Privacy Policy

Last updated: February 11, 2026

1. Introduction

TOO “NOCODIA” (“Company,” “we,” “us,” or “our”) operates the Teamly platform (the “Service”). This Privacy Policy explains what personal data we collect, how we use it, how we share it, and your rights regarding your data.

This Policy applies to all users of the Service worldwide. While the laws of the Republic of Kazakhstan govern our operations, we provide GDPR-compatible protections to all users regardless of their location. For users in the United States, additional state-specific rights are described in Section 11 of this Policy.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service.

2. Data Controller & Privacy Officer

The data controller responsible for your personal data is:

TOO “NOCODIA”

BIN: 220840027580

Address: ul. Maulenova, dom 38, kv. 10, Almaty, Republic of Kazakhstan

Privacy Officer Email: privacy@teamly.run

Our designated Privacy Officer is responsible for overseeing compliance with this Policy and applicable data protection laws. All privacy-related inquiries, complaints, and data subject requests should be directed to privacy@teamly.run.

3. Data We Collect

3.1 Account Data

When you register, we collect your name, email address, and authentication credentials. Account authentication is managed through our provider, Clerk, which may store additional identity verification data.

3.2 Payment Data

Payment processing is handled by our billing partner, Polar.sh. We do not directly store your credit card numbers or bank account details. We receive transaction confirmations, subscription status, and billing history from Polar.sh.

3.3 Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, IP addresses, browser type and version, operating system, device information, screen resolution, referring URLs, and approximate geolocation derived from IP address.

3.4 Agent Data

When you use the Service, your AI agent configurations, prompts, logs, and outputs are processed within your isolated Cell. You retain full ownership of this data. We may access Agent Data only as necessary to provide the Service, troubleshoot issues at your request, or comply with legal obligations.

3.5 Communication Data

When you contact us for support, feedback, or inquiries, we collect the content of your communications, including email addresses, subject lines, and message bodies.

3.6 Cookies and Tracking Technologies

We use cookies and similar technologies as described in our Cookie Policy. This includes session cookies, persistent cookies, web beacons, pixels, and browser local storage.

3.7 Data We Do Not Collect

We do not knowingly collect: Social Security numbers, government-issued identification numbers, biometric data, genetic data, precise geolocation data, protected health information (PHI), financial account numbers, or data from known child-directed services.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Service Delivery: Account management, Cell provisioning, agent deployment, and platform operations
  • Billing: Processing payments, managing subscriptions, and sending invoices
  • Improvement: Analyzing usage patterns to improve the Service, develop new features, and optimize performance
  • Security: Detecting and preventing fraud, abuse, and security threats
  • Support: Responding to your inquiries and providing customer support
  • Legal Compliance: Complying with applicable laws, regulations, and legal processes
  • Communications: Sending service-related notifications, updates, and marketing communications (with your consent where required by law)

WE DO NOT SELL, RENT, OR LEASE YOUR PERSONAL DATA TO THIRD PARTIES. WE DO NOT USE YOUR PERSONAL DATA FOR AUTOMATED DECISION-MAKING OR PROFILING THAT PRODUCES LEGAL OR SIMILARLY SIGNIFICANT EFFECTS.

5. Legal Basis for Processing

We process your personal data on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service under our Terms of Service
  • Legitimate Interests: Analytics, security, service improvement, and fraud prevention. We have conducted balancing tests to ensure our legitimate interests do not override your fundamental rights and freedoms
  • Consent: Where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal
  • Legal Obligations: Compliance with applicable laws and regulations of the Republic of Kazakhstan, the United States, the European Union, and other applicable jurisdictions

6. Data Sharing and Third-Party Processors

We do not sell, share (as defined under CCPA/CPRA), rent, or trade your personal data to or with third parties for monetary or other valuable consideration. We share data only as necessary to operate the Service through the following processors, each bound by Data Processing Agreements (DPAs):

| Processor | Purpose | Data Categories | Location |
|-----------|---------|-----------------|----------|
| Clerk | Authentication & identity | Account data, session tokens | United States |
| Convex | Backend database & real-time data | Account data, usage data, agent configs | United States |
| Fly.io | Cloud infrastructure (Cells) | Agent data, runtime data | United States / EU |
| Polar.sh | Billing & payment processing | Transaction data, subscription status | United States / EU |
| Anthropic | AI model provider | Agent prompts, inputs, outputs | United States |
| OpenAI | AI model provider | Agent prompts, inputs, outputs | United States |

Agent prompts and communications are routed to AI model providers through the ClawBot orchestration engine and the OpenClaw gateway as necessary to execute AI agent tasks. Both ClawBot and OpenClaw are open-source components used under the MIT License (see our Open Source Licenses page).

We may also disclose your data: (a) when required by law, subpoena, court order, or governmental regulation; (b) when necessary to protect our rights, property, or safety, or that of our users or the public; (c) in connection with a merger, acquisition, reorganization, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy; or (d) with your prior written consent.

7. International Data Transfers

Your data may be processed and stored in jurisdictions outside the Republic of Kazakhstan, including the United States and the European Union, where our third-party service providers operate.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not deemed to provide an adequate level of data protection, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): EU Commission-approved standard contractual clauses incorporated into our Data Processing Agreements with sub-processors
  • EU-U.S. Data Privacy Framework: Where applicable, transfers to U.S. providers certified under the EU-U.S. Data Privacy Framework
  • Supplementary Measures: Encryption in transit and at rest, access controls, and pseudonymization where technically feasible

You may request a copy of the safeguards we use for international transfers by contacting privacy@teamly.run.

8. Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law. Specific retention periods are:

  • Account Data: Retained for the duration of your account plus 30 days after account deletion to allow for account recovery
  • Usage Logs: Retained for up to 12 months, then anonymized or deleted
  • Agent Data: Deleted upon Cell termination; Cell data is ephemeral by nature and may be lost at any time during normal operation
  • Payment Records: Retained for the minimum period required by Kazakhstan tax and financial regulations (currently 5 years)
  • Communication Data: Retained for up to 24 months from last interaction
  • Marketing Consent Records: Retained for 3 years after consent withdrawal as proof of prior consent

Upon expiration of the retention period, data is securely deleted or irreversibly anonymized. You may request earlier deletion subject to applicable legal retention requirements (see Section 10).

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (HTTPS/TLS 1.2+) and at rest
  • Role-based access controls and principle of least privilege
  • Isolated computing environments (Cells) for agent workloads
  • Regular security assessments and vulnerability scanning
  • Employee security awareness training
  • Incident response and data breach procedures

HOWEVER, NO METHOD OF TRANSMISSION OVER THE INTERNET OR ELECTRONIC STORAGE IS 100% SECURE. WE CANNOT GUARANTEE ABSOLUTE SECURITY OF YOUR DATA. THE COMPANY SHALL NOT BE LIABLE FOR DATA BREACHES OR UNAUTHORIZED ACCESS BEYOND THE EXTENT OF COMMERCIALLY REASONABLE SECURITY MEASURES IMPLEMENTED.

10. Your Rights (General)

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of your personal data in a portable, machine-readable format
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data, subject to legal retention requirements
  • Restriction of Processing: Request that we limit how we use your data while we verify its accuracy or legitimacy of processing
  • Data Portability: Request your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV)
  • Objection: Object to processing based on legitimate interests, including profiling
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Complaint: Lodge a complaint with a supervisory authority in your jurisdiction

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@teamly.run. We will:

  • Acknowledge receipt of your request within 10 business days
  • Verify your identity through your registered email address or account credentials
  • Provide a substantive response within 30 calendar days (or 45 days for complex requests, with notice)
  • Not discriminate against you for exercising any privacy right

You may also designate an authorized agent to submit requests on your behalf. The authorized agent must provide written authorization signed by you, and we may require you to verify your identity directly.

11. U.S. State Privacy Rights

If you are a resident of a U.S. state with applicable privacy legislation, this section provides additional disclosures and rights required by law.

11.1 California (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with specific rights regarding your personal information.

Categories of Personal Information Collected (Past 12 Months):

  • Identifiers: Name, email address, IP address, account ID
  • Commercial Information: Subscription records, payment history, transaction data
  • Internet Activity: Browsing history within the Service, feature usage, interaction data
  • Geolocation Data: Approximate location derived from IP address (not precise GPS)
  • Inferences: Usage patterns used to improve Service features and user experience

We Do Not:

  • Sell your personal information (as “sell” is defined under CCPA/CPRA)
  • Share your personal information for cross-context behavioral advertising
  • Use or disclose sensitive personal information for purposes beyond those permitted by CCPA §1798.121
  • Collect personal information from individuals we know to be under 16 years of age

Your California Rights:

  • Right to Know: Request what personal information we collected, used, disclosed, and sold in the preceding 12 months
  • Right to Delete: Request deletion of your personal information, subject to legal exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your data, so this right is automatically honored
  • Right to Limit Sensitive PI Use: We do not collect sensitive personal information beyond what is necessary to provide the Service
  • Right to Non-Discrimination: We will not deny you goods or services, charge different prices, or provide a different quality of service for exercising your rights

Response Timeline: We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days. If additional time is needed (up to 90 days total), we will notify you in writing.

Verification: To protect your privacy, we will verify your identity before fulfilling requests by matching the information you provide with information we already have on file. We may ask you to confirm your email address or provide additional verification.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must provide: (a) your signed written permission; and (b) proof of the agent's identity. We may still require you to verify your own identity directly.

Financial Incentives: We do not offer financial incentives for the collection, sale, or deletion of personal information.

Shine the Light: Under California Civil Code §1798.83, California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. As stated above, we do not disclose personal information to third parties for their direct marketing purposes.

11.2 Virginia (VCDPA)

Virginia residents have the right to: access their personal data, correct inaccuracies, delete personal data, obtain a portable copy, and opt out of targeted advertising, sale of personal data, and profiling. We do not engage in targeted advertising, sale of data, or profiling as defined under the VCDPA.

11.3 Colorado (CPA)

Colorado residents have the right to: access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, sale of personal data, and profiling. We honor Global Privacy Control (GPC) signals as a valid opt-out mechanism for Colorado residents.

11.4 Connecticut (CTDPA)

Connecticut residents have rights to: access, correct, delete, and obtain portable copies of personal data, and opt out of targeted advertising, sale of data, and profiling. We do not engage in these practices.

11.5 Other U.S. States

Residents of Utah, Texas, Oregon, Montana, Tennessee, Indiana, Iowa, and other states with enacted consumer privacy laws may exercise rights provided under their respective statutes by contacting us at privacy@teamly.run. We will process requests in accordance with applicable state law.

11.6 Opt-Out Preference Signals

We honor browser-based opt-out preference signals, including the Global Privacy Control (GPC), as a valid request to opt out of the sale or sharing of personal information under applicable state law. If we detect a GPC signal from your browser, we will treat it as a valid opt-out request for the browser and device from which the signal is sent.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we commit to the following:

  • Internal Detection: We maintain incident response procedures to detect, investigate, and contain data breaches promptly
  • Regulatory Notification: Where required by law, we will notify the applicable supervisory authority within the legally mandated timeframe (72 hours under GDPR; as required by applicable U.S. state breach notification laws)
  • User Notification: We will notify affected users without unreasonable delay, and in any event within the timeframes required by applicable law, via email to the address associated with your account
  • Notification Content: Breach notifications will include: (a) a description of the nature of the breach; (b) the categories and approximate number of affected records; (c) the likely consequences; (d) measures taken or proposed to address the breach; and (e) contact information for further inquiries

For California residents, notification will be provided in accordance with California Civil Code §1798.82. For all other U.S. states, we will comply with the applicable state breach notification statute.

13. Children's Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal data from children under 13 (or under 16 in jurisdictions where GDPR applies). We do not knowingly sell or share the personal information of consumers under 16 years of age.

If we become aware that we have collected data from a minor without proper parental consent, we will take steps to delete such data within a commercially reasonable time. If you believe that a child has provided us with personal data, please contact us at privacy@teamly.run.

14. AI-Specific Data Processing

When you use AI agents through the Service, your prompts, inputs, and agent configurations are transmitted to third-party AI model providers (such as Anthropic or OpenAI) for processing. This transmission is necessary to deliver the core functionality of the Service.

14.1 How AI Data is Processed

  • Agent prompts and inputs are routed through the ClawBot orchestration engine and OpenClaw gateway to the selected AI model provider
  • AI model outputs are returned to your Cell and displayed in the Service
  • Prompts and outputs may be temporarily cached for performance optimization but are not permanently stored by the Company beyond the retention periods described in Section 8

14.2 AI Training Opt-Out

The Company does not use your Content or agent interactions to train or improve AI models. However, third-party AI providers may have their own data usage and training policies. We contractually require our AI providers not to use your data for model training, but you should review their privacy policies independently:

  • Anthropic Privacy Policy
  • OpenAI Privacy Policy

14.3 Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) for the processing of personal data through AI agents, as the processing involves new technologies and may present a high risk to data subjects. A summary of the DPIA findings is available upon request by contacting privacy@teamly.run.

YOU ARE SOLELY RESPONSIBLE FOR ENSURING THAT ANY PERSONAL DATA YOU SUBMIT TO AI AGENTS COMPLIES WITH APPLICABLE DATA PROTECTION LAWS. DO NOT SUBMIT SENSITIVE PERSONAL DATA (SUCH AS HEALTH RECORDS, FINANCIAL INFORMATION, OR GOVERNMENT IDENTIFIERS) TO AI AGENTS UNLESS YOU HAVE ENSURED APPROPRIATE LEGAL BASIS AND SAFEGUARDS.

15. Do Not Track & Global Privacy Control

Global Privacy Control (GPC): We honor GPC signals as a valid opt-out of sale/sharing of personal information under applicable U.S. state privacy laws (including CCPA/CPRA and Colorado CPA). When we detect a GPC signal, we apply it to the specific browser and device transmitting the signal.

Do Not Track (DNT): Some browsers transmit “Do Not Track” signals. There is currently no universally accepted standard for responding to DNT signals. We treat GPC signals as the authoritative opt-out mechanism but do not alter data collection practices in response to DNT signals alone, as there is no legal requirement to do so in most jurisdictions.

16. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will:

  • Provide at least 30 days' advance notice via email to your registered address or through a prominent notice within the Service
  • Update the “Last updated” date at the top of this Policy
  • Clearly describe the changes made and their effective date

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms. If you do not agree with the changes, you must discontinue use of the Service before the effective date and may request deletion of your data.

17. Contact

For privacy-related inquiries, to exercise your data rights, or to file a privacy complaint, contact us:

TOO “NOCODIA”

BIN: 220840027580

Address: ul. Maulenova, dom 38, kv. 10, Almaty, Republic of Kazakhstan

Privacy Officer: privacy@teamly.run

We aim to resolve all privacy complaints within 30 calendar days. If you are not satisfied with our response, you may lodge a complaint with the applicable supervisory authority in your jurisdiction, or seek judicial remedy as permitted by law.