PRIVACY POLICY
Last Updated: April 30, 2026
This Privacy Policy describes how Cirra AI, Inc. (“Cirra AI,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information. It applies to:
- our website at https://cirra.ai and our subdomains, including docs.cirra.ai and skills.cirra.ai (collectively, the “Website”); and
- the Cirra AI software-as-a-service products and platform, including the Cirra AI MCP Server and skills library (the “Services”).
Different rules apply to information we collect through the Website than to information we process through the Services. Where this Policy treats them differently, we say so. Section 2 covers the Website; Section 3 covers the Services.
If you are a Cirra AI customer, note that personal information you submit through the Services as part of your use of those Services (“Customer Data”) is processed under your direction and is governed by your agreement with us — either our Master Services Agreement or our Terms of Service together with our Data Processing Addendum at https://cirra.ai/legal/dpa. This Policy describes our handling of personal information generally; the DPA is the controlling document for processing of Customer Data.
1. Who We Are and How to Contact Us
Cirra AI, Inc. is a Delaware corporation with its principal place of business at 2261 Market Street STE 10421, San Francisco, CA 94114. For purposes of GDPR and UK GDPR, Cirra AI is the data controller for personal information we collect through the Website and for personal information we process about prospects, customers, and partners. For Customer Data processed through the Services on a customer’s behalf, Cirra AI is a data processor.
Privacy questions, requests, or complaints: [email protected].
2. Website Privacy
2.1 Information We Collect from the Website
Information you provide
When you contact us through a form, request a demo, sign up for a newsletter, or correspond with our sales or support teams, we collect identifiers (such as name, business email address, company name, phone number, and job title) and any other information you choose to include. We use this information to respond to your inquiry, provide requested information, send marketing communications you have requested or that we are permitted to send, and maintain a record of our communications.
Information collected automatically
When you use the Website, we and our third-party providers automatically collect:
- Usage information: pages visited, time of visit, search terms, actions taken, referring URLs, and frequency of access.
- Device and browser information: IP address, browser type and version, language, operating system, device type, and screen resolution.
- Error information: technical details when something goes wrong, including filename, error line number, and error message.
- Session recordings (with consent): where you have consented, we record session interactions (mouse movements, clicks, scroll behavior) using Microsoft Clarity. Sensitive content and form inputs are masked by default.
2.2 Cookies and Similar Technologies
We use cookies and similar technologies to operate the Website, analyze how it is used, and (where permitted) market our Services. We classify cookies as:
- Strictly Necessary: required to operate the Website (e.g., load balancing, session management, security). These cannot be disabled.
- Preferences: remember your settings and choices to improve your experience.
- Statistics: help us understand how visitors use the Website (e.g., Google Analytics, Microsoft Clarity, Segment).
- Marketing: used to deliver advertising and measure ad performance (e.g., Google Ads, Meta Pixel).
When you first visit our main marketing website at cirra.ai from the European Union or European Economic Area, our cookie consent banner (powered by Cookiebot) lets you accept or reject non-essential categories before any are set. California residents see a “Do Not Sell or Share My Information” / “Cookie Settings” link in the Website footer through which they can opt out of sale or sharing of personal information; we also honor Global Privacy Control (GPC) signals from California residents’ browsers as such an opt-out signal. Visitors from other regions can manage cookie preferences at any time via the “Cookie Settings” link in the Website footer. Our subdomains docs.cirra.ai and skills.cirra.ai do not load marketing or analytics trackers and therefore do not display a consent banner; the only third-party tool that may load on these subdomains is Intercom, which is loaded only for users who are signed into the Cirra AI application (as identified by an authentication cookie set by the application).
2.3 Website Sub-Processors
| Provider | Purpose | Categories Processed |
|---|---|---|
| Google Analytics | Website usage analytics | Usage information, device information, IP address (truncated) |
| Google Ads | Advertising and conversion tracking | Usage information, device information, ad interaction data |
| Meta (Facebook) | Advertising and conversion tracking (Meta Pixel) | Usage information, device information, ad interaction data |
| Microsoft Clarity | Session replay and behavioral analytics (with consent; sensitive content masked) | Usage information, session interactions, device information |
| Segment (Twilio) | Analytics event collection and routing | Usage information, device information, identifiers |
| Calendly | Meeting scheduling | Identifiers (name, email), meeting details |
| Cookiebot (Usercentrics) | Cookie consent management | Consent records, IP address (for jurisdiction detection) |
We may update this list from time to time; the version posted at the time of your visit controls.
In addition, on our docs.cirra.ai and skills.cirra.ai subdomains we load Intercom (in-product messaging) only for users who are signed into the Cirra AI application, identified by an authentication cookie set by the application. Intercom is a sub-processor for the Services and is listed in Section 3.5. For unauthenticated visitors to these subdomains, no third-party trackers or messaging tools are loaded.
2.4 How We Use Website Information
We use Website information to:
- operate, maintain, and improve the Website;
- respond to your inquiries and requests;
- send marketing communications consistent with your preferences and applicable law;
- analyze Website usage and trends;
- detect, prevent, and respond to fraud, security threats, and abuse; and
- comply with legal obligations and enforce our rights.
2.5 Legal Bases (EEA, UK, Switzerland)
Where GDPR or UK GDPR applies, we rely on the following legal bases for Website processing: (a) your consent (for non-essential cookies, marketing emails, session recording); (b) our legitimate interests in operating, securing, and improving the Website and our business (where not overridden by your rights); (c) performance of a contract or steps prior to entering one (for sales inquiries you initiate); and (d) compliance with legal obligations.
2.6 Marketing
We may send marketing emails to business contacts who have requested information, who have given consent where required, or where applicable law permits us to do so based on a prior business relationship. Every marketing email contains an unsubscribe link. We do not send marketing emails to addresses obtained from third-party identity-resolution services.
3. Services Privacy (Cirra AI Product)
This Section 3 describes how we handle personal information in connection with the Services. If you are an end user accessing the Services on behalf of your organization (which is our customer), your organization is responsible for its handling of personal information; please direct rights requests and privacy inquiries to that organization. We will assist them in responding.
3.1 Information We Collect Through the Services
Account information
When a customer signs up for the Services, we collect business contact information about account administrators and authorized users (name, business email, company, role) and authentication credentials. We use this information to provide the Services, secure accounts, and provide customer support.
Customer Data
Customer Data is data that customers and their authorized users submit to or have processed through the Services, including Salesforce records and metadata accessed through the Cirra AI MCP Server. We process Customer Data on the customer’s behalf as a data processor (or service provider, under CCPA/CPRA), under the terms of our customer agreement and the Data Processing Addendum at https://cirra.ai/legal/dpa.
Usage information and telemetry
We collect product usage information such as logins, page views, feature usage, and errors. This telemetry does not include Customer Data. We use it to operate, secure, and improve the Services.
Support communications
When users contact our support team, we collect the contents of communications, including any information they choose to share.
3.2 Data Flow and Storage
The Services have specific data flow characteristics that affect what we have access to:
- AI prompts and responses: when customers use AI clients (such as Claude, ChatGPT, or Cursor) to interact with our MCP Server, the AI prompts and AI responses are exchanged directly between the customer’s AI client and the third-party AI provider. These prompts and responses do not transit Cirra AI’s infrastructure, and we do not have access to them.
- Customer Data flowing through the Services: Salesforce records and metadata accessed through the Services transit our infrastructure to perform the requested operation. We do not maintain a persistent product-level store of such Customer Data. It may, however, appear briefly in operational backend logs (retained up to 30 days) and short-lived response caches (retained up to 1 hour).
- Connection credentials: OAuth access tokens and refresh tokens for connected systems (such as Salesforce orgs) are stored in encrypted form to enable the Services to operate.
- Telemetry: our product telemetry captures usage information (such as logins and page views) only and does not include Customer Data; it is retained for up to 90 days.
3.3 We Do Not Train AI Models on Customer Data
We do not use Customer Data to train, fine-tune, or improve any general-purpose, foundation, or shared machine-learning model. We do not authorize our sub-processors or third-party AI providers to do so for Customer Data submitted via API.
3.4 Onboarding Analytics
During first-time user onboarding to the Services, we use Microsoft Clarity to record session interactions (mouse movements, clicks, scroll behavior) and to capture defined events (such as walkthrough completion or skip points). This helps us improve the onboarding experience and identify where users encounter friction.
We have configured Microsoft Clarity with the following safeguards:
- Strict masking: all text content and form inputs are masked by default in session recordings, so the recordings capture interaction patterns and layout but not Customer Data displayed on screen.
- Scoped to onboarding: Clarity is loaded only on onboarding routes within the Services and is not active during normal product use after onboarding is complete.
- No Customer Data in event properties: defined events sent to Clarity contain only the event name and non-identifying metadata; we do not include identifiers such as email addresses, customer names, or Salesforce content in event payloads.
- No model training: Microsoft has contractually committed not to use Clarity data to train models, and we do not authorize such use.
Microsoft Clarity is identified as a sub-processor for the Services in Section 3.5.
3.5 Services Sub-Processors
We engage the following sub-processors to provide the Services. Each is bound by a written agreement requiring data protection commitments at least as protective as those in our customer agreements. Several of these sub-processors offer multiple regional deployments; the locations listed below reflect where Cirra AI’s instance is currently configured to process data.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloudflare | Edge hosting, CDN, security | United States (with global edge processing) |
| Microsoft Azure | Cloud hosting and compute | United States |
| Vercel | Application hosting | United States |
| MongoDB Atlas | Database hosting | United States |
| Auth0 (Okta) | Authentication and identity management | United States |
| Stripe | Payment processing | United States |
| Intercom | Customer support and in-product messaging | United States |
| Microsoft Clarity | Onboarding behavioral analytics (with strict masking) | United States |
| Segment | Product analytics pipeline | United States |
| Attio | CRM and product analytics | United States |
| Resend | Transactional email delivery | United States |
A current version of this list is also maintained at https://cirra.ai/legal/subprocessors. We will notify customers of new or replaced sub-processors as described in our Data Processing Addendum.
3.6 Retention
We retain personal information processed through the Services for as long as needed to provide the Services and as described in our customer agreement and DPA. Specifically: backend logs that may contain Customer Data are retained for up to 30 days; response caches for up to 1 hour; product telemetry for up to 90 days; account and billing records for the duration of the customer relationship and for a reasonable period thereafter to comply with tax, accounting, and legal obligations. Customer Data is returned or deleted on the timelines set forth in the customer agreement upon termination.
4. How We Share Personal Information
We share personal information in the following circumstances:
- Within Cirra AI: among our personnel and contractors who have a need to access information to perform their roles, subject to confidentiality obligations.
- With sub-processors and service providers: as listed in Sections 2.3 and 3.5, bound by written agreements that limit their use of personal information to providing services to us.
- With customers (for Customer Data): we make Customer Data available to the customer that submitted it; we do not share Customer Data with other customers.
- In a corporate transaction: with counterparties, advisors, and successors in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality.
- For legal reasons: to comply with law, respond to lawful requests from public authorities (including for national security or law enforcement purposes), enforce our agreements, protect our rights and property, or address fraud, security, or safety concerns.
- With your direction or consent: where you direct us to share or have given consent.
4.1 No Sale or Sharing for Cross-Context Behavioral Advertising
We do not sell personal information for monetary consideration. We may share certain identifiers with advertising providers (such as Google Ads and Meta) for targeted advertising on the Website; under CCPA/CPRA this may constitute “sharing” for cross-context behavioral advertising. California residents may opt out as described in Section 6, including via Global Privacy Control.
4.2 California “Shine the Light”
We do not share personal information with third parties for those third parties’ own direct marketing purposes.
5. International Data Transfers
Cirra AI is based in the United States, and most of our sub-processors are located in the United States. If you are accessing the Website or Services from outside the United States, your personal information will be transferred to and processed in the United States or other countries that may have data protection laws different from those in your country.
Where we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to a country not deemed by the European Commission, UK government, or Swiss Federal Data Protection and Information Commissioner to provide an adequate level of protection, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or other appropriate transfer mechanisms. For Customer Data processed under our Data Processing Addendum, the transfer terms in that DPA apply.
6. Your Privacy Rights
6.1 California Residents (CCPA/CPRA)
California residents have the following rights with respect to personal information about them that we collect or process as a business:
- Right to know what personal information we collect, use, disclose, and (where applicable) sell or share.
- Right to delete personal information we have collected, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of “sale” or “sharing” of personal information.
- Right to limit the use and disclosure of sensitive personal information (we do not use sensitive personal information beyond purposes permitted under CPRA without limitation).
- Right to non-discrimination for exercising these rights.
Categories collected and disclosed
In the preceding twelve months, we have collected the following categories of personal information identified by California Civil Code §1798.140: identifiers; commercial information (such as records of products or services purchased); internet or other electronic network activity information; geolocation data (general, derived from IP address); professional or employment-related information; and inferences drawn from the foregoing. We have disclosed each of these categories to sub-processors and service providers for the business purposes described in this Policy. We have not sold personal information for monetary consideration. We may share identifiers and internet activity information with advertising providers (“sharing” under CPRA).
How to exercise rights
California residents may exercise rights by emailing [email protected] with the subject line “California Privacy Request” and identifying the right being exercised. We will verify requests by matching information you provide against information in our records and may request additional information if needed for verification. We will respond within 45 days, with one 45-day extension where reasonably necessary, and will not discriminate against you for exercising your rights. You may designate an authorized agent to make a request on your behalf with appropriate proof of authorization. We maintain a record of privacy requests we receive and our responses, in compliance with applicable law.
Global Privacy Control
We honor Global Privacy Control (GPC) signals from your browser as a request to opt out of “sale” or “sharing” of personal information for California residents.
6.2 EEA, UK, and Swiss Residents (GDPR / UK GDPR / FADP)
If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights with respect to personal information about you:
- Right of access to your personal information.
- Right to rectification of inaccurate or incomplete information.
- Right to erasure (“right to be forgotten”), subject to exceptions.
- Right to restrict processing in certain circumstances.
- Right to data portability for data you provided based on consent or contract.
- Right to object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint with your local supervisory authority (e.g., the UK Information Commissioner’s Office, the Irish Data Protection Commission, or the Swiss FDPIC).
To exercise these rights, contact [email protected]. If you are an end user of the Services on behalf of a customer, please direct your request to that customer; we will assist them in responding. We maintain a record of privacy requests we receive and our responses, in compliance with applicable law.
6.3 Other Jurisdictions
Residents of other U.S. states (Virginia, Colorado, Connecticut, Utah, and others with comprehensive privacy laws) and other countries with applicable privacy laws may have similar rights. To exercise rights in those jurisdictions, contact [email protected].
7. Information Security
We maintain administrative, physical, and technical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, and destruction. Our information security program is described in our security overview at https://cirra.ai/legal/security and (for customers) in the Information Security Exhibit to our Master Services Agreement. We are pursuing SOC 2 Type 2 attestation covering the Trust Services Criterion for Security.
No system is perfectly secure. While we work to protect personal information, we cannot guarantee absolute security.
8. Children’s Information
The Website and Services are not directed to or intended for use by children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact [email protected] and we will take steps to delete it.
9. Do Not Track
Web browsers can transmit a “Do Not Track” (DNT) signal. Because there is no industry standard for how to interpret DNT signals, we do not currently respond to DNT signals. We do honor Global Privacy Control (GPC) signals as described in Section 6.1.
10. Retention
We retain personal information for as long as needed to fulfill the purposes for which it was collected, including for the purposes of satisfying legal, accounting, or reporting requirements. The criteria we use include: (a) how long we have an active relationship with you or your organization; (b) whether we have a legal obligation to retain the information (e.g., tax, accounting, or audit); and (c) whether retention is advisable given our legal position (such as in connection with a dispute or potential litigation). Retention specific to Services data is described in Section 3.6.
11. Changes to This Policy
We may update this Policy from time to time. We will post the updated Policy with a new “Last Updated” date at the top. If we make material changes, we will provide additional notice (such as by email or a prominent notice on the Website) before the changes take effect. We encourage you to review this Policy periodically.
12. Contact
Questions, requests, or complaints about this Policy or our privacy practices: [email protected]. Postal mail: Cirra AI, Inc., 2261 Market Street STE 10421, San Francisco, CA 94114.