Privacy Policy
Last updated: March 12, 2026
Introduction
Welcome to Obelisk, an autonomous AI agent platform owned and operated by Toadstool Labs LLC ("Toadstool Labs," "we," "us," or "our"), located in Portland, Oregon. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights regarding your data.
Notice at Collection (CCPA): We collect the categories of personal information described below for the purposes identified in the "How We Use Your Data" section. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
Our Company
Toadstool Labs LLC is responsible for your personal data. For any privacy-related inquiries, please contact us at hello@obelisk.li.
Data We Collect
Account and Contact Information
Full name, company name, email address, phone number, and Organization details provided during registration or account management.
Registration Data
Email, password, and/or third-party authentication details (e.g., Google account information including name and email).
Usage Data
Technical information automatically collected, including IP address, browser type, device information, pages visited, and timestamps.
Scribe Operational Data
- Conversation Logs: Full transcripts of interactions between Users and Scribes, including instructions, responses, and tool usage.
- Work Span Records: Records of active Scribe engagement periods, including start times, end times, duration, token usage, session identifiers, and billing categorization.
- Audit Logs: Immutable records of Scribe actions and system events.
- Scribe Configuration: Agent settings, tool configurations, plugin selections, and task parameters.
- Credential Metadata: Metadata about stored Credentials (type, creation date, associated services), but not the Credentials themselves in plaintext.
Communication Data
Content of emails and SMS messages sent and received by Scribes, including sender/recipient information, timestamps, and delivery status. Contact records associated with Scribe communications.
Infrastructure Data
Service identifiers, health and status telemetry, heartbeat data, and resource utilization metrics for Scribe instances.
Contact Form Data
Full name, email address, and message content submitted through contact forms.
Analytics Data
Error tracking and site usage data collected through our analytics and monitoring tools.
Legal Basis for Processing
We process your data on the following legal bases:
- Contract Performance: Processing necessary to provide the Platform and fulfill our obligations to you.
- Legitimate Interest: Processing for purposes such as improving the Platform, ensuring security, preventing fraud, and communicating service updates.
- Legal Obligation: Processing required to comply with applicable laws, regulations, or legal proceedings.
- Consent: Where you have provided consent for specific processing activities, such as marketing communications. You may withdraw consent at any time.
CCPA Disclosure: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
How We Use Your Data
Your personal data is used for the following purposes:
- Provisioning, operating, and managing Scribes and associated infrastructure;
- Sending conversation data to third-party AI providers for real-time inference (powering Scribe reasoning);
- Maintaining immutable audit trails of Scribe activity;
- Calculating billing based on Work Span records;
- AI-powered categorization and summarization of Work Spans for billing and reporting purposes;
- Facilitating account registration, authentication, and Organization management;
- Sending operational notifications (Scribe status, errors, alerts) and service communications;
- Improving the Platform, troubleshooting issues, and enhancing user experience;
- Detecting, preventing, and responding to fraud, abuse, and security incidents;
- Complying with legal obligations; and
- Marketing communications (with your consent or based on our legitimate interests).
Client Responsibility
Users are solely responsible for ensuring that any data they provide to Scribes — including data about third parties — is collected and processed in compliance with applicable laws. Users must obtain all necessary permissions and consents from relevant data subjects before providing their information to or through the Platform.
Data Transfers to Third Parties
We do not transfer personal data to third parties except as necessary to provide our services or as required by law. Our third-party service providers (subprocessors) are contractually bound to protect your data and use it solely for the purposes of supporting our service.
Our current subprocessors include:
| Subprocessor | Purpose |
|---|---|
| Anthropic | AI inference for Scribe reasoning |
| DigitalOcean | Cloud infrastructure |
| Railway | Application hosting |
| AgentMail | Email services for Scribes |
| OpenPhone | SMS services for Scribes |
| Lemonfox.ai | Voice synthesis and transcription |
| Sentry | Error monitoring |
| Cloudflare | Security and performance |
| Amazon Web Services | File storage |
| Postmark | Transactional email delivery |
We may update this list as our service providers change. Material changes will be reflected in updates to this Privacy Policy.
Data Retention
We retain your data according to the following schedule:
- Account Data: Retained while your account is active and for a reasonable period thereafter, unless longer retention is required by law.
- Conversation Logs: Retained while the associated Scribe exists. Deleted when the Scribe is destroyed.
- Work Span Records: Retained for 7 years for tax and accounting purposes.
- Audit Logs: Immutable and retained indefinitely. Audit logs cannot be modified or deleted, including upon user request. This is necessary for security, legal compliance, and maintaining the integrity of the audit trail.
- Credentials: Destroyed when the associated Scribe is destroyed. Credentials are not retained separately after Scribe destruction.
- Communication Data: Retained in accordance with CAN-SPAM requirements (3 years for opt-out records) and TCPA requirements, or longer where required by law.
- Analytics and Usage Data: Retained for a reasonable period to support Platform improvement and security.
If you close your account, your data will be deleted in accordance with the schedule above, unless retention is required by law or for legitimate business purposes (such as fraud prevention or legal claims).
Data Security
We implement appropriate administrative, technical, and physical safeguards to protect your data. These measures include:
- All data in transit is protected by industry-standard encryption;
- Access controls enforce Organization-scoped isolation, ensuring your data is accessible only to authorized members of your Organization;
- Credentials are encrypted using commercially reasonable methods;
- API keys are generated using cryptographically secure methods; and
- We employ administrative, technical, and physical safeguards appropriate to the sensitivity of the data we process.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
AI-Specific Data Practices
- AI Inference: Conversation data (including your instructions and Scribe responses) is sent to third-party AI providers for real-time inference. This data is used solely to generate Scribe responses and is not used by Obelisk to train AI models.
- Current AI Provider: Our primary AI provider is Anthropic, subject to Anthropic's data usage policies. AI providers may change; material changes will be reflected in updates to this Privacy Policy.
- AI-Generated Content: Scribe outputs are AI-generated. Obelisk does not review, moderate, or endorse Scribe outputs prior to delivery.
- Billing Categorization: Work Span data may be analyzed using AI to categorize and summarize Scribe activity for billing and reporting purposes.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
California (CCPA/CPRA)
- Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive personal information to purposes necessary to provide the Platform.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Oregon Consumer Privacy Act
As an Oregon-based company, we comply with the Oregon Consumer Privacy Act, including rights of access, deletion, correction, data portability, and the right to opt out of targeted advertising, sale of personal data, and profiling.
Other State Privacy Laws
We also honor the privacy rights of residents of Virginia, Connecticut, Colorado, Utah, and other states with applicable consumer privacy laws, including rights of access, deletion, correction, portability, and opt-out where applicable.
How to Exercise Your Rights
To exercise any of these rights, please contact us at hello@obelisk.li. We will verify your identity and respond within 45 days (or as required by applicable law). You may designate an authorized agent to make a request on your behalf.
Important Exception
Immutable audit logs cannot be deleted or modified upon request. This exception is necessary for the security, integrity, and legal compliance of the Platform, and is permitted under applicable privacy laws as a security exception.
Data Breach Notification
In the event of a data breach that involves your personal information, Obelisk will notify affected users and applicable authorities as required by applicable state and federal laws, including Oregon and California data breach notification requirements.
Do Not Track / Global Privacy Control
Obelisk honors Global Privacy Control (GPC) signals in accordance with the CCPA/CPRA. We do not currently respond to Do Not Track (DNT) browser signals, as there is no industry-standard protocol for DNT compliance.
Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a person under 18, please contact us immediately at hello@obelisk.li so that we can delete the information. We comply with the Children's Online Privacy Protection Act (COPPA).
International Data Transfers
Your data may be transferred to or processed in countries outside the United States in connection with the services provided by our subprocessors. In such cases, we take steps to ensure that appropriate safeguards are in place to protect your data.
Marketing Communications
With your consent or based on our legitimate interests, we may send you marketing communications about our services and updates. You may opt out of marketing communications at any time by using the unsubscribe link provided in our emails or by contacting us at hello@obelisk.li.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with a revised "Last updated" date. Material changes will be communicated to you via email or prominent notice on the Platform. Your continued use of the Platform after such changes constitutes acceptance of the updated Privacy Policy.
Contact Us
If you have any questions or concerns regarding this Privacy Policy, or to exercise your privacy rights, please contact:
Toadstool Labs LLC
Portland, Oregon
Email: hello@obelisk.li