Privacy Policy

This Privacy Policy describes how Epsilon LLC ("ActionLayer", "we", "us") collects, uses, and shares information in connection with the ActionLayer service (the "Service"). By using the Service you agree to the practices described here.

We collect the following categories of information:

• Account information. Name, work email, organization name, password hash, and OAuth identifiers when you sign up.
• Customer Data. Email content (inbound and outbound), drafts, attachments, contact records, and thread metadata that pass through the Service so we can route, deliver, and store them on your behalf.
• Billing information. Plan selection, invoices, and payment status. Card details are collected and stored by Stripe; we never see or store full card numbers.
• Usage and log data. IP address, browser/device info, request timestamps, API endpoints invoked, and error traces — used to operate, secure, and debug the Service.
• Cookies. Strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies.

We use the information we collect to:

• Operate, maintain, and improve the Service.
• Authenticate users and protect against abuse and fraud.
• Process transactions and send billing notices.
• Send transactional notifications (approval requests, quota warnings, security alerts) — not marketing email by default.
• Comply with legal obligations and enforce our Terms.

We do not use the content of your emails to train AI models, and we do not sell Customer Data.

We share information only as needed to operate the Service, with the following categories of recipients:

• Subprocessors. Amazon Web Services (hosting, email transport via SES), Stripe (payments), Postmark (transactional notifications). Each subprocessor is bound by a data-processing agreement.
• Legal obligations. When required by law, subpoena, or valid government request.
• Business transfers. In connection with a merger, acquisition, or sale of assets, with notice to you.

We retain Customer Data for the duration of your subscription plus a reasonable grace period to allow export. Account, billing, and audit records may be retained longer where required by law. You can request deletion of your account and associated data at any time (see "Your rights" below).

We use industry-standard practices including TLS encryption in transit, encryption at rest for sensitive fields, scoped API keys, role-based access controls, and audit logging. No system is completely secure; if we become aware of a breach affecting your data we will notify you in accordance with applicable law.

Depending on where you live, you may have the right to access, correct, export, or delete your personal information, to object to or restrict certain processing, and to lodge a complaint with a supervisory authority. To exercise these rights, email support@actionlayer.dev. We will respond within the timeframe required by applicable law.

ActionLayer is operated from the United States. If you access the Service from outside the US, your information will be transferred to, stored, and processed in the US and other countries where our subprocessors operate. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

The Service is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be announced by email or in-app notice. The "Last updated" date at the top of this page indicates when the policy was last revised.

Questions or requests about your privacy? Email support@actionlayer.dev.