01 Who we are.
eida systems — the company behind eida, the AI-native business operating system.
eida systems ("eida", "we", "us") operates the eida product
and the eida.ai website. We're the data controller for the personal
information described in this policy. We're a small team based in Bengaluru,
building for businesses worldwide.
If you're on a paid plan, your business may also be a controller of the data
you bring into eida (your clients, your records). In that case, we're the
processor, and we handle that data on your instructions.
02 Scope.
This policy covers:
- The eida.ai website — including the waitlist, marketing pages, and any documentation we publish.
- The eida product — when it becomes available to you as part of a cohort or paid plan.
- Direct communication — emails you send us, messages through support channels.
It doesn't cover third-party services we link to (Stripe checkout pages,
Google Sign-In screens, etc.) — those operate under their own policies.
03 What we collect.
Only what we need to do the thing you asked us to do.
- Account information — name, email address, and (for paid plans) billing details. Provided by you when you sign up or join a cohort.
- Workspace content — the business descriptions, briefs, records, files, and prompts you put into eida. This is yours; we hold it for you.
- Usage telemetry — which features you used, when, and for how long. We use this to improve the product; it doesn't include the contents of your prompts.
- Device & log data — IP address, browser, OS, referring page, crash logs. Collected automatically by the servers and analytics tools you'd expect.
- Communication — anything you send us in support emails or feedback forms.
In plain English
We don't collect race, religion, sexual orientation, political views, or
biometric data. If your workspace happens to contain that kind of information
because of your business (a clinic, say), it's treated as workspace content
under your control.
04 How we use it.
- Run the product — authenticate you, store your work, send AI requests on your behalf, generate creative output.
- Operate the business — bill paying customers, respond to support, honour refund and warranty obligations.
- Improve eida — aggregated usage signals to decide what to build next. Never identifiable, never sold.
- Talk to you — cohort invitations, product updates, security notices. You can unsubscribe from marketing at any time; transactional emails (receipts, security) you can't opt out of while your account is active.
- Comply with the law — respond to lawful requests, prevent fraud, enforce our terms.
05 Legal basis.
For users in the EEA, UK, and other regions with similar laws, our legal bases are:
- Contract — we need it to deliver the service you signed up for.
- Legitimate interests — operating, securing, and improving the product, where your interests don't override ours.
- Consent — for optional marketing communications and non-essential cookies; you can withdraw at any time.
- Legal obligation — tax, accounting, fraud prevention, lawful requests.
06 Who we share with.
A short list. We do not sell personal data — ever.
- Infrastructure — Google Cloud, Vercel, Firebase (hosting, storage, authentication).
- AI providers — Anthropic, Google (Gemini), OpenAI. Prompts and outputs are processed under their enterprise terms, with training opt-out where available.
- Payments — Stripe. We never see your full card number.
- Email & support — transactional email providers and a help desk tool.
- Analytics — privacy-respecting product analytics; no third-party advertising trackers.
- Legal authorities — only when compelled by a lawful, narrowly-scoped request, and we'll tell you unless legally prohibited.
All processors are under written contracts (DPAs) that bind them to handle
your data only on our instructions and to delete it when our relationship
ends.
07 How long we keep it.
- Active accounts — for as long as your account is open.
- After account closure — workspace content is deleted within 30 days of confirmation; we keep account records for up to 7 years where tax law requires it.
- Logs & telemetry — 90 days, then aggregated or deleted.
- Backups — encrypted snapshots are rotated out within 35 days.
- Marketing lists — until you unsubscribe.
08 Your rights.
Wherever you are, you can:
- Access — ask for a copy of the personal data we hold on you.
- Correct — fix anything that's wrong.
- Delete — close your account and have it removed.
- Export — get your workspace in a portable, open format (JSON / CSV / standard files).
- Object & restrict — push back on a specific use of your data; we'll honour it unless we have an overriding legal reason.
- Withdraw consent — for anything you previously opted in to.
- Complain — to your local data protection authority. We'd prefer you talk to us first.
Email privacy@eida.ai from the address on your account
and we'll respond within 30 days.
09 Security.
The basics, done properly:
- Encryption — TLS in transit, AES-256 at rest, key rotation on the providers' standard schedule.
- Access control — least-privilege, MFA enforced on every operational account, audit logging on production access.
- Tenancy — workspaces are logically isolated; one customer's queries can't reach another's data.
- Vendor review — every processor goes through a security review before we route data to them.
- Incident response — if a breach affects you, we'll tell you within 72 hours of confirmation and explain what we're doing about it.
No system is bulletproof. If you spot a vulnerability, write to security@eida.ai.
10 Cookies.
We use three kinds:
- Essential — to keep you logged in and remember basic preferences. Can't be turned off without breaking the product.
- Analytics — aggregated, privacy-respecting usage data. You can opt out from the cookie banner.
- Functional — remember UI preferences (theme, density). Opt-out available.
We don't run third-party ad trackers. We never have.
11 AI & model training.
A separate section because it deserves one.
eida sends your prompts and workspace content to third-party AI providers
(currently Anthropic, Google, OpenAI) to generate responses. We use their
enterprise APIs, which by default do not train on your inputs or
outputs.
We don't train our own models on your data. If we ever build a fine-tuned
model, we'll do it only on data you explicitly opt in to share, or on data we
generate ourselves.
Generated content (images, copy, structured records) is yours — see the
Terms of Service for the licence detail.
12 Changes.
We'll revise this policy as the product evolves. Material changes get a
notice in-product and an email to the address on your account at least 30
days before they take effect. Older versions stay accessible at
eida.ai/privacy/archive.