Privacy Policy

Effective Date: April 15, 2025

We at Ephor Inc. (“Ephor”, “we”, “our” or “us”) respect your privacy and are strongly committed to keeping secure any information we obtain from you or about you. This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use our website and other places where Ephor may act as a data controller and link to this Privacy Policy—for example, when you interact with Ephor.ai or other products and services (“Services”).

This Privacy Policy applies to all personal data we collect and process when you use our Services. When you include personal data in your Inputs (defined below), we process that data in accordance with this Privacy Policy to provide you with our AI inference services.

This Privacy Policy also describes your privacy rights. More information about your rights, and how to exercise them, is set out in the “Rights and Choices” section.

Additional Data Processing Terms: When you use our Services and we process personal data on your behalf additional data processing obligations are set forth in our Global Data Privacy Addendum located at https://globalprivacyaddendum.trilogy.com/. The addendum contains detailed provisions for international data transfers, sub-processing, security measures, and regional compliance requirements.

If you are located in Canada, please read section 9 of the Privacy Policy which applies to you.

If you are located in Brazil, please read section 10 of the Privacy Policy which applies to you.

1. Collection of Personal Data

We collect the following categories of personal data:

Personal data you provide to us directly

Identity and Contact Data: Ephor collects identifiers, such as your name, email address, and phone number when you sign up for an Ephor account, or to receive information on our Services. We may also collect or generate indirect identifiers.

Payment Information: We may collect your payment information if you choose to purchase access to Ephor’s products and services.

Inputs and Outputs: Our AI services allow you to prompt the Services in a variety of media including but not limited to the format of text, files and documents, photos and images, and other materials along with the metadata and other information contained therein (“Prompts” or “Inputs”), which generate responses (“Outputs” or “Completions”) based on your Inputs. If you include personal data in your Inputs, we will collect that information and this information may be reproduced in your Outputs.

Feedback on your use of our Services: We appreciate feedback, including ideas and suggestions for improvement or rating an Output in response to an Input (“Feedback”). If you rate an Output in response to an Input—for example, by using the thumbs up/thumbs down icon—we will store the related conversation as part of your Feedback.

Communication Information: If you communicate with us, including via our social media accounts, we collect your name, contact information, and the contents of any messages you send.

Personal data we receive automatically from your use of the Services

When you use the Services, we also receive certain technical data automatically (described below, collectively “Technical Information”). This includes:

Device and Connection Information: Consistent with your device or browser permissions, your device or browser automatically sends us information about when and how you install, access, or use our Services. This includes information such as your device type, operating system information, browser information and web page referrers, mobile network, connection information, mobile operator or internet service provider (ISP), time zone setting, IP address (including information about the location of the device derived from your IP address), identifiers (including device or advertising identifiers, probabilistic identifiers, and other unique personal or online identifiers).

Usage Information: We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.

Log and Troubleshooting Information: We collect information about how our Services are performing when you use them. This information includes log files. If you or your device experiences an error, we may collect information about the error, the time the error occurred, the feature being used, the state of the application when the error occurred, and any communications or content provided at the time the error occurred.

Cookies & Similar Technologies: We and our service providers use cookies, scripts, or similar technologies (“Cookies”) to manage the Services and to collect information about you and your use of the Services. These technologies help us to recognize you, customize or personalize your experience, market additional products or services to you, and analyze the use of our Services to make them safer and more useful to you. For more details about how we use these technologies, and your opt-out controls and other options, please visit our Cookie Policy.

Third-Party AI Services

Ephor uses third-party AI service providers to deliver AI inference capabilities. When you use our Services, your Inputs may be transmitted securely to these third-party providers solely for the purpose of generating AI responses (Outputs) to provide you with our core service functionality. We use encryption and secure transport protocols to protect your data during transmission.

The third-party AI service providers we work with include:

• Anthropic - Privacy policy: https://privacy.anthropic.com
• OpenAI - Privacy policy: https://privacy.openai.com/policies
• Groq - Privacy policy: https://groq.com/privacy-policy/
• Google - Privacy policy: https://policies.google.com/privacy
• Cerebras - Privacy policy: https://www.cerebras.ai/privacy-policy
• OpenRouter - Privacy policy: https://openrouter.ai/privacy

When data is processed by these third-party providers, their respective privacy policies apply to that processing.

2. Uses of Personal Data Permitted Under Applicable Data Protection Laws

We will only use your personal data in accordance with applicable laws. We rely on the following grounds where permitted under and in accordance with data protection laws, such as in the European Union (our “Legal Bases”):

Exclusion: Personal data obtained through integrations with external data sources (such as Google Drive, Google Workspace APIs, or other connected services) is used exclusively for providing our core AI inference services and is never used for marketing, advertising, service improvement beyond core functionality, or any other secondary purposes.

Where it is necessary for our legitimate interests (or those of a third party) and your interests and rights do not override our interests which include:

• providing, maintaining and improving our products and services;
• developing new features to improve service functionality;
• marketing our products and services;
• detecting, preventing and enforcing violations of our terms including misuse of services, fraud, abuse, and other trust and safety protocols;
• protecting our rights and the rights of others.

Where we need it to perform a contract with you: For example, we process Identity and Contact Data, Inputs, Outputs and Payment Information in order to provide Services to you.

Where you have given us your consent: You have the right to withdraw your consent at any time.

Where we need to comply with our legal obligations.

Ephor does not train any AI models. Your Inputs and Outputs are used solely to provide you with our AI inference services through third-party AI providers. We may retain conversation data only to maintain a safe platform and comply with legal obligations.

Google Workspace APIs and other integrated data sources are NOT used to develop, improve, or train any AI or ML models, nor are they used for marketing, advertising, or any purpose other than providing core AI inference services. We use encryption at rest and in transit to protect your information. Your personal data from integrated sources is processed by third-party AI providers in accordance with their respective privacy policies for the sole purpose of generating AI responses to your queries.

3. How We Disclose Personal Data

Ephor will disclose personal data to the following categories of third parties for the purposes explained in this Policy:

Affiliates & corporate partners: Ephor discloses the categories of personal data described above between and among its affiliates and related entities.

Service providers & business partners: Ephor may disclose the categories of personal data described above with service providers and business partners for a variety of business purposes, including website and data hosting, ensuring compliance with industry standards, auditing, data processing, and third-party AI inference services as described in Section 1.

As part of a significant corporate event: If Ephor is involved in a merger, corporate transaction, bankruptcy, or other situation involving the transfer of business assets, Ephor will disclose your personal data as part of these corporate transactions.

Third-Party Websites and Services: Our Services may involve integrations with, or may direct you to, websites, apps, and services managed by third parties. By interacting with these third parties, you are providing information directly to the third party and not Ephor and subject to the third party’s privacy policy. If you access third-party services, such as social media sites or other sites linked through the Services (e.g., if you follow a link to our Twitter account), these third-party services will be able to collect personal data about you, including information about your activity on the Services. If we link to a site or service via our Services, you should read their data usage policies or other documentation. Our linking to another site or service doesn’t mean we endorse it or speak for that third party.

Pursuant to regulatory or legal requirements, safety, rights of others, and to enforce our rights or our terms: We may disclose personal data to governmental regulatory authorities as required by law, including for legal, tax or accounting purposes, in response to their requests for such information or to assist in investigations. We may also disclose personal data to third parties in connection with claims, disputes or litigation, when otherwise permitted or required by law, or if we determine its disclosure is necessary to protect the health and safety of you or any other person, to protect against fraud or credit risk, to enforce our legal rights or the legal rights of others, to enforce contractual commitments that you have made, or as otherwise permitted or required by applicable law.

With an individual’s consent: Ephor will otherwise disclose personal data when an individual gives us permission or directs us to disclose this information.

You can find information on our Subprocessor List about the third parties Ephor engages to help us process personal data provided to us, such as with respect to personal data we receive, process, store, or host when you use Ephor’s Services.

4. Rights and Choices

Subject to applicable law and depending on where you reside, you may have some rights regarding your personal data, as described further below. We make efforts to respond to such requests. However, please be aware that these rights are limited, and certain technical constraints may apply. Ephor will not discriminate based on the exercising of privacy rights you may have.

To exercise your rights, you or an authorized agent may submit a request by emailing us at ephor@trilogy.com. After we receive your request, we may verify it by requesting information sufficient to confirm your identity. You may also have the right to appeal requests that we deny by emailing ephor@trilogy.com.

Right to know: You may have the right to know what personal data Ephor processes about you, including the categories of personal data, the categories of sources from which it is collected, the business or commercial purposes for collection, and the categories of third parties to whom we disclose it.

Access & data portability: You may have the right to request a copy of the personal data Ephor processes about you, subject to certain exceptions and conditions. In certain cases and subject to applicable law, you have the right to port your information.

Deletion: You may have the right to request that we delete personal data collected from you when you use our Services, subject to certain exceptions. You also are able to delete individual conversations, which will be removed immediately from your conversation history and automatically deleted from our back-end within 30 days.

Correction: You may have the right to request that we correct inaccurate personal data Ephor retains about you, subject to certain exceptions. Please note that we cannot guarantee the factual accuracy of Outputs generated by third-party AI services. If Outputs contain factually inaccurate personal data relating to you, you can submit a correction request and we will make a reasonable effort to address this within the technical constraints of our third-party AI services.

Objection: You may have a right to object to processing of your personal data, including profiling conducted on grounds of public or legitimate interest. In places where such a right applies, we will no longer process the personal data in case of such objection unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise or defense of legal claims. If we use your information for direct marketing, you can object and opt out of future direct marketing messages using the unsubscribe link in such communications.

Restriction: You have the right to restrict our processing of your personal data in certain circumstances.

Withdrawal of consent: Where Ephor’s processing of your personal data is based on consent, you have the right to withdraw your consent. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Automated decision-making: Ephor does not engage in decision making based solely on automated processing or profiling in a manner which produces a legal effect (i.e., impacts your legal rights) or significantly affects you in a similar way (e.g., significantly affects your financial circumstances or ability to access essential goods or services).

Sale & targeted Ephor marketing of its products and services: Ephor does not “sell” your personal data as that term is defined by applicable laws and regulations. If we share your personal data for targeted advertising to promote our products and services in the future, you can opt-out and we will honor global privacy controls.

5. Data Protection and Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption: We use encryption in transit (TLS/SSL) and at rest to protect your data during transmission and storage.

Access Controls: We maintain strict access controls and authentication mechanisms to limit access to personal data to authorized personnel only.

Secure Transmission: When transmitting your data to third-party AI providers, we use secure, encrypted connections and follow industry-standard security protocols.

Data Minimization: We only process the minimum amount of personal data necessary to provide our Services.

Regular Security Reviews: We regularly review and update our security measures to address emerging threats and vulnerabilities.

For sensitive data categories (including health information, financial data, or other protected categories), we apply additional security measures and may limit processing to only what is necessary for core service functionality.

Third-Party Security: Our third-party AI service providers are required to maintain appropriate security measures for processing your data. However, when your data is processed by these providers, their security policies and procedures apply. We encourage you to review the privacy and security policies of our third-party providers linked in Section 1.

Data Breach Response: In the event of a data breach that may pose a risk to your rights and freedoms, we will notify you and relevant authorities as required by applicable law.

Limitation of Liability: While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your personal data.

6. Data Transfers

When you access our website or Services, your personal data may be transferred to our cloud infrastructure hosted on Amazon Web Services (AWS) in the US, or to other countries outside the European Economic Area (EEA) and the UK.

Where information is transferred outside the EEA or the UK, we ensure it benefits from an adequate level of data protection through appropriate legal mechanisms including adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms as required by applicable data protection laws.

Additional Transfer Details: For detailed information about international data transfers when we process personal data on your behalf, including specific standard contractual clauses and regional requirements, please refer to our Global Data Privacy Addendum at https://globalprivacyaddendum.trilogy.com/.

7. Data Retention and Data Lifecycle

Ephor retains your personal data for as long as reasonably necessary for the purposes and criteria outlined in this Privacy Policy and explained further. When the personal data collected is no longer required by us, we and our service providers will perform the necessary procedures for destroying, deleting, erasing, or converting it into an anonymous form as permitted or required under applicable laws.

We may process personal data in an aggregated or de-identified form to analyze the effectiveness of our Services and study user behavior for the sole purpose of improving service functionality, as permitted under applicable laws. For instance:

When you submit Feedback, we may use it to improve our service functionality and user experience.

To improve user experience, we may analyze and aggregate general user behavior and usage data. This information does not identify individual users.

8. Children

Because of the nature of our business, our services are not designed to appeal to minors under the age of 13. We do not knowingly attempt to solicit or receive any information from anyone under the age of 13 (or other age as required by local law) without authorization. If you are a parent or guardian and you are aware that your child has provided us with personal data without authorization, please contact us immediately. If we learn that we have collected any personal data in violation of applicable law, we will promptly take steps to delete such information and terminate the child’s account.

9. Supplemental Disclosures for Residents of Canada

These supplemental disclosures contain additional information relevant to residents of Canada when Ephor acts as a data controller.

Consent: By using our Services, you confirm you have read, understand, and consent to the collection, use, processing, and disclosure of your personal data in accordance with this Privacy Policy. Your consent may be given expressly or implied, depending on the circumstances and the sensitivity of the information involved. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

Cross-jurisdictional Transfers: Your personal data may be transferred or disclosed to other jurisdictions for processing and storage outside of Canada, where laws regarding the protection of personal data may be different from Canadian laws.

Additional Canadian Compliance: When we process personal data on your behalf through our Services, additional Canadian data protection requirements and detailed transfer mechanisms are set forth in our Global Data Privacy Addendum at https://globalprivacyaddendum.trilogy.com/.

Contact: If you have any questions or comments about our processing of your personal data, or to exercise your rights as outlined in Section 4 (Rights and Choices), please contact us at ephor@trilogy.com.

10. Supplemental Disclosures for Residents of Brazil

These supplemental disclosures contain additional information relevant to residents of Brazil when Ephor acts as a data controller.

Legal Bases: We process your personal data in accordance with the Brazilian General Data Protection Law (LGPD). We may rely on different legal bases depending on the specific purpose of processing, such as contract performance, legitimate interests, legal obligations, or consent.

Data Subject’s Rights: Under LGPD, you have specific rights regarding your personal data, including:

• Confirmation and access: Right to confirm whether we process your data and access your personal data
• Correction: Right to request correction of incomplete, inaccurate or outdated data
• Deletion/blocking: Right to request anonymization, blocking or erasure of unnecessary or excessive data
• Portability: Right to request portability of your data to a third party
• Withdrawal of consent: Right to withdraw consent where processing is based on consent

International Data Transfers: Your personal data may be transferred to, used, processed, and stored in the United States and other countries. We use appropriate transfer mechanisms as required by LGPD.

Additional Brazilian Compliance: When we process personal data on your behalf through our Services, comprehensive LGPD compliance requirements, including detailed transfer mechanisms and data processing terms, are set forth in our Global Data Privacy Addendum at https://globalprivacyaddendum.trilogy.com/.

Supervisory Authority: The Brazilian Data Protection Authority (ANPD) is the competent supervisory authority for data protection matters in Brazil.

11. Changes to Our Privacy Policy

Ephor may update this Privacy Policy from time to time. We will notify you of any material changes to this Privacy Policy, as appropriate, and update the Effective Date. We encourage you to review that page for updates when you access the Services.

12. Contact Information

The data controller responsible for your personal data is Ephor Inc. If you have any questions about this Privacy Policy, or have any questions, complaints or requests regarding your personal data when we act as a controller, you can email us at ephor@trilogy.com.

For questions related to data processing when we act as a processor (covered by our Global Data Privacy Addendum), please contact privacy@trilogy.com.