Privacy Policy
Effective date: April 25, 2026
Last updated: April 25, 2026
This Privacy Policy explains how WeDefine.ai ("we", "our", "us") collects, uses, stores, and protects your information when you use our platform (the "Service"). The Service is provided under the trading name "WeDefine.ai".
For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, the operator of WeDefine.ai acts as the data controller of your personal data, except where we act as a data processor for third-party personal data you upload (see Section 3 and the Terms of Service § 5).
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
About the Controller
- Trading name of controller: WeDefine.ai
- Operator: WeDefine.ai is currently operated as an individual undertaking (sole operator), based in the Hong Kong Special Administrative Region of the People's Republic of China.
- Primary contact for all privacy and data protection matters: support@wedefine.ai
- Data Protection Officer: see Section 8
- EU/UK Representative (Article 27 GDPR / UK GDPR): see Section 8
- Additional controller details, including the operator's full identity and postal address, are available to data protection authorities, law enforcement, and other competent authorities on reasonable written request to support@wedefine.ai.
1. Information We Collect
Account Data
- Email address
- Authentication data (via Google or email login)
- Display name or profile information you choose to provide
User Content
- Prompts, inputs, and instructions you provide to AI features
- Uploaded files and data
- AI-generated outputs produced through your use of the Service
- Session and workspace data you create within the Service (saved outputs, workflows, notes)
User Content is private to your account and is not displayed to other users, except where a specific feature is clearly marked as shared (none at the effective date of this Policy).
Memory Data
To deliver a personalized AI workspace, we may derive and store a memory layer associated with your account, representing persistent user understanding. This may include:
- Preferences inferred from your interactions
- Reusable context, knowledge, and patterns you have introduced into the workspace
- Cross-app signals that help the workspace adapt to you over time
Memory is not a chat log. It is a structured derivation from your User Content intended to make the Service more useful to you. You can view, export, and delete memory entries through your account settings (or by request to support@wedefine.ai) as memory features ship. Deleting your account deletes your memory store, subject to the retention rules in Section 7.
Usage Data
- Features accessed and actions taken within the Service
- Session and workflow activity
- App launches and capability invocations
Technical Data
- IP address
- Device type and operating system
- Browser type and version
- Referring URLs and general location data (country or region level, derived from IP address)
Technical data is retained for security monitoring purposes for up to 90 days (see Section 7).
Payment Data
- Payment transactions are processed by third-party payment providers
- We do not store full payment card details or bank account numbers
- We may retain transaction records (amount, date, plan) for billing and legal compliance
Email Preferences
- Whether you have opted in to receive digest and product update emails
- Your email notification preference is stored as part of your account data and can be updated at any time
Cookies & Local Storage
We currently do not use third-party tracking cookies or advertising cookies. We may use strictly necessary session cookies or local storage solely to enable core platform functionality (such as maintaining your login session). These are essential to operate the Service and cannot be opted out of while using the platform.
We use Vercel Analytics for anonymous usage statistics, which does not use cookies or cross-site tracking and does not collect personally identifiable information.
If we introduce any non-essential cookies or tracking technologies in the future, we will update this Policy accordingly and, where required by law, obtain your consent before setting such cookies (for example, via a cookie banner in the EU, UK, and similar jurisdictions).
Anonymous Use
Certain stateless apps may allow limited one-time anonymous use without an account, as described in Terms of Service § 2. For anonymous use, we process:
- Strictly necessary technical data (IP address, user-agent, a short-lived anonymous session cookie or local storage identifier) to enforce per-IP and per-cookie rate limits, allocate the shared anonymous credit pool, and prevent abuse
- The inputs and outputs of the anonymous run itself for the duration needed to deliver the result back to you
We do not associate anonymous-run data with a personal identity. If you accept the "Save this to your workspace" offer and create an account, we will migrate the just-produced result into your new account, at which point it becomes account-associated User Content governed by the rest of this Policy. If you do not save the run, the run data is retained only as long as needed to serve it back to you and is then discarded (subject to short-lived technical logs retained under the rules in Section 7).
The legal basis for processing anonymous-use technical data is our legitimate interest in protecting the Service from abuse and runaway AI cost.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process your requests and interactions with AI features
- Derive and maintain your personal memory layer to personalize the workspace
- Manage your account and communicate with you about the Service
- Send emails as described in Section 13
- Process payments and maintain billing records
- Monitor for fraud, abuse, and security threats
- Comply with legal obligations
Use of Personal Data to Train AI Models
We apply the following rules to the use of your personal data for AI model training. This mirrors Section 3 of our Terms of Service and is reproduced here for privacy transparency:
- First-party models (internal tools): We may use aggregated, anonymized, and de-identified signals (such as feature usage statistics or non-identifying interaction patterns) to improve internal routing logic, classifiers, and platform features. We do not train generative models directly on your identifiable personal data, prompts, uploaded files, or private outputs.
- Third-party foundation models: Some third-party AI providers may, under their own default policies, use inputs and outputs to improve or train their models. We make commercially reasonable efforts to select providers that offer "no-training" or "zero-retention" configurations for the data you submit through the Service, and to route your data through such configurations where available. Where a provider's configuration for a particular feature may permit use of your inputs or outputs for model training, we will disclose this in the feature description or in-product notice and, where required by law, obtain your consent before such use. A current summary of our provider configurations is available on request at support@wedefine.ai.
- Your right to opt out of training use of your data: You may request that your User Content (including prompts, uploaded files, AI outputs, session data, and memory) be excluded from any first-party aggregated or anonymized training signal we may compile, as described in the Terms of Service. To exercise this right, contact support@wedefine.ai with the subject line "No-Train Opt-Out".
If we ever propose to materially expand how we use personal data for AI training, we will provide at least 30 days' advance notice by email and, where required by law, obtain your consent.
No Automated Decision-Making
We do not make decisions that produce legal or similarly significant effects on you through solely automated processing (including profiling) within the meaning of GDPR Article 22. If we introduce such features in the future, we will update this Policy and comply with applicable legal requirements, including providing you with the right to human review.
Legal Basis for Processing (EEA & UK Users)
Where the EU General Data Protection Regulation (GDPR) or UK GDPR applies, we process your personal data on the following legal bases:
- Contract performance: to provide the Service you signed up for
- Legitimate interests: to improve the platform, prevent fraud, and ensure security. Our assessment is that these interests do not override your fundamental rights and freedoms because the processing is limited in scope, uses anonymized or minimized data where possible, and supports the security and integrity of the Service — which is a shared interest of all users. You may request a fuller summary of our balancing assessment by contacting support@wedefine.ai.
- Consent: for optional marketing communications (weekly digest and product updates), for any cookies or tracking technologies requiring consent under applicable law, and for any third-party AI processing where consent is legally required
- Legal obligation: where processing is required by applicable law (e.g., tax, accounting, or law enforcement cooperation)
You may withdraw consent at any time where consent is the basis for processing, without affecting the lawfulness of prior processing.
Sensitive Personal Data
We do not intentionally collect or process special categories of personal data under GDPR Article 9 (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning a person's sex life or sexual orientation). Uploading such data to the Service is prohibited by our Terms of Service § 5. If you nonetheless submit such data, we treat it as an incidental transmission for which you provide your explicit consent and lawful basis, and we do not process it for any secondary purpose. We may delete such data without notice if detected.
3. AI Data Processing
When you use AI features on the Service:
- Your inputs (text, prompts, uploaded files) are transmitted to third-party AI providers to generate outputs
- Inputs and outputs may be temporarily cached to support your session
- We may use aggregated, anonymized usage patterns to improve platform features
- Training use is governed by Section 2 above and Section 3 of our Terms of Service
Third-Party AI Providers
We use third-party AI providers to power AI features. These providers typically act as data processors under data processing agreements (DPAs) with us, which require them to process personal data on our instructions, in accordance with applicable data protection law, and subject to appropriate confidentiality and security obligations.
Some third-party AI providers may, under their own policies applicable to particular API tiers, additionally process inputs and outputs as independent controllers for their own limited purposes (including model improvement, abuse monitoring, and safety research). We will disclose this in the feature description where applicable, and you should review the relevant provider's privacy policy.
Where providers are located outside your country, we rely on Standard Contractual Clauses or equivalent transfer mechanisms (see Section 6). We do not name specific providers here as they may change; a current list is available on request at support@wedefine.ai.
We strongly encourage you to avoid including sensitive personal information (such as financial details, health information, or government IDs) in prompts or uploaded files. See the Terms of Service § 5 for the categories of data you must not upload.
Third-Party Personal Data in Your Uploads
If you upload data containing personal information about third parties, you act as the data controller for that data and we act as a data processor, as described in Section 5 of the Terms of Service. You are responsible for ensuring you have a lawful basis and for providing any required notices to those individuals.
4. Analytics
We use Vercel Analytics to collect anonymous usage statistics. This service:
- Does not collect personally identifiable information
- Is used solely for performance monitoring and traffic analysis
- Does not use cookies or cross-site tracking
5. Data Sharing
We may share your data with:
- Cloud hosting and infrastructure providers: to operate the Service
- Third-party AI providers: to process your inputs and generate outputs, under data processing agreements or, where applicable, under the provider's own independent-controller terms (see Section 3)
- Payment processors: to handle transactions securely
- Analytics providers: currently Vercel Analytics (anonymous data only)
- Legal or regulatory authorities: where required by law, legal process, or to protect our legal rights, the rights of users, or public safety
- Successors in interest: in the event of a merger, acquisition, reorganization, asset sale, or bankruptcy, your data may be transferred to the successor entity, which will be bound by this Privacy Policy or a policy providing at least equivalent protection. We will notify affected users by email at least 14 days in advance of any such transfer where feasible.
We do not sell your personal data to third parties.
We do not share your personal data with advertisers.
We do not share your personal data for cross-context behavioral advertising (as defined under the California Consumer Privacy Act, as amended).
6. International Data Transfers
Our Service is operated globally. Your data may be processed in countries outside your own, including countries that may not have the same data protection laws as your jurisdiction.
Processing Locations
Your personal data may be processed in any of the following locations, depending on the provider and feature used:
- The country or countries in which the operator of the Service is based
- The United States (for cloud hosting, AI inference, and payment processing)
- The European Union (for cloud hosting and AI inference, where applicable)
- Other countries in which our third-party service providers operate data centers
You may request a list of the primary processing locations applicable to your data by contacting support@wedefine.ai.
Transfer Safeguards (EEA, UK, Swiss Users)
Where we transfer personal data from the EEA, UK, or Switzerland to third countries that have not received an adequacy decision, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission, with the UK International Data Transfer Addendum and Swiss adaptations where applicable
- Equivalent mechanisms recognized under applicable law (such as approved certifications or binding corporate rules)
- Transfer risk assessments, including supplementary measures where required by the Schrems II decision (for example, encryption in transit and at rest, access controls, and documented responses to government access requests)
Transfers under Other Data Protection Regimes
Where our processing is subject to China's Personal Information Protection Law (PIPL), Brazil's LGPD, or other cross-border transfer regimes, we comply with applicable requirements, which may include standard contract filings, security assessments, or certifications as required by the competent authority.
You may request a copy of our transfer safeguards and transfer risk assessments by contacting support@wedefine.ai.
7. Data Retention
We retain your data for the following periods:
- Account data: retained while your account is active, and for up to 90 days after account deletion to allow for recovery, then permanently deleted or anonymized
- User Content (prompts, uploads, outputs, session data): retained while your account is active; deleted on account deletion in accordance with Section 9
- Memory data: retained while your account is active; deleted on account deletion (subject to the 90-day recovery window and any active legal hold)
- Usage and activity logs: retained for up to 12 months, then deleted or anonymized
- Payment records: retained for the period required by applicable tax and accounting laws (typically up to 7 years)
- Technical and security logs: retained for up to 90 days for security monitoring purposes
- Email preference records: retained for the duration of your account to honor your communication preferences
"Anonymized" means data that has been irreversibly processed to remove all fields that could reasonably identify an individual (including username, email, and account association), such that re-identification is not reasonably possible.
After the applicable retention period, data is securely deleted or anonymized. We may retain data longer if required by law, to resolve ongoing disputes, or where data is subject to a legal hold in connection with actual or reasonably anticipated legal proceedings, regulatory investigations, or law enforcement requests. Data under legal hold will be deleted or anonymized as soon as the hold is lifted.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your personal data ("right to be forgotten")
- Object to or restrict certain types of processing
- Data portability: receive your data in a structured, machine-readable format
- Withdraw consent at any time where processing is based on consent (including withdrawing consent to marketing emails)
For EEA/UK/Swiss users: these rights are granted under the GDPR, UK GDPR, and the Swiss Federal Act on Data Protection. You also have the right to lodge a complaint with your local data protection authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/board/members_en. The UK supervisory authority is the Information Commissioner's Office (ICO) at https://ico.org.uk. The Swiss authority is the Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch.
For California users (CCPA/CPRA): you may have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including:
- The right to know what personal information we collect, use, disclose, and retain
- The right to delete your personal information
- The right to correct inaccurate personal information
- The right to limit the use and disclosure of sensitive personal information
- The right to opt out of the sale or sharing of personal information
- The right to non-discrimination for exercising your privacy rights
We do not sell personal information and do not share personal information for cross-context behavioral advertising. Because we do not engage in these activities, we do not offer a separate "Do Not Sell or Share" link; if this changes, we will provide one. To exercise your CCPA/CPRA rights, contact support@wedefine.ai.
Under California Civil Code § 1798.83 ("Shine the Light"), California residents may request information about disclosures of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.
For users in other jurisdictions (including Brazil (LGPD), Canada (PIPEDA), Australia, Japan (APPI), South Korea (PIPA), China (PIPL), and others): we honor the rights afforded to you under your applicable local law. To exercise these rights, contact support@wedefine.ai.
Data Protection Officer
As an early-stage platform, we have not formally appointed a Data Protection Officer (DPO), as we do not meet the thresholds for mandatory appointment under Article 37 of the GDPR. For any data protection matters, including requests that would otherwise be directed to a DPO, please contact: support@wedefine.ai.
EU/UK Representative
If you are located in the EEA or UK and we are required to appoint a representative under Article 27 of the GDPR or UK GDPR, the representative's contact details will be published here. As of the effective date of this Policy, we have determined that the Article 27 threshold is not met, based on the current scale, nature, context, and purposes of our processing and the likely risk to the rights and freedoms of data subjects. We will reassess this determination periodically, and will appoint and disclose a representative promptly if our processing scope changes or if we are notified that appointment is required. For any inquiries in the meantime, please contact support@wedefine.ai.
How to Exercise Your Rights
Submit a request to support@wedefine.ai with the subject line "Privacy Request", describing the right you wish to exercise. We will respond within 30 days (or as required by applicable law; some jurisdictions require shorter response periods). We may ask you to verify your identity before processing your request to protect your information. We will not discriminate against you for exercising your rights.
If we decline your request, we will explain why and inform you of your right to appeal or lodge a complaint with your supervisory authority.
9. Data Deletion
You may:
- Delete specific User Content directly within the Service
- Request full account deletion by contacting support@wedefine.ai
We will process deletion requests within 30 days. Following deletion, residual copies may persist in backups for up to 90 days before being purged, unless we are legally required to retain the data longer (including under a legal hold as described in Section 7).
Deleting your account also stops all email communications from the Service, including transactional emails.
10. Security
We implement reasonable technical and organizational safeguards to protect your data, including:
- Encrypted data transmission (HTTPS/TLS)
- Access controls limiting data access to authorized personnel
- Regular security monitoring
However, no system is completely secure. We cannot guarantee the absolute security of your information.
Data Breach Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, as required by GDPR and other applicable law. We will also notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms. For users in jurisdictions with specific breach notification requirements (including U.S. state laws, China's PIPL, and others), we will comply with the applicable local standard.
11. Children's Privacy
The Service is not intended for users under the age of 13, or the higher minimum age of digital consent applicable in your country or region (for example, 16 in Germany, Ireland, and several other EU member states; 15 in France; 14 in Spain, Italy, and Austria).
We do not knowingly collect personal data from children below the applicable minimum age. If we become aware that a user below the minimum age has registered or submitted personal data, we will promptly delete the account and all associated data.
For U.S. users, we comply with the Children's Online Privacy Protection Act (COPPA) with respect to users under 13.
If you believe a user below the applicable minimum age has registered on our platform, please contact us at support@wedefine.ai.
12. Changes to This Policy
We may update this Privacy Policy from time to time.
For material changes (including changes to how we use your data, the types of data we collect, the legal basis for processing, the categories of recipients with whom we share data, or international transfer arrangements), we will notify you by email at least 14 days before the changes take effect. For users in jurisdictions requiring longer advance notice, we will comply with that longer period.
For minor updates, we will update the "Last updated" date at the top of this page.
Continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.
13. Email Communications
We send the following types of emails to users. In all jurisdictions, we aim to comply with applicable anti-spam law, including the U.S. CAN-SPAM Act, Canada's Anti-Spam Legislation (CASL), the EU ePrivacy Directive, and equivalent regimes.
Transactional Emails (always sent while your account is active, no opt-out)
Magic Link login emails are sent when you request to log in to your account. These emails are essential to operating the Service and are sent regardless of your notification preferences. To stop receiving all emails from the Service (including magic link emails), you must delete your account as described in Section 9.
Service Notification Emails (sent based on your activity)
Workspace notification emails may be sent when something tied to your account changes state — for example, when a long-running task you initiated completes, when a scheduled agent run finishes, or when a saved workflow produces a new result. These notifications are directly related to your activity on the platform. You can manage these notifications through your account settings or by using the unsubscribe link included in each email.
Product Update Emails (consent-based)
Product update emails may be sent periodically to highlight new apps and capabilities added to the workspace, and changes that may improve your workflows. These emails are sent only to users who have opted in.
- At registration, you will be shown an opt-in checkbox: "Send me product updates" (unchecked by default). You must actively check this box to subscribe.
- You may withdraw consent at any time by clicking the unsubscribe link included in every such email, or by updating your preferences in your account settings.
- Unsubscribe requests are processed without undue delay, and in any case within 10 business days (U.S. CAN-SPAM requirement; typically within 48 hours in practice).
- Unsubscribing from product update emails does not affect transactional or workspace notification emails.
We do not send unsolicited commercial email. We do not share your email address with third parties for their marketing purposes.
14. Contact
For questions, concerns, or requests related to this Privacy Policy or your personal data:
Email: support@wedefine.ai
We aim to respond to all privacy-related inquiries within 30 days. We reserve the right to designate additional contact addresses (for example, privacy@) in the future; any such addresses will be published on the Service.