Privacy Policy

Last Updated: August 29, 2025

OpenSesame AI Inc. (“OpenSesame,” “we,” “our,” or “us”) respects your privacy and is committed to protecting it through our compliance with this Privacy Policy. This Policy explains how we collect, use, disclose, and safeguard your information when you use our products and services, including Cell (our embeddable AI agent and interface).

By accessing or using our Services, you agree to this Policy. If you do not agree, please discontinue use of the Services.

1. Who We Are

OpenSesame AI Inc. is incorporated under the laws of Ontario, Canada, with headquarters in Toronto. We build Cell, an embeddable AI interface that allows product teams to transform their APIs into natural-language agents.

We operate in compliance with Canadian privacy law, including the Personal Information Protection and Electronic Documents Act (PIPEDA), and maintain a SOC 2 Type I certification (and are pursuing/maintaining SOC 2 Type II) to ensure industry-standard security and privacy controls.

2. Information We Collect

We collect the following types of information when you use our Services:

a. Information you provide directly

Account information (name, email, company, billing details)
API keys or configuration data you supply when integrating Cell into your systems
Support requests, feedback, or communications

b. Information collected automatically

Usage data (queries, interactions, logs) used to improve performance and reliability
Device and technical information (browser type, IP address, operating system)

c. Information processed through integrations

Cell may access or process data from your connected applications (e.g., APIs, CRMs, ERPs, or productivity tools).
This data is processed only as instructed by you and your organization. We do not sell or repurpose integration data.

3. How We Use Information

We use collected information to:

Provide, operate, and maintain the Services
Securely process and route natural-language queries to your APIs and systems
Improve and personalize Cell’s functionality and performance
Comply with legal obligations and audit requirements (including SOC 2 controls)
Communicate with you regarding updates, security, or support

4. How We Share Information

We do not sell personal information. We may share information in limited cases:

Service Providers: With trusted vendors who help us operate infrastructure, cloud hosting, and security.
Enterprise Customers: If you access Cell through your employer or organization, usage data may be visible to your administrator.
Legal Compliance: When required to comply with law, regulation, or valid legal process.
Business Transactions: In the event of a merger, acquisition, or sale of assets, subject to confidentiality protections.

5. Data Security and SOC 2 Compliance

We take data protection seriously:

SOC 2 Type I Certified: Our policies, procedures, and systems have been independently audited for security, availability, and confidentiality controls.
Encryption: All data in transit is encrypted (TLS 1.2+), and sensitive data at rest is encrypted using industry standards (AES-256).
Access Control: Data access is restricted on a need-to-know basis with multi-factor authentication and role-based permissions.
Monitoring & Incident Response: We monitor for unusual activity and have defined escalation procedures.

Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser.

We use both session and persistent Cookies for the purposes set out below:

6. Data Retention

We retain personal information only as long as necessary to fulfill the purposes described in this Policy or as required by law.

Query logs and integration data are retained according to your organization’s settings and agreements with us.

7. International Data Transfers

As a Canadian company, your information may be processed in Canada, the United States, or other jurisdictions where we or our service providers operate. We ensure appropriate safeguards are in place for cross-border data transfers.

8. Your Rights

Depending on your jurisdiction, you may have rights to:

Access and obtain a copy of your personal information
Request corrections or deletion of your personal information
Withdraw consent for processing (where applicable)
File a complaint with your local privacy regulator (in Canada, the Office of the Privacy Commissioner of Canada)
To exercise these rights, contact us at jai@opensesame.devi

9. Children’s Privacy

Our Services are not directed to children under 13 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Service before the changes take effect.