Last Updated: 17.02.2026
1. Introduction
Welcome to Copilotim, Inc. (“Copilotim”, “Company”, “Corbey”, “we,” “us,” or “our”). We provide an AI-powered platform named “Corbey” designed to help Human Resources (HR) professionals automate and manage their processes with greater efficiency and compliance.
This Privacy Policy explains how we collect, use, process, and disclose information, including personal data, in the context of our website www.corbey.ai (the “Website”) and the services we provide through our platform (the “Services”).
We are committed to protecting your privacy and handling your data in an open and transparent manner. As a company registered in the United States with clients in the European Union, we are dedicated to complying with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.
2. Our role: Data Processor and Data Controller
It is crucial to understand our role concerning the data we handle. This role differs depending on the context:
- When you visit our Website or manage your account with us: We act as the Data Controller for the personal data we collect directly from you (e.g., your name, email address, billing information). We determine the purposes and means of processing this data.
- When you use our Services to manage your company’s HR processes: Our clients (your employer or the company you represent) are the Data Controllers. They determine which of their employee and HR-related data is processed by our Services. In this capacity, we act as a Data Processor, processing this data strictly on behalf of and under the instructions of our clients, as governed by a Data Processing Agreement (DPA).
This policy primarily focuses on our role as a Data Controller. Our obligations as a Data Processor are detailed in our DPA with our clients. If you are an employee of one of our clients, please direct any privacy-related inquiries to your employer.
3. Information we collect
We collect different types of information to provide and improve our Services, to communicate with you, and to operate our business.
A. Information you provide to us:
- Account Information: When you register for an account, we collect information such as your name, company name, email address, phone number, and password.
- Payment Information: To process payments for our Services, we collect billing details and payment information, which are securely handled by our third-party payment processors. We do not store your full credit card information on our servers.
- Communications: If you contact us directly (e.g., via email, support requests, or contact forms), we will collect your name, email address, and the contents of your message.
B. Information we collect automatically:
- Usage and log data: When you interact with our Website and Services, we automatically collect information about your device and your usage, such as your IP address, browser type, operating system, pages viewed, and the dates/times of your visits.
- Cookies and tracking technologies: We use cookies and similar technologies to operate and analyze our Website and Services. For more information, please see our Cookie Policy.
4. How we use your Information and our legal basis for Processing
We only use your personal data when we have a valid legal basis to do so under GDPR.
| Purpose of Processing | Type of Data Used | Legal Basis (under GDPR) |
| --- | --- | --- |
| To Provide and Manage our Services | Account, Payment, and Usage Data | Performance of a contract with you or your company. |
| To Communicate with You | Account Information, Communications Data | Performance of a contract (for service-related messages) or Legitimate Interest (to respond to your inquiries). |
| For Billing, Invoicing | Account and Payment Data | Performance of a contract and Legal Obligation (for financial records). |
| To Improve and Secure Services | Usage and Log Data, Technical Data | Legitimate Interest (to ensure our services are secure, stable, and user-friendly). |
| For Marketing and Communication | Account Information | Consent (where required) or Legitimate Interest (to market our services to existing business clients). |
| To Comply with Legal Obligations | All relevant data | Legal Obligation (e.g., responding to lawful requests from authorities). |
5. Our use of artificial intelligence (AI)
Our Services are powered by AI to provide features like labor law tracking, process building, and HR assistance. We are committed to using AI responsibly and ethically.
- Service functionality: We use AI to analyze public legal and regulatory data, compare industry best practices, and generate automated HR process suggestions based on the configurations and data our clients provide.
- No training on Client Data: We do not use our clients’ personal data (including their employee data) to train our general, multi-tenant AI models. Our models are trained on official governmental databases, public information, and licensed industry data. Client data is processed within a secure, isolated environment solely for the purpose of providing the Services to that specific client.
- Anonymized and aggregated Data: We may use anonymized and aggregated data derived from the use of our Services for analytical purposes, such as improving our algorithms and service performance. This data does not identify any individual or specific client.
6. Data sharing and disclosure
We do not sell your personal data. We may share your information with the following third parties under limited circumstances:
- Service providers (Sub-processors): We engage third-party companies to perform services on our behalf, such as cloud hosting (e.g., AWS, Google Cloud), payment processing, and analytics. These sub-processors are contractually obligated to protect your data and only process it according to our instructions.
- Business transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal data.
- Legal compliance: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, protect our rights or property, or ensure the safety of our users or the public.
7. International data transfers
Our Company is based in the United States and follows the regulations of Delaware. If you are located in the European Economic Area (EEA), UK, or Switzerland, your personal data will be transferred to and processed in the United States.
We ensure that such transfers are lawful and that your data remains protected to the standards required by GDPR. We do this by implementing appropriate safeguards, including:
- Entering into Standard Contractual Clauses (SCCs) as approved by the European Commission with our clients and service providers.
- Where applicable, relying on adequacy decisions or participating in frameworks such as the EU-U.S. Data Privacy Framework (DPF).
8. Data security and retention
Security
We implement robust technical and organizational measures to protect your personal data from unauthorized access, use, alteration, or destruction. These measures include encryption, access controls, and regular security assessments.
Retention
We retain your personal data for no longer than is necessary for the purposes for which it was collected.
- Client Account Data: We retain your account information for the duration of your business relationship with us and for a reasonable period thereafter as required by law (e.g., for financial auditing purposes).
- Data Processed for Clients: We retain the employee data we process on behalf of our clients for the duration specified in our DPA with them. Upon termination of the contract, we will delete or return this data as instructed by the client.
9. Your data protection rights (For EEA/UK Residents)
Under GDPR, you have certain rights regarding your personal data.
- Right of Access: You can request a copy of the personal data we hold about you.
- Right to Rectification: You can request that we correct any inaccurate or incomplete data.
- Right to Erasure (“Right to be Forgotten”): You can request that we delete your personal data in certain circumstances.
- Right to Restrict Processing: You can request that we limit the way we use your personal data.
- Right to Data Portability: You have the right to receive your data in a structured, commonly used format.
- Right to Object: You can object to our processing of your data where we are relying on legitimate interests.
- Right to Withdraw Consent: If we are processing your data based on your consent, you can withdraw it at any time.
- Right to opt out: We use clients’ aggregated, anonymized data for the benefit of the Services. Still, if you, as an individual or as a company, prefer not to allow the use of the data to train the AI agent, you may opt out by explicitly requesting it in an email to privacy@corbey.ai.
To exercise these rights, please contact us at privacy@corbey.ai.
Important note for Employees of our Clients: If you are an employee of a company that uses our Services and you wish to exercise your data protection rights regarding data processed by our platform, please contact your employer directly. Your employer is the Data Controller and is responsible for managing your request.
You also have the right to lodge a complaint with a supervisory authority in your country of residence.
10. Children’s privacy
Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal data from children.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on our Website and updating the “Last Updated” date. We encourage you to review this policy periodically.
12. Contact us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
Copilotim, Inc.
Address: 251 Little Falls Drive, Delaware 19808, USA
Website: www.corbey.ai, Mail: support@corbey.ai