LaunchPathBack to home

Privacy Policy

Last updated: March 2026

1. Introduction

LaunchPath ("we," "our," or "us") operates the LaunchPath platform, an AI agent deployment service that enables users to create, train, deploy, and manage AI-powered agents for businesses. Agents can be deployed as website chat widgets, WhatsApp bots, voice assistants, and via API integrations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

If you are a business using LaunchPath to deploy agents for your own customers ("End Users"), you act as the data controller for End User data and we act as the data processor. See our Data Processing Agreement for details.

2. Information We Collect

2.1 Account Information

  • Registration data: Email address and password when you create an account. If you sign up via Google OAuth, we receive your name, email, and profile picture from Google.
  • Profile and onboarding data: Your name, persona type (agency, developer, or explorer), and first goal preference, provided during onboarding.
  • Billing data: Payment information is collected and processed directly by Stripe. We store your Stripe customer ID, subscription plan tier, and credit balance — we do not store credit card numbers.

2.2 Agent and Content Data

  • Agent configurations: Agent names, system prompts, personality settings, model selections, tool configurations, and knowledge base content you upload or scrape.
  • Conversations: Messages exchanged between your AI agents and End Users (via website widgets, WhatsApp, voice, or API channels), including message content and metadata.
  • Knowledge base: Documents, website content, and FAQ pairs you provide to train your agents. This content is chunked and embedded as vectors for retrieval.

2.3 End User and Contact Data

  • Widget visitors: Session identifiers, page URLs, and optionally name and email if you enable pre-chat forms.
  • WhatsApp contacts: Phone numbers, profile names, and message content. Contacts may be imported via CSV or collected through inbound messages.
  • Voice callers: Audio is processed in real-time for transcription — we do not permanently store audio recordings.

2.4 Client and Portal Data

  • Client accounts: Business name, email, website, and logo for agency sub-accounts.
  • Portal members: Email addresses and roles of team members invited to client portals.

2.5 Usage and Technical Data

  • Usage logs: AI model used, token counts, credits consumed, and timestamps for each agent interaction.
  • Technical data: IP address, browser type, device information, and referrer URL collected automatically for security and rate limiting.
  • Security events: Login attempts, rate limit hits, and CSRF validation failures are logged for security monitoring. Sensitive fields (passwords, tokens, emails) are redacted from logs.

2.6 Integration Data

  • Third-party app connections: When you connect apps (e.g., Google Calendar, Slack, HubSpot) via Composio integrations, we store connection identifiers. OAuth tokens are managed by Composio — we do not store third-party access tokens directly.
  • Webhook and API tool data: URLs, authentication credentials (encrypted), and response data for custom tool integrations you configure.
  • MCP server connections: Server URLs and authentication details for Model Context Protocol integrations.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the LaunchPath platform and AI agent services.
  • Process AI agent conversations by sending message content to AI model providers (Anthropic, OpenRouter, OpenAI) for generating responses.
  • Perform retrieval-augmented generation (RAG) by embedding and searching your knowledge base content to provide context-aware agent responses.
  • Execute agent tools (webhooks, HTTP APIs, app integrations, sub-agents) as configured by you.
  • Send WhatsApp messages, broadcast templates, and drip sequences on your behalf via the Meta WhatsApp Business API.
  • Process billing, manage subscriptions, track credit usage, and handle payments via Stripe.
  • Transcribe audio messages (via OpenAI Whisper) and analyze images (via AI vision models) sent by End Users through WhatsApp or voice channels.
  • Provide account security through authentication, MFA, rate limiting, and CSRF protection.
  • Enable data export and account deletion to support your data rights.
  • Improve the platform based on aggregate usage patterns (we do not use your conversation content to train AI models).

4. AI Model Data Processing

When your AI agents respond to messages, conversation content is sent to third-party AI model providers for inference. The specific provider depends on the model you select for your agent:

  • Anthropic (Claude models): Used for direct Anthropic model calls and text embeddings for knowledge base search.
  • OpenRouter: Routes requests to various providers including OpenAI, Google, Meta, Mistral, DeepSeek, and others based on your selected model.
  • OpenAI: Used for audio transcription (Whisper) of voice messages and image analysis.

These providers process data according to their own privacy policies and data processing terms. We do not permit AI providers to use your data for model training. See our Sub-Processor List for details.

5. Data Sharing and Disclosure

We do not sell your personal information. We share your information only in the following circumstances:

  • Sub-processors: With the service providers listed on our Sub-Processor List, who assist in operating the platform (hosting, AI inference, payments, messaging).
  • Third-party integrations you configure: When you connect external apps or configure webhook/HTTP/MCP tools, data may be sent to those services as part of agent tool execution. You control which integrations are active.
  • Client portal access: Agency users can grant their clients access to view conversations and manage campaigns via the client portal.
  • Legal requirements: When required by law, subpoena, or court order, or to protect our rights, safety, or property.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with notice where required.

6. Data Retention and Deletion

We retain your information as follows:

  • Account data: Retained while your account is active. You can delete your account at any time via dashboard settings — this cascades to delete all associated agents, conversations, contacts, channels, campaigns, clients, and usage logs.
  • Conversations: Widget conversations are automatically closed after 24 hours of inactivity. All conversation data is deleted when you delete the associated agent or your account.
  • Usage logs: Retained for billing reconciliation and audit purposes.
  • Media files: WhatsApp media (images, audio, documents) is processed in memory and not permanently stored.
  • Stripe data: Billing records are retained by Stripe according to their data retention policy. We retain subscription status and credit balance records.

7. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest.
  • Row-level security (RLS) on all database tables ensuring users can only access their own data.
  • Secure authentication via Supabase Auth with optional multi-factor authentication (TOTP).
  • CSRF protection on all state-changing API endpoints.
  • Rate limiting on authentication, billing, and chat endpoints.
  • API key hashing (SHA-256) — raw keys are never stored.
  • Credential masking in the UI — API keys and secrets are displayed as masked values.
  • Content Security Policy (CSP), HSTS, and other security headers.
  • Webhook signature verification for Stripe and WhatsApp integrations.
  • Audit logging of security events with sensitive field redaction.

8. Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access and export: You can export all your data (agents, conversations, contacts, usage logs, credits) as JSON via your account settings.
  • Rectification: You can update your profile, agent configurations, and contact data at any time via the dashboard.
  • Erasure: You can delete your account and all associated data via account settings. Deletion is immediate and cascading.
  • Portability: Data export provides your data in a structured, machine-readable JSON format.
  • Restriction and objection: Contact us to restrict or object to certain processing activities.

To exercise these rights, use the self-service tools in your dashboard or contact us at the email below.

9. WhatsApp and Messaging

If you use LaunchPath to deploy agents on WhatsApp:

  • You are responsible for obtaining appropriate consent from your contacts before sending messages, in compliance with Meta's Business Messaging Policy and applicable laws.
  • Contacts can opt out at any time. Opted-out contacts are marked in our system and excluded from future broadcasts and sequences.
  • WhatsApp message templates must be approved by Meta before use for outbound messaging.
  • We process WhatsApp data (phone numbers, message content, delivery status) via the Meta WhatsApp Business API.
  • Voice notes received via WhatsApp are transcribed using OpenAI Whisper. Images are analyzed using AI vision models. Neither audio nor images are permanently stored.

10. Cookies and Local Storage

We use only essential cookies and local storage for the operation of our platform:

  • Authentication cookies: Supabase Auth session cookies (HttpOnly, Secure, SameSite=Lax) for maintaining your login session.
  • Functional cookies: A portal impersonation cookie used by agency owners to preview client portals.
  • Local storage: UI preferences such as cookie banner dismissal and checklist collapse state.

We do not use any third-party tracking cookies, analytics cookies, or advertising cookies. You can adjust your browser settings to limit cookies, though authentication requires session cookies to function.

11. Children

Our service is not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, please contact us so we can delete it.

12. International Transfers

Your data may be transferred to and processed in the United States, where our infrastructure and sub-processors are located. For transfers from the EEA/UK, we rely on EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework (DPF) as applicable. See our Sub-Processor List for transfer mechanisms per provider.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. Material changes will be communicated via email or a notice in the platform. Continued use of the service after changes constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: karam@trylaunchpath.com

Return to LaunchPath