Privacy Policy

Effective Date: March 25, 2026 · Last Updated: March 25, 2026

SuperOrgs, Inc. (“SuperOrgs,” “we,” “us,” or “our”) is committed to protecting your privacy and handling your data with transparency and care. This Privacy Policy explains how we collect, use, share, and protect information when you visit superorgs.com, use our Agent Workforce Transformation Platform, interact with Orion, or otherwise engage with our products and services (collectively, the “Services”).

This policy applies to visitors to our website, prospective customers, registered users, Authorized Users within customer organizations, and anyone who contacts us. If you are using our Services on behalf of an organization, this policy applies to your use and to the organization's data processed through the Services.

Please read this policy carefully. By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Services.

1. Quick Reference Summary

We know privacy policies can be long. Here is a plain-language summary of the most important points:

| Category | Details |
|---|---|
| What we collect | Account information, HRIS data you connect, AI agent metadata discovered through integrations, usage data, and communications. |
| Why we collect it | To provide the Services, sync your org chart, power Orion, improve our platform, communicate with you, and comply with legal obligations. |
| Who we share with | Infrastructure providers (AWS, etc.), analytics tools, payment processors, and HRIS/AI integration partners - only as needed to operate the Services. We do not sell your data. |
| Your data, your rights | You can access, correct, export, or delete your personal data at any time. Contact privacy@superorgs.com. |
| AI model training | We do not use your Customer Data to train AI models without your explicit written consent. |
| Data retention | Active account data is retained while your subscription is active. Personal data is deleted within 90 days of account closure upon request. |
| Children | Our Services are not directed at individuals under 18. We do not knowingly collect data from minors. |
| Contact | privacy@superorgs.com |

2. Who We Are and How to Contact Us

SuperOrgs, Inc. is the data controller for personal data collected through our website and Services. We are incorporated in Delaware and operate primarily from San Francisco, California.

  • Privacy inquiries: privacy@superorgs.com
  • General contact: hello@superorgs.com
  • Legal / data requests: legal@superorgs.com
  • Website: superorgs.com

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, SuperOrgs, Inc. acts as the data controller. Where SuperOrgs processes personal data on behalf of a customer organization, we act as a data processor and the customer organization is the data controller.

3. Information We Collect

3.1 Information You Provide Directly

We collect information you provide when you create an account, use the Services, or communicate with us, including:

  • Account Registration: Name, work email address, job title, company name, and password when you sign up for SuperOrgs.
  • Profile Information: Any additional details you add to your account profile, such as a profile photo or department.
  • Payment Information: Billing name, billing address, and payment method details when you subscribe to a paid plan. Full payment card details are processed directly by our payment processor and are not stored on SuperOrgs systems.
  • Communications: Messages, questions, and feedback you send us via email, support tickets, or in-app chat.
  • Survey and Research Responses: Information you provide when participating in customer research, beta programs, or satisfaction surveys.

3.2 Information We Collect Automatically

When you use our website or Platform, we automatically collect certain technical and usage information:

  • Log Data: IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps of access.
  • Device Information: Device type, screen resolution, and hardware identifiers used to optimize the platform experience.
  • Usage Data: Features accessed, actions taken within the Platform (such as org chart interactions, governance workflow completions, and Orion queries), session duration, and click patterns.
  • Cookies and Similar Technologies: See Section 9 for full details on our cookie practices.

3.3 Information from HRIS and HR Platform Integrations

When you connect a Human Resource Information System (HRIS) or HR platform to SuperOrgs, we receive and process employee workforce data from that system, which may include:

  • Employee names, job titles, departments, and reporting structures.
  • Employment status (active, inactive, contractor, full-time, part-time).
  • Office location, team, and cost center assignments.
  • Start dates and other employment metadata necessary to build accurate org charts.

We do not request or process compensation data, performance reviews, or sensitive HR records unless explicitly configured to do so by the customer administrator. The specific data fields synced depend on the HRIS platform connected and the permissions Customer grants.

3.4 AI Agent and Automation Data

A core function of SuperOrgs is discovering and cataloging AI agents operating within your organization. In providing this capability, we may collect and process:

  • Agent metadata: Agent names, types, descriptions, and deployment configurations.
  • Platform API usage signals: API call patterns and usage volumes from connected AI platforms (such as Anthropic, OpenAI, GitHub Copilot, and Cursor) used to identify and inventory agents.
  • Agent ownership and governance data: Assigned owners, approval records, audit log entries, and data access scope configurations.
  • Agent performance metrics: Cost per agent, usage frequency, department attribution, and productivity signals.

SuperOrgs does not access the inputs, outputs, or conversation content of your AI agents. Agent discovery is based on metadata and API usage signals, not on the content of agent interactions.

3.5 Information from Third-Party Integrations

Beyond HRIS systems and AI platforms, you may connect other third-party tools to SuperOrgs. We receive only the data necessary to provide the integration functionality you have enabled. We treat all data received from third-party integrations as Customer Data subject to Section 3.3's protections.

3.6 Information from Orion

When you interact with Orion, our AI workforce strategist, we collect:

  • Your queries and questions submitted to Orion within the Platform.
  • Orion's responses and recommendations generated during your session.
  • Interaction metadata such as query timestamps and session identifiers.

Orion queries are processed using your organization's Platform data and SuperOrgs' AI infrastructure. Orion interaction data is used to provide the Orion feature and improve its accuracy and relevance. We do not use Orion conversation data to train external AI models without your explicit consent.

3.7 Information from Publicly Available Sources

We may supplement account information with publicly available information such as company size, industry, and public company descriptions to improve our understanding of your organization and tailor the Services appropriately.

4. How We Use Your Information

We use the information we collect for the following purposes, each grounded in an appropriate legal basis under applicable data protection law:

4.1 Providing and Maintaining the Services

  • Creating and managing your account and Authorized User accounts.
  • Syncing and displaying HRIS data to build accurate, real-time org charts.
  • Discovering, cataloging, and mapping AI agents across your connected platforms.
  • Operating Agent Workforce Planning, future modeling, and governance features.
  • Powering Orion's recommendations, benchmarking, and strategic insights.
  • Processing payments and managing subscription billing.
  • Sending transactional communications including account confirmations, security alerts, and billing receipts.

4.2 Improving and Developing the Services

  • Analyzing aggregated, anonymized usage patterns to understand how features are used and where we can improve.
  • Conducting research and testing new features with design partners and beta users.
  • Identifying bugs, performance issues, and technical errors.
  • Developing industry benchmarks from aggregated, anonymized data across our customer base to power Orion's benchmarking features.

4.3 Customer Support and Communications

  • Responding to support requests, bug reports, and account inquiries.
  • Sending product updates, new feature announcements, and educational content (where you have opted in or where permitted by applicable law).
  • Conducting customer satisfaction surveys and research interviews.

4.4 Security, Compliance, and Legal Obligations

  • Detecting, investigating, and preventing fraud, unauthorized access, and other security incidents.
  • Maintaining and enforcing our Terms of Service and Acceptable Use Policy.
  • Complying with applicable legal obligations, court orders, and regulatory requirements.
  • Exercising or defending legal claims.

4.5 What We Do Not Do

  • We do not sell your personal data or Customer Data to any third party.
  • We do not use Customer Data - including HRIS data, agent metadata, or Orion queries - to train AI models without your explicit prior written consent.
  • We do not use your data for advertising targeting on third-party platforms.
  • We do not make automated decisions about individuals that produce legal or similarly significant effects without human review.

For users in the European Economic Area, United Kingdom, or Switzerland, we process personal data only where we have a valid legal basis under the General Data Protection Regulation (GDPR) or applicable local law. The legal bases we rely on are:

  • Performance of a Contract: Processing necessary to provide the Services you have subscribed to, including account management, HRIS syncing, agent discovery, and Orion.
  • Legitimate Interests: Processing for our legitimate business interests, including improving the Services, ensuring platform security, and sending relevant product communications, where these interests are not overridden by your rights and interests.
  • Legal Obligation: Processing required to comply with applicable laws, regulations, court orders, or legal process.
  • Consent: Processing based on your freely given, specific, informed consent, such as for optional marketing communications or use of Customer Data for AI model training. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Where SuperOrgs acts as a data processor on behalf of a customer organization, our processing is governed by the customer's instructions and the applicable Data Processing Agreement.

6. How We Share Your Information

6.1 Service Providers and Subprocessors

We engage trusted third-party service providers to help us operate and improve the Services. These providers access data only as necessary to perform their services and are contractually bound to protect your information. Categories of service providers include:

  • Cloud infrastructure and hosting providers (such as Amazon Web Services).
  • Payment processors (such as Stripe) for subscription billing.
  • Customer support and communications platforms.
  • Product analytics and error monitoring tools to help us understand platform performance and usage.
  • Email delivery services for transactional and product communications.
  • Security and fraud detection services.

A current list of our key subprocessors is available upon request at privacy@superorgs.com.

6.2 HRIS and AI Platform Integration Partners

When you connect an HRIS or AI platform to SuperOrgs, data flows between your connected platforms and our Services through established API integrations. SuperOrgs does not share your data with integration partners beyond what is technically required to maintain the integration you have configured.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of SuperOrgs' assets, your information may be transferred to the acquiring entity as part of that transaction. We will provide notice of any such change and, where required by law, seek your consent.

6.4 Legal Disclosures

We may disclose your information if we believe in good faith that disclosure is necessary to: comply with applicable law or legal process; respond to lawful requests from government or law enforcement authorities; protect the rights, property, or safety of SuperOrgs, our customers, or the public; or enforce our agreements.

6.5 With Your Consent

We may share your information with other parties where you have given us explicit consent to do so, such as in case studies, testimonials, or co-marketing activities.

6.6 Aggregated and Anonymized Data

We may share aggregated, anonymized data - from which no individual or organization can reasonably be identified - with third parties for research, industry reporting, or benchmarking purposes. This data is not personal data and its sharing is not subject to the restrictions in this policy.

7. Data Retention

We retain personal data and Customer Data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Our general retention approach is:

| Category | Details |
|---|---|
| Account and profile data | Retained for the duration of the active account plus 90 days following account closure, after which it is deleted or anonymized. |
| HRIS and employee data | Retained for the active subscription period. Deleted within 30 days following subscription termination upon customer request; otherwise purged within 90 days. |
| AI agent metadata | Retained for the active subscription period. Deleted within 30 days of subscription termination upon request. |
| Orion interaction data | Retained for 12 months from the date of the interaction, then deleted or anonymized. |
| Payment and billing records | Retained for 7 years to comply with financial and tax reporting obligations. |
| Security and audit logs | Retained for 12 months for security purposes, then deleted. |
| Communications (support, email) | Retained for 3 years or as required by applicable law, then deleted. |
| Anonymized usage analytics | May be retained indefinitely as they do not constitute personal data. |

You may request earlier deletion of your personal data as described in Section 8. Certain data may be retained longer where required by law or where legitimate business interests (such as resolving outstanding disputes) require it.

8. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal data. SuperOrgs respects and honors these rights for all users regardless of jurisdiction.

8.1 Rights Available to All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Request a machine-readable export of your personal data.
  • Opt-out of Marketing: Unsubscribe from marketing communications at any time using the unsubscribe link in any email or by contacting privacy@superorgs.com.

8.2 Additional Rights for EEA, UK, and Swiss Users (GDPR)

  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Object: Object to processing based on our legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Right to Lodge a Complaint: Lodge a complaint with your local data protection authority. For EEA users, this is your national data protection authority. For UK users, this is the Information Commissioner's Office (ICO).

8.3 Additional Rights for California Residents (CCPA/CPRA)

California residents have the following additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know: Know what personal information we collect, use, disclose, and sell (we do not sell personal information).
  • Right to Delete: Request deletion of your personal information subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Services.

To exercise California rights, contact us at privacy@superorgs.com. We will respond within 45 days as required by law.

8.4 How to Exercise Your Rights

To submit a privacy rights request, contact us at privacy@superorgs.com with the subject line “Privacy Rights Request.” Please include your name, the email address associated with your account, and a description of your request. We will respond within 30 days (or as required by applicable law) and may need to verify your identity before fulfilling the request.

Note: If you are an employee of a SuperOrgs customer organization, some data rights must be exercised through your employer, as SuperOrgs processes that data as a data processor on your employer's behalf.

9. Cookies and Tracking Technologies

9.1 What We Use

SuperOrgs uses cookies and similar tracking technologies on our website and Platform. These include:

  • Essential Cookies: Required for the Platform to function. These enable authentication, session management, security features, and basic platform functionality. They cannot be disabled without breaking the Services.
  • Functional Cookies: Enhance your experience by remembering your preferences, such as display settings, language preferences, and UI state within the Platform.
  • Analytics Cookies: Help us understand how users interact with our website and Platform by collecting anonymized usage data. We use this to improve performance, fix bugs, and prioritize feature development.
  • Marketing Cookies: Used on our public website (not inside the logged-in Platform) to understand which channels drive traffic and to measure the effectiveness of our marketing. We do not use marketing cookies for behavioral advertising targeting.

9.2 Managing Cookies

When you visit superorgs.com for the first time, we present a cookie consent banner where you can accept or decline non-essential cookies. You can change your preferences at any time by clicking the “Cookie Preferences” link in the website footer.

You can also control cookies through your browser settings. Note that disabling essential cookies may prevent certain features of the Platform from functioning correctly.

9.3 Do Not Track

Some browsers transmit a Do Not Track (DNT) signal. SuperOrgs honors DNT signals for our public website by disabling non-essential analytics tracking for those sessions. DNT signals do not affect the logged-in Platform, where usage data collection is necessary to provide the Services.

10. Data Security

SuperOrgs takes data security seriously and implements multiple layers of technical and organizational safeguards:

  • Encryption: All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256.
  • Access Controls: Strict role-based access controls limit which SuperOrgs personnel can access customer data. Access is granted on a need-to-know basis and is logged.
  • Multi-Tenant Isolation: Each customer organization's data is isolated at the database level. Cross-tenant data access is architecturally prevented.
  • Audit Logging: All actions within the Platform are logged with actor identity, timestamp, and field-level change details. Logs are immutable.
  • SOC 2 Architecture: Our security architecture is designed to meet SOC 2 Type II requirements, with certification in progress.
  • Vulnerability Management: We conduct regular security assessments, penetration testing, and dependency scanning.
  • Incident Response: We maintain a formal incident response plan. In the event of a confirmed data breach affecting personal data, we will notify affected customers within 72 hours as required by applicable law.

Despite these measures, no security system is completely impenetrable. We cannot guarantee the absolute security of your data against all threats. We encourage you to use strong passwords, enable multi-factor authentication, and report any suspected security concerns to security@superorgs.com.

11. International Data Transfers

SuperOrgs is headquartered in the United States. If you are accessing our Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where SuperOrgs or its service providers operate.

For transfers of personal data from the EEA, United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, SuperOrgs relies on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission for transfers from the EEA.
  • UK Addendum to SCCs for transfers from the United Kingdom.
  • Swiss SCCs or equivalent measures for transfers from Switzerland.

You may request a copy of the applicable transfer mechanisms by contacting privacy@superorgs.com.

12. Children's Privacy

The SuperOrgs Platform is designed for use by businesses and organizations and is not directed at children under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected personal data from a minor, we will promptly delete it.

If you believe we have collected information from a child under 18, please contact us immediately at privacy@superorgs.com.

Our website and Platform may contain links to third-party websites, documentation, or services. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party sites or services you visit. SuperOrgs is not responsible for the privacy practices or content of third-party sites.

14. AI and Automated Processing

14.1 Orion AI Processing

Orion processes data within your SuperOrgs account - including your organization's workforce structure, agent inventory, and usage patterns - to generate recommendations, benchmarks, and strategic insights. This processing is fully automated. Orion's outputs are informational and advisory in nature; no automated decisions with legal or similarly significant effects are made about individual employees based solely on Orion's outputs.

14.2 Agent Discovery

SuperOrgs' agent discovery feature uses automated analysis of API usage signals and integration metadata to identify AI agents operating within your organization. This is a technical inventory function and does not involve assessments or decisions about individual people.

14.3 No Training on Customer Data

SuperOrgs does not use Customer Data, including HRIS data, agent metadata, Orion conversations, or organizational structure data, to train, fine-tune, or improve AI models without your explicit prior written consent. Aggregate, fully anonymized usage patterns may be used to improve platform functionality, but this does not constitute use of personal data or Customer Data for AI training.

15. Data Processing Agreement

Where SuperOrgs processes personal data on behalf of a customer organization as a data processor under GDPR or similar legislation, the parties will enter into a Data Processing Agreement (DPA) governing that processing. The DPA describes the nature and purpose of processing, data categories, retention periods, security measures, and subprocessor arrangements.

Enterprise customers and customers subject to GDPR may request our standard DPA by contacting legal@superorgs.com. The DPA supplements and, where it conflicts with this Privacy Policy in respect of personal data processed on behalf of the customer, takes precedence.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, or applicable law. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this policy.
  • Notify active users by email or via an in-app notification at least 30 days before the changes take effect.
  • Where required by law, seek your consent before implementing changes that affect how we process your personal data.

We encourage you to review this policy periodically. Your continued use of the Services after the effective date of any updated policy constitutes your acceptance of the changes.

17. Specific Disclosures for California Residents

In addition to the rights described in Section 8.3, California residents are entitled to the following disclosures:

17.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information as defined under the CCPA:

  • Identifiers: Name, email address, IP address, account identifiers.
  • Commercial Information: Subscription plan, payment history, and billing records.
  • Internet or Electronic Network Activity: Usage logs, feature interactions, and session data.
  • Professional or Employment-Related Information: Job title, department, and employer name provided during account registration or synced from HRIS integrations.
  • Inferences: Aggregated inferences about platform usage patterns used to improve the Services.

17.2 Sources of Personal Information

We collect personal information directly from you, automatically through your use of the Services, and from connected third-party platforms (HRIS systems and AI platforms) that you authorize.

17.3 Business or Commercial Purposes

We use personal information for the business purposes described in Section 4 of this policy, including providing the Services, improving platform functionality, ensuring security, and complying with legal obligations.

17.4 Categories of Third Parties

We share personal information with service providers and subprocessors as described in Section 6.1. We do not sell personal information and do not share personal information for cross-context behavioral advertising.

Contact Us

For privacy-related questions, requests, or concerns, please contact our privacy team:

  • Email: privacy@superorgs.com
  • Subject line: “Privacy Request” or “Privacy Inquiry”
  • Website: superorgs.com/privacy
  • Mailing address: SuperOrgs, Inc., Attn: Privacy, San Francisco, CA

For EEA or UK data protection complaints that we have not resolved to your satisfaction, you have the right to lodge a complaint with your local supervisory authority.