Privacy Policy

Last updated: June 8, 2026 · Effective: June 8, 2026

1  Introduction

GCAP Labs, Inc. ("GCAP Labs", "we", "us", or "our") operates the Headmaster platform (the "Service") at gcaplabs.com and related subdomains. This Privacy Policy describes how we collect, use, retain, and disclose information when organisations and individuals use Headmaster — a persistent AI agent platform designed for enterprise workflows.

This policy applies to all users of the Service, including Workspace Administrators, Members, and end-users whose content is processed within a workspace. By using Headmaster, you consent to the practices described here. If your organisation has executed a Data Processing Agreement (DPA) with GCAP Labs, the terms of that DPA supplement and, where they conflict, override this policy.

2  Data we collect

2.1  Information you provide

  • Account credentials: name, email address, organisation name, and billing details when you create a workspace.
  • Workspace content: prompts, uploaded files, messages, documents, code, and any other data you or your team submit to Headmaster.
  • Integration credentials: API keys for third-party services (e.g., Slack, GitHub, email providers) that you configure to enable Headmaster's integrations. These keys are encrypted at rest using AES-256-GCM with per-key salts and are accessible only to the agent runtime during an active run.
  • Voluntary communications: support tickets, feedback, and survey responses.

2.2  Information collected automatically

  • Usage analytics: page views, feature interactions, session duration, crash reports, and device/browser metadata. We collect these to improve product reliability and are careful to minimise what we capture.
  • Agent run telemetry: timestamps, model identifiers, token counts, latency metrics, and success/error status for each agent invocation. Content of prompts and completions is not included in telemetry.
  • Infrastructure logs: server-side access logs, IP addresses, and request headers processed for security and abuse prevention.

3  How we process your data

3.1  Agent runs

When you initiate a task, Headmaster sends your prompt along with relevant workspace context to a large-language-model provider (see Section 6). The model returns a completion, which is stored in your workspace alongside the prompt. We process this data solely to fulfil the request you made and to maintain your workspace history.

3.2  Persistent memory

Headmaster maintains a persistent memory store that accumulates facts, decisions, and preferences across sessions. Memory entries are scoped to your workspace and are never shared across organisations. Memory data is used exclusively to improve the quality and personalisation of subsequent agent runs within the same workspace.

3.3  Audit trails

Every mutating action (creating, updating, or deleting a resource) is logged as a durable, append-only audit event. Audit logs record the actor identity, timestamp, action type, and affected resource identifier. They are immutable once written and available to Workspace Administrators through the audit log view and API.

3.4  Lawful bases (GDPR)

For users in the European Economic Area, we rely on the following GDPR lawful bases: performance of a contract (Art. 6(1)(b)) for processing necessary to deliver the Service; legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and product analytics; and consent (Art. 6(1)(a)) where explicitly obtained, such as for optional marketing communications.

4  Data retention

Data category | Retention period | Reason
Workspace content & memory | Duration of subscription + 90 days | Service delivery
Audit trails | 3 years | Legal & compliance
Encrypted API keys | Until revoked or workspace deleted | Service delivery
Usage & crash analytics | 13 months (rolling) | Product improvement
Infrastructure logs | 90 days | Security & abuse prevention
Billing & tax records | 7 years | Legal obligation

Upon account termination, we delete workspace content and associated data within 90 days except where retention is required by law. Audit logs are retained for their full 3-year period regardless of account status, though they contain only metadata — not your prompts or completions.

5  Third-party service providers

We engage the following categories of subprocessors to operate the Service. Each processor is bound by a data-processing agreement that contractually prohibits the use of your data for training, advertising, or any purpose beyond providing the contracted service.

Subprocessor | Purpose | Data processed
Vercel, Inc. | Application hosting & CDN | HTTP request metadata; infrastructure logs
OpenAI, LLC | Model inference | Prompts & completions (API calls; data not used for training)
Anthropic, PBC | Model inference | Prompts & completions (API calls; data not used for training)
Google LLC (Gemini) | Model inference | Prompts & completions (API calls; data not used for training)
Stripe, Inc. | Payment processing | Billing name, email, card token

Training data commitment: OpenAI, Anthropic, and Google each offer API zero-data-training agreements. We use only API access — not consumer products — and confirm that your prompts and completions are never used to train or improve their models. We will update this section if any subprocessor arrangement changes, with at least 30 days' notice for material changes.

6  Cookies & tracking

Headmaster uses a minimal set of cookies, all strictly functional:

  • Session cookie — authenticates your logged-in session; HttpOnly, Secure, SameSite=Lax.
  • CSRF token cookie — prevents cross-site request forgery; HttpOnly, Secure, SameSite=Lax.
  • Vercel analytics cookie — anonymous, first-party performance telemetry; no cross-site tracking, opted into via anonymised IP processing.

We do not use advertising cookies, remarketing pixels, or third-party tracking identifiers. No cookie on this site qualifies as a "targeting" cookie under ePrivacy or CCPA definitions.

7  Your rights (GDPR & UK GDPR)

If you are a data subject in the EEA or the UK, you have the following rights regarding your personal data:

  • Access (Art. 15): obtain confirmation of whether we process your data and a copy of that data.
  • Rectification (Art. 16): correct inaccurate personal data or complete incomplete records.
  • Erasure (Art. 17): request deletion of your personal data, subject to legal retention obligations. Workspace content is purged within 90 days of erasure confirmation. Audit metadata (which does not include prompt/completion content) is retained for its full 3-year period.
  • Portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format. We support JSON and CSV exports for all workspace content and account data.
  • Restriction (Art. 18): request that we limit processing of your data while a dispute is resolved.
  • Objection (Art. 21): object to processing based on legitimate interest; we will cease unless compelling grounds exist.
  • Withdrawal of consent (Art. 7(3)): where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact privacy@gcaplabs.com. We will respond within 30 days. You also have the right to lodge a complaint with the supervisory authority in your jurisdiction.

8  CCPA compliance

Under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) and the California Privacy Rights Act, California residents have the right to:

  • Know: request disclosure of the categories and specific pieces of personal information we have collected, the purposes, and the categories of third parties to whom it was disclosed.
  • Delete: request deletion of personal information we have collected, subject to exceptions for legal compliance, security, and bug resolution.
  • Opt out of sale: we do not sell, rent, or share personal information for monetary or other valuable consideration. No opt-out is necessary because no sale occurs.
  • Non-discrimination: we will not discriminate against any consumer for exercising CCPA rights.

Categories of personal information collected in the preceding 12 months: identifiers (name, email), commercial information (billing records), internet activity (page views, feature usage), and professional information (organisation, role). We collect no sensitive personal information as defined by the CCPA, except to the extent a user voluntarily includes it in workspace content.

To submit a CCPA request, email privacy@gcaplabs.com or call +1 (415) 888-3848. We will verify your identity and respond within 45 days.

9  Data security

We implement industry-standard technical and organisational measures to protect your data:

  • Encryption in transit: TLS 1.3 for all network connections.
  • Encryption at rest: AES-256 for databases and object storage; per-key encryption with unique salts for API keys.
  • Access control: role-based permissions, principle of least privilege, and mandatory multi-factor authentication for administrative access.
  • Sandboxed execution: agent code runs in isolated container environments with restricted network egress.
  • Audit logging: immutable, append-only logs for all mutating actions.

No system is completely secure. While we work to protect your information, we cannot guarantee absolute security. Enterprise customers may request our SOC 2 Type II report and security questionnaire by contacting security@gcaplabs.com.

10  International data transfers

GCAP Labs is headquartered in the United States. Data may be processed in the US, EU, or other jurisdictions where our subprocessors operate. For transfers of EEA personal data to the US, we rely on the EU-US Data Privacy Framework (adequacy decision) and Standard Contractual Clauses (SCCs) as a supplementary measure. A copy of our SCCs is available to enterprise customers upon request.

11  Children's privacy

Headmaster is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we discover that we have accidentally received personal data from a child under 16, we will delete it promptly. Contact privacy@gcaplabs.com if you believe this has occurred.

12  Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to workspace administrators and by a notice banner on the Service at least 30 days before they take effect. Continued use of the Service after changes become effective constitutes acceptance of the revised policy.

13  Contact

For privacy inquiries, data-subject requests, or questions about this policy:

Email: privacy@gcaplabs.com

Data Protection Officer: privacy@gcaplabs.com

Postal address: GCAP Labs, Inc., Attn: Privacy, San Francisco, CA 94105, United States

Our EU representative for GDPR purposes may be contacted at eu-rep@gcaplabs.com.