Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

We collect information you provide when you:

• Create or register an account, including name, business email address, company name, job title, and password.
• Complete an Order Form or subscription agreement, including billing contact information and payment details.
• Contact us for customer support, sales inquiries, or other communications.
• Participate in surveys, product feedback sessions, webinars, or other events.
• Correspond with us by email or through in-product messaging.

1.2 Information We Collect Automatically

When you access or use the Services, we automatically collect certain technical and usage information, including:

• Device and connection information: IP address, browser type and version, operating system, device identifiers, and mobile carrier.
• Usage data: pages and features accessed, actions taken within the Services, session duration, clickstream data, search queries within the platform, and error logs.
• Log data: server logs, access times, and referring URLs.
• Cookies and similar technologies: as described in Section 3 below.

We use this information to operate, maintain, and improve the Services, detect security incidents, and understand how users interact with the platform.

1.3 Customer Data (Data You Provide on Behalf of Your Business)

If you are a business customer, you may provide to us, or we may collect on your behalf through the Services, data relating to your business operations, including consumer transaction records, sales data, inventory data, loyalty program data, and other operational data (collectively, “Customer Data”). Customer Data may include personal information of your consumers, employees, and other individuals (“Consumer Personal Information”).

Our collection and use of Customer Data is governed primarily by our agreement with you (including the Data Processing Addendum in Appendix A to our Terms of Service) rather than this Policy. With respect to Consumer Personal Information contained in Customer Data, we act as a processor on your behalf and process such information only as directed by you and as necessary to provide the Services.

You are responsible for ensuring that you have the appropriate rights, consents, and legal bases to provide Consumer Personal Information to us, and for providing required privacy notices to your consumers.

1.4 Information from Third Parties

We may receive information from business partners, resellers, referral sources, and third-party platforms and integrations that you connect to the Services, such as point-of-sale systems, eCommerce platforms, or loyalty programs. Data received through connected integrations is Customer Data and is governed by Section 1.3 and our Data Processing Addendum.

2. How We Use Information

2.1 Providing and Operating the Services

• Creating and managing your account.
• Processing transactions and fulfilling your subscription.
• Delivering product features, AI-generated outputs, analytics, and reports.
• Providing customer support and responding to your inquiries.
• Sending service-related communications, including account notifications, billing information, and updates.

2.2 Improving and Developing the Services

• Analyzing usage patterns to understand how the Services are used and where improvements can be made.
• Training, evaluating, and improving the AI models that power the Services, using de-identified or aggregated data as described in our Terms of Service.
• Developing new features, products, and services.
• Conducting internal research and analytics.

We do not use identified Consumer Personal Information contained in Customer Data to train AI models in a way that would permit reconstruction of your specific customer data. See Section 4.3 of our Terms of Service for details.

2.3 Security and Fraud Prevention

• Detecting, investigating, and preventing unauthorized access, fraud, abuse, and other harmful or illegal activity.
• Enforcing our Terms of Service and other agreements.
• Protecting the rights, property, and safety of Winston AI, our customers, and others.

2.4 Marketing and Communications

• Sending you information about Winston AI products, features, events, and offers that may be of interest to you, where permitted by applicable law.
• Measuring engagement with our marketing communications.
• We currently do not share your personal information with third-party advertising partners for targeted advertising purposes.

You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at legal@treez.io. Opting out of marketing does not affect service-related communications.

2.5 Legal and Compliance Purposes

• Complying with applicable laws, regulations, and legal process.
• Responding to lawful requests from government authorities and law enforcement.
• Establishing, exercising, or defending legal claims.
• Fulfilling contractual obligations to you.

2.6 Aggregated and De-identified Data

We may use aggregated or de-identified information derived from information we collect — including Customer Data — for business analytics, benchmarking, product development, and other lawful purposes. Aggregated or de-identified information is not subject to this Policy and may be used or shared without restriction, provided it cannot reasonably be used to identify you or any individual.

3. Cookies and Tracking Technologies

We and our third-party service providers use cookies and similar tracking technologies (such as web beacons, pixels, and session replay tools) to collect information about how you access and use the Services.

3.1 Strictly Necessary Cookies

These cookies are required for the Services to function and cannot be disabled. They include session authentication cookies, security tokens, and cookies that remember your login state. You cannot opt out of these cookies while using the Services.

3.2 Functional Cookies

These cookies remember your preferences and settings to provide a more personalized experience, such as language preferences and UI customizations. Disabling these cookies may affect your experience of the Services.

3.3 Analytics Cookies

We use analytics tools, which may include third-party providers, to collect information about usage patterns, feature adoption, and platform performance. This information is used in aggregate to improve the Services.

3.4 Advertising and Marketing Cookies

We do not currently use advertising or marketing cookies. If we do so in the future, we will update this Policy and, where required by applicable law, obtain your consent before placing such cookies.

3.5 Managing Cookies

Most browsers allow you to control cookies through their settings. Please note that disabling cookies may affect the functionality of the Services. We do not currently respond to “Do Not Track” browser signals.

4. How We Share Information

We do not sell your personal information. We share information only as described below:

4.1 Service Providers

We share information with third-party vendors and service providers that perform services on our behalf, including cloud hosting and infrastructure, payment processing, customer support tools, email delivery, analytics, and AI model providers. Our AI model providers (which may include Anthropic PBC, OpenAI LLC, and Google LLC) may receive Input and Customer Data as necessary to generate Output. These providers are contractually required to use your information only to perform services for us and in accordance with our instructions.

4.2 Your Organization

If you access the Services through an account created by your employer or organization, we may share information about your use of the Services with that organization, including account administrators.

4.3 Business Customers

If you are a consumer whose personal information has been provided to us by one of our business customers, we process your information on behalf of that business customer and may share information about you with them as necessary to provide the Services.

4.4 Business Transfers

We may share or transfer information in connection with a merger, acquisition, reorganization, sale of assets, financing, or similar transaction. We will provide notice of any such transfer where required by applicable law.

4.5 Legal Requirements

We may disclose information if we believe in good faith that disclosure is necessary to comply with applicable law or valid legal process, protect the rights, property, or safety of Winston AI, our customers, or the public, or detect, prevent, or address fraud, security, or technical issues. Where permitted by law and practicable, we will endeavor to notify you before disclosing your information in response to legal process.

4.6 With Your Consent

We may share information for other purposes with your consent or at your direction.

4.7 What We Do Not Do

• We do not sell personal information to third parties.
• We do not share personal information with third-party advertisers for targeted advertising without prior notice and, where required, your consent.
• We do not disclose Consumer Personal Information contained in Customer Data to third parties except as directed by the applicable business customer, as required by law, or as necessary to provide the Services.

5. Data Retention

We retain personal information for as long as necessary to provide the Services, fulfill the purposes described in this Policy, and comply with our legal obligations. The factors we consider include the duration of your subscription, legal obligations, whether information is needed to resolve disputes or enforce agreements, and the sensitivity of the information.

When personal information is no longer needed, we take reasonable steps to delete, de-identify, or aggregate it. Deletion from active systems does not guarantee immediate deletion from backup or archival systems. We may also retain information for longer periods where necessary for legal compliance, dispute resolution, enforcement of our agreements, or fraud prevention. For Customer Data, retention and deletion obligations are governed by the Data Processing Addendum in our Terms of Service.

6. Security

We implement commercially reasonable technical and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit and at rest, access controls, and security monitoring.

We maintain a SOC 2 Type II security program. No security system is impenetrable, and we cannot guarantee the absolute security of your information. If you have reason to believe that your interaction with us is no longer secure, please contact us at legal@treez.io.

In the event of a security incident involving personal information, we will notify affected parties to the extent required by, and within the time periods specified by, applicable law.

7. Your Privacy Rights

Depending on where you are located, you may have certain rights regarding your personal information. To exercise any of these rights, please contact us at legal@treez.io with the subject line “Privacy Rights Request” and indicate your state or country of residence. We will verify your identity before processing rights requests and will not discriminate against you for exercising your privacy rights.

7.1 Rights Available to All Users

• Access: You may request a copy of the personal information we hold about you.
• Correction: You may request that we correct inaccurate or incomplete personal information.
• Deletion: You may request that we delete your personal information, subject to certain exceptions.
• Portability: Where technically feasible, you may request your personal information in a structured, machine-readable format.
• Opt out of marketing: You may opt out of receiving marketing communications from us at any time.

7.2 California Residents (CCPA/CPRA)

California residents have additional rights under the CCPA and CPRA, including the right to know categories and specific pieces of personal information collected, the right to opt out of the sale or sharing of personal information (we do not currently sell or share personal information for cross-context behavioral advertising), the right to limit use of sensitive personal information, and the right to non-discrimination.

To submit a CCPA/CPRA request, email legal@treez.io with the subject line “California Privacy Rights Request.” We will respond within 45 days of receipt.

7.3 Other U.S. State Residents

Residents of Colorado, Connecticut, Texas, Virginia, and other states with applicable privacy laws may have rights similar to those described above. To submit a request, email legal@treez.io with the subject line “Privacy Rights Request” and indicate your state of residence. If we decline your request, you may appeal within 30 days by emailing us with the subject line “Privacy Rights Appeal.”

7.4 Canadian Residents (PIPEDA / Provincial Privacy Laws)

Canadian residents have the right to access personal information we hold about them, request correction of inaccurate information, and withdraw consent to certain processing activities. To submit a request, email legal@treez.io with the subject line “Canadian Privacy Rights Request.”

8. Children's Privacy

The Services are not directed to children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate consent, we will take reasonable steps to delete that information. If you believe a child has provided us with personal information without appropriate consent, please contact us at legal@treez.io.

9. Data Transfers

The Services are operated from the United States. If you access the Services from Canada or other jurisdictions outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For Canadian residents: we process personal information in the United States in connection with providing the Services. By using the Services, you acknowledge that your personal information may be subject to access by U.S. courts and law enforcement authorities under applicable U.S. law. We handle Canadian personal information in accordance with applicable Canadian privacy law, including PIPEDA and applicable provincial legislation.

10. Third-Party Links and Services

The Services may contain links to or integrations with third-party websites and services not operated by Winston AI. This Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Services.

11. Changes to This Policy

We may update this Policy from time to time by posting a revised version with an updated “Last Updated” date. If we make material changes, we will provide reasonable advance notice by email or through a prominent notice within the Services. Your continued use of the Services after any update constitutes acceptance of the revised Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

We have designated an internal Privacy Lead responsible for overseeing our privacy program, fielding rights requests, and ensuring this Policy is kept current. To reach our Privacy Lead, use the contact information above.