Privacy Policy

Last Updated: April 11, 2026

1. Introduction & Scope

CipherSense AI (“CipherSense”, “we”, “us”, or “our”) is a technology company incorporated in the Federal Republic of Nigeria. This Privacy Policy describes how we collect, use, process, disclose, and safeguard personal and organisational data when you access or use our AI agent orchestration platform, including the visual workflow designer, multi-provider LLM routing, native MCP server support, third-party integration connectors, webhook triggers, and all associated APIs and services (collectively, the “Platform”).

This Policy applies to all users of the Platform — individual account holders, organisation administrators, team members, and API consumers — regardless of their geographic location. By accessing or using the Platform, you acknowledge that you have read and agree to the practices described in this Policy. If you do not agree, you must discontinue use immediately.

2. Information We Collect

We collect the following categories of data:

2.1 Account & Identity Data

  • Full name, email address, and profile picture (provided directly or via Google OAuth)
  • Organisation name, slug, and role within that organisation
  • Billing contact details and subscription tier information
  • Multi-factor authentication (MFA) preferences and verification records

2.2 Integration Credentials & Configuration

When you connect third-party services to the Platform — including but not limited to OpenAI, Anthropic, Google Gemini, DeepSeek, Grok, Perplexity, HuggingFace, Ollama, PostgreSQL, MySQL, MongoDB, Elasticsearch, Snowflake, Databricks, BigQuery, Supabase, Airtable, Google Workspace (Sheets, Drive, Docs, Gmail, Calendar), Microsoft Outlook, Microsoft Teams, Salesforce, HubSpot, Zendesk, Shopify, Notion, WordPress, Calendly, Zoom, Slack, Jira, Discord, Telegram, WhatsApp Business, Twilio, Resend, SMTP, Amazon S3, LinkedIn, Twitter/X, Apollo, Lusha, Pinecone, ElevenLabs, Fal.ai, Replicate, Apify, Stripe, and custom MCP servers — we collect and store the credentials required to operate those connections on your behalf. This includes API keys, OAuth tokens, webhook signing secrets, database connection strings, and similar secrets.

All such credentials are encrypted at rest using AES-256 encryption prior to storage. They are never logged in plaintext and are only decrypted in memory at the moment a workflow execution requires them.

2.3 Workflow & Execution Data

  • Workflow graph definitions (nodes, edges, configurations)
  • Workflow execution records, status, trigger source, and state snapshots
  • LLM prompts, responses, and token consumption (as part of execution context)
  • Webhook payloads received from third-party services
  • Human-in-the-loop (HITL) task submissions and approvals
  • Scheduled job configurations and execution histories

2.4 Usage & Technical Data

  • IP addresses, browser type, operating system, and device identifiers
  • Pages visited, features used, and session duration
  • API request logs, error rates, and performance metrics
  • Plan quota consumption (workflow runs, active workflows, token usage, log retention)

2.5 Data Processed on Your Behalf

In the course of executing your workflows, the Platform may process personal data belonging to third parties (your customers, contacts, or end users) that you route through the Platform via integrations or webhooks. You are the data controller for such data; we act solely as a data processor. You are responsible for ensuring you have the appropriate legal basis to process and transfer such data through our Platform.

3. How We Use Your Information

We process your data for the following purposes:

  • Service delivery: To authenticate you, execute your workflow automations, route requests to integrated third-party services, and return results.
  • Credential management: To securely store, decrypt, and use your integration secrets at execution time on your behalf.
  • Quota enforcement: To monitor usage against your plan limits (active workflows, monthly runs, token budgets, log retention windows) and enforce fair-use policies.
  • Platform improvement: To diagnose errors, improve performance, prioritise feature development, and maintain service reliability.
  • Billing & account management: To process payments, issue invoices, manage plan upgrades or downgrades, and communicate account-related notices.
  • Security: To detect, prevent, and respond to fraud, abuse, or unauthorised access to the Platform.
  • Legal compliance: To comply with applicable Nigerian law, court orders, or regulatory requirements.
  • Communications: To send transactional emails (welcome, verification, password reset, HITL task notifications), product updates, and — where you have opted in — marketing communications.

We do not sell your personal data or your integration credentials to any third party.

4. Data Security & Encryption

Security is foundational to CipherSense. We implement the following technical and organisational measures:

  • Encryption at rest: All integration credentials, API keys, tokens, and connection secrets are encrypted using AES-256-CBC before being persisted to our database. Encryption keys are stored separately from encrypted data.
  • Encryption in transit: All data transmitted between your browser, our servers, and third-party APIs is protected using TLS 1.2 or higher.
  • Row-Level Security (RLS): Our database enforces row-level access policies so that organisation data is strictly isolated — members of one organisation cannot access data belonging to another.
  • Principle of least privilege: Internal services access only the credentials and data they require to perform their specific function.
  • MFA support: Users may enable email-based two-factor authentication to add a second layer of identity verification to their accounts.
  • Webhook signature verification: Incoming webhook payloads from integrated services (e.g., Stripe, Slack, HubSpot, Jira, Twilio) are validated using HMAC cryptographic signatures or shared secrets before triggering any workflow execution.
  • Audit logging: Platform activity is logged for security review and is subject to the log retention windows applicable to your subscription tier.

Despite these measures, no system is perfectly secure. If you suspect a security incident involving your account or credentials, please contact us immediately at hello@ciphersense.ai.

5. Third-Party Integrations & Sub-processors

The Platform is designed to connect with external services on your behalf. When you configure an integration, your credentials and relevant data are transmitted to the target third-party service to execute the action you have defined. We are not responsible for the privacy or security practices of those third-party services. You should review the privacy policies of each service you connect.

We rely on the following categories of sub-processors to deliver the Platform:

  • Database & authentication: Supabase (PostgreSQL, Auth, Storage) — data hosted in the region you select at account creation.
  • Payment processing: Stripe — for billing and subscription management. We do not store raw payment card data; Stripe processes it directly under their PCI-DSS compliance.
  • Transactional email: A Resend-compatible SMTP provider — for account verification, welcome emails, and HITL notifications.
  • Hosting & infrastructure: Cloud infrastructure providers used to run the Platform and its background job queues.

When you connect AI provider integrations (OpenAI, Anthropic, Google Gemini, etc.), your workflow prompts and model inputs are sent directly to those providers subject to their own terms and privacy policies. We do not retain model inputs or outputs beyond the execution log retention window applicable to your plan tier.

5.1 Google API Data: Limited Use Compliance

CipherSense AI's use of data obtained from Google APIs (including Gmail, Google Drive, Google Docs, Google Sheets, and Google Calendar) strictly complies with the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • No transfer to restricted AI providers: Data obtained via Google APIs is never transmitted to DeepSeek, Grok (xAI), or any other AI provider whose terms of service permit training general AI models on user-submitted content. The Platform enforces this at the architectural level — workflows that include a Google integration (Gmail, Drive, Docs, Sheets, or Calendar) are technically blocked from routing data to these providers.
  • Purpose limitation: Google user data is used solely to perform the specific workflow actions you have configured (e.g., reading an email, appending a row to a spreadsheet, creating a calendar event). It is not used for any secondary purpose, including advertising, profiling, or improving our own AI models.
  • No unauthorised sharing: Google user data is not shared with any third party except as necessary to execute the specific integration action you have defined in your workflow, and only to the extent required for that action.
  • Human access restriction: CipherSense personnel do not access your Google user data unless you explicitly grant permission for support purposes, or as required by law.

6. Data Retention

We retain different categories of data for different periods:

  • Account data: Retained for the lifetime of your account and for up to 90 days after account deletion, to allow for recovery and to satisfy legal obligations.
  • Integration credentials: Retained for as long as the integration is active. Deleted immediately upon removing the integration from your project.
  • Workflow execution logs: Retained according to your plan tier — 3 days (Free), 7 days (Starter), 30 days (Pro), up to 6 months (Enterprise). Logs older than your retention window are automatically purged.
  • Billing records: Retained for a minimum of 6 years in accordance with applicable Nigerian tax and financial record-keeping requirements under the Finance Act and FIRS regulations.
  • Security and audit logs: Retained for up to 12 months for security incident investigation purposes.

You may request earlier deletion of your personal data by contacting us at hello@ciphersense.ai, subject to any overriding legal retention obligations.

7. Cookies & Tracking Technologies

We use cookies and similar session technologies solely to maintain your authenticated session, remember your preferences (e.g., last active organisation), and ensure platform security. We do not use third-party advertising trackers or behavioural profiling cookies. We use reCAPTCHA v3 on authentication forms to protect against automated abuse; this is subject to Google's Privacy Policy and Terms of Service.

8. Your Rights

As a user of the Platform, you have the following rights regarding your personal data. These rights are consistent with the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) 2019 issued by the National Information Technology Development Agency (NITDA):

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to erasure: You may request deletion of your personal data, subject to legal retention obligations and legitimate business purposes.
  • Right to data portability: You may request your account and workflow data in a structured, machine-readable format.
  • Right to object: You may object to processing of your personal data for marketing communications at any time by unsubscribing or contacting us.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

You can exercise most of these rights directly through your account settings. For requests that require our involvement, contact us at hello@ciphersense.ai. We will respond within 30 days.

9. International Data Transfers

CipherSense AI is incorporated and headquartered in Nigeria. Our infrastructure and sub-processors may be located in other jurisdictions. When data is transferred outside Nigeria, we ensure that adequate safeguards are in place consistent with the NDPA 2023 and NDPR 2019, including data processing agreements with our sub-processors that impose equivalent data protection obligations.

When you configure integrations with third-party services located in other jurisdictions, you acknowledge that data transferred to those services will be governed by the laws and policies of those jurisdictions.

10. Children's Privacy

The Platform is intended for use by individuals aged 18 and over and by businesses. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us at hello@ciphersense.ai and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, the Platform's functionality, or applicable law. We will notify you of material changes by email (to the address on your account) and by updating the “Last Updated” date above. Your continued use of the Platform after the effective date of a revised policy constitutes your acceptance of the changes.

12. Contact & Complaints

For privacy-related enquiries, requests, or complaints, contact our Data Protection Officer:

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

© 2026 CipherSense AI. Secure. Scalable. Sovereign.