Privacy Policy

When you create a Squad account, we collect information necessary to identify you and provide the Service. This includes your name, email address, organization name (if applicable), and authentication credentials. If you sign up through a third-party identity provider such as Google or GitHub, we receive the profile information that provider shares with us, which typically includes your name, email address, and profile photo.

For paid plans, we collect billing information through our payment processor. We do not store full credit card numbers on our servers. Your payment processor relationship is governed by their own privacy policy.

Squad’s BYOS model requires you to connect your own AI model provider subscriptions. When you connect a provider — such as Anthropic (Claude), GitHub (Copilot), or OpenAI (Codex) — we collect and store the credentials necessary to authenticate with that provider on your behalf. This may include API keys, OAuth tokens, or other authentication artifacts.

All BYOS credentials are encrypted at rest using AES-256 encryption. They are decrypted only at the moment of use, held in memory for the duration of the API call, and never logged, cached to disk, or transmitted to any party other than the provider you have configured. You can disconnect a provider at any time, which triggers immediate deletion of the associated credentials from our systems.

Customer Content is the data you provide to or generate through the Service in the course of your agent workflows. This includes prompts, instructions, code, documents, files, and any other inputs you provide to your AI agents, as well as the outputs those agents produce.

Squad processes Customer Content as a conduit. We route it between you and your configured model providers, and between agents within a workflow. We do not retain Customer Content beyond the duration of the active workflow plus any user-configurable retention window. We never use Customer Content to train, fine-tune, or improve Squad’s own models or algorithms. This is a core commitment of our platform.

Coordination Metadata is operational data generated by Squad’s orchestration engine as it routes tasks between agents. It includes task routing decisions, agent assignments, timing data, token usage counts, workflow topology (which agents were involved and in what order), success/failure signals, and performance metrics.

Coordination Metadata does not include the substance of your prompts, code, or outputs. It is structural and operational in nature — it describes how work moved through the system, not what the work contained.

We use Coordination Metadata in identifiable form to provide you with analytics, insights, and work receipts about your agent workflows. We also use an anonymized and aggregated version of Coordination Metadata to improve our routing algorithms and platform performance. Section 3 (Three-Tier Data Model) describes these uses in detail.

When you access Squad through our website or desktop application, we automatically collect technical information about your device and connection. This includes your IP address, browser type and version, operating system, device type, screen resolution, language preference, and referring URL. For our desktop application, we also collect application version, crash reports, and basic performance telemetry.

This information is used to ensure compatibility, diagnose technical issues, detect and prevent abuse, and improve the user experience.

We use cookies and similar technologies (such as local storage and session storage) for several purposes:

• Essential cookies maintain your authentication session, remember your preferences, and ensure the Service functions correctly. These cannot be disabled.
• Analytics cookies help us understand how users interact with our website and Service, which pages are visited most frequently, and where users encounter errors. We use this information to improve the Service.
• Marketing cookies are used to deliver relevant content and measure the effectiveness of our marketing campaigns. These are only set with your consent and can be disabled at any time through your cookie preferences.

Most browsers allow you to control cookies through their settings. Blocking essential cookies may impair the functionality of the Service.

The primary purpose of data collection is to provide, maintain, and improve the Service. This includes authenticating your identity, connecting to your BYOS model providers, routing tasks between agents, generating work receipts and agent traces, providing analytics and insights about your workflows, and delivering customer support.

We use anonymized Coordination Metadata — never Customer Content — to improve Squad’s coordination algorithms. This means we analyze patterns in how tasks are routed, which agent combinations produce successful outcomes, where bottlenecks occur, and how workflow topologies evolve over time. All of this analysis is performed on data that has been stripped of identifying information and aggregated across users.

We do not and will not use Customer Content — your prompts, code, documents, or agent outputs — to train, fine-tune, or otherwise improve any Squad model, algorithm, or service. This is a foundational commitment of our platform, not merely a current practice.

We use your Coordination Metadata in identifiable form to provide you with detailed analytics about your agent workflows. This includes work receipts (showing what each agent did, in what order, and how long it took), cost attribution (breaking down token usage by provider, agent, and task), performance trends, and workflow optimization suggestions.

These analytics are visible only to you and members of your organization who have appropriate permissions. They are a core feature of the Service, not a secondary use of your data.

We use Account Information, Device & Browser Information, and usage patterns to detect, investigate, and prevent unauthorized access, abuse, fraud, and other harmful activities. This includes monitoring for unusual login patterns, credential stuffing attempts, API abuse, and violations of our Terms of Service.

We use your email address to send transactional communications related to the Service, such as account verification, security alerts, billing notifications, and product updates. These communications are necessary for the operation of the Service and cannot be opted out of while you maintain an active account.

With your consent, we may also send marketing communications about new features, events, or content we believe may be relevant to you. You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by updating your communication preferences in your account settings. Opting out of marketing does not affect transactional communications.

When you configure a workflow, Squad routes your Customer Content to the external model providers you have selected. This is the core function of the Service. Which providers receive your data is entirely determined by your workflow configuration. Squad transmits Customer Content to these providers using your credentials and does not retain copies after transmission.

Each external model provider has its own privacy policy and data practices. We strongly encourage you to review the privacy policies of any provider you connect through Squad. Squad is not responsible for how external providers handle your data once it leaves our systems. See Section 5 (BYOS Data Flow) for additional detail.

We work with third-party service providers who perform functions on our behalf. These include:

• Cloud hosting providers that host our infrastructure and store encrypted data.
• Payment processors that handle billing and subscription management.
• Analytics providers that help us understand how the Service is used.
• Communication providers that deliver transactional and marketing emails.
• Security providers that help us detect and prevent threats.

All service providers are bound by data processing agreements that restrict their use of your data to the specific services they provide to us. They are prohibited from using your data for their own purposes. We select providers based on their security practices and compliance certifications.

If you use Squad as part of an organization account, certain information may be visible to other members of your organization based on the permissions and roles configured by your organization administrator. This may include your name, email address, workflow activity, and Coordination Metadata. Organization administrators can configure team-level permissions, visibility settings, and data sharing policies within the Service.

Your organization’s administrator controls these settings. If you have questions about what data is visible within your organization, contact your administrator.

We may disclose your data if we believe in good faith that disclosure is necessary to:

• Comply with a legal obligation, subpoena, court order, or governmental request.
• Protect the rights, property, or safety of Squad, our users, or the public.
• Detect, prevent, or address fraud or security issues.
• Enforce our Terms of Service or other agreements.

Where legally permitted, we will notify you of any legal demand for your data before disclosure. We will narrow the scope of disclosure to the minimum required by law.

We may share aggregated or de-identified data that cannot reasonably be used to identify you. This includes Service Data (Tier 3) and anonymized Coordination Metadata. We use industry-standard de-identification techniques and do not attempt to re-identify anonymized data.

If Squad is involved in a merger, acquisition, bankruptcy, or sale of all or a portion of its assets, your data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your data becomes subject to a different privacy policy.

When you execute a workflow, Squad acts as a coordination layer between you and your model providers. Customer Content flows from you to Squad, then from Squad to the provider(s) your workflow specifies, then back through Squad to you. During this process, Squad holds Customer Content in memory for the minimum time necessary to complete the routing operation. It is not persisted to long-term storage except within the user-configurable retention window described in Section 6.

Think of Squad as a network switch for AI agents. Data passes through us, but we do not store or inspect the payload.

You decide which model providers are connected to your account. You decide which agents and providers are assigned to each workflow. You can configure different providers for different tasks within the same workflow. Squad executes the routing you specify and does not independently decide to send your data to a provider you have not configured.

If a workflow involves multiple providers (for example, Claude for code review and Copilot for code generation), each provider receives only the portion of Customer Content relevant to its assigned task, unless you have configured the workflow to share context across agents.

Once Customer Content is transmitted to an external model provider, that provider’s privacy policy and data practices govern how they handle it. This is a fundamental aspect of the BYOS model: you maintain direct relationships with your model providers, and their terms apply to data they receive.

We encourage you to carefully review each provider’s policies regarding data retention, training data usage, and data sharing before connecting them to Squad. Key questions to consider include whether the provider uses your inputs to train their models, how long they retain your data, and whether they share data with third parties.

Squad provides documentation identifying the data each connected provider receives and links to their respective privacy policies. However, Squad cannot control and is not responsible for the privacy practices of external providers.

All data in transit is encrypted using TLS 1.2 or higher. This includes data flowing between your device and Squad, between Squad and your model providers, and between internal Squad services. BYOS credentials are encrypted at rest using AES-256 encryption with keys managed through a dedicated key management service. Customer Content and Coordination Metadata are encrypted at rest using the encryption mechanisms provided by our cloud infrastructure provider.

Access to production systems and user data is restricted to authorized Squad personnel on a need-to-know basis. We use role-based access controls, multi-factor authentication, and audit logging for all access to sensitive systems. Access reviews are conducted regularly, and access is promptly revoked when no longer needed.

Our infrastructure is hosted on industry-leading cloud providers that maintain SOC 2 Type II, ISO 27001, and other relevant certifications. We implement network segmentation, intrusion detection, vulnerability scanning, and regular penetration testing. Our infrastructure is monitored 24/7 for anomalies and potential threats.

We maintain a documented incident response plan that covers detection, containment, investigation, remediation, and notification. In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities within the timeframes required by applicable law. Our target is to notify affected users within 72 hours of confirming a breach.

No method of electronic transmission or storage is 100% secure. While we implement commercially reasonable security measures, we cannot guarantee absolute security. We encourage you to use strong, unique passwords, enable multi-factor authentication on your Squad account, and protect your BYOS provider credentials.

You have the right to request a copy of the personal information we hold about you. This includes Account Information, Coordination Metadata, and any other data associated with your account. You can access most of this information directly through your account settings and analytics dashboard. For a comprehensive export, contact us at privacy@trysquad.ai.

You have the right to correct inaccurate personal information we hold about you. You can update most Account Information directly through your account settings. For corrections to other data, contact us.

You have the right to request deletion of your personal information. You can delete your account at any time through your account settings, which will trigger deletion of all associated data according to the retention schedules in Section 6. You can also request deletion of specific data categories by contacting us. Note that some data may be retained if required by law or for legitimate business purposes (such as resolving disputes or enforcing our Terms of Service).

You have the right to receive your data in a structured, commonly used, machine-readable format. We provide data exports in JSON format. You can request an export of your Account Information, Coordination Metadata, and any retained Customer Content by contacting us. We will fulfill export requests within 30 days.

You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, by updating your communication preferences in your account settings, or by contacting us. We will process opt-out requests within 10 business days.

You can manage your cookie preferences through the cookie settings available on our website. You can also control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of the Service.

Enterprise customers can opt out of having their anonymized Coordination Metadata used for algorithm improvement. This opt-out applies to all data associated with the enterprise account, including data from individual users within the organization. Contact us at privacy@trysquad.ai to exercise this option.

Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”), California residents have the following rights:

• Right to Know: You can request details about the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You can request correction of inaccurate personal information.
• Right to Opt Out of Sale/Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. Therefore, there is no need to opt out of these practices.
• Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (such as account credentials) only to provide the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

We will respond to verified CCPA requests within 45 days, with the possibility of a 45-day extension if reasonably necessary. You may submit up to two requests per 12-month period.

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of authorization and may still contact you to verify your identity directly.

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws may have similar rights, including the right to access, correct, delete, and obtain a portable copy of their data, as well as the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

We honor these rights for all users regardless of state residence. Response timelines vary by state but we aim to respond to all requests within 45 days. If you believe we have not adequately addressed your request, you may have the right to appeal our decision by contacting us, and the right to lodge a complaint with your state attorney general.

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers: name, email address, IP address, account ID.
• Commercial information: subscription tier, billing history, feature usage.
• Internet or network activity: browser type, pages visited, interaction with the Service.
• Professional or employment information: organization name and role (if provided).
• Inferences: workflow preferences and usage patterns derived from Coordination Metadata.

We collect this information from the sources described in Section 1 and use it for the purposes described in Section 2. We share it with the categories of recipients described in Section 4.

We process your personal data on the following legal bases:

• Contract performance (Article 6(1)(b)): Processing Account Information, BYOS Credentials, and Customer Content as necessary to provide the Service under our Terms of Service.
• Legitimate interests (Article 6(1)(f)): Processing Coordination Metadata for product improvement (in anonymized form), processing Device & Browser Information for security and fraud prevention, and sending transactional communications. Our legitimate interests include operating, improving, and securing the Service.
• Consent (Article 6(1)(a)): Processing data for marketing communications and non-essential cookies. You can withdraw consent at any time.
• Legal obligation (Article 6(1)(c)): Processing data as required to comply with applicable laws and regulations.

Under the GDPR, you have the following rights in addition to those described in Section 8:

• Right to Restriction: You can request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests.
• Right to Object: You can object to our processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Right to Withdraw Consent: Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at the European Data Protection Board website.

We will respond to GDPR data subject requests within one month of receipt. This period may be extended by up to two additional months if the request is complex or if we receive a high volume of requests. We will inform you of any such extension within one month of receipt.

There is no fee for exercising your GDPR rights. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, particularly if it is repetitive.

Squad does not train any machine learning model, neural network, or AI system on Customer Content. This includes but is not limited to:

• We do not use your prompts, code, documents, or files as training data.
• We do not use agent outputs generated from your workflows as training data.
• We do not use your data for fine-tuning, reinforcement learning from human feedback (RLHF), or any other model improvement technique.
• We do not allow third parties to use your Customer Content for training purposes through our platform.

This commitment applies regardless of your plan tier and cannot be overridden by Terms of Service changes without explicit notice and your affirmative consent.

While we do not train on Customer Content, we do use anonymized Coordination Metadata to improve Squad’s coordination algorithms. To be specific about what this means:

• We use anonymized workflow patterns (which agents were assigned, in what order, for what duration) to train routing models that optimize how tasks are distributed across agents.
• We use anonymized success/failure signals to train selection models that recommend optimal agent combinations for different task types.
• We use anonymized timing data to train scheduling models that predict and minimize latency.

This training uses only structural and operational metadata. The substance of your work — what you asked, what was produced, what your code does — is never part of this training data. Enterprise customers can opt out of this usage entirely.

Squad makes automated decisions about how to route tasks between agents and model providers. These decisions are based on your workflow configuration, agent capabilities, provider availability, historical performance data, and Squad’s coordination algorithms. While these routing decisions are automated, they do not produce legal effects or similarly significant effects concerning you as contemplated by the GDPR. They affect which AI agent processes a specific task within your workflow.

You always retain the ability to override automated routing by manually specifying agent assignments in your workflow configuration. You can also view the routing decisions made for any workflow through your work receipts and agent traces.

When you use Squad to route Customer Content to external model providers (Claude, Copilot, Codex, etc.), those providers may have their own policies regarding the use of your data for training their models. Squad does not control and cannot override these provider policies.

It is your responsibility to review the data practices of each provider you connect through Squad and to configure your provider settings accordingly. Many providers offer options to opt out of training data usage — we recommend you review and configure these options directly with each provider.

Squad provides information in our documentation about the current training data policies of commonly connected providers, but we cannot guarantee the accuracy or currency of this information. Always refer to the provider’s own privacy policy for authoritative information.

TrySquad, Inc. acts as the data controller for Account Information, Device & Browser Information, and Service Data. This means we determine the purposes and means of processing this data. We collect and process this data to provide, secure, and improve the Service as described in this policy.

Squad acts as a data processor for Customer Content. You (or your organization) are the data controller for Customer Content, and you determine the purposes and means of its processing. Squad processes Customer Content solely on your instructions — specifically, the instructions embodied in your workflow configurations and agent assignments.

For enterprise customers, we offer a Data Processing Agreement (DPA) that formalizes this relationship and includes the Standard Contractual Clauses approved by the European Commission for international data transfers. Contact us at privacy@trysquad.ai to request a DPA.

Coordination Metadata presents a nuanced case. For identifiable Coordination Metadata used to provide you with analytics, Squad acts as a processor, processing the data on your behalf to deliver a feature of the Service. For anonymized Coordination Metadata used for algorithm improvement, Squad acts as a controller, as we determine the purposes and means of this processing independently.

For transfers of personal data from the EEA or UK to the United States, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission and, where applicable, the UK International Data Transfer Addendum. We also implement supplementary measures, including encryption and access controls, to ensure your data is protected during and after transfer.

You can request a copy of the SCCs we use by contacting us at privacy@trysquad.ai.

When you route Customer Content to external model providers through Squad, that content may be processed in the locations where your selected providers operate. These locations are determined by your provider, not by Squad. For example, if you connect to a provider that processes data in the EU, your content routed to that provider will be processed in the EU. If you connect to a provider that processes data in the US, your content will be processed in the US.

You are responsible for ensuring that your use of external providers complies with any applicable data localization requirements. Squad provides documentation identifying the processing locations of commonly connected providers, but you should verify this information directly with your providers.