Privacy Policy

Effective date: March 14, 2026

1. Introduction

Calibrant is operated by Trees and Rain, LLC ("we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Calibrant platform at calibrant.ai, including all associated services, APIs, and integrations (collectively, the "Service").

By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access the Service.

2. Information We Collect

Account Information

When you create an account, we collect your email address, display name, and organization name. Accounts are created through Supabase Auth, and we support Microsoft single sign-on (SSO) for authentication. We do not collect or store your Microsoft password.

Service Data

As you use Calibrant, we store data you create and configure within the platform, including:

  • Agent configurations and settings
  • Instruction text and instruction variants
  • Evaluation suites, queries, and rubrics
  • Optimization results and strategy performance data
  • Evaluation scores and run history

Usage Data

We track service usage to enforce plan limits and provide usage insights. This includes credit consumption, optimization run counts, and feature usage within your account.

Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our servers. We retain only your Stripe customer identifier and subscription status to manage your account.

Analytics Data

We use PostHog for product analytics. PostHog operates in a cookie-less, privacy-friendly mode. We collect aggregated, anonymized usage patterns to understand how features are used and improve the product. We do not use analytics data for advertising or sell it to third parties.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your account and subscription
  • Connect to your Microsoft 365 environment to optimize your Copilot Studio agents
  • Run optimization and evaluation workflows on your agent configurations
  • Process transactions and send billing-related communications
  • Analyze usage patterns to improve the Service (using anonymized, aggregated data)
  • Respond to support requests and communicate important service updates
  • Detect, prevent, and address technical issues or abuse

We do not sell your personal information. We do not use your data for advertising purposes. We do not train AI models on your agent configurations, instructions, or optimization results.

4. Data Storage & Security

Your data is stored in Supabase, hosted on Amazon Web Services (AWS) in the US West (Oregon, us-west-2) region. We implement the following security measures:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All data stored in our database is encrypted at rest using AES-256 encryption.
  • Supabase Vault: Sensitive credentials such as OAuth tokens and API keys are stored in Supabase Vault, which provides an additional layer of application-level encryption.
  • Row-Level Security: All database tables enforce row-level security policies with tenant isolation, ensuring that your data is only accessible to members of your organization.

While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

5. Bring Your Own Key (BYOK) Data

Calibrant offers a Bring Your Own Key option that allows you to provide your own Anthropic API key for use with the optimization engine. When you provide an API key:

  • Your API key is stored in Supabase Vault with application-level encryption, separate from general database storage.
  • The key is used exclusively to make API calls to Anthropic on your behalf for optimization and evaluation tasks.
  • We do not log, copy, or share your API key with any third party.
  • Your API key is permanently deleted when you remove it from your account settings or when your account is terminated.

6. Third-Party Services

We integrate with the following third-party services to operate Calibrant. Each service receives only the data necessary to perform its function:

  • Microsoft 365 — We use OAuth to connect to your Microsoft 365 tenant. We access organizational data and Copilot Studio agent configurations as authorized by your administrator. OAuth tokens are stored encrypted in our database.
  • Anthropic — Our optimization engine sends agent instructions and evaluation data to the Anthropic API for AI-powered analysis. If you use BYOK, calls are made using your own API key. Anthropic's API does not use inputs for model training.
  • Stripe — Handles all payment processing, including credit card storage, subscription billing, and invoicing. We share your email and organization name with Stripe to create and manage your billing account. Stripe is PCI DSS Level 1 certified.
  • Supabase — Provides our database, authentication, and encrypted vault infrastructure. All application data is stored in Supabase. Supabase is SOC 2 Type II compliant.
  • PostHog — Collects anonymized, cookie-less product analytics to help us understand feature usage and improve the Service. No personally identifiable information is shared with PostHog for advertising purposes.
  • Vercel — Hosts the Calibrant web application. Vercel processes HTTP requests and may log IP addresses and request metadata for security and performance purposes.

7. Cookies & Analytics

Calibrant uses a minimal approach to cookies and tracking:

  • Authentication cookies: We use essential cookies to maintain your login session. These are strictly necessary for the Service to function and cannot be disabled.
  • PostHog analytics: Our analytics operate in cookie-less mode. PostHog uses privacy-friendly fingerprinting that does not store cookies on your device and does not track you across websites.
  • No advertising cookies: We do not use any third-party advertising or remarketing cookies. We do not participate in ad networks or serve targeted advertisements.

8. Data Retention

We retain your data according to the following guidelines:

  • Account data: Retained for as long as your account is active. Upon account deletion request, we will delete your personal information within 30 days, except where retention is required by law.
  • Optimization and evaluation data: Retained according to your subscription tier, ranging from 14 days on the Free plan up to 1 year on Enterprise plans. You may delete this data at any time from within the application.
  • API keys and OAuth tokens: Deleted immediately when you remove them from your account, disconnect a provider, or when your account is terminated.
  • Analytics data: Anonymized analytics data may be retained indefinitely in aggregate form, as it cannot be linked to individual users.
  • Billing records: Transaction and invoice records are retained by Stripe in accordance with financial reporting requirements. We retain subscription status records for the duration of your account.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Export: Request a machine-readable export of your data.
  • Restriction: Request that we limit how we process your data in certain circumstances.
  • Objection: Object to our processing of your personal data where we rely on legitimate interest as our legal basis.

To exercise any of these rights, please contact us at the address listed in Section 13 below. We will respond to your request within 30 days.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will promptly delete such information from our systems.

11. International Users

Calibrant is operated from the United States, and our data is hosted in AWS us-west-2 (Oregon). If you access the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your data to the United States.

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws, you may have additional rights under applicable law. We process your data based on your consent (provided at account creation) and our legitimate interest in operating the Service. You may withdraw your consent at any time by deleting your account.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by updating the "Effective date" at the top of this page and, where appropriate, by sending you an email notification or displaying a notice within the Service.

We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

13. Contact Information

If you have any questions about this Privacy Policy or your personal data, or would like to exercise your data rights, please contact us:

Trees and Rain, LLC
Email: privacy@calibrant.ai
Website: calibrant.ai