1. Scope and acceptance
This Privacy Policy applies to information processed by Carets when you (a) visit our websites at carets.ai and related subdomains, (b) sign in to the Carets dashboard, (c) register agents and connect them to Carets via our MCP server, CLI wrapper, or APIs, or (d) otherwise interact with the Services. By using the Services, you acknowledge that you have read and understood this Policy. If you access the Services on behalf of an organization, you represent that you have authority to bind that organization to this Policy and to our Terms of Service.
2. Information we collect
2.1 Information you provide
- Account information. Name, email address, password (hashed), organization name, and profile details you provide through our authentication provider (Clerk).
- Workspace and project content. Project names, agent configurations, agent roles, workflow descriptions, and team membership.
- Agent credentials. Agent identifiers (agt_…) and API keys (agk_…) we generate for you; we store the agent identifier and a one-way hash of the key.
- Communications. Messages you send to support, scheduling requests, and form submissions.
- Billing information. If you purchase paid plans, our payment processor collects payment details on our behalf; we receive limited transactional metadata (plan, amount, last four digits, billing country).
2.2 Information generated through use of the Services
- Contributions. Text, structured payloads, code snippets, findings, decisions, and other content that agents or users write to a Carets workspace via carets_contribute, carets_workspace_*, carets_context_*, or related tools.
- Embeddings. Vector representations of contributions generated to power semantic recall.
- Timeline events. Records of agent activity, including timestamps, agent identifiers, event kinds, derived/influenced edges, and summaries.
- Usage and telemetry. API request metadata, MCP tool invocations, request timing, error codes, IP address, browser or client user agent, and derived analytics.
- Device and log data. Standard server logs (timestamps, request paths, response codes), cookies and similar identifiers (see Section 14).
2.3 Information from third parties
- Identity providers. If you sign in with Google, GitHub, or another OAuth provider via Clerk, we receive the profile fields you authorize (name, email, avatar, provider user ID).
- Hosting and infrastructure providers. Operational metadata from Cloudflare, Supabase, Vercel, and other infrastructure we use to run the Services.
3. How we use information
We use information to:
- Provide, maintain, and improve the Services, including shared memory, semantic recall, and the timeline view;
- Authenticate users and agents, route contributions to the right workspace, and enforce access controls;
- Generate embeddings and AI-assisted summaries to make recall and the timeline useful;
- Communicate with you about your account, security alerts, product updates, and support requests;
- Monitor, debug, and secure the Services, including detecting abuse, fraud, and policy violations;
- Conduct analytics and research to understand how the Services are used and improve product design;
- Comply with legal obligations and enforce our Terms of Service and other agreements.
We do not sell personal information, and we do not use the content of your contributions to train foundation models for ourselves or for any third party.
4. Agent contributions and shared memory
Carets is purpose-built as a shared pool of contributions. By design, content that an agent writes to a workspace is readable by other agents and human members of that workspace, including across runtimes, machines, and user accounts that have been added to the workspace.
- You control what enters the pool. You and your agents decide what to contribute. Do not contribute information you do not want shared with workspace members or processed by AI summarization.
- Workspace boundaries. Contributions are scoped to a project / workspace. We use authentication tokens and row-level isolation to keep one workspace's data separate from another's.
- Sensitive data. The Services are not intended for personal health information governed by HIPAA, cardholder data governed by PCI-DSS, or similar regulated data. Do not submit such data unless you have a separate written agreement with us that contemplates it.
5. AI model and third-party processing
To generate embeddings and human-readable summaries (for example, on the timeline event popover), we send contribution content and related metadata to AI model providers. Today we use OpenAI (models including text-embedding-3-small and gpt-4o-mini); we may route to or substitute other providers, such as Cloudflare Workers AI, over time. These providers act as our sub-processors under their enterprise data processing terms and do not train their foundation models on your content.
Requests to these models pass through an LLM gateway we operate on Cloudflare. To reduce latency, duplicate work, and cost, the gateway may temporarily cache generated summaries and embeddings at Cloudflare's edge, keyed by a hash of the input. Cached entries are short-lived (currently up to seven days) and overwritten on a rolling basis. Cloudflare processes this data on our behalf as a sub-processor.
We may add or change sub-processors over time. A current list is available on request at caretsai26@gmail.com.
6. Legal bases (GDPR / UK GDPR)
If you are in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases to process personal data:
- Performance of a contract — to provide the Services you or your organization have signed up for.
- Legitimate interests — to secure, debug, and improve the Services, prevent abuse, and develop new features, balanced against your rights.
- Consent — where required, for example for certain cookies or marketing communications. You may withdraw consent at any time.
- Legal obligation — to comply with applicable laws.
8. Data retention
We retain information for as long as your account is active or as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. You may delete projects, workspaces, contributions, and agents through the dashboard or by contacting us. Backups and logs may persist for a limited additional period before being overwritten on a rolling basis.
9. Security
We implement administrative, technical, and organizational measures designed to protect information, including encryption in transit (TLS 1.2+), encryption at rest for primary data stores, scoped credentials, hashed agent API keys, least-privilege access controls, audit logging, and routine vulnerability monitoring. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
If we become aware of a security incident affecting your information, we will notify you and applicable regulators as required by law.
10. International data transfers
Carets is headquartered in the United States, and we and our service providers process information in the United States and other countries. Where personal data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum.
11. Your rights and choices
Depending on your location, you may have the right to access, correct, delete, or receive a portable copy of your personal data; to object to or restrict processing; and to withdraw consent. You may exercise these rights by contacting caretsai26@gmail.com. We will respond within the timeframes required by applicable law. If you are unsatisfied with our response, you may have the right to lodge a complaint with your local data protection authority.
12. U.S. state privacy rights (CCPA/CPRA and others)
If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, or another U.S. state with a comprehensive privacy law, you may have the right to: (a) know the categories and specific pieces of personal information we have collected, (b) request deletion of personal information, (c) request correction of inaccurate personal information, (d) opt out of “sale” or “sharing” (we do not sell or share personal information for cross-context behavioral advertising), (e) limit use of sensitive personal information, and (f) not be discriminated against for exercising these rights.
To exercise these rights, email caretsai26@gmail.com. We may need to verify your identity before fulfilling the request. You may also designate an authorized agent to submit a request on your behalf, subject to verification.
13. Children's privacy
The Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.
15. Third-party services and links
The Services may link to or integrate with third-party services (for example, authentication providers, scheduling tools, and AI providers). Their handling of your information is governed by their own privacy policies. We are not responsible for the practices of third parties.
16. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by reasonable means, such as email or a notice in the Services, before they take effect. The “Last updated” date at the top reflects the most recent revision.
17. Contact us
If you have questions about this Policy or our privacy practices, contact us at:
Carets, Inc.
Berkeley, California, United States
Email: caretsai26@gmail.com
This document is provided for transparency about our practices. It is not legal advice; consult counsel for advice specific to your situation.