Privacy Policy and Terms of Service

Last updated: April 6, 2026

Privacy Policy

This Privacy Policy explains how Elastra collects, uses, shares, and protects personal data across our website, self-serve product, and enterprise services. Elastra is a Portuguese company based in Matosinhos, Portugal.

1. Scope and Roles

This policy applies to personal data processed by Elastra as a controller for our website, account management, sales, billing, security, and support operations. When Elastra processes Customer Content on behalf of an organization, Elastra generally acts as a processor or service provider and the customer organization acts as the controller. In those cases, the applicable commercial agreement and Data Processing Addendum, if any, govern that processing.

2. Data We Collect

We may collect account and identity data, organization and billing data, support communications, product telemetry, authentication events, security logs, and Customer Content submitted to the platform, including prompts, policies, rules, memory entries, commands, tool traces, repository metadata, synced file references, and generated outputs.

3. How We Use Data

We use personal data to provide and secure the service, authenticate users, operate workspaces, enforce organization settings, process payments, prevent abuse, monitor reliability, investigate incidents, provide support, communicate service updates, comply with legal obligations, and improve the performance and safety of the platform.

4. Legal Bases for Processing

Where required by applicable law, we process personal data on the basis of contract performance, legitimate interests, legal obligations, and consent where consent is specifically required, such as certain cookies or marketing communications.

5. AI Models and Customer Content

Elastra may route Customer Content to third-party model, infrastructure, storage, observability, authentication, email, and billing providers in order to operate the service. By default, Elastra does not use Customer Content from business workspaces to train foundation models for general use unless the customer explicitly opts in to a separate improvement program. Customers are responsible for deciding what content they submit to the service and for configuring internal access controls.

6. Sharing and Subprocessors

We do not sell personal data. We may share data with subprocessors and service providers that support hosting, authentication, analytics, billing, communication, observability, support, and AI model execution. We may also disclose data where required by law, legal process, or to protect rights, safety, and the integrity of the service. A list of subprocessors may be provided separately to enterprise customers or on request.

7. International Transfers

When personal data is transferred internationally, we use appropriate transfer mechanisms and technical and organizational safeguards consistent with applicable law, including contractual protections where required.

8. Retention

We retain personal data for as long as necessary for the purposes described in this policy, including service delivery, account administration, legal compliance, security monitoring, fraud prevention, and dispute resolution. Retention periods may differ for operational logs, audit trails, billing records, support records, and Customer Content. Enterprise customers may have additional retention terms under their commercial agreement.

9. Security

We apply technical and organizational safeguards designed to protect personal data and Customer Content against unauthorized access, loss, alteration, and improper disclosure. No system is entirely risk-free, but we design controls proportionate to the sensitivity of the data and the operational role of the platform.

10. Organization Admin Controls

If you use Elastra through an organization account, your organization administrators may be able to access, manage, export, or delete workspace data, configure integrations, review logs, manage retention settings, and control user access. Your use of Elastra within an organization may therefore be subject to your employer's or organization's policies.

11. Your Rights

Depending on applicable law, you may have rights to access, correct, update, port, restrict, object to, or delete your personal data. You may also withdraw consent where consent is the legal basis for processing. If Elastra processes your data on behalf of a customer organization, requests should usually be directed to that organization first. You may also lodge a complaint with the competent data protection authority, including the CNPD in Portugal.

12. Children and Sensitive Uses

Elastra is not directed to children and should not be used to process children's data without an appropriate legal basis and supervision. Customers should not use Elastra for highly sensitive or regulated processing unless they have independently assessed suitability and executed any required contractual, security, and compliance documentation.

13. Policy Updates and Contact

We may update this Privacy Policy from time to time. When material changes are made, we will publish the updated version and, where appropriate, provide additional notice. For privacy questions or to exercise your rights, contact support@elastra.ai.

Terms of Service

These Terms of Service govern access to and use of Elastra by website visitors, self-serve users, and customer organizations, unless a separate signed commercial agreement supersedes them in whole or in part.

1. Contract Structure

If a customer organization has signed an order form, master services agreement, enterprise services agreement, or Data Processing Addendum with Elastra, that commercial documentation will control over these website terms to the extent of any conflict. These terms otherwise apply to trials, self-serve use, and public website access.

2. Accounts and Organization Administration

You must provide accurate registration information and keep credentials secure. If you access Elastra through an organization, the organization may assign administrators who can manage users, integrations, content, policies, logs, billing, and workspace settings. You are responsible for activity conducted through your account, subject to applicable law.

3. Customer Content and Ownership

As between Elastra and the customer, the customer retains ownership of Customer Content submitted to the service, including repository material, prompts, rules, policies, memories, outputs, and configuration data, subject to any rights of third parties in that content. You grant Elastra the limited rights necessary to host, process, transmit, store, index, analyze, and display Customer Content solely to operate, secure, support, and improve the contracted service.

4. AI Features, Output, and Third-Party Models

Elastra may rely on third-party models, APIs, and infrastructure providers to generate outputs or execute features. AI-generated outputs may be incomplete, inaccurate, biased, or unsuitable for a particular use. You are responsible for reviewing outputs before relying on them for technical, legal, security, financial, employment, compliance, or other material decisions. Elastra does not provide legal advice and should not be used as the sole basis for high-impact decisions.

5. Data Use for Model Training

Unless explicitly stated otherwise in a separate written agreement or opt-in program, Elastra does not use Customer Content from business workspaces to train foundation models for general use. Elastra may use service metadata, abuse signals, and de-identified or aggregated operational data to secure, monitor, and improve the service.

6. Acceptable Use and Security Restrictions

You may not use Elastra to violate law, infringe rights, distribute malware, exfiltrate data without authorization, interfere with the service, bypass safeguards, abuse rate limits, reverse engineer restricted components except where prohibited by law, or submit content for prohibited, deceptive, or harmful activity. You must implement appropriate internal review and human oversight for high-risk uses of AI.

7. Billing, Suspension, and Termination

Paid features may require a subscription or order form. Fees, billing cycles, trials, and renewal terms are presented at purchase or in the applicable commercial agreement. We may suspend or terminate access for non-payment, legal risk, security incidents, misuse, or material breach. You may stop using the service at any time, subject to any active subscription or contracted commitment.

8. Confidentiality

Each party may receive confidential information from the other. The receiving party must protect that information using reasonable safeguards and may use it only as necessary to perform or receive the service, except where disclosure is required by law.

9. Intellectual Property

Elastra and its licensors retain all rights, title, and interest in the service, software, documentation, trademarks, branding, and underlying technology, excluding Customer Content and any third-party materials owned by their respective holders.

10. Warranties and Disclaimers

Except as expressly stated in a signed commercial agreement, Elastra is provided on an as available basis. To the maximum extent permitted by law, we disclaim implied warranties, including merchantability, fitness for a particular purpose, and non-infringement. We do not warrant uninterrupted operation or error-free output.

11. Limitation of Liability

To the maximum extent permitted by law, Elastra will not be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenues, goodwill, or data, even if advised of the possibility. Where liability caps are permitted, Elastra's aggregate liability under these terms will not exceed the amounts paid by the customer for the relevant service during the twelve months preceding the event giving rise to the claim, except for liability that cannot be limited by law.

12. Governing Law and Contact

These terms are governed by the laws of Portugal, without regard to conflict of laws principles, and the courts of Matosinhos, Portugal will have jurisdiction except where mandatory law requires otherwise. Questions about these terms may be sent to support@elastra.ai.