Privacy Policy

1. Introduction

Welcome to Referent, operated by Rodrigo Mahamud García, trading as Referent ("Referent," "we," "us," or "our"). We operate the Referent AI-powered enterprise knowledge assistant service (the "Service"), which integrates with your workspace tools to help improve business operations using artificial intelligence ("AI").

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Service, and outlines your rights and choices. By using the Service, you agree to the practices described in this Privacy Policy.

We review this Privacy Policy at least annually to ensure it remains accurate, complete, and compliant with applicable laws and our internal data governance standards.

2. Information We Collect

We collect only the information necessary to provide, maintain, and secure the Service.

A. Workspace and user information

When you install or use Referent, we may store:

• Workspace identifiers (e.g., workspace/team ID) and limited workspace metadata needed to operate the integration.
• Administrator information for the person who installs Referent (name and email address as provided by the connected service).
• User identifiers for users who interact with Referent (e.g., user ID, display name, and email address if provided by the connected service).
• User mapping data to associate actions/permissions with users (e.g., workspace/team ID, user ID, email, username).

B. Connection credentials

We store credentials necessary to maintain integrations, including:

• OAuth tokens (access/refresh tokens), token scopes, and expiration metadata.
• Credentials or tokens for other third-party integrations you enable (if applicable).
• Integrations in Referent are workspace-shared. Related credentials and tool settings may therefore be available for use by authorized members of that workspace through Referent.

C. Content and records inside Referent

We store content needed to provide continuity and run the Service, including:

• Workspace files created or uploaded in Referent (e.g., company notes, team profiles, run logs, reports, todo lists, and other documents).
• Conversation threads and messages between users and Referent, including agent outputs and tool calls.
• Approvals/permission decisions (approval or rejection records) related to actions Referent requests.
• Scheduled tasks configurations (e.g., task name/title, schedule/cron configuration, dependencies, and configuration metadata).

D. Message content

When you interact with Referent in connected platforms, we access message content from channels where Referent is invited, direct messages to Referent, and thread replies. This data is used to process your requests, maintain conversation context, and provide the Service.

E. Service logs and usage data

We collect and store limited operational data, such as:

• Service logs and audit/security logs (e.g., timestamps, error logs, request/response metadata).
• Usage events needed to operate and improve reliability (e.g., tasks executed, approvals granted, feature usage signals).

F. Communications with us

If you contact us (e.g., support tickets or email), we collect the information you provide in those communications.

G. Website/app analytics, advertising, and attribution data

When you visit our website, use product surfaces, or begin checkout flows, we may collect:

• Cookie, pixel, and similar online identifiers used for analytics, advertising measurement, and referral attribution.
• Device and browser metadata, IP address, pages viewed, and interaction events.
• Attribution and referral metadata associated with signup or billing events (for example, campaign/referral identifiers or partner discount metadata).

Sensitive data

We do not knowingly collect sensitive personal data (such as financial account numbers, health information, or children's data) unless necessary for the Service and provided by you.

3. How We Use Your Information

We use the information described above to:

A. Provide and operate the Service

• Authenticate users and workspaces.
• Maintain integrations you enable (e.g., Slack, Google Drive, Notion, and others).
• Execute tasks, respond to requests, generate outputs, and provide context continuity in Referent.

B. AI processing to generate outputs

• Relevant portions of Customer Data may be processed by AI systems to produce responses, reports, and other outputs at your direction.
• We do not use Customer Data for advertising.
• We do not train our own or third-party foundation models on Customer Data.

C. Maintain security, safety, and integrity

• Detect and prevent fraud, abuse, and unauthorized access.
• Investigate incidents and maintain audit trails where appropriate.

D. Service improvement (aggregated or de-identified)

We may use aggregated or de-identified data (that cannot reasonably identify you) to understand usage patterns and improve reliability and product experience.

E. Communications

• Send service-related communications (e.g., product updates, security notices, billing/administrative messages).
• Provide customer support.

F. Analytics, advertising, and attribution

• Measure product and website usage, campaign performance, and conversion events.
• Associate referrals, partner programs, and discount programs with subscriptions and billing records.
• Prevent abuse, fraud, and misuse of marketing/referral programs.

G. Compliance and protection

Comply with legal obligations and enforce our Terms of Use, and protect the rights, safety, and property of our users and Referent.

4. How We Disclose or Share Information

We do not sell your personal data for monetary consideration.

We may share certain identifiers and usage data with analytics, advertising measurement, and attribution partners to operate and improve the Service. Depending on your jurisdiction, this may be considered a "sale," "sharing," or "targeted advertising," and you may have rights to opt out.

We share information only as necessary to provide and support the Service, and subject to appropriate safeguards:

A. Service providers (subprocessors)

We use vendors to host and operate the Service and its infrastructure (for example, hosting, storage, monitoring, communications, support tooling, and billing). These providers may process Customer Data on our behalf solely to provide, secure, and support the Service.

B. AI technology partners

When you invoke AI features, relevant portions of data (e.g., the prompt/context needed to generate an output) may be sent to third-party AI providers to generate responses. We require these providers to use your data only to provide the requested service to you and not for advertising or training their general models.

• Data retention by AI providers: AI providers may temporarily retain data in accordance with their API retention policies for security and abuse monitoring. Data is not used for model training.
• Data tenancy: Your data is processed in isolated API requests and is not shared with or visible to other customers.
• No training: Your data is not used to train or improve AI provider models.

C. Analytics

We may use analytics, advertising measurement, and attribution tools to understand usage, attribute signups/subscriptions, and improve the Service. These tools may receive online identifiers, event metadata, and referral/campaign data. We do not use message content for advertising. You can manage cookies through your browser settings and can contact us regarding workspace-level controls where feasible.

D. Legal compliance and protection

We may disclose information if required by law or valid legal process, or when we believe disclosure is necessary to:

• Comply with legal obligations,
• Protect the rights and safety of users and the public,
• Prevent fraud or abuse, or
• Enforce our Terms of Use.

E. Business transfers

If Referent is involved in a merger, acquisition, restructuring, financing due diligence, bankruptcy, or sale of assets, information may be disclosed to advisors and successor entities, subject to appropriate confidentiality protections.

F. Third-party links

The Service may link to third-party websites/services. We are not responsible for their privacy practices.

5. Cookies and Tracking Technologies

A. What we use

Our website may use the following tracking technologies, which are loaded only after you provide explicit consent via our cookie consent mechanism:

• Meta (Facebook) Pixel: Used for advertising measurement, conversion tracking, and audience building. This pixel may set cookies such as _fbp on your device. Data is sent to Meta Platforms, Inc. (USA). Retention: up to 90 days for browser cookies.
• LinkedIn Insight Tag: Used for B2B advertising analytics, conversion tracking, and audience insights. This tag may set cookies such as li_sugr and bcookie. Data is sent to LinkedIn Corporation (USA). Retention: up to 180 days for browser cookies.

B. Essential storage

We use browser sessionStorage (not a cookie) to store a language-redirect flag (lr) so that Spanish-speaking visitors are redirected to the Spanish version of the site on first visit. This data is session-only and is cleared when you close your browser. We also use localStorage to store your cookie consent preference.

C. How to manage or opt out

You can manage your cookie preferences at any time through our cookie consent banner. You can also disable cookies through your browser settings. Note that disabling cookies may affect the functionality of certain features. To opt out of Meta tracking, visit Facebook Ad Preferences. To opt out of LinkedIn tracking, visit LinkedIn Guest Controls.

D. No cookies without consent

Non-essential tracking technologies are not loaded until you explicitly accept them. If you decline or do not interact with the consent banner, no advertising or analytics cookies will be set.

6. Data Storage and Security

A. Data storage and hosting

Customer Data is stored with reputable cloud service providers, using encryption at rest and in transit, access controls, and service monitoring appropriate to the nature of the data.

B. Security measures

We maintain industry-standard safeguards, including:

• Encryption in transit (TLS 1.2+ / 1.3),
• Encryption at rest (AES-256 with cloud-provider key management),
• Access controls (RBAC, MFA, least-privilege access),
• Audit logging and monitoring,
• Incident response processes, including notification to affected customers and/or authorities where required by applicable law.

You are responsible for maintaining appropriate security in your workspace (e.g., limiting channel access, managing admin permissions).

7. Data Retention

We retain Customer Data only as long as needed to provide the Service, meet contractual obligations, and comply with law.

A. Active production systems

When an account is closed or we receive a validated deletion request, we delete Customer Data from active production systems typically within ~30 days.

B. Backups

Encrypted backups are used only for business continuity. Remaining copies are removed as encrypted backups age out on their normal rotation (currently ~35 days), after which they are automatically overwritten or purged.

C. Exports

Where legally permitted, customers may request an export prior to deletion.

D. Derived data

Derived or transformed data (such as indexes, embeddings, or other internal representations) will be deleted or disassociated from Customer Data when the underlying Customer Data is deleted, subject to backup retention and legal obligations.

8. Your Rights and Choices

Depending on your location, you may have the following rights:

A. Access and correction

You can request access to personal data we hold about you and request correction of inaccurate or incomplete data.

B. Deletion

You may request deletion of your personal data (including workspace files, conversation threads, and related records). For workspace-level Customer Data, we may require the request to come from an authorized workspace administrator or account owner, or we may direct individual members to their workspace administrator where appropriate.

Upon receiving a verifiable deletion request, we will delete Customer Data from active production systems typically within ~30 days, and backups will age out on their normal rotation (currently ~35 days).

C. Withdrawal of consent / disconnecting integrations

You can revoke Referent's access to connected services at any time. After revocation, we stop collecting new data from those services immediately. Revoking access does not by itself delete previously stored data. If your account is deleted or closed, or we receive a verifiable deletion request, we delete previously stored data in accordance with Section 7 (Data Retention). You can also contact us to request deletion.

D. Marketing preferences

If you opt in to marketing communications, you can opt out at any time via unsubscribe links or by contacting us. You will still receive essential service communications.

E. Data portability (where applicable)

Where required by law (e.g., GDPR), you may request a copy of your data in a machine-readable format.

F. Authorized agents (where applicable)

If permitted by law, you may designate an authorized agent to submit requests on your behalf; we will verify identity and authority as required.

G. Additional EEA/UK rights (where applicable)

If you are located in the EEA or UK, you may also have the right to object to certain processing, request restriction of processing, and lodge a complaint with your local supervisory authority.

To exercise any of these rights, please contact us at privacy@referent.app.

9. Children's Privacy

The Service is not intended for children and we do not knowingly collect personal data from anyone under the age of 18 (or the age of majority in their jurisdiction, if higher). If we learn we have collected such data, we will delete it promptly. Contact privacy@referent.app if you believe a child has provided personal data.

10. International Users and GDPR/UK GDPR

Referent is based in Spain and may process personal data in the EU and other regions. If you are located in the EEA/UK, we process personal data under one or more legal bases, including:

• Performance of a contract (providing the Service you request),
• Consent (e.g., connecting integrations via OAuth and certain non-essential cookies/advertising technologies where required),
• Legitimate interests (security, fraud prevention, and improving reliability and product analytics where permitted), balanced against your rights.

Where required for cross-border transfers, we use appropriate safeguards (such as Standard Contractual Clauses).

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by appropriate means (e.g., notifying workspace administrators and/or emailing the address associated with the account). The "Last updated" date reflects the most recent revision. Your continued use of the Service after changes become effective indicates acceptance of the revised policy.

12. Contact Us

If you have questions or requests regarding this Privacy Policy or our data practices, contact: