Privacy Policy

Alchemyst, Inc. — Last updated: April 23, 2026

This Privacy Policy explains how Alchemyst, Inc. (“Alchemyst,” “we,” “us,” “our”) collects, uses, shares, and safeguards information in connection with the alchemyst.one website and the Alchemyst AI services, APIs, SDKs, models, and dashboards (collectively, the “Services”). By using the Services, you agree to this Policy.

Important: Website vs. Application Tracking

Marketing tracking tools (including Apollo.io) operate only on our public marketing website (alchemyst.one homepage, pricing, contact pages, etc.). Once you sign in and access the Alchemyst application dashboard and AI tools, NO marketing tracking scripts are active. Only essential operational logging occurs within the authenticated application to provide and secure the Services.

Contents

  1. Key Definitions & Roles
  2. Information We Collect
  3. How We Use Information
  4. Legal Bases (EEA/UK/Switzerland)
  5. How We Share Information
  6. Retention
  7. Your Choices
  8. Cookies, Analytics & Marketing Tracking
  9. Security
  10. Children’s Privacy
  11. Your Rights — EEA/UK/Switzerland
  12. Your Rights — U.S. State Laws
  13. International Data Transfers
  14. Automated Decision-Making & Profiling
  15. Third-Party Links & Services
  16. Enterprise & Processor Terms
  17. Contact

Who We Are

Alchemyst, Inc. (Delaware corporation)
Principal place of business: 28 Geary Street Suite 650 #2654, San Francisco, CA 94108, USA
Support & privacy requests: support@alchemyst.one
Legal/DMCA and notices: contact@alchemyst.one

We may update this Policy; if we make material changes, we’ll try to give at least 30 days’ notice.

1) Key Definitions & Roles

Customer Content: your prompts, uploads, datasets, configurations, and Outputs.

Personal Data/Personal Information: information that identifies or can reasonably be linked to a person (definitions vary by jurisdiction).

Service Data: operational, security, and telemetry data (e.g., IP address, device, timestamps, token counts, error codes).

Beta Features: features labelled Beta/Preview/Early Access.

Roles. For Customer Content processed on your instructions, we act as a processor/service provider (with a DPA where required). For account, billing, website analytics, and product telemetry, we act as an independent controller/business.

2) Information We Collect

You provide. Account/profile (name, email, password—hashed), organisation, role; billing info (via payment processor), support tickets/attachments, survey responses; Customer Content (prompts, files, datasets, configs, Outputs).

Automatically. Service Data (IP, device/OS, browser, locale, timestamps, request metadata such as token counts, referrer/UTM), authentication events, rate-limit events, suspicious activity flags; cookies/local storage.

From third parties. Auth and payment providers, fraud prevention, analytics, CRM, website visitor tracking and identification services (Apollo.io for sales/marketing purposes on the public website only), and publicly available sources.

3) How We Use Information

  • Provide & secure the Services (auth, inference, routing, logging, abuse detection).
  • Operate Alchemyst AI (process inputs; generate Outputs; apply safety filters).
  • Improve reliability & safety (de-identified/aggregated telemetry, capacity planning, quality).
  • Communicate (service notices, product updates, security alerts; opt-out of non-essential marketing).
  • Billing & account management (payments, invoices, tax).
  • Legal compliance (court orders, export/sanctions, fraud prevention).
  • R&D (feature evaluation and safety) using de-identified/aggregated data.

Model training. Alchemyst does not train its models on your Customer Content. Where we call third-party model APIs (e.g., OpenAI), we configure provider settings so that API data is not used for training by default. Any sharing for model improvement is opt-in only and will be enabled solely at your explicit direction, where available.

4) Legal Bases (EEA/UK/Switzerland)

We rely on contract (to provide the Services), legitimate interests (to secure and improve Services; prevent abuse), consent (non-essential cookies/analytics, marketing, optional training opt-in), and legal obligations (tax, accounting, law enforcement requests).

5) How We Share Information

We do not sell Personal Information and we do not share it for cross-context behavioural advertising. We share with:

  • Service providers/sub-processors (cloud hosting, model inference, support, email, billing, analytics, marketing/sales tracking) under contracts limiting use to our instructions. This may include OpenAI as a model provider, Microsoft Clarity for analytics, Google Tag Manager for analytics, and Apollo.io for sales/marketing visitor tracking on our public website. Where supported, we set provider controls to disable training on API data.
  • Enterprise administrators (usage and admin visibility for org accounts).
  • Legal/safety (to comply with law or protect rights, safety, or the Services).
  • Business transfers (merger, acquisition, financing); successors must honour this Policy or notify you.

A current Sub-processor List is available upon request at support@alchemyst.one. We’ll give advance notice of material changes where required.

6) Retention

We retain Personal Data only as long as necessary for the purposes in this Policy or as required by law. Typical windows:

  • Account records: life of account + up to 3 years.
  • Billing/tax: up to 7 years.
  • Security logs: about 90 days (adjusted for investigations).
  • Customer Content (inputs/outputs): retained up to 30 days by default for abuse detection and debugging, then deleted or anonymised. Enterprise controls (where available) may further reduce retention.
  • Analytics/session recordings (consent-based): up to 12–13 months.
  • Backups: rolling backups with fixed expiry.

You may request deletion; we’ll process as required by law and contract.

7) Your Choices

  • Cookie controls: manage consent via our banner/preferences for analytics/session recording.
  • Email: unsubscribe from non-essential emails.
  • AI improvement opt-in: off by default; if offered, you can opt-in/out at any time.
  • Access/edit/delete: see regional rights below.

8) Cookies, Analytics & Marketing Tracking

(Including Microsoft Clarity, Google Tag Manager, Apollo.io)

Cookie categories

We use three categories of cookies and local storage on our public website:

  • Strictly necessary — Session security, CSRF protection, and authentication state. These are required for the site to function and cannot be disabled.
  • Analytics (consent required) — Google Tag Manager (GTM-52BVLBFW) for aggregated traffic and behaviour metrics, and Microsoft Clarity (ID: tng271o58e) for session recordings and heatmaps (clicks, scrolls, rage-clicks). Sensitive fields are automatically masked by Clarity. Retention: up to 13 months.
  • Marketing (consent required) — Apollo.io (appId: 68f9d0866c25b1000d3e488d) for B2B visitor identification and sales lead enrichment on the public marketing website only. This script is never loaded inside the authenticated Alchemyst application.

How we obtain and record consent

When you first visit alchemyst.one, a consent banner is shown. No analytics or marketing scripts are loaded until you click Accept all or individually enable categories via Customise. Your choice is saved in your browser’s local storage (key: alch_consent_v1) and scripts are loaded only after a positive signal is recorded.

You can review or withdraw your consent at any time by clicking Cookie settings in the footer of any page, or by calling window.AlchemystCookies.showPreferences() in your browser console. Withdrawing consent prevents new data collection but does not delete data already collected under prior consent.

Lawful basis

Analytics and marketing cookies are processed on the basis of consent (GDPR Art. 6(1)(a) and ePrivacy Directive). Strictly necessary cookies are processed on the basis of legitimate interests (security and fraud prevention) and do not require consent.

9) Security

We use industry-standard safeguards: encryption in transit, access controls, least-privilege, logging/monitoring, and vulnerability management. No system is 100% secure. If we become aware of a breach affecting your data, we’ll notify you and regulators as required.

10) Children’s Privacy

The Services are not directed to children under 13 (or under 16 where applicable). We do not knowingly collect Personal Data from children. If you believe a child provided data, contact support@alchemyst.one.

11) Your Rights — EEA/UK/Switzerland

Subject to exceptions, you may access, rectify, erase, restrict, object, and request data portability, and withdraw consent where processing is based on consent.

To exercise rights: support@alchemyst.one (verification may be required).

You may lodge a complaint with your local supervisory authority. If Article 27 representation is required, we will appoint a representative and update this Policy.

12) Your Rights — U.S. State Laws (CA/CO/CT/VA/UT and others)

Depending on your state, you may have rights to access, correct, delete, portability, and to opt out of targeted advertising, sale, and certain profiling.

We do not sell Personal Information and do not share it for cross-context behavioural advertising.

Appeals: If we deny a request, you may appeal by replying to our decision email; we’ll review and respond.

Authorised agents: We honour valid agent requests with proof of authorisation.

California Notice at Collection (summary): Categories: identifiers (email, device IDs), commercial info (subscriptions), internet/network activity (logs), geolocation (approximate IP-based), professional info (organisation), inferences (non-sensitive product analytics), and Customer Content. Sensitive Personal Information is not used to infer characteristics and is used only for security/authentication or as you direct. Retention: §6. Purposes: §3. Sources: you, your devices, service providers, publicly available sources.

Submit requests: support@alchemyst.one.

13) International Data Transfers

We are U.S.-based and may transfer data globally. Where required, we use safeguards such as EU Standard Contractual Clauses and the UK IDTA/Addendum. Details/copies available on request (subject to redactions).

14) Automated Decision-Making & Profiling

Alchemyst AI generates outputs from your inputs. We do not use automated decision-making to produce legal or similarly significant effects without human involvement. You remain responsible for reviewing Outputs before use.

15) Third-Party Links & Services

Third-party sites/services have their own policies. We are not responsible for their practices.

16) Enterprise & Processor Terms

Where we act as a processor/service provider for Customer Content: we process per your instructions (Agreement/DPA), maintain appropriate security measures, assist with data subject requests and incident notifications as required, bind sub-processors to equivalent obligations, and support deletion/return on termination (subject to legal retention). For a DPA with SCCs/UK Addendum, contact support@alchemyst.one.

17) Contact

Support & privacy requests: support@alchemyst.one
Legal/DMCA and notices: contact@alchemyst.one
Mailing address: Alchemyst, Inc., 28 Geary Street Suite 650 #2654, San Francisco, CA 94108, USA

Plain English Summary
  • No training by Alchemyst on your prompts/outputs.
  • If we call OpenAI, we set no-training by default; any improvement sharing is opt-in only and will be enabled only if you ask us to.
  • Seat-based monthly/annual plans, no preset usage caps; we still reserve throttling to protect uptime.
  • Cookie/Clarity tracking is consent-based; sensitive fields are masked.

Also see: Terms of Service