Privacy Policy

Eden Suite, Inc. Privacy Policy

Effective Date: September 2025
Last Updated: September 2025

Table of Contents

  1. Introduction & Scope

  2. Information We Collect

  3. How We Use Your Information

  4. Legal Basis for Processing

  5. Sharing Your Information

  6. International Data Transfers

  7. Data Security

  8. Data Retention

  9. Your Privacy Rights

  10. AI and Automated Processing

  11. Children's Privacy

  12. Cookies and Tracking Technologies

  13. Jurisdiction-Specific Provisions

  14. Changes to This Policy

  15. Contact Information

1. Introduction & Scope

Eden Suite, Inc. ("Eden Suite," "we," "us," or "our") provides cloud-based file storage, document management, and note-taking services with AI-powered features through our platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service across our website, web application, mobile applications, and desktop applications.

This Policy applies to all users globally, including:

  • Individual users (Free, Basic, Creator, and Pro tiers)

  • Team members and administrators

  • Enterprise customers

  • Visitors to our website

Our Service includes:

  • Free tier: 15GB storage and 15 AI requests per month

  • Basic tier: 100GB storage and 200 AI requests per month

  • Creator tier: 500GB storage and 500 AI requests per month

  • Pro tier: 2TB storage and 1500 AI requests per month

  • Additional storage and requests available for purchase

By using our Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, please do not use our Service.

2. Information We Collect

Information You Provide Directly

Account Information:

  • Email address (required for registration)

  • Name (optional)

  • Password (optional if using social login)

  • Google account information (if using Google sign-in)

  • Payment information (processed securely via Stripe; we do not store credit card details)

User Content:

  • Files you upload (PDFs, ePub files, images, videos, audio files)

    • Free tier: Up to 1GB per file

    • Basic tier: Up to 3GB per file

    • Creator tier: Up to 20GB per file

    • Pro tier: Unlimited file size

  • Notes and documents you create using rich text or markdown

  • Folders and workspace organization structures

  • Comments and annotations on documents

  • File metadata (name, size, type, creation date, modification date)

Team and Collaboration Data:

  • Team member invitations and email addresses

  • Sharing permissions and access controls

  • Public link settings

  • Collaboration activity and comments

Information We Collect Automatically

Device and Usage Information:

  • Device type, operating system, and browser information

  • IP address (collected for debugging and support purposes during our Beta phase)

  • Session data and interaction patterns with our Service

  • Feature usage statistics and frequency

  • Performance metrics and error logs

  • App crashes and technical diagnostics

Analytics Data (via OpenObserve Real User Monitoring):

  • Page views and navigation paths

  • Feature engagement metrics

  • Response times and performance data

  • User journey analytics

Information from Third Parties

  • Authentication data from Google (when using social login)

  • Payment and billing information from Stripe

  • Analytics data from integrated services

  • Affiliate referral information from FirstPromoter

Storage Technologies

Application Storage (not cookies):

  • localStorage: For maintaining app state and user preferences

  • IndexedDB: For local data caching and offline functionality

Website Analytics and Marketing:

  • Google Analytics: Website usage statistics

  • Meta Pixel: Advertising optimization and retargeting

  • FirstPromoter: Affiliate program tracking

3. How We Use Your Information

Service Provision and Core Functionality

  • Creating and managing your account

  • Storing, organizing, and retrieving your files

  • Providing collaboration features and team workspaces

  • Processing payments and managing subscriptions

  • Delivering customer support and responding to inquiries

  • Sending transactional emails (account notifications, receipts, service updates)

AI and Machine Learning Features

Our Service includes integrated AI capabilities that process your content to provide:

  • Automatic Transcription: Audio and video files are automatically transcribed upon upload

  • Smart Search: Your content is indexed using AI-generated embeddings for semantic search

  • AI Chat: Interactive question-answering with your documents

  • Auto-tagging: Intelligent categorization and organization of content

Important Notice: AI processing is integral to our Service's core functionality and cannot be disabled. We do NOT use your personal content to train or improve AI models. However, some third-party AI providers may retain data according to their policies, depending on the specific model you choose to use.

Service Improvement and Development

  • Analyzing usage patterns to improve existing features

  • Developing new features and functionality

  • Debugging issues and troubleshooting problems

  • Monitoring service performance and reliability

  • Conducting research to enhance user experience

Communications

  • Transactional Communications: Service-critical emails that cannot be opted out of, including:

    • Account security alerts

    • Payment confirmations and failures

    • Service outage notifications

    • Important policy or terms updates

  • Marketing Communications: Promotional emails about new features, tips, and offers (you can opt out at any time)

Legal, Security, and Compliance

  • Complying with applicable laws and legal processes

  • Protecting against fraud, abuse, and security threats

  • Enforcing our Terms of Service and other policies

  • Protecting our rights, property, and the safety of our users

4. Legal Basis for Processing

For Users in the European Economic Area (EEA) and United Kingdom (UK)

We process your personal data based on the following legal grounds under GDPR:

Contract Performance (Article 6(1)(b)):

  • Account creation and management

  • Service delivery and file storage

  • Payment processing

  • Customer support

Legitimate Interests (Article 6(1)(f)):

  • Service improvements and analytics

  • Security and fraud prevention

  • Direct marketing to existing customers

  • Network and information security

Legal Obligations (Article 6(1)(c)):

  • Tax and accounting requirements

  • Responding to lawful requests from authorities

  • Data breach notifications

Consent (Article 6(1)(a)):

  • Marketing communications to prospects

  • Optional analytics and advertising cookies

  • Processing special categories of data (if applicable)

For Users Outside the EEA/UK

We process your personal data as described in this Policy based on your consent, which you provide by accepting this Policy and using our Service. You may withdraw consent by deleting your account.

5. Sharing Your Information

We share your information only as described below:

Service Providers and Partners

We work with trusted third-party providers to deliver our Service:

| Category | Providers | Purpose | Data Shared |
|---|---|---|---|
| AI Processing | OpenAI, Anthropic, Google AI, xAI, Deepseek, Perplexity | Transcription, semantic search, document chat, content analysis | File content (full or partial), user queries, metadata |
| Cloud Infrastructure | Railway (US-East), Cloudflare R2 | Application hosting, file storage, content delivery | All user data and content |
| Databases | InstantDB (Aurora/AWS), Elasticsearch Serverless | User data storage, search indexing | Account information, metadata, search embeddings |
| Monitoring & Analytics | OpenObserve, Elastic Observability, Google Analytics | Performance monitoring, usage analytics, error tracking | Usage data, performance metrics, anonymized analytics |
| Payment Processing | Stripe | Payment processing, subscription management | Billing information, transaction data |
| Marketing & Affiliates | Meta (Facebook), FirstPromoter | Advertising optimization, affiliate program | Limited identifiers for ad targeting and referral tracking |
| Authentication | InstantDB Auth | User authentication and session management | Authentication credentials, session data |

All service providers are contractually obligated to protect your information and use it only for the purposes we specify.

Other Disclosures

We may share your information in these circumstances:

  • Legal Requirements: When required by law, subpoena, court order, or governmental request

  • Vital Interests: To protect the vital interests of you or another person

  • Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets

  • With Your Consent: When you explicitly agree to sharing for a specific purpose

  • Public Sharing: When you create public links to your content or choose to share publicly

  • Team Sharing: With team members according to permissions you or your administrator set

We do NOT sell, rent, or trade your personal information to third parties for their marketing purposes.

6. International Data Transfers

As a global service, your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws than your jurisdiction.

Primary Processing Locations

  • United States: Primary data processing and storage (Railway US-East region)

  • Third-Party Locations: Various countries where our service providers operate

Transfer Safeguards

We ensure appropriate protection for international transfers through:

  • Standard Contractual Clauses (SCCs): EU-approved contracts for data transfers

  • Data Processing Agreements: Contracts with all service providers

  • Technical Measures: Encryption and access controls regardless of location

  • Adequacy Decisions: Relying on official adequacy findings where available

For EU/UK users, you have the right to obtain details about the safeguards we use for international transfers.

7. Data Security

We implement comprehensive security measures to protect your information:

Technical Security Measures

  • Encryption at Rest: AES-256 encryption for all stored files (via Cloudflare R2)

  • Encryption in Transit: TLS/SSL encryption for all data transfers

  • Authentication Security: Secure authentication via InstantDB Auth

  • Two-Factor Authentication: Email-based verification for enhanced account security

  • Access Controls: Role-based access controls for team accounts

  • Infrastructure Security: Secure cloud infrastructure with regular updates

Organizational Security Measures

  • Role-based access controls for our employees

  • Incident response procedures with breach notification protocols

  • Regular security training for our team

  • Limited access to production systems

  • Planned SOC 2 Type II certification (in progress)

Your Security Responsibilities

  • Maintaining the confidentiality of your password

  • Using strong, unique passwords

  • Enabling two-factor authentication

  • Promptly reporting any suspected security issues

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but commit to maintaining industry-standard protections.

8. Data Retention

We retain your information for as long as necessary to provide our Service and comply with legal obligations:

| Data Type | Retention Period | Notes |
|---|---|---|
| Active Account Data | Duration of account plus 30 days | Maintained while your account is active |
| Deleted Files | 30 days after deletion | Soft delete period for recovery |
| Deleted Account Data | 30 days after account deletion | Grace period for account recovery |
| Payment Records | 7 years | For tax and accounting requirements |
| Security Logs | 90 days | For security analysis and incident response |
| Analytics Data | 14 months | Google Analytics default retention |
| Database Backups | Per InstantDB policies | Automated daily backups |

After retention periods expire, data is permanently deleted or anonymized. Some anonymized data may be retained indefinitely for analytics and service improvement.

9. Your Privacy Rights

Rights for All Users

Regardless of your location, you can:

  • Access Your Data: Request information about what data we hold about you

  • Correct Your Data: Update inaccurate or incomplete information

  • Delete Your Data: Request deletion of your account and associated data

  • Export Your Data: Download your files in their original format

  • Manage Communications: Opt out of marketing emails

Additional Rights by Region

European Economic Area (EEA) and United Kingdom (UK) - GDPR Rights:

  • Right to Rectification: Correct inaccurate personal data

  • Right to Erasure ("Right to be Forgotten"): Request deletion under certain circumstances

  • Right to Restrict Processing: Limit how we use your data

  • Right to Data Portability: Receive your data in a structured, machine-readable format

  • Right to Object: Object to certain types of processing

  • Rights Related to Automated Decision-Making: We do not engage in automated decision-making with legal effects

California, USA - CCPA/CPRA Rights:

  • Right to Know: Request categories and specific pieces of personal information collected

  • Right to Delete: Request deletion of personal information

  • Right to Opt-Out of Sale: We do NOT sell personal information

  • Right to Non-Discrimination: Equal service regardless of exercising privacy rights

  • Right to Correction: Correct inaccurate personal information

  • Right to Limit Use of Sensitive Personal Information: Control use of sensitive data

Canada - PIPEDA Rights:

  • Right to Access: Access personal information we hold

  • Right to Correction: Challenge accuracy and completeness

  • Right to Withdraw Consent: Withdraw consent subject to legal restrictions

Brazil - LGPD Rights:

  • Similar rights to GDPR including access, correction, deletion, and portability

How to Exercise Your Rights

To exercise any of these rights:

  1. Email: Contact us at support@eden.so

  2. Verification: We may request information to verify your identity

  3. Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA)

  4. No Fee: Generally free, except for excessive or repetitive requests

Current Limitations:

  • Account deletion must be requested via email (self-service coming soon)

  • Bulk download feature in development

  • Data portability limited to original file formats

10. AI and Automated Processing

Our AI Features

Eden Suite integrates advanced AI capabilities to enhance your experience:

Core AI Features:

  • Automatic Transcription: Converts audio and video content to searchable text

  • Semantic Search: Understands context and meaning in your searches

  • Document Chat: Ask questions and get answers from your documents

  • Smart Organization: Auto-tagging and intelligent categorization

AI Service Providers

Your content may be processed by the following AI providers:

  • OpenAI (GPT models)

  • Anthropic (Claude models)

  • Google AI (Gemini models)

  • xAI (Grok models)

  • Deepseek

  • Perplexity

Important AI Processing Information

  • Opt-Out: AI processing is integral to our Service and cannot be disabled

  • Model Training: We do NOT use your content to train or improve AI models

  • Provider Policies: Some AI providers may retain data temporarily for their operations. Retention policies vary by provider and model selected

  • Model Selection: Where available, you can choose which AI model to use for specific features

  • Data Minimization: We send only necessary content portions to AI providers

  • Processing Location: AI processing may occur in various jurisdictions

Transparency and Control

  • You maintain ownership of all your content

  • AI-generated summaries and transcriptions belong to you

  • You can delete AI-processed content at any time

  • We clearly indicate when content has been AI-processed

11. Children's Privacy

Age Requirements

  • Minimum Age: 13 years old (or higher if required by local law)

  • Parental Consent: Users under 13 require verifiable parental consent

  • Age Verification: Currently based on self-declaration (enhanced verification coming)

Our Commitments

  • We do not knowingly collect information from children under 13 without parental consent

  • We do not target advertising to children

  • Parents may contact us to review, delete, or stop collection of their child's information

Educational Use

Schools and educational institutions using our Service for students under 13 must:

  • Obtain appropriate parental consent

  • Use education-specific accounts

  • Comply with applicable laws (COPPA, FERPA)

If we learn we have collected information from a child under 13 without proper consent, we will delete it immediately.

12. Cookies and Tracking Technologies

Our Application

Our main application does NOT use cookies but uses browser storage for functionality:

  • localStorage: Stores application preferences and state

  • IndexedDB: Enables offline access and local data caching

These are essential for Service functionality and cannot be disabled while using the app.

Our Website

Our marketing website uses the following tracking technologies:

Analytics Cookies:

  • Google Analytics: Analyzes website usage and visitor behavior

  • Purpose: Improve website performance and user experience

  • Data: Anonymized usage statistics

Advertising Cookies:

  • Meta Pixel (Facebook): Optimizes advertising campaigns

  • Purpose: Measure ad effectiveness and retargeting

  • Data: Limited identifiers for ad targeting

Affiliate Tracking:

  • FirstPromoter: Tracks referrals from affiliate partners

  • Purpose: Manage affiliate program

  • Data: Referral source information

Managing Cookies

You can control cookies through:

  • Browser settings (blocking or deleting cookies)

  • Google Analytics Opt-out Browser Add-on

  • Facebook Ad Preferences

  • Do Not Track signals (we honor DNT headers)

Disabling cookies may limit website functionality but will not affect the main application.

13. Jurisdiction-Specific Provisions

California Privacy Rights (CCPA/CPRA)

Additional Disclosures:

  • We do NOT sell or share personal information as defined by CCPA

  • Categories of personal information collected are described in Section 2

  • Business purposes for collection are described in Section 3

  • Third parties receiving information are listed in Section 5

Shine the Light: California residents may request information about disclosures to third parties for marketing (not applicable as we don't share for third-party marketing).

European Union and United Kingdom (GDPR)

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

Data Protection Contact: For GDPR inquiries, contact support@eden.so

Legal Basis: Detailed in Section 4

Canada (PIPEDA)

We comply with PIPEDA principles:

  • Accountability

  • Identifying purposes

  • Consent

  • Limiting collection

  • Limiting use, disclosure, and retention

  • Accuracy

  • Safeguards

  • Openness

  • Individual access

  • Challenging compliance

Brazil (LGPD)

Brazilian residents have rights similar to GDPR. Contact us for Brazil-specific privacy inquiries.

Other Jurisdictions

We strive to comply with applicable privacy laws in all jurisdictions where we operate. Contact us for region-specific questions.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements.

Notification of Changes

  • Minor Changes: Updated policy posted with new "Last Updated" date

  • Material Changes: Email notification to registered users

  • Consent: Continued use after changes constitutes acceptance

Review Rights

  • You may request a copy of previous versions

  • Significant changes will include a summary of modifications

  • 30-day notice for material changes (when possible)

We encourage you to review this Policy periodically.

15. Contact Information

Company Information

Eden Suite, Inc.
1111B S Governors Ave STE 37203
Dover, DE 19904
United States

Privacy Inquiries

Email: support@eden.so
Response Time: Within 7 business days

Complaints

If you're unsatisfied with our response, you may contact:

  • Your local data protection authority (EU/UK residents)

  • Your state attorney general (US residents)

  • Privacy Commissioner (Canadian residents)

Appendix: Data Processing Summary Table

| Data Category | Purpose | Legal Basis | Retention | Third Parties |
|---|---|---|---|---|
| Account Information | Service provision | Contract | Account duration + 30 days | InstantDB, Railway |
| User Content | Storage and AI processing | Contract | User-controlled + 30 days soft delete | Cloudflare R2, AI providers |
| Payment Data | Billing | Contract | 7 years | Stripe |
| Usage Analytics | Service improvement | Legitimate interest | 14 months | OpenObserve, Google Analytics |
| Security Logs | Fraud prevention | Legitimate interest | 90 days | Elastic Observability |
| Marketing Data | Advertising | Consent | Until opt-out | Meta, FirstPromoter |