Privacy Policy

This Privacy Policy applies to:

• •Visitors to stepsai.co and related marketing sites
• •Customers and authorized users of the StepsAI platform (app.stepsai.co)
• •End users who interact with a StepsAI-powered AI agent through any supported channel
• •Businesses that connect third-party integrations to StepsAI
• •Prospects and contacts engaged via sales, demo requests, or support channels

This Policy does not apply to:

• •Third-party websites, services, or messaging platforms linked to or integrated with StepsAI, which are governed by their own privacy policies
• •Data that customers process using StepsAI under separate written agreements where Steps AI acts solely as a service provider on behalf of the customer
• •Employment applicants, who are covered by a separate notice

3.1 Information You Provide

We collect information that you or your team provide when you:

• •Create an account (name, work email, password, organization name, role)
• •Configure a workspace or AI agent (agent settings, knowledge sources, channel preferences)
• •Upload or connect knowledge sources (documents, FAQs, product catalogs, policies)
• •Connect a communication channel or integration and authorize access
• •Submit a sales inquiry, demo request, newsletter signup, or contact form
• •Provide billing details (billing contact, company address, tax ID; payment card data is handled by third-party payment processors and is not stored on our servers)
• •Interact with customer support or submit feedback

3.2 Information Collected Automatically

When you or your end users interact with StepsAI, we may automatically collect:

• •Device and connection data (IP address, browser type, OS, device identifiers, language, time zone)
• •Usage data (pages viewed, features used, queries issued, session duration)
• •Conversation metadata (channel type, timestamps, message counts, escalation events)
• •Log data (system events, errors, security alerts, audit entries)
• •Cookies and similar technologies as described in Section 8

3.3 Information from Connected Channels and Integrations

When you connect a channel or integration, we receive data necessary to deliver the Services. The specific data depends on the integration and may include account identifiers, message content, product catalogs, customer records, contacts, documents, tickets, and similar information as applicable to the integration you enable.

• •We only access data based on the permissions you authorize
• •We do not modify or delete your source content unless you explicitly instruct us to do so

3.4 Information About End Users

When an end user interacts with a StepsAI-powered agent deployed by one of our customers, we may process on behalf of that customer:

• •Contact identifiers provided by the channel
• •Message content and interaction history
• •Derived signals such as detected intent or language
• •Contextual data related to the conversation, such as order lookups or scheduling requests

3.5 Information from Other Sources

We may receive information from:

• •Authentication providers you use to sign in
• •Analytics and marketing partners
• •Publicly available sources

4.1 Operating the Platform

We use your information to authenticate users, provision workspaces, train your AI agent on the knowledge sources you connect, route conversations, execute integrations, and provide platform features such as analytics and the unified inbox.

4.2 Communications

We use your information to respond to support requests, send service-related announcements, transactional messages, and (with your consent or as permitted by law) marketing communications. You can opt out of marketing emails at any time using the unsubscribe link.

4.3 Improvement and Security

We use your information to measure performance, diagnose errors, improve the Services, detect fraud and abuse, and enforce our terms.

4.4 Legal Purposes

We may use your information to comply with applicable laws, respond to legal process, establish or defend legal claims, and enforce our agreements.

5.1 Where We Store Data

StepsAI uses cloud infrastructure from third-party providers. Our primary hosting is in the United States and India, though this may change or expand over time. Additional hosting regions may be offered in the future.

5.2 Security

We maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, misuse, or alteration. These safeguards include encryption in transit, access controls, monitoring, and confidentiality obligations for team members. We review and update these measures from time to time as our platform, customer base, and the threat landscape evolve.

However, no system is completely secure, and we do not warrant or guarantee the absolute security of your information. You use the Services at your own risk, and we encourage you to use strong passwords and protect your account credentials.

We may pursue industry certifications, third-party audits, or additional compliance programs in the future and will update this policy and our documentation accordingly.

5.3 Retention

We retain information for as long as reasonably necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. General guidelines:

• •Account data: retained while your subscription is active; deleted from production systems within a reasonable period after account closure, unless legal retention is required
• •Conversation data: retained according to your workspace settings or our default retention periods, which may change from time to time
• •Knowledge sources: removed within a reasonable period after you disconnect or delete them
• •Integration tokens: revoked when you disconnect the integration
• •Billing and tax records: retained as required by applicable financial and tax regulations
• •Website analytics and cookies: retained in accordance with Section 8 and our analytics providers' policies
• •Marketing data: retained while you remain engaged, subject to your opt-out rights

To request deletion or a copy of your data, email support@stepsai.ca. We will respond within a reasonable timeframe.

6.1 Integrations

StepsAI integrates with third-party platforms that you choose to connect, including (without limitation) Meta Platforms, Shopify, WooCommerce, BigCommerce, HubSpot, Salesforce, Calendly, Google Drive, OneDrive, Notion, Confluence, Intercom, Jira, Slack, Microsoft Teams, Webflow, Framer, Stripe, Razorpay, and others. Each of these platforms is governed by its own terms and privacy policy. We are not responsible for the privacy practices of third-party services.

Disconnecting an integration stops new data from flowing to StepsAI; previously cached or indexed data is removed in line with Section 5.3.

6.2 Who We Share Data With

We do not sell personal data. We may share information with:

• •Service providers and subprocessors: hosting, AI model providers, analytics, communications — under contractual confidentiality obligations
• •Channels and integrations: you authorize, to deliver the features you enabled
• •Professional advisors: legal, accounting, audit — under professional duties of confidentiality
• •Legal and regulatory authorities: when required by law or to protect rights, property, or safety
• •In connection with a corporate transaction: such as a merger, acquisition, or sale of assets — we will notify affected customers as required by law

A list of our key subprocessors is available on request by emailing support@stepsai.ca.

Types of technologies we use:

• •Strictly necessary: authentication, security, core platform functions
• •Functional: preferences such as language and theme
• •Analytics: understanding how our site and product are used (e.g., Google Analytics)
• •Marketing: measuring campaign performance on marketing pages (we do not use cookies for cross-context behavioral advertising)

Your choices

You can manage cookies through your browser settings or, where applicable, through a consent banner on our site. Blocking certain cookies may affect platform functionality. We do not currently respond to Do Not Track signals due to the absence of a common standard. Where required by law, we honor Global Privacy Control signals.

9.1 Our Approach

Steps AI is a Canadian company and we endeavor to handle personal information in a manner consistent with applicable Canadian privacy law (PIPEDA). We also aim to respect the privacy rights recognized under other frameworks that may apply to our users, including the CCPA/CPRA (California), DPDPA (India), GDPR (EU/UK), and others.

Nothing in this Privacy Policy should be interpreted as a representation that we meet the requirements of any specific regulatory framework or industry standard unless we have explicitly stated so in a separate written agreement with you.

9.2 Legal Requests

We may disclose personal data when we believe in good faith that it is required by law or necessary to protect the safety, rights, or property of Steps AI, our customers, or the public. Where permitted by law, we will attempt to notify affected customers before disclosure.

9.3 Children

StepsAI is intended for business use by individuals aged 18 and older. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact support@stepsai.ca and we will take steps to delete it.