top of page

Privacy Policy

Change Agents, Inc. (“Change Agents,” “we,” “us,” or “our”)

Effective date: April 27, 2026

This Privacy Policy explains how we collect, use, disclose, and protect information in connection with changeagents.co, our software platform and application programming interfaces (including api.changeagents.co and related services), and related websites and features (together, the “Services”). By using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

1. Who this applies to

This policy applies to visitors to our public websites, registered users, organization administrators, and other individuals who interact with the Services. If you use the Services on behalf of an organization, that organization’s agreement with us may also govern how we process data (for example, as a processor on the organization’s instructions).

2. Information we collect

We may collect the following categories of information, depending on how you use the Services:

  • Account and identity information such as name, email address, company or organization, role, and similar profile details, including identifiers assigned by our authentication provider when you sign in.

  • Customer content that you or your organization uploads or generates in the product, such as compliance-related documents, form responses, workflow data, task details, comments, and file attachments. This may include sensitive or regulated data depending on what you choose to submit. You should only provide content you are authorized to share and that your policies permit.

  • Usage and device information such as IP address, browser type, approximate location derived from the IP, timestamps, and diagnostic or performance data, including through cookies and similar technologies on our web properties.

  • Communications such as messages you send us (for example, support or sales inquiries) and, where applicable, records of in-product notifications and similar communications.

3. How we use information

We use information to:

  • Provide, secure, and improve the Services, including multi-tenant workspaces, workflows, and collaboration features.

  • Authenticate users, manage sessions, and enforce access controls, including organization and workspace permissions.

  • Operate and improve document-related and automation features, including features that use machine learning and large language models to analyze or generate suggestions from content you or your organization submits.

  • Send transactional and product notifications, including through our notification technology partners.

  • Analyze use of our sites and product (for example, through web analytics) to understand performance and improve user experience.

  • Comply with law, respond to legal requests, and protect the rights, safety, and security of you, us, and others.

4. AI and automated processing

Parts of the Services use artificial intelligence, including model providers that process text and related inputs. When you or your organization uses these features, relevant customer content (such as form fields, document excerpts, or other inputs you provide) may be sent to our subprocessors’ model APIs for processing, consistent with the feature. We configure processing for service operation and do not use that content to train our vendors’ foundation models for their general public models, except where a vendor’s terms applicable to an enterprise or API agreement explicitly and transparently state otherwise. Your organization’s terms with us, if any, may further describe its instructions for this processing.

The Services are decision-support and workflow tools, not a substitute for professional legal, compliance, or regulatory advice. You remain responsible for your regulatory submissions and decisions.

5. Cookies and similar technologies

We and our partners use cookies, local storage, and similar technologies for authentication, security, preferences, and analytics. For example, our web applications connect to services such as Google Analytics and Google Tag Manager in accordance with your cookie choices and our implementation. You can control some cookies through your browser settings. Our public marketing site may be hosted on third-party website builders, which can set their own cookies in addition to the product (see “Subprocessors”).

6. How we share information

We do not sell your personal information. We may share information:

  • With service providers and subprocessors that process data on our behalf, listed below.

  • With your organization and its authorized users, according to the permissions and access controls in the product.

  • When required by law or to protect rights and safety, or in connection with a business transaction (such as a merger or acquisition) subject to appropriate confidentiality and notice where required.

7. Subprocessors and key third parties

The following are representative third-party services and infrastructure identified in our codebase and security configuration. We use them to operate the Services. Their privacy practices are governed by their own policies, and the exact subset used can depend on your product configuration and environment.

  • WorkOS — user authentication, organization and session management, and related identity services.

  • Vercel and related — application hosting, edge delivery, and related infrastructure (for example, preview or deployment tooling such as Porter as referenced in our application configuration).

  • Vercel Blob — object storage for certain static or documentation content.

  • Amazon Web Services (AWS) — cloud object storage and related infrastructure (for example, S3) for file storage and presigned access patterns as implemented in the platform.

  • Google — as applicable, use of generative or embedding APIs (for example, Google’s generative AI APIs) in addition to Google Analytics, Tag Manager, or similar analytics products on the web client.

  • Anthropic, OpenAI, and Amazon Bedrock (AWS) — large language and related model APIs, depending on the models your organization or our configuration enables in the product.

  • Novu — in-app, email, or other notification and messaging infrastructure for product notifications.

  • Outline (Get Outline) — content management and synchronization for certain public documentation experiences.

  • PostgreSQL, Redis, and our application servers — we store and process data in our databases, caches, and back end (for example, permission and session-related caching), hosted on our chosen infrastructure.

  • Wix and related marketing infrastructure — the public changeagents.co marketing experience may be delivered through Wix or similar providers; that experience may use Wix’s cookies and analytics separately from the Change Agents product.

The Services may be accessed through domains such as auth.changeagents.co (authentication) and api.changeagents.co (API) as part of normal operation.

8. Data retention

We retain information for as long as your account is active, as needed to provide the Services, and as required to meet legal, accounting, and compliance obligations, resolve disputes, and enforce agreements. Retention periods can vary by data type, customer contract, and backup practices.

9. Security

We implement administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, or misuse. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. International data transfers

We may process and store information in the United States and in other countries where we or our subprocessors operate. If we transfer personal data from regions that require a legal mechanism (for example, the EEA, UK, or Switzerland), we use appropriate safeguards such as standard contractual clauses where applicable.

11. Your rights and choices

Depending on where you live, you may have the right to access, correct, delete, or export certain information, or to object to or limit certain processing. You may also have the right to lodge a complaint with a data protection authority. To make a request, contact us using the details below. We may need to verify your request and may redirect certain requests to your organization’s administrator where the organization controls the account.

 

California (summary): If the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) applies, we do not “sell” or “share” personal information as those terms are defined in the CCPA for the practices described in this policy. California residents may have additional rights regarding personal information, including the right to know, delete, and correct, subject to exceptions. You or your authorized agent can contact us as set out below.

12. Children

The Services are not intended for use by children under 16, and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will take steps to delete it as appropriate.

13. Third-party links and services

The Services or our websites may link to third-party sites or allow integrations we do not control. This policy does not govern those services; please review their privacy policies.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the effective date. If changes are material, we will take additional steps as required by law, such as providing additional notice in the product or by email.

15. How to contact us

For questions about this Privacy Policy or to exercise privacy rights, contact us at privacy@changeagents.co (or the contact method provided in your organization’s agreement, if you access the Services through a company account).

Change Agents’ public marketing site: https://changeagents.co

bottom of page