Casola
Home Products Pricing Enterprise Docs
Dashboard
Home Products Pricing Enterprise Docs Dashboard

Privacy Policy

Last updated: June 18, 2026

Effective date: June 18, 2026

Controller: Casola, 2261 Market Street STE 18830, San Francisco, CA 94114. Contact: privacy@casola.ai.

1. Scope

This Privacy Policy explains how Casola (“we”, “us”) handles personal data of visitors to casola.ai and of the businesses and individuals who register for, administer, or pay for the Casola API. Casola is established in the United States, so US privacy law (including the CCPA/CPRA) leads for these direct relationships. GDPR/UK GDPR reaches us chiefly through our processor role when customers route EU/UK End-User data through the Service (governed by the DPA), and the GDPR terms below also apply where we process EU/UK residents’ personal data directly. For End-User data processed on a customer’s behalf, see the DPA. If you are in the EEA, the UK, or a US state with its own privacy law, additional regional details apply to your relationship with us. Contact privacy@casola.ai for specifics.

2. Information We Collect (Direct Relationships)

  • Account and contact data: name, work email, company, role, and sign-in identity of the individuals who create or manage a Customer account.
  • Verification (KYC) data: business and identity information we collect to approve and maintain access.
  • Billing data: plan, usage records, and billing contact/address (card data is handled by our payment processor; we do not store full card numbers).
  • Usage and technical data: API request metadata, logs, IP address, and identifiers used for security, rate-limiting, and abuse prevention.
  • Support and communications: messages you send us and related records.

We collect Inputs and Outputs passing through the API to provide the Service; to the extent these contain personal data of End Users, we process them as a processor under the DPA, not under this Policy.

3. How We Use This Information

  • Provision, administer, and secure your account and API access.
  • Verify customers (KYC), bill usage, and prevent fraud and abuse.
  • Provide support and send transactional and (with consent where required) marketing messages.
  • Operate, monitor, and improve the reliability and security of the Service.
  • Comply with law, including the safety scanning and reporting in Section 5.

We do not sell personal data. We do not use customer Inputs or Outputs to train foundation models by default; any model-improvement use will be separately disclosed, supported by a lawful basis or contractual permission, and subject to available opt-outs.

Lawful bases (GDPR/UK GDPR). Where GDPR applies, we rely on: performance of a contract (to provision and administer your account and the Service); legitimate interests (security, abuse prevention, service improvement, and B2B marketing, balanced against your rights); legal obligation (KYC, tax, and the safety reporting in Section 5); and consent (where required, e.g., certain marketing), which you may withdraw at any time.

4. Who We Share With and Analytics

  • Service providers / processors: hosting and edge (Cloudflare), rented GPU/model-inference compute, payment processing (Stripe, for our B2B billing), analytics (see §10), and content-moderation / CSAM-detection tooling (Hive AI), bound to act only on our instructions.
  • Authorities: law enforcement, NCMEC, or regulators where required by law or to protect safety (Section 5).
  • Corporate: affiliates within our group, and a successor in a merger or sale, subject to this Policy.

5. Safety Scanning, Reporting, and Preservation

Because the Service generates and transmits content, we scan Inputs and Outputs (including hash-matching against known child-sexual-abuse-material datasets and running safety classifiers), and where we detect suspected child sexual abuse material we are legally required to report it (NCMEC CyberTipline; US-based reporting under 18 U.S.C. §2258A) and to preserve related records and cooperate with law enforcement. For these limited safety, security, and legal-compliance purposes we act as an independent controller, and these obligations override deletion requests for the specific records involved. This applies regardless of any contrary instruction from a Customer.

6. Retention

  • Account, KYC, and billing records: life of the relationship plus 7 years for tax/legal compliance.
  • Usage logs and security data: 12 months, then deleted or aggregated.
  • In-flight Inputs/Outputs: retained only as needed to deliver the Service and per the DPA; see the DPA for End-User data retention and deletion.
  • Safety/reportable records: retained as long as required for legal, evidentiary, and abuse-prevention purposes (this may exceed the periods above).

7. Your Rights

Depending on your jurisdiction you may have rights to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent. Where GDPR/UK GDPR applies, you also have the right to lodge a complaint with your supervisory authority. We do not make solely automated decisions producing legal or similarly significant effects about you in our direct relationships; our safety classifiers screen content rather than make such decisions about individuals, and any human-review escalation is described in the AUP. To exercise your rights, contact privacy@casola.ai; we respond within 30 days. End Users seeking to exercise rights in their data should contact the Customer (controller); we will assist the Customer as required by the DPA.

8. International Transfers; Security; Children

Where EU/UK End-User data is processed through the Service, international transfers rely on the mechanism set out in the DPA (EU Standard Contractual Clauses / UK Addendum to the EU SCCs). We use encryption in transit, scoped credentials, and access controls; report vulnerabilities to security@casola.ai. The Service is offered to businesses and is not directed to children; we do not knowingly collect children’s data in our direct relationships.

9. Changes; Contact

We may update this Policy; material changes will be communicated to account contacts. Privacy: privacy@casola.ai. Security: security@casola.ai.

If you are in the EEA or UK and wish to raise a data-protection concern, contact privacy@casola.ai or write to us at: Casola, 2261 Market Street STE 18830, San Francisco, CA 94114.

10. Cookies & Similar Technologies

We use cookies and similar technologies on casola.ai. For full details — categories of cookies, consent choices, and how to withdraw consent — see our Cookie Policy.

Strictly necessary cookies are required for the site to function (e.g., security tokens, session state) and are set without your consent.

Analytics/performance cookies help us understand how visitors use the site. We use Google Analytics with Google Consent Mode v2. The consent model varies by region:

  • EEA, UK, and Switzerland: analytics cookies are set only after you accept via the cookie banner. No analytics data is collected before consent.
  • United States and rest of world: analytics are on by default (opt-out model). You can disable them at any time via “Cookie settings” in the page footer or on the Cookie Policy page.

Your consent signal is passed to Google before any measurement occurs. You can grant or withdraw consent at any time via the “Cookie settings” footer link or the Cookie Policy page.

We use analytics cookies to improve casola.ai. Cookie Policy

Casola

© Casola. Real-time avatar and video APIs.

DocsPrivacyTermsDPAAcceptable UseCookiesContact