Privacy Policy

Last Updated: May 3, 2026

Introduction

This Privacy Policy describes how Formael, Inc. ("Formael", "we", "us", or "our") collects, uses, and protects information in connection with the Formael platform - a managed governance and execution layer for AI agents acting in external systems.

This policy applies to information collected through our website (formael.com), our management console (app.formael.com), and our agent and management APIs.

Information We Collect

Account and Workspace Information

When you or your organization creates an account, we collect identifying information such as name, work email address, organization name, role, and authentication identifiers (including identifiers issued by single sign-on providers when applicable).

Configuration Data

The platform stores configuration you create or import: governance policies, approval groups, domain ownership, connector settings, capability customizations, and references to third-party credentials your organization configures for execution against external systems.

Provider Credentials

Credentials your organization configures for outbound execution (for example, API keys for SaaS systems your agents act in) are stored encrypted at rest and decrypted only at execution time. Plaintext credentials are never logged, never exposed to agents, and never returned through any API after creation.

Operational Records (Intent Execution Cycles)

Every action your agents submit produces an immutable execution record. This record includes the structured intent, the outcome of governance evaluation, the action executed against the external system, the response received, and timing and identity metadata associated with the call. These records are retained as the audit trail for your organization and are accessible to you through the management console and API.

Usage and Telemetry

We collect aggregate technical telemetry - request volume, latency, error rates, and similar operational metrics - to operate, secure, and improve the platform.

Website Information

When you visit our marketing website, we collect standard log data (IP address, user agent, referrer, pages viewed) and privacy-respecting analytics. We do not use third-party advertising trackers.

How We Use Information

We use the information we collect to:

  • Provide and operate the Formael platform, including authentication, policy evaluation, execution, and audit
  • Maintain the security and integrity of the platform
  • Detect, prevent, and respond to abuse, fraud, or unsafe behavior
  • Communicate with you about your account, changes to the service, and support requests
  • Comply with legal and regulatory obligations
  • Improve the platform and develop new features

We do not use customer execution data (Intent Execution Cycle records, intent payloads, or governance verdicts) to train shared machine learning models.

How We Share Information

We do not sell personal information. We share information only in the following circumstances:

  • At your direction. Configuration you create may cause Formael to send data to external systems you have integrated (for example, a connector that creates a ticket in your Jira workspace).
  • Service providers. We use a small set of vetted infrastructure and security subprocessors to operate the platform (cloud hosting, identity, error monitoring, communications). Subprocessors are bound by data protection terms.
  • Legal requirements. When we are required to disclose information by law, valid legal process, or to protect the rights, property, or safety of Formael, our customers, or others.
  • Business transfers. In connection with a merger, acquisition, or sale of assets, with notice and continued protection of your information.

Security

The platform is designed with security as a primary requirement:

  • Provider credentials are encrypted with AES-256-GCM and decrypted only at execution time
  • Multi-tenant isolation is enforced at both the application and database layers
  • Audit records are append-only and cannot be modified after they are written
  • Administrative access to production systems is logged and restricted to authorized personnel

No security control is absolute. We commit to investigating and disclosing material incidents in line with applicable law and our customer agreements.

Data Location

The Formael platform is operated from data centers in the European Union. If your use of the platform involves the transfer of personal information across regions, we apply appropriate safeguards in line with applicable data protection law.

Data Retention

We retain account and configuration data for as long as your organization remains an active customer. Audit and execution records are retained for the period required by your plan or contract, after which they may be archived or deleted in accordance with your retention settings. We will retain or delete information beyond these defaults where required by law.

Your Rights

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, or to object to or restrict certain processing. To exercise these rights, contact us at the address below. We will respond consistent with applicable law.

If you are a California resident, you have specific rights under the California Consumer Privacy Act, including the right to know what personal information we collect about you and the right to request deletion.

Cookies

Our website uses a minimal set of first-party cookies necessary to operate the site and to measure aggregate traffic. We do not use cookies for cross-site advertising. You can control cookies through your browser settings.

Children

Formael is intended for use by businesses. The platform is not directed to children, and we do not knowingly collect personal information from anyone under 16.

Changes

We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or by email to the primary contact for your organization. The "Last Updated" date above always reflects the current version.

Contact

Questions about this Privacy Policy or how we handle information can be sent to: