Effective July 3, 2026
Privacy Policy
This policy explains how Astral AI collects, uses, shares, protects, and gives you control over personal data across astralos.ai and the Astral AI services.
Who controls your data
Astral AI is operated by MONICORE PORTAL L.L.C, a company based in Dubai, United Arab Emirates. For most account, workspace, billing, website, and product data, MONICORE PORTAL L.L.C is the data controller because we decide why and how that data is processed.
For content that a workspace uploads, connects, instructs agents to process, or routes through third-party tools, we may act as a processor or service provider on behalf of the workspace owner, depending on the context.
Privacy contact: Amad Arif Khan, owner of Astral AI / MONICORE PORTAL L.L.C. Email: help@astralos.net.
Information we collect
We collect account and profile data such as your name, email address, avatar, timezone, authentication identifiers, onboarding answers, selected use cases, agent names, workspace setup choices, and product preferences.
We process workspace and collaboration data such as workspace names, roles, memberships, invite links, access settings, agent configuration, group chat participants, read state, pinned or muted state, activity records, routine runs, sub-agent records, and audit-style metadata.
We process content you and your agents create or handle, including chat messages, threads, prompts, instructions, uploaded or linked content, attachments, artifacts, documents, files, library items, generated outputs, sandbox commands, code, logs, terminal output, voice, audio, transcription, phone, SMS, WhatsApp, and email content when those features are used.
If you connect third-party services, we process connected-account identifiers, provider names, scopes, OAuth state, authorization metadata, token expiry, API keys, OAuth tokens, refresh tokens, and similar credentials. Astral AI is designed so agents and language models do not receive raw credentials.
We process billing data such as workspace plan, credit balance, purchased credits, subscription status, checkout status, auto-recharge settings, Stripe customer IDs, checkout session IDs, payment intent IDs, event IDs, invoice/payment metadata, and transaction records. We do not intentionally store full card numbers or card security codes.
We collect usage, device, and log data such as IP address, browser, device type, operating system, referring pages, timestamps, cookies, local storage, API requests, model usage, token counts, tool calls, run status, latency, errors, diagnostics, security events, and infrastructure logs.
Agent memory
Astral AI agents can summarize conversations and create memory artifacts so they remember facts, preferences, decisions, entities, instructions, and project context across sessions.
Memory may be created from messages, chats, agent-written summaries, library documents, artifacts, user instructions, scheduled runs, and background consolidation runs.
Workspaces may include controls that affect whether your messages are included in memory consolidation. These controls affect future memory processing, but may not automatically remove already-created records from backups, logs, billing records, or other users' workspace content.
How we use information
We use personal data to provide, operate, secure, and maintain Astral AI; create and authenticate accounts; create workspaces, agents, chats, artifacts, routines, sandboxes, integrations, and billing records; route prompts and context to AI models and tools; stream responses; save chat history; create memories; generate summaries; run routines; and execute requested agent work.
We also use personal data to process payments and credits, send service messages and support replies, debug errors, monitor uptime, improve reliability, prevent abuse, develop product features, comply with legal obligations, enforce terms, resolve disputes, and respond to lawful requests.
Legal bases
Depending on where you are located, our legal bases may include contract performance, consent, legal obligation, legitimate interests or comparable lawful grounds where permitted, and other permitted grounds such as public interest or legal claims.
For UAE users and other cases where consent or statutory exceptions are required, we rely on consent where required and otherwise on permitted grounds such as contract performance, legal obligations, public interest, or legal claims.
AI processing
Astral AI sends prompts, context, files, tool outputs, and other content to AI model providers when needed to answer you or perform requested work. The exact provider may depend on your selected model, routing settings, connected account, availability, fallback rules, and workspace configuration.
AI processing may include chat completion and streaming, tool planning, tool-result interpretation, summarization, memory extraction, embeddings, retrieval, voice transcription, voice generation, image generation, or other modality-specific processing if enabled.
We do not use your workspace content to train a public Astral AI foundation model. Third-party AI providers may process data under their own terms, data-processing agreements, or enterprise controls depending on the provider and route used.
Cookies and similar technologies
We use cookies, local storage, and similar technologies to keep you signed in, protect sessions, prevent abuse, remember preferences, cache product data for faster loading, understand basic usage, and diagnose reliability issues.
We do not currently use advertising cookies to sell or share personal information for cross-context behavioral advertising. If that changes, we will update this policy and provide legally required choices.
How we share information
We share personal data only when needed for the Services, when you direct us to, or when legally required.
We use service providers and subprocessors for hosting, database, authentication, realtime infrastructure, storage, model routing, AI models, payments, email, scheduling, sandboxes, integrations, communications, analytics, support, logging, and security.
Provider categories include Vercel, Supabase, OpenRouter and model providers reached through it, Stripe, Resend, Daytona, Composio and connected third-party app providers, Upstash QStash or cloud scheduler providers, and voice, transcription, phone, SMS, WhatsApp, and communication providers such as Deepgram, ElevenLabs, Twilio, Meta, Google, or other channel providers when those features are used.
Content and activity inside a workspace may be visible to other members of that workspace according to their roles, permissions, chat participation, and product settings.
When you connect a service or instruct an agent to act through a service, we share the data necessary to perform that action with that service.
We may disclose information to comply with law, enforce terms, detect or investigate fraud or abuse, protect users or the platform, or complete a merger, acquisition, financing, restructuring, sale of assets, or similar transaction.
International transfers
We are based in Dubai, United Arab Emirates, and use providers that may process data in the UAE, United States, European Economic Area, United Kingdom, and other countries.
When personal data is transferred internationally, we use appropriate safeguards where required, such as contracts with service providers, data-processing terms, technical security controls, and other lawful transfer mechanisms.
Data retention
We keep personal data for as long as reasonably needed to provide the Services, maintain security, comply with law, resolve disputes, enforce agreements, and preserve workspace history that users expect agents to remember.
Account and workspace data is kept while the account or workspace is active. Chats, messages, artifacts, files, memories, routine runs, and agent activity are kept until deleted through available product controls, removed by an administrator where permitted, or deleted after a verified privacy request, subject to exceptions.
Billing, payment, tax, credit, and fraud-prevention records may be kept longer where required by law or legitimate business needs. Security, diagnostic, and infrastructure logs are kept for limited periods appropriate to their purpose. Backups may retain deleted data for a limited time until overwritten or expired.
Security
We use technical and organizational measures designed to protect personal data, including authentication and session controls, workspace isolation, role-based access controls, Supabase Row Level Security, route-level access checks, encryption in transit, provider-supported encryption at rest, vault-backed or secret-reference storage for sensitive credentials where supported, just-in-time credential resolution, output-scrubbing patterns, service-role separation, logging, monitoring, and abuse-prevention controls.
No method of transmission or storage is perfectly secure. If you believe your account or workspace has been compromised, contact us immediately.
Your choices and rights
Depending on where you live, you may have rights to access personal data, receive information about processing and sharing, correct inaccurate data, delete data, restrict or object to certain processing, withdraw consent, request portability, object to certain automated processing, ask for human review where legally required, opt out of sale or sharing where those concepts apply, and complain to a data protection authority.
To exercise rights, email help@astralos.net. You can also use /user-data-deletion for deletion instructions. We may need to verify your identity and account authority before acting on a request. Workspace content may also be controlled by the workspace owner or administrator, so some requests may need to be handled through that workspace.
California privacy notice
Where the California Consumer Privacy Act applies, we may collect identifiers, customer records, commercial information, internet or network activity, approximate geolocation, audio or electronic content, professional or workspace information, inferences, and sensitive personal information such as account credentials, connected-service tokens, content you choose to provide, and payment-related metadata handled by Stripe.
We collect this information from you, workspace administrators or members, your devices, connected services, payment processors, authentication providers, integration providers, AI/model providers, and service logs.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not knowingly sell or share personal information of people under 16.
California residents may request to know, access, delete, correct, limit certain sensitive personal information uses, opt out of sale/sharing, and not be discriminated against for exercising privacy rights.
UAE, European, and UK rights
Where the UAE Personal Data Protection Law applies, you may have rights to receive information about processing, request portability, request correction or erasure, restrict or stop processing, object to certain automated processing, contact the controller, and submit a complaint to the competent authority.
Where GDPR or UK GDPR applies, you may have rights to be informed, access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making and profiling. You may also have the right to complain to your local supervisory authority.
Automated decisions
Astral AI uses automated systems and AI agents to generate responses, route models, summarize content, run tools, detect abuse, meter usage, and enforce budgets.
We do not intend to make decisions based solely on automated processing that produce legal or similarly significant effects about you without a lawful basis and any required safeguards. Where applicable law gives you a right to object or request human review, contact help@astralos.net.
Children
Astral AI is intended for professionals, founders, teams, and other users old enough to manage an online work account. It is not directed to children under 16. If you believe a child has provided personal data to Astral AI, contact help@astralos.net and we will take appropriate action.
Changes to this policy
We may update this policy as Astral AI, the law, or our providers change. When changes are material, we will take reasonable steps to notify users, such as updating the effective date, posting a notice, or sending an email.