Privacy Policy

Last Updated: July 21, 2025

1. Introduction

Welcome to Asteroid.ai. This Privacy Policy is designed to provide you with clear, transparent information about how Entropy Systems, Inc. ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our Asteroid platform and related services (collectively, the "Services").

We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy explains your privacy rights and how you can exercise them. We encourage you to read this policy carefully to understand our practices. By using our Services, you acknowledge that you have read and understood this Privacy Policy.

This policy is structured to meet the requirements of major privacy regulations globally, including the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable U.S. state privacy laws.

2. The Personal Information We Collect and How We Use It

We collect personal information to provide and improve our Services. The specific categories of information we collect, the sources from which we collect it, our purposes for using it, and the third parties with whom we share it are detailed in the categories below.

Identifiers

Category of Personal Information: Identifiers

Examples: Real name, alias, email address, unique personal identifier, online identifier, Internet Protocol (IP) address.

Sources: Directly from you; automatically from your use of our Services.

Business & Commercial Purposes for Processing: To create and manage your account; provide, maintain, and secure our Services; communicate with you; process transactions; comply with legal obligations.

Lawful Basis (for EEA/UK Users): Performance of a contract; Legitimate interest; Legal obligation.

Categories of Third Parties: Cloud hosting providers; payment processors; customer support providers; analytics providers.

Customer Records Information

Category of Personal Information: Customer Records Information

Examples: Name, address, financial information (e.g., credit card details for payment).

Sources: Directly from you.

Business & Commercial Purposes for Processing: To process payments and provide the Services you have requested.

Lawful Basis (for EEA/UK Users): Performance of a contract.

Categories of Third Parties: Payment processors; financial institutions.

Internet or Other Electronic Network Activity Information

Category of Personal Information: Internet or Other Electronic Network Activity Information

Examples: Interaction with our Services, system performance metrics, diagnostic data.

Sources: Automatically from your use of our Services.

Business & Commercial Purposes for Processing: To monitor and analyze usage patterns; improve Service performance and functionality; enhance security; prevent fraud.

Lawful Basis (for EEA/UK Users): Legitimate interest.

Categories of Third Parties: Analytics providers; security service providers.

Geolocation Data

Category of Personal Information: Geolocation Data

Examples: Imprecise location (e.g., derived from your IP address).

Sources: Automatically from your use of our Services.

Business & Commercial Purposes for Processing: For security purposes (e.g., fraud detection).

Lawful Basis (for EEA/UK Users): Legitimate interest.

Categories of Third Parties: Analytics providers; security service providers.

Sensitive Personal Information

Category of Personal Information: Sensitive Personal Information

Examples: Account login credentials.

Sources: Directly from you when you create an account.

Business & Commercial Purposes for Processing: To secure your account access and authenticate your identity.

Lawful Basis (for EEA/UK Users): Performance of a contract; Legal obligation.

Categories of Third Parties: Cloud hosting providers (for storage with encryption). We do not "sell" or "share" this information.

User-Generated Content

Category of Personal Information: User-Generated Content

Examples: Prompts, instructions, and other content you input into our AI agents; agent outputs and responses generated for you.

Sources: Directly from you through your use of our Services.

Business & Commercial Purposes for Processing: To provide AI agent functionality; deliver personalized responses; maintain service quality and security; provide customer support when requested.

Lawful Basis (for EEA/UK Users): Performance of a contract; Legitimate interest (service improvement and security).

Categories of Third Parties: Cloud hosting providers (encrypted storage); AI infrastructure providers (processing only, no training).

Browser Session Recording Technology

We may use session recording technology in order to identify and resolve customer issues, to monitor and analyze how you use our Services, to better understand user behavior, and to improve our Services. By continuing to use the Services, you consent to the use of session recording technology.

Agent Prompts

We store the prompts you provide and the outputs generated by the Services to deliver and maintain the functionality of your agents.

To ensure our Services are working correctly and to provide you with effective customer support, our authorized support personnel may need to access your prompts and outputs. This access is strictly limited to the following purposes:

  • Troubleshooting and Support: To investigate and resolve issues you report with your specific agents.
  • Service Improvement: To identify and fix bugs, and to improve the performance and functionality of the agents you build on our platform.

Important Clarification: We do not use your prompts or outputs to train our general, underlying artificial intelligence models. Your data is used only to support and improve your direct experience with the Services.

For users in the EEA/UK, our lawful basis for this processing is the performance of our contract with you (to provide a functional service and support) and our legitimate interest in maintaining and improving the quality and reliability of our Services.

3. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Services and hold certain information. You can manage your preferences for these technologies.

  • Types of Cookies: We use strictly necessary cookies for basic site functionality, performance cookies to analyze usage, and functional cookies to remember your preferences.
  • Your Choices: We provide a cookie consent banner where you can manage your preferences. You can also instruct your browser to refuse all cookies or to indicate when a cookie is being sent.
  • Global Privacy Control (GPC): We recognize and honor browser-based universal opt-out signals like the GPC to respect your choices regarding the sale or sharing of your data for targeted advertising.

4. Your Privacy Rights and How to Exercise Them

You have specific rights concerning your personal information, which may vary depending on your location. We are committed to enabling you to exercise these rights, regardless of where you live.

To exercise any of your rights, please email us at support@asteroid.ai.

A. Your Rights as a California Resident

Under the CCPA, you have the following rights:

  • Right to Know: You can request to know the specific pieces and categories of personal information we have collected about you, the sources of that information, the purposes for which we use it, and the categories of third parties with whom we share it.
  • Right to Delete: You can request that we delete personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: You can request that we correct inaccurate personal information that we maintain about you.
  • Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" of your personal information or its "sharing" for cross-context behavioral advertising. We do not "sell" personal information in the traditional sense. However, you can opt out of sharing for advertising purposes via the GPC.
  • Right to Limit Use of Sensitive Personal Information (SPI): You can direct us to limit our use of your SPI to only what is necessary to perform the Services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

B. Your Rights if You Are in the European Economic Area (EEA), UK, or Switzerland

Under the GDPR, you have the following rights:

  • Right of Access: You can request a copy of the personal information we hold about you.
  • Right to Rectification: You can ask us to correct or complete inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): You can request that we delete your personal information under certain conditions.
  • Right to Restrict Processing: You can request that we restrict the processing of your data under certain conditions.
  • Right to Data Portability: You have the right to receive your data in a structured, machine-readable format and transfer it to another controller.
  • Right to Object: You can object to our processing of your personal information, particularly where we rely on legitimate interests as our legal basis.
  • Rights Related to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you.

C. Rights Under Other U.S. State Laws

Residents of states including Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia also have rights similar to those listed above. We will honor verifiable requests from all our users in accordance with these laws.

5. Data Security

We are committed to protecting your information from unauthorized access, use, or disclosure. We implement and maintain a comprehensive information security program with administrative, technical, and physical safeguards.

Our security measures include:

  • Security Framework: Our security program is aligned with leading industry frameworks such as SOC 2 to ensure our practices are robust and verifiable.
  • Encryption: We encrypt your data both in transit over public networks and at rest in our storage systems.
  • Access Controls: We enforce the principle of least privilege and use role-based access controls (RBAC) to ensure that our employees and systems only have access to the data necessary to perform their functions.
  • Risk Management: We conduct regular risk assessments and data protection impact assessments (DPIAs) for high-risk processing activities to proactively identify and mitigate threats.
  • Incident Response: We have a documented incident response plan to promptly detect, investigate, and respond to any data breaches. In the event of a breach affecting your personal information, we will notify you in accordance with applicable laws.
  • Employee Training: All our employees receive training on data privacy and security best practices.

6. Data Retention

We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, and applicable legal requirements. For example, account information is retained for as long as your account is active and for a reasonable period thereafter in case you decide to re-activate the Services. Data related to legal obligations may be retained for longer periods as required by law.

7. International Data Transfers

Our Services are hosted and operated in the United States. If you are accessing the Services from outside the U.S., your information will be transferred to, stored, and processed in the United States.

For transfers of personal information from the EEA, UK, or Switzerland, we rely on legally provided mechanisms to lawfully transfer data across borders. This includes implementing the Standard Contractual Clauses (SCCs) as approved by the European Commission.

8. Children's Privacy

Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13.

In addition, we adhere to stricter standards for older minors as required by various state laws. We do not "sell" or "share" for targeted advertising the personal information of any user we know to be under the age of 18. For users we know are between 13 and 17 years of age, we will obtain affirmative opt-in consent before processing their data for certain purposes where required by law.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date at the top. We encourage you to review this Privacy Policy periodically for any changes.

10. How to Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact us:

Entropy Systems, Inc.
Attn: Privacy Officer
2261 Market Street
STE 22742
San Francisco, CA 94114
United States
Email: support@asteroid.ai

You also have the right to lodge a complaint with your local data protection authority.