, Google Workspace, Microsoft 365, Procore, and similar services. When you connect one, you authorize SeedOS to exchange the data needed to make that integration work. You can disconnect an integration, but the records already synced into SeedOS may remain in your workspace unless you delete them or ask us to help.

Your rights

Depending on where you live and how your data is being used, you may have the right to access, correct, export, restrict, or delete personal information. Send requests to legal@seedos.io. We may need to verify your identity and, if the data belongs to a customer workspace, coordinate with that customer before acting.

If you are in Quebec or elsewhere in Canada, privacy law generally gives individuals a right to ask whether an organization holds personal information about them, to access it, and to request correction when it is incomplete or inaccurate. Some requests can be limited by law, security, another person's privacy, or a customer's control of the workspace.

Cookies

We use the cookies and local storage needed to run the site and platform, keep you signed in, remember basic preferences, and protect the service. We do not use session replay, keystroke capture, or device fingerprinting. If we add advertising cookies later, this policy will be updated and the site will ask for consent where required.

Security

We protect data with encryption in transit, encryption at rest where supported by our infrastructure, access controls, tenant separation, audit logs, backups, and least-privilege access for our team. No system is perfectly secure, but security events are treated as urgent operational work, not as a support queue item.

International transfers

SeedOS is operated from Canada and uses vendors with infrastructure in Canada, the United States, and global edge networks. That means your data may be processed outside your province, state, or country. When we use vendors outside Quebec or Canada, we rely on contracts, access controls, and vendor security commitments to protect the data.

Retention

We keep account and customer business data while the workspace is active. If you close your account or ask us to delete data, we delete or anonymize it unless we need to keep it for legal, tax, security, backup, or dispute reasons. Backup copies age out on their normal cycle. Security logs are kept for 365 days, and AI tool-call logs are kept for 90 days unless your customer agreement says otherwise.

Children

SeedOS is built for businesses. It is not intended for children under 16, and we do not knowingly collect personal information from children.

Changes to this policy

We will update the date at the top when this policy changes. If a change materially affects how we collect, use, or share data, we will take reasonable steps to notify customers through the product, by email, or both.

Contact + Privacy Officer

For privacy requests, email legal@seedos.iowith “Privacy request” in the subject if you can. We will route it to the person responsible for privacy at SeedOS and respond as soon as reasonably possible.