[ privacy policy ] updated · may 12, 2026

your data, our duty.

This Privacy Policy describes how Donkit.AI ("Company", "we", "us") collects, uses, and protects your personal information when you visit and use our websites and services, including our prompt-to-agent platform.

Our Services are designed for and offered to businesses and other organizations for commercial and professional use. They are not directed at consumers, and we do not knowingly process personal data of individuals acting outside of a business context. Where personal data is processed through our platform, this is generally done on behalf of our business customers.

This Privacy Policy is an integral part of our Terms of Service. By using our Services, you agree to the collection and use of information in accordance with this policy.

01

Our Role: Data Controller vs. Data Processor

To comply with global privacy frameworks (such as the GDPR, UK GDPR, emerging US state privacy laws, and the Israeli Privacy Protection Law), our legal responsibilities depend on the type of data being processed:

When Donkit is the Data Controller

We act as the Data Controller for your direct relationship with us. This includes your account information, billing details, and data automatically collected when you navigate our website.

When Donkit is the Data Processor

When you use our platform to build agents, upload context files, submit prompts, configure integrations, or publish public agents, you are the Data Controller of that specific data. Donkit acts strictly as a Data Processor, handling this "Agent Data" solely on your behalf and according to your instructions.

02

Information We Collect

We collect information that you provide directly to us, as well as data collected automatically or generated through your use of our platform.

Information you provide directly to us

  • Name, email address, and contact information.
  • Account credentials and profile information.
  • Billing information (such as company name and billing address) used for invoicing. Payment card details are collected and processed directly by our payment processor; we do not receive or store your full payment card information and rely on the payment processor's customer and transaction identifiers for billing and reconciliation purposes.
  • Information you provide when contacting us or using our support services.
  • Agent Data: Conversational data (prompts), documents, and contextual files you upload to instruct or manage your agents.
  • Integration Credentials: API keys, OAuth tokens, and passwords you provide to connect third-party tools to your agents.

Information we automatically collect

  • Log data (IP address, browser type, access times).
  • Device information.
  • Usage data and analytics.
  • Cookies and similar tracking technologies.

03

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Services.
  • Process transactions and send related information.
  • Send technical notices, updates, and support messages.
  • Respond to your comments, questions, and requests.
  • Monitor and analyze trends, usage, and activities.
  • Detect, prevent, and address technical issues and fraudulent activity.
  • Comply with legal obligations.

AI Model Training Policy

We respect your privacy and the confidentiality of your data. We do not use your personal information, prompts, conversational data, or uploaded context files to train or fine-tune our internal AI models unless you provide explicit, opt-in consent to do so. Your private data remains yours.

04

Third-Party AI Providers & "Bring Your Own Key" (BYOK)

To power our prompt-to-agent platform, we utilize industry-leading third-party Artificial Intelligence providers (currently Microsoft, Google, and OpenAI) to process your prompts by default. Data sent to these default providers is transmitted securely via API and is subject to their enterprise data privacy standards, which prohibit using API data to train their foundational models.

Alternatively, if you utilize our Bring Your Own Key (BYOK) feature, you are solely responsible for the relationship, data sharing, and privacy agreements with your chosen AI provider.

05

Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

  • With Service Providers: Including the default third-party AI providers mentioned above, cloud hosting platforms, and payment processors who perform services on our behalf.
  • To Comply with the Law: To comply with legal obligations or respond to valid legal requests.
  • To Protect Rights: To protect our rights, privacy, safety, or property.
  • Business Transfers: In connection with a business transfer, merger, or acquisition.
  • With Your Consent: With your consent or at your direction.

06

Data Security & Integration Credentials

We implement appropriate technical and organizational measures to protect your personal information. When you connect third-party integrations to your agents (e.g., email accounts, LLM providers, Telegram, or MCP servers), we employ stringent security measures to protect your credentials:

  • Encryption at Rest: All credentials are encrypted before being saved to our database using industry-standard symmetric encryption (AES-128-CBC with HMAC-SHA256 authentication).
  • No Plaintext Storage: We never store your credentials in plaintext; our databases utilize encrypted-only columns. Encryption keys are securely managed via environment variables and isolated by domain.
  • Minimal Exposure: Credentials are only decrypted temporarily, in-memory, at the exact moment your agent needs to interact with the third-party service. Decrypted values are never cached or persisted. Furthermore, our API responses will only ever surface masked versions of your credentials.

Note: While we use enterprise-grade security, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

07

Public Agents and End-Users

Our platform allows our business customers to "Publish" agents, making them accessible via a public URL with or without password protection.

If you interact with a public agent created by a Donkit business customer, please be aware that the customer who created and deployed that agent acts as the Data Controller. The Data Controller dictates the agent's purpose and configuration, and may have access to the conversation logs. Donkit processes these interactions strictly on behalf of the agent creator. We encourage end-users to verify the privacy practices of the organization hosting the public agent.

08

Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

09

Your Rights

Depending on your location (including under the GDPR, applicable US State Laws, and the Israeli Privacy Protection Law), you may have certain rights regarding your personal information, including:

  • The right to access your personal information.
  • The right to rectify inaccurate information.
  • The right to request the deletion of your information.
  • The right to object to or restrict the processing of your information.
  • The right to data portability.
  • The right to withdraw consent.

To exercise these rights, please contact us using the details below. Where a right relates to Agent Data processed on behalf of one of our business customers, we will refer you to that customer as the relevant Data Controller, or assist them in fulfilling your request in accordance with our Data Processing Agreement.

10

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Services and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.

12

Children's Privacy

Our Services are intended for businesses and are not directed at children. We do not knowingly collect personal information from individuals under the age of 18. If you become aware that a child has provided us with personal information, please contact us so we can take steps to remove that information.

13

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. Our platform infrastructure and Agent Data are primarily hosted in the United States. Other categories of data — including data collected through website analytics and tracking technologies, and data processed by our third-party AI, payment, and infrastructure providers — may be processed in additional jurisdictions, including the European Economic Area, the United Kingdom, Israel, and other regions, depending on the service. By using our Services, you consent to the transfer of your information to our facilities and to the third parties with whom we share it as described in this policy.

14

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this policy. You are advised to review this Privacy Policy periodically for any changes.

15

Contact Us

If you have any questions about this Privacy Policy, please contact us: