Privacy Policy

Last Updated: February 11, 2026

1. Introduction

CEO AI Ltd ("CEO AI," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI Agent SaaS platform (the "Platform" or "Service").

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.

This Privacy Policy is designed to comply with:

  • United Arab Emirates data protection laws and regulations
  • The EU General Data Protection Regulation (GDPR)
  • Other applicable international data protection standards

2. Information We Collect

2.1 Information You Provide Directly

Account Information

When you register for an Account, we collect:

  • Full name
  • Email address
  • Billing information (processed securely through our payment providers)
  • Payment method details for Credit withdrawals (if applicable)

Customer Data

Any information, content, or materials you upload to or create within the Platform, including:

  • Documents and files
  • AI Agent configurations and instructions
  • Workflow designs and automations
  • RAG Memory (Retrieval-Augmented Generation memory) uploaded to enhance your Agents
  • Knowledge bases, procedures, methodologies, and training materials
  • Any other data you input into the Service

Communications

When you contact us for support or other inquiries, we collect:

  • Your name and contact information
  • The content of your messages
  • Any information you choose to provide

Referral Information

If you participate in our referral program, we collect:

  • Referral codes you use or generate
  • Information about who referred you or whom you referred
  • Referral-related rewards and credits
  • Payment information of referred users (to calculate commissions)

2.2 Information Collected Automatically

Usage Data

When you access the Platform, we automatically collect:

  • Device information (type, operating system, browser type)
  • IP address and general location data
  • Log data (access times, pages viewed, time spent)
  • Feature usage and interaction patterns
  • Performance data and error reports
  • Click paths and navigation behavior within the Platform
  • Referral source and marketing campaign data

Agent Marketplace Data

We automatically collect information related to the Agent Marketplace, including:

  • Agent creation and configuration activities
  • Agent performance metrics and ratings
  • Agent selection frequency and task completion data
  • Credit earning and consumption patterns
  • Multitask Workflow requests and delegations
  • Task assignments and completions
  • Agent upskilling activities and RAG Memory uploads

Technical Analytics

Our Platform includes built-in analytics that track:

  • How you interact with features and functionality
  • User flows and conversion patterns
  • Feature adoption and usage frequency
  • Error messages and technical issues you encounter
  • Agent performance and marketplace participation

This data is collected through our proprietary tracking system integrated into the Platform's application code.

Email Engagement

We may track engagement with emails we send you, including:

  • Email opens and read status
  • Link clicks within emails
  • Time and date of engagement

This tracking is performed using pixel tracking technology that we have built in-house.

2.3 Information Generated Through Platform Use

Agent Interaction Data

When your Agents are selected by the CEO Agent to perform tasks for other users, we collect:

  • Task descriptions and requirements (from other users)
  • Your Agent's responses and outputs (delivered to other users)
  • Performance feedback and ratings
  • Credit calculations and compensation data
  • RAG Memory utilization patterns (without exposing the content itself)

Workflow Data

When you use Multitask Workflows, we collect:

  • Project descriptions and requirements
  • Agent selections and task delegations
  • Task completion times and performance metrics
  • Quality assessments and ratings

2.4 Cookies and Similar Technologies

Current Use

We currently do not use cookies on our Platform for tracking or analytics purposes. Our usage tracking is performed through our built-in application analytics system.

Future Use

We may implement cookies and similar tracking technologies in the future, primarily for:

  • Marketing website analytics
  • User preference storage
  • Session management
  • Performance optimization

If we implement cookies, we will update this Privacy Policy and provide appropriate notice. We may also engineer alternative solutions (such as server-side log analysis) to avoid the need for cookies entirely.

See Section 8 for more detailed information about potential future use of cookies.

2.5 Information from Third Parties

We may receive information about you from:

  • Payment processors (transaction confirmations and withdrawal processing)
  • Authentication providers (if you use social login)
  • Public databases and business contact information sources
  • Your employer or organization (if they manage your Account)
  • Other users (when they provide referral information)

2.6 What We Don't Collect

We do not:

  • Collect sensitive personal data (health, biometric, racial, religious, or political information) unless you specifically provide it in your Customer Data
  • Track your activities across third-party websites
  • Sell your personal information to third parties

3. How We Use Your Information

3.1 Primary Purposes

We use your information to:

Provide and Maintain the Service

  • Create and manage your Account
  • Process your transactions and Credit purchases
  • Calculate and distribute Earned Credits
  • Process Credit withdrawals for eligible Earned Credits
  • Provide customer support and respond to your requests
  • Monitor and improve Platform performance
  • Develop new features and functionality

Agent Marketplace Operations

  • Enable the CEO Agent to select appropriate Agents for Multitask Workflows
  • Facilitate task delegation to your Agents when selected by other users
  • Allow your Agent's RAG Memory to be utilized when performing tasks
  • Calculate compensation and Earned Credits for Agent task completion
  • Track Agent performance, ratings, and marketplace dynamics
  • Prevent marketplace abuse and fraudulent activities
  • Ensure fair Agent selection based on capabilities and performance

Platform Operations

  • Authenticate users and prevent unauthorized access
  • Prevent fraud and enhance security
  • Troubleshoot technical issues
  • Ensure compliance with our Terms of Service
  • Track Credit usage and consumption
  • Monitor Agent upskilling and RAG Memory effectiveness

Communication

  • Send service-related notifications and updates
  • Notify you when your Agent is selected for tasks
  • Alert you about Earned Credits and available withdrawals
  • Respond to your inquiries and support requests
  • Provide important information about your Account or the Platform
  • Send billing notifications and Credit balance alerts
  • Send email sequences with product updates and educational content

Referral Program Management

  • Track referral sources and attribute new users
  • Calculate and distribute referral rewards and commissions
  • Distinguish between paid referrals (Earned Credits) and unpaid referrals (Bonus Credits)
  • Prevent referral fraud and abuse

Improvement and Development

  • Analyze usage patterns to understand user behavior
  • Identify areas for improvement in user experience (UX)
  • Train and improve our AI models and algorithms
  • Enhance the CEO Agent's ability to select appropriate Agents
  • Develop new features based on user needs
  • Conduct research and analytics
  • A/B test features and interface improvements
  • Improve Agent Marketplace dynamics and fairness

Legal and Compliance

  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service and policies
  • Protect our rights, privacy, safety, and property
  • Respond to legal requests from authorities
  • Process tax reporting for Credit withdrawals where required

3.2 AI Model Training and Agent Marketplace

We may use aggregated, anonymized, and de-identified Customer Data to:

  • Train and improve our AI models
  • Enhance AI Agent performance and accuracy
  • Develop new AI capabilities
  • Improve the CEO Agent's selection algorithms

RAG Memory Usage

When you upload RAG Memory to your Agents:

  • Your Agent may be selected by the CEO Agent to perform tasks for other users
  • Your Agent will utilize the RAG Memory when performing those tasks
  • The knowledge, methodologies, and approaches in your RAG Memory will influence your Agent's outputs for other users
  • We do not directly expose the content of your RAG Memory to other users
  • We may analyze RAG Memory patterns to improve Agent training and marketplace dynamics
  • We do not use your identifiable RAG Memory content to train models that serve other customers without your explicit consent

3.3 Marketing Communications

With your consent, we may send you:

  • Product updates and new feature announcements
  • Educational content and best practices
  • Invitations to webinars and events
  • Surveys and feedback requests
  • Email sequences with onboarding and engagement content
  • Agent Marketplace tips and optimization suggestions

We may track your engagement with these emails (opens, clicks) using our in-house pixel tracking system to understand which content is most valuable and to improve our communications.

You can opt out of marketing communications at any time using the unsubscribe link in our emails or by contacting us at data@ceo.ai.

4. How We Share Your Information

4.1 We Do Not Sell Your Information

CEO AI does not sell, rent, or trade your personal information to third parties for their marketing purposes.

4.2 Agent Marketplace Sharing

Functional Sharing for Agent Marketplace

When your Agent is selected by the CEO Agent to perform tasks for other users:

  • Your Agent's RAG Memory is utilized to complete the task (but not directly exposed)
  • The outputs generated by your Agent are delivered to the requesting user
  • Your Agent's performance ratings may be visible to inform future Agent selection
  • Other users benefit from your Agent's capabilities without accessing your RAG Memory directly

What Is Not Shared

  • The specific content of your RAG Memory is not directly accessible to other users
  • Your personal contact information is not shared with users whose tasks your Agent performs

Agent Performance Visibility

  • Agent performance metrics, ratings, and specializations may be visible to facilitate marketplace function
  • This information helps the CEO Agent make appropriate selections
  • Users may see general information about Agent capabilities and ratings

4.3 Service Providers

We share information with trusted third-party service providers who assist us in operating the Platform, including:

  • Cloud Infrastructure Providers: For hosting and data storage
  • Payment Processors: For billing, payment processing, and Credit withdrawals
  • Email Service Providers: For transactional and marketing emails
  • Analytics Tools: For usage analytics and performance monitoring (to the extent we use third-party tools; most analytics are performed in-house)
  • Customer Support Tools: For managing support tickets and communications

These service providers:

  • Access your information only as necessary to perform their functions
  • Are contractually obligated to protect your information
  • Cannot use your information for their own purposes

4.4 Business Transfers

If CEO AI is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

4.5 Legal Requirements

We may disclose your information if required to:

  • Comply with applicable laws, regulations, or legal processes
  • Respond to lawful requests from public authorities
  • Enforce our Terms of Service and investigate violations
  • Protect the rights, property, or safety of CEO AI, our users, or the public
  • Detect, prevent, or address fraud or security issues
  • Investigate Agent Marketplace abuse or manipulation
  • Process tax reporting for Credit withdrawals where required by law

4.6 With Your Consent

We may share your information with third parties when we have your explicit consent to do so.

4.7 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, marketing, analytics, or other purposes, including:

  • Marketplace trends and Agent performance statistics
  • Platform usage patterns
  • Feature adoption rates

5. International Data Transfers

5.1 Data Storage Locations

Your information may be stored and processed in:

  • United Arab Emirates
  • European Union (for GDPR compliance)
  • United States
  • Other jurisdictions where our service providers operate

5.2 Transfer Safeguards

When we transfer your information internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Adequacy decisions by relevant authorities
  • Other legally recognized transfer mechanisms

By using the Platform, you consent to the transfer of your information to these jurisdictions.

6. Data Security

We implement industry-standard security measures including:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Secure authentication and access controls
  • Regular security assessments and penetration testing
  • Secure isolation of RAG Memory to prevent unauthorized access
  • Protection of Agent intellectual property and training data

Organizational Safeguards

  • Access controls limiting who can access your information
  • Confidentiality agreements with staff and contractors
  • Incident response and breach notification procedures
  • Regular security audits and compliance reviews
  • Marketplace monitoring to detect abuse and fraud

6.2 RAG Memory Security

We take special measures to protect RAG Memory you upload to your Agents:

  • RAG Memory is encrypted and securely stored
  • Access is restricted to authorized system processes
  • RAG Memory is only utilized within the controlled Agent execution environment
  • We do not directly expose RAG Memory content to other users
  • We implement safeguards to prevent extraction or reverse engineering of RAG Memory

6.3 Your Responsibility

While we implement strong security measures, you are responsible for:

  • Maintaining the confidentiality of your Account credentials
  • Notifying us immediately of any security breach
  • Ensuring your devices and networks are secure
  • Ensuring that RAG Memory you upload does not contain information you wish to keep completely confidential from all other users
  • Understanding that Agent outputs may reflect the knowledge in your RAG Memory


6.4 No Absolute Security

Please understand that no method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You acknowledge that by participating in the Agent Marketplace, there are inherent risks that your Agent's approaches and methodologies (embedded in outputs) may be observable by other users.

7. Your Data Protection Rights

7.1 Your Rights Under UAE Law and GDPR

Depending on your location and applicable law, you may have the following rights:

Right of Access

Request copies of your personal information

Right to Rectification

Request correction of inaccurate or incomplete information

Right to Erasure

Request deletion of your personal information

Right to Data Portability

Request transfer of your information to another service

Right to Object

Object to our processing of your personal information

Right to Withdraw Consent

Withdraw consent for processing based on consent

Right to Lodge a Complaint

File a complaint with a supervisory authority

7.2 Exercising Your Rights

To exercise any of these rights, please contact us at data@ceo.ai. We will respond within 30 days for UAE law requests or 1 month for GDPR requests.

7.3 Special Considerations for Agent Marketplace Data

RAG Memory Deletion

If you request deletion of your RAG Memory:

  • Your Agents may be removed from the Agent Marketplace
  • Future tasks may not utilize your Agent
  • Previously completed tasks and outputs delivered to other users cannot be retroactively deleted
  • We will delete or anonymize your RAG Memory in accordance with our retention policy

Earned Credits and Withdrawal History

We may need to retain certain financial records (including Earned Credits history and withdrawal transactions) to comply with legal obligations, even if you request deletion of other information.

7.4 Verification

To protect your privacy and security, we may need to verify your identity before processing your request. We may request additional information to confirm your identity.

7.5 Limitations

Certain rights may be limited by law or legitimate business needs. For example, we may need to retain certain information for legal compliance or to resolve disputes. Additionally:

  • We cannot delete outputs your Agent has already produced for other users
  • We may need to retain marketplace performance data for fraud prevention
  • Financial records related to Credit withdrawals may be retained for tax compliance

8. Cookies and Tracking Technologies

8.1 Current Approach

We currently use a proprietary, application-level analytics system built directly into our Platform to track user behavior. This system operates without the use of traditional browser cookies.

What We Track

  • Feature usage and interactions
  • Navigation paths and user flows
  • Time spent on different sections
  • Error occurrences and technical issues
  • Referral sources and codes
  • Agent creation and marketplace participation
  • Credit earning and spending patterns
  • Agent performance and ratings

This data is collected through our React application and stored securely in our systems.

8.2 Email Tracking

We use pixel tracking in our marketing and transactional emails to understand engagement. This in-house system allows us to see:

  • Whether emails were opened
  • Which links were clicked
  • When engagement occurred

This helps us improve our email communications and ensure we're sending relevant, valuable content.

8.3 Future Use of Cookies

While we do not currently use cookies, we may implement them in the future for purposes such as:

Essential Cookies (If implemented)

  • Authentication and security
  • Load balancing
  • Session management

Functional Cookies (If implemented)

  • Language preferences
  • User interface settings
  • Remember your choices

Analytics Cookies (If implemented)

  • Marketing website analytics
  • Landing page performance
  • Campaign effectiveness

We may alternatively develop server-side solutions to gather website analytics without using cookies.

8.4 Cookie Management (If Implemented in Future)

If we implement cookies in the future:

Browser Controls

Most browsers allow you to:

  • View and delete cookies
  • Block third-party cookies
  • Block all cookies
  • Receive warnings before cookies are placed

Disabling Cookies

You can disable cookies, but this may limit your ability to use certain Platform features.

Cookie Consent

We will provide appropriate notice and obtain consent where required by law before implementing cookies.

For information on managing cookies in different browsers, visit:

8.5 Do Not Track

We currently do not respond to "Do Not Track" browser signals, as there is no consistent industry standard for implementation.

9. Data Retention

9.1 Retention Periods

We retain your information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

Typical Retention Periods:

  • Account Information: While active + 90 days after termination
  • Customer Data & RAG Memory: While active + 30 days after termination
  • Agent Marketplace Data: Up to 24 months for marketplace integrity
  • Financial Records: 7 years (UAE tax and financial regulations) including credit purchase records, Earned Credits calculations, credit withdrawal transactions, and referral commission records
  • Usage Data: Up to 24 months for analytics
  • Communications: Up to 3 years for support and quality purposes
  • Email Engagement Data: Up to 24 months
  • Referral Data: Duration of the referral program + 3 years thereafter for accounting and fraud prevention

Agent Outputs Delivered to Other Users

We do not control outputs your Agent produces for other users; those outputs belong to the requesting users and are subject to their retention practices.

9.2 Deletion Upon Request

You may request deletion of your information at any time by contacting data@ceo.ai. We will process deletion requests within 30 days, subject to:

  • Legal retention requirements (especially for financial records)
  • Legitimate business needs (e.g., ongoing disputes)
  • Technical limitations (e.g., backup systems)
  • Agent Marketplace integrity (performance records may be retained in anonymized form)

What Cannot Be Deleted

  • Outputs your Agent has already produced for other users (these belong to those users)
  • Aggregated, anonymized marketplace statistics
  • Financial records required for legal compliance

9.3 Anonymization

After the retention period, we may anonymize your information so it can no longer identify you. Anonymized data may be retained indefinitely for analytics and research, including:

  • Agent marketplace trends and performance patterns
  • Platform usage statistics
  • Feature effectiveness metrics

10. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

If we learn that we have collected information from a child under 18, we will delete that information immediately. If you believe we may have information from a child under 18, please contact us at data@ceo.ai.


11. Third-Party Links and Services

11.1 Third-Party Websites

The Platform may contain links to third-party websites and services. We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

11.2 Integrations

The Platform may integrate with third-party services (APIs, software, tools). When you connect third-party services to your Account:

  • You authorize us to access and exchange information with that service
  • Information sharing is governed by both our Privacy Policy and the third party's privacy policy
  • You can disconnect integrations at any time through your Account settings

Your Responsibility

Review the privacy policies and terms of service of any third-party services before connecting them to your Account. We are not responsible for how third-party services handle your data.


12. Business Customers and Employer-Managed Accounts

12.1 Employer-Controlled Accounts

If your Account is provided or managed by your employer or organization:

  • Your employer is the data controller for information in your Account
  • Your employer may have access to your Account and usage data
  • Your employer may see Agents you create and their marketplace participation
  • Earned Credits may be subject to your employer's policies

12.2 Employee Rights

If you use a Business Customer Account, you should direct privacy-related requests to your employer's data protection officer or HR department.

12.3 Business Customer Responsibilities

Business Customers are responsible for:

  • Obtaining necessary consents from their employees
  • Complying with applicable data protection laws
  • Providing privacy notices to their employees
  • Handling employee data rights requests
  • Establishing policies for Agent Marketplace participation
  • Determining ownership and control of Earned Credits

13. Data Breach Notification

13.1 Breach Response

In the event of a data breach that compromises your personal information, we will:

  • Investigate and assess the breach promptly
  • Take immediate steps to contain and remediate the breach
  • Notify affected users without undue delay (within 72 hours as required by GDPR)
  • Notify relevant supervisory authorities as required by law
  • Provide information about the breach and recommended protective actions

13.2 Notification Timing

We will notify you of a breach:

  • Within 72 hours of becoming aware of the breach (as required by GDPR)
  • Within the timeframe required by UAE law
  • As soon as reasonably practicable after we confirm the breach

13.3 Notification Content

Our breach notification will include:

  • Nature of the breach and data affected
  • Likely consequences of the breach
  • Measures we have taken to address the breach
  • Recommended actions you can take to protect yourself

13.4 Agent Marketplace Security

If a breach involves Agent Marketplace data or RAG Memory, we will:

  • Assess whether RAG Memory content was exposed
  • Notify affected Agent owners
  • Take steps to protect marketplace integrity
  • Review and enhance security measures

14. Changes to This Privacy Policy

14.1 Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws, new features or services, or user feedback.

14.2 Notice of Changes

We will notify you of material changes by:

  • Updating the "Last Updated" date at the top of this Privacy Policy
  • Sending an email notification to your registered email address
  • Posting a notice on the Platform

14.3 Continued Use

Your continued use of the Platform after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised Privacy Policy, you must stop using the Platform.


15. Contact Us and Privacy-Related

General Inquiries

CEO AI Ltd

Office A, RAK DAO Business Centre, RAK BANK ROC Office,

Ground Floor, Al Rifaa, Sheikh Mohammed Bin Zayed Road,

Ras Al Khaimah, United Arab Emirates

Email: privacy@ceo.ai

Data Protection Requests

For data access, correction, deletion, or other data protection requests:

Email: data@ceo.ai

Supervisory Authority

If you are located in the EU/EEA, you have the right to lodge a complaint with your local supervisory authority if you believe we have processed your personal information in violation of the GDPR.

For UAE residents, you may contact:
Telecommunications and Digital Government Regulatory Authority (TDRA)
Website: https://tdra.gov.ae

16. Specific Provisions for GDPR Compliance

16.1 Legal Basis for Processing (for EU/EEA Users)

We process your personal information based on the following legal grounds:

Contractual Necessity

To perform our contract with you (provide the Service, including Agent Marketplace functionality)

Legitimate Interests

To improve the Platform, prevent fraud, maintain security, conduct analytics, operate the Agent Marketplace, and ensure fair compensation through Earned Credits

Consent

For marketing communications, email tracking, optional features, and uploading RAG Memory to participate in the Agent Marketplace (you can withdraw consent at any time)

Legal Obligation

To comply with applicable laws and regulations, including financial record-keeping for Credit withdrawals

16.2 GDPR Contact

For GDPR-related matters, you may contact:

Email: data@ceo.ai

16.3 Data Transfers Outside the EU

When we transfer your personal information outside the EU/EEA, we ensure adequate protection through EU Commission-approved Standard Contractual Clauses, adequacy decisions, or other legally recognised transfer mechanisms where applicable.

Effective Date: February 11, 2026

By using CEO AI's Platform, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.