reduck Privacy Policy

Definitions

Automation Flow (or Flow): an automated workflow that performs tasks on websites.

Actions: operations, steps, or transactions executed by Automation Flows, including screenshots and content of websites visited.

Input: any data, file, document, or content you provide to the Automation Flows, including natural language prompts, CSV files, configuration parameters, website credentials, target URLs, and workflow instructions.

Output: results produced by Automation Flows, including downloaded files, extracted data, execution logs, error notifications, and any other results generated by Flow executions.

Cache (or Cached Patterns): automation patterns derived from successful Flow executions stored to optimize performance.

CLI: the reduck command-line tool that enables users to execute Automation Flows from their terminal.

MCP Integration: integration with Model Context Protocol servers that enable reduck to interact with external services and APIs, or that enable third-party applications and AI agents to access reduck's capabilities as an MCP server.

SDK: the reduck developer toolkit that enables third-party applications, AI agents, and automation frameworks to programmatically access the Services and execute Automation Flows through reduck's infrastructure.

Third-Party Agent: any external software, AI agent, automation framework, or application that accesses the Services through the SDK or MCP Integration on behalf of a user.

Credits: the virtual currency used to pay for Flow executions.

You: any person who uses or accesses the Services, or whose personal information may be processed through use of the Services.

Information We Collect

Personal Information

We collect information you provide directly when you register or use the Services, including name, email address, account credentials, payment method details, and profile information such as company name or job title.

Website Visitors

When you visit reduck.ai without an account, we collect limited analytics data through Plausible Analytics, a privacy-focused tool that does not use cookies or track personal information. This includes page views, referral sources, and country-level geographic location only.

Automation Data

When you use the Services, we collect information about your automation activities, including: Flows you execute, data processed through our platform, performance metrics, natural language prompts and commands, websites you automate, Cached Patterns derived from successful Flow executions, MCP Integration data, and data transmitted by Third-Party Agents accessing the Services on your behalf.

Usage Information

We automatically collect log data (IP address, browser type, pages visited, time spent), device information (type, operating system, browser version), location derived from IP address, usage patterns and preferences, and Flow execution history, success rates, and error logs.

Screenshots and Browser Activity

During Flow execution, we take screenshots of your screen and capture visual content displayed in your browser. This includes website content, personal information visible on screen, data from browser tabs opened by the Flow, notifications and pop-ups, and any other visual content displayed during execution. Screenshots may capture sensitive information such as personal messages, financial data, private documents, or confidential business information. We recommend using a dedicated browser profile for sensitive browsing.

Cookies

We use cookies only for essential Services functionality (authentication, security). We do not use tracking cookies. Website analytics are provided by Plausible Analytics, which does not use cookies or collect personal information.

Beta Period Data Collection

During the beta testing period, we have significantly broader access to your data than described above. Specifically, we may access and review all Flow executions in plain-text form, natural language prompts and commands in full detail, all websites you automate and data you extract or download, complete screenshots capturing all visual browser content, all data transmitted to or from third-party websites during Flow execution, and error logs, debugging information, and detailed execution traces.

We process all Flow execution data on the basis of legitimate interest (GDPR Art. 6(1)(f)). Comprehensive monitoring is strictly necessary at this stage to detect failures, ensure functional integrity, and maintain the security of the Services. We have assessed that this interest is not overridden by your rights, given the experimental nature of the Services, the limited duration of the beta period, and the direct benefit to all users of a more stable and secure platform. This level of access will end when the beta period concludes. At that point, a Privacy Mode will be available in your Account settings, allowing you to restrict monitoring to what is strictly necessary to deliver the Services.

How We Use Your Information

Service Provision

Execute your Automation Flows, maintain and optimize the Cache system, process transactions, manage your account, and provide customer support.

Platform Improvement

Debug issues, optimize automations, and develop and refine Cached Patterns.

Communication

Send technical notices, updates, security alerts, support messages, and respond to inquiries.

Security and Compliance

Monitor for threats, detect and prevent abuse, comply with legal obligations, and protect our rights and property.

Analytics and Research

Analyze usage patterns and conduct research to improve our technology.

Marketing

Personalize your experience and send promotional communications if you have opted in.

Legal Bases (EEA, UK, Switzerland)

For individuals located in the European Economic Area, the United Kingdom, and Switzerland, we rely on one or more of the following legal bases under GDPR: performance of a contract (Art. 6(1)(b)) to provide the Services you requested; legitimate interests (Art. 6(1)(f)) such as securing the platform and preventing abuse; compliance with legal obligations (Art. 6(1)(c)); or your consent (Art. 6(1)(a)) where required, such as for optional data collection.

Artificial Intelligence Provided by Third Parties

reduck leverages third-party AI technology to power its agent-based automation capabilities. We share your information with AI service providers to process your natural language prompts and commands, information about websites you want to automate, Flow execution data and results, screenshots and browser activity, and Inputs, Actions, and Outputs from your Flows.

AI providers may use your data in accordance with their own terms of service. We do not control or guarantee their data use practices. Please refer to each provider's terms of service for full details. Our AI service providers are contractually required to maintain the confidentiality and security of your information.

Third-Party Agents Using reduck Infrastructure

When a Third-Party Agent accesses the Services on your behalf via the SDK or MCP Integration, we process the data transmitted by that agent in accordance with this Privacy Policy. We are not responsible for the data collection practices or terms of service of Third-Party Agents. You are responsible for reviewing and agreeing to the privacy policies of any Third-Party Agent you use with the Services.

Information Sharing and Disclosure

Service Providers (Sub-processors)

We share information with vendors who perform services on our behalf. These providers are contractually obligated to use your information only to provide services to us. A current list of sub-processors is maintained in our Terms of Service.

Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

Legal Requirements

We may disclose your information when required by law or when we reasonably believe disclosure is necessary to comply with legal obligations, protect and defend our rights or property, prevent or investigate wrongdoing in connection with the Services, or protect personal safety of users or the public.

With Your Consent

We may share your information with third parties when you have given us consent to do so.

Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including encryption of data in transit and at rest, access controls and authentication mechanisms, regular security audits and vulnerability assessments, and incident response procedures.

No security system is impenetrable. We cannot guarantee the absolute security of our databases or that information will not be intercepted during transmission. You acknowledge the inherent security risks of electronic data storage and transmission.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and no later than seventy-two (72) hours after becoming aware of the breach, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, in accordance with GDPR Article 34, providing details of the nature of the breach, the likely consequences, and the measures taken or proposed to address it. Notification may be delayed where a law enforcement authority requests such delay in the interest of an ongoing investigation.

Data Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

• Account information is retained while your account is active and for up to ninety (90) days thereafter.
• Flow execution logs and operational data are retained for up to two (2) years from the date of collection.
• Cached Patterns are retained for up to one (1) year from the date of creation.
• After ninety (90) days, all user-identifiable information in logs and Cached Patterns is anonymized; only aggregated, statistical, and anonymized metadata is retained.
• Downloaded files and Outputs are not retained on our servers unless you explicitly choose to store them.
• Deleted data is permanently removed from active databases within 30 days of a deletion request and may remain in encrypted backups for up to 90 days, but will not be accessible or used.

Your Rights and Choices

Access and Update

You can access and update certain account information through your account settings.

Data Subject Rights

Depending on your location and applicable law, you may have the right to: request access to and a copy of your personal information, request correction of inaccurate or incomplete data, request deletion of your personal information, request restriction of processing, request data portability, object to processing for certain purposes, and withdraw consent where processing is based on consent. You may withdraw consent at any time via your Account settings or by contacting support@reduck.ai; withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. To exercise any of these rights, contact us at support@reduck.ai. We will respond within 30 days and may verify your identity before responding.

Data Deletion

You may delete your execution history or entire account through account settings or by contacting support@reduck.ai. We will permanently delete your data from active databases within 30 days. After deletion, your data cannot be recovered.

Right to Complain

Depending on your location, you may have the right to lodge a complaint with a data protection authority where you live or work.

California Privacy Rights (CCPA)

California residents have the right to know what personal information is collected, used, shared, or sold; the right to delete personal information held by us; the right to opt out of the sale of personal information (note: we do not sell personal information); and the right to non-discrimination for exercising privacy rights.

Children's Privacy

The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected such information without parental consent, we will delete it promptly. If you believe we have information from a child under 18, please contact us at support@reduck.ai.

International Data Transfers

We are based in the United States. Information we collect may be transferred to, processed, stored, and used in the United States and other jurisdictions. When we engage in cross-border data transfers, we ensure appropriate safeguards are in place to comply with applicable data protection laws. For more information, contact us at support@reduck.ai.

Third-Party Websites and Services

Our Services enable you to interact with and automate actions on third-party websites. We do not control those websites and are not responsible for their content, privacy practices, or terms of service. You are responsible for complying with third-party terms of service, and we are not liable for any issues that occur on third-party websites. This Privacy Policy applies only to information we collect through reduck.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time by posting the revised version on this page and updating the "Last Updated" date. For material changes that significantly impact your rights or how we process your data, we will provide at least 30 days' notice via email or a notice within the Services. Your continued use of the Services after changes take effect constitutes acceptance of the revised Privacy Policy.

Data Protection Officer

We have appointed an external Data Protection Officer (DPO) to oversee our data protection compliance. You may contact our DPO for any questions or concerns regarding the processing of your personal information or to exercise your data protection rights:

DIBB
Email: privacy@conception.dev

Our DPO also serves as our EU representative pursuant to Article 27 of the GDPR.

EU Representative (Article 27 GDPR): Conception AI SAS, 200 rue de la Croix Nivert, 75015 Paris, France.