Cmdless Privacy Policy

1. Scope and Controller Information

This Privacy Policy applies to the cmdless.com website, the Cmdless desktop application, connected support channels, and other services that link to this Policy.

Grid Heap, Inc., a Delaware corporation (“Grid Heap,” “we,” “us,” or “our”), is the controller of personal information processed under this Policy unless a separate agreement states otherwise.

We use personal information only for service-related purposes described in this Policy. We do not use personal information for unrelated advertising, data brokerage, or unrelated commercial exploitation.

Our place of incorporation does not, by itself, determine where your Service data is processed. Cloud-backed synchronization, delivery, storage, and support flows may run on infrastructure operated globally by our service providers, including in the United States.

2. Information We Process

2.1 Account, contact, and support information

We may process information such as your name, organization, email address, billing or support communications, and any information you choose to provide when contacting us.

2.2 Configuration and credential information

If you enable model providers, integrations, or channels, we may process API keys, OAuth tokens, refresh tokens, channel identifiers, integration settings, runtime preferences, and related configuration metadata. We use this information only to operate the features you enable.

2.3 Prompts, transcripts, files, and runtime data

Depending on how you use the Service, we may process typed prompts, pasted content, selected text, live transcripts, task instructions, schedules, messages, generated drafts, logs, workflow state, and files or metadata that you choose to route through Cmdless.

Many of these data elements may be stored locally on your device or in local runtime storage. If you enable remote providers or cloud-backed channels, relevant content may also be transmitted to those services at your direction.

2.4 Audio, device permissions, and local resources

When you use voice features or enable system actions, Cmdless may access your microphone and speech recognition permissions, and may interact with local resources such as clipboard items, selected text, files, calendar data, camera-related workflows, or other operating system surfaces that you explicitly permit.

2.5 Integration and channel data

If you connect services such as email, collaboration tools, or messaging platforms, we may process metadata and content necessary to read, classify, draft, send, or otherwise perform the actions you request.

2.6 Technical and diagnostic data

We may process usage logs, crash reports, configuration state, device or application version information, network metadata, and security events to operate, secure, troubleshoot, and improve the Service.

2.7 Website and edge delivery data

When you visit cmdless.com, our infrastructure providers may process standard request metadata such as IP address, user agent, referrer, timestamp, and edge security or caching logs. As of the effective date of this Policy, the landing page does not include advertising trackers or behavioral analytics scripts.

3. How We Use Information

We use personal information to:

provide, configure, secure, and maintain the Service;
route prompts and instructions into local or remote execution paths;
operate voice capture, transcription, automation, scheduling, and channel workflows you enable;
respond to support requests and service communications;
monitor performance, investigate incidents, prevent abuse, and improve reliability;
comply with legal obligations, enforce contracts, and protect rights, safety, and security.

We do not use personal information for unrelated advertising, data brokerage, or other purposes outside operating the Service and supporting the customer relationship described in this Policy.

4. Legal Bases for Processing

Depending on the context and the law that applies, we may process personal information on the basis of your consent, our need to perform a contract with you, our legitimate interests in operating and securing the Service, or our legal obligations.

Where consent is required, you may withdraw it at any time, subject to the limitations of the specific feature and the lawfulness of processing that occurred before withdrawal.

5. How We Share Information

We may disclose personal information to:

infrastructure, hosting, delivery, and support providers acting on our behalf;
third-party model providers, email providers, communication platforms, and external services that you connect or instruct us to use;
professional advisers, auditors, insurers, and transaction partners where reasonably necessary;
regulators, courts, law enforcement, or other parties when required by law or necessary to protect rights, safety, or the integrity of the Service.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising as part of the current Service model.

We also do not use customer personal information for purposes outside the Service itself, except where required to comply with law, protect rights and security, process a transaction you request, or respond to a support or account administration matter.

6. International Transfers

Grid Heap, Inc. is incorporated in the State of Delaware, United States of America. Grid Heap may use infrastructure, subprocessors, model providers, and integrations located in multiple jurisdictions. As a result, personal information may be accessed, processed, or stored outside your country or region, including in the United States.

Certain synchronization, delivery, security, and cloud storage workflows may use globally distributed infrastructure service providers. Where those workflows are used, data in those flows is protected with encryption in transit and, for hosted storage under our control, encryption at rest.

When cross-border transfers occur, we apply lawful transfer mechanisms appropriate to the relevant data flow and applicable law. Depending on the jurisdiction and transfer scenario, this may include contractual safeguards, user-directed transfers, standard contractual commitments, certification or assessment-based mechanisms, or other legally recognized bases.

Transfers to third-party providers and legal exceptions. If you enable a remote model provider, email provider, or messaging integration, the content you route to that provider may be processed under that provider’s own infrastructure and legal terms. We may also transfer or disclose information where required by applicable law, lawful process, or to address a validated security or abuse issue.

7. Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, maintain runtime continuity, resolve disputes, enforce agreements, meet legal obligations, and support security and fraud prevention.

Retention periods vary by data type and configuration. For example, local-first runtime content may remain on your device until deleted by you or removed through product controls, while support records and operational logs may be retained for longer periods where necessary.

8. Security

We use technical and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures may include credential isolation, access controls, logging, process separation, and transport safeguards.

Where some synchronization, storage, or delivery flows use managed infrastructure, we rely on encryption and related security controls for those workflows. Local-first content may remain on your device under your own environment and security controls.

No system is completely secure. You are responsible for securing your own devices, local environments, credentials, and connected third-party accounts, and for evaluating whether a particular Cmdless workflow is appropriate for sensitive or regulated information.

9. Your Rights

Depending on your jurisdiction, you may have rights to request access to, correction of, deletion of, portability of, restriction of, or objection to our processing of your personal information, and to withdraw consent where processing is based on consent.

If you are in California and the CCPA applies, you may have rights to know, delete, correct, and limit certain processing of sensitive personal information, as well as the right not to be discriminated against for exercising applicable rights.

If you are in the EEA, the UK, or another jurisdiction with comparable data protection rules, you may also have the right to lodge a complaint with your local supervisory authority.

To exercise rights, contact contact@gridheap.com. We may need to verify your identity and authority before completing a request.

10. Children

Cmdless is not directed to children. The Service requires users to be at least 18 years old, and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact us and we will take appropriate steps to investigate and address the issue.

11. Changes to This Policy

We may update this Policy from time to time to reflect changes to the Service, law, infrastructure, integrations, or our data practices. When we do, we will post the updated version here and revise the effective date above.

12. Contact

Privacy questions, requests, or complaints may be sent to contact@gridheap.com.