Last updated: 2026-05-19
TOO “NOCODIA” (“Company,” “Teamly,” “we,” “us,” or “our”) operates the Teamly platform at teamly.to (the “Service”). The Service is an AI-agent orchestration platform: you describe a goal in natural language, and autonomous AI agents — running in isolated compute environments we call “Cells” — assemble, coordinate, and execute work on your behalf, including by interacting with third-party services you have connected (Slack, Gmail, Google Sheets, Stripe, Notion, GitHub, and others).
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to every visitor of teamly.to, every registered account, every paying customer, and every third party whose data is processed through the Service at the direction of one of our users.
The Service is operated from the Republic of Kazakhstan but is used globally. Where local law gives you additional rights (for example, under the EU General Data Protection Regulation (“GDPR”), the United Kingdom Data Protection Act 2018, the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), or other US state privacy laws), we honour those rights as described in Section 8 and Section 9.
By creating an account, logging in, or otherwise using the Service, you confirm that you have read this Privacy Policy. If you do not agree, please discontinue use of the Service.
The data controller responsible for personal data processed through the Service is:
TOO “NOCODIA”
BIN: 220840027580
Registered address: ul. Maulenova, dom 38, kv. 10, Almaty, Republic of Kazakhstan
Privacy Officer: privacy@teamly.to
General legal contact: legal@teamly.to
Default controller posture. Absent a separately executed Data Processing Addendum (“DPA”), Teamly acts as the sole controller of the limited data described in § 3 (account, billing, audit) and the individual user is the sole controller of every category of Content they upload, generate, or process through the Service.
Organisational customers under DPA. Where the Service is procured by an organisation under an executed DPA (available on request from legal@teamly.to), that organisation is the controller for personal data its members process through their Cells under the scope of the DPA, and Teamly acts as a processor for that data, subject to the terms of the DPA (which incorporate the GDPR Art. 28(3) terms by reference).
In every case, where a user instructs an AI agent to act on data belonging to a third party (for example, by sending an email or updating a Google Sheets row containing personal data of another person), the user — not Teamly — is the controller of that third party's personal data, is responsible for having a lawful basis for that processing, and is responsible for compliance with GDPR Art. 22 (automated decision-making) where applicable.
When you create an account we collect your name, email address, and authentication credentials (handled by our authentication provider Clerk — see Section 5). If you sign in with a federated identity provider (Google, Microsoft, etc.) we receive the basic profile fields that provider discloses on your behalf.
Subscription management and payment processing are handled by Polar.sh. We do not collect or store full card numbers or bank account details. We receive from Polar.sh: subscription tier, purchase history, invoice metadata, and a non-sensitive customer identifier we use to reconcile your account.
The Service exists to process your content. This includes: chat messages you send to agents, files you upload, prompts you write, spreadsheet rows you ask agents to read or write, emails you ask agents to compose, documents you ask agents to summarise, code repositories you connect, and any other data you knowingly bring into a Cell. This content may include personal data of third parties (for example, a customer list, a CRM export, an inbox). You are responsible for having the right to provide such data — see Terms of Service §§ 4, 8 and 14.
When you connect a third-party service (Slack, Gmail, Google Workspace, Stripe, Notion, GitHub, Linear, Salesforce, HubSpot, Zendesk, and others — full list in our Subprocessors page), we and our integration broker (Composio) store an encrypted access token issued by that service. The token grants the agent the access scope you approved during the OAuth consent screen of that service. Tokens are encrypted at rest using industry-standard AES-256-GCM with server-side keys; they are never sent to the browser or to the underlying AI model.
For every tool call an agent makes on your behalf we record: timestamp, agent identity, tool name, target service, the safety-class of the action (read-only / mutating / destructive), your approval decision (allow / deny / time-out), and the resulting status. This audit log is essential for security, billing accuracy, fraud prevention, and incident response. It is described further in Section 7 and Section 9.
We automatically collect information about how you interact with the Service: pages visited, features used, IP address (truncated or hashed where possible), browser type and version, operating system, device type, approximate geolocation derived from the IP address, referring URL, and timestamps. This data is used for analytics, performance monitoring, abuse prevention, and to improve the product.
We use a small number of strictly necessary cookies (session, security, consent state) and, where you opt in, a small number of analytics cookies. Full details, categories, retention, and your choices are in our Cookie Policy.
When you email us, file a support ticket, or otherwise communicate with our team, we keep a record of that correspondence so we can respond and follow up. This typically includes your name, email address, and the contents of the message.
We generate a small amount of derived information from the data above — for example, your subscription state, your hour-pack balance, your account's risk score, and aggregated usage statistics. We do not sell this data, and we do not use it to build advertising profiles.
The table below explains, for each category of personal data, why we process it and which legal basis under GDPR Article 6 we rely on (where GDPR or an equivalent regime applies).
| Purpose | Data category | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide and operate the Service (run agents, host Cells, store your content) | 3.1, 3.3, 3.4, 3.5 | 6(1)(b) — performance of a contract with you |
| Bill and collect subscription fees | 3.1, 3.2 | 6(1)(b) — performance of a contract |
| Authenticate users and prevent unauthorised access | 3.1, 3.6 | 6(1)(f) — legitimate interest (security) |
| Maintain an audit trail of agent actions | 3.5 | 6(1)(c) — legal obligation; 6(1)(f) — legitimate interest (security, fraud prevention, dispute resolution) |
| Send transactional emails (account, billing, security notifications) | 3.1, 3.2 | 6(1)(b) — performance of a contract |
| Send product update emails / marketing communications | 3.1 | 6(1)(a) — consent (you can withdraw at any time via the unsubscribe link) |
| Server-side aggregated analytics & product improvement | 3.6, 3.9 | 6(1)(f) — legitimate interest, balanced against your rights |
| Cookie- or SDK-based analytics (GA4, GTM) | 3.6, 3.7 | 6(1)(a) — consent, captured via the cookie banner per ePrivacy Directive Art. 5(3) (PECR, TTDSG and equivalent national implementations) |
| Error monitoring & performance tracing | 3.6 | 6(1)(f) — legitimate interest (security, service quality) |
| Comply with legal, tax and regulatory obligations | 3.1, 3.2, 3.5 | 6(1)(c) — legal obligation |
| Defend, establish or exercise legal claims | All categories | 6(1)(f) — legitimate interest |
Special-category data (GDPR Art. 9). We do not solicit special-category data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation), and the Service is not designed for such processing. Processing of Art. 9 data on the Service requires an executed DPA with a specific Art. 9 addendum; absent that, you must not upload such data, and we may suspend or terminate accounts that do. If your content nevertheless contains such data, you are solely responsible for the Art. 9 lawful basis. See Acceptable Use Policy for prohibited content categories.
To operate the Service we rely on a number of subprocessors. They are bound by contractual confidentiality and data-protection obligations consistent with this Policy. The complete, current list, updated whenever we add or remove a subprocessor, is published at:
The list groups subprocessors into the following categories: large language model (LLM) inference providers, the integration broker Composio together with the dozens of downstream services it brokers (Gmail, Slack, Google Workspace, Microsoft 365, Stripe, Notion, GitHub, Linear, Jira, Asana, Salesforce, HubSpot, Zendesk, Intercom, Calendly, Discord, Telegram, WhatsApp, Zoom, Airtable, Box, Dropbox, and others), our identity and authentication provider, our billing processor, our hosting and storage providers, our database (Convex), our error-monitoring provider, our analytics providers, our transactional email provider, and our content-delivery network and DDoS-protection layer.
We give you advance notice of new subprocessors by updating the public list, bumping the version stamp at the bottom of the page, and (for material additions) emailing the primary account contact. If you object to a new subprocessor you may terminate your subscription in line with the Terms of Service.
Our primary production infrastructure runs in the United States (the Fly.io region sjc, San José, California) and our real-time database is hosted on Convex (United States). Error monitoring is provided by Sentry from a data centre in Germany. Several of our LLM and integration subprocessors are headquartered in the United States.
Kazakhstan exporter status. Teamly is incorporated in the Republic of Kazakhstan. Kazakhstan is not on the European Commission's adequacy list. The KZ-side basis for cross-border transfer is Article 12 of the Law of the Republic of Kazakhstan on Personal Data and Their Protection (No. 94-V), which we satisfy by your explicit consent at signup and through contractual safeguards with each downstream recipient.
Where we transfer personal data of a data subject in the European Economic Area, the United Kingdom, or another jurisdiction with equivalent restrictions on cross-border transfers, we rely on one or more of the following transfer mechanisms:
Copies of the relevant SCCs, DPAs and Transfer Impact Assessments are available on request from privacy@teamly.to.
We keep personal data only for as long as we need it for the purpose for which it was collected, plus any additional period required by law. Specific retention periods are summarised below; the period starts to run when the data is no longer actively used (typically, when you close your account or when the data is otherwise superseded).
| Category | Retention period |
|---|---|
| Account & identity data (3.1) | Duration of account + 12 months for re-activation grace |
| Billing data (3.2) | Up to 7 years after the last transaction, as required by Kazakhstan and EU tax / accounting law |
| Content you upload (3.3) | For as long as the related Cell or session exists; deleted on Cell destruction (typically within 30 days of account closure) subject to backup-rotation windows of up to 90 days |
| Integration tokens (3.4) | Until you disconnect the integration, the third party revokes the token, or your account is closed |
| Agent execution & audit metadata (3.5) | 24 months from creation, extended only for the duration of a specific, identified legal claim or regulatory investigation under GDPR Art. 17(3)(e); pseudonymised thereafter to aggregate statistics |
| Usage & device data (3.6) | Up to 24 months in identifiable form; aggregated thereafter |
| Cookies (3.7) | See Cookie Policy |
| Support correspondence (3.8) | Up to 36 months from the date of the last message |
| Backups | Up to 90 days from creation; encrypted at rest; restored only for disaster-recovery |
Where law requires longer retention (for example, tax records under Article 215 of the Tax Code of the Republic of Kazakhstan, or financial-records obligations under Sarbanes-Oxley for US-listed customers), that longer period applies.
Subject to applicable law and the limitations described in Section 9, you have the following rights with respect to your personal data.
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another US state with a comprehensive privacy law, you have rights including the right to know what personal information we have collected, the right to delete that information (subject to exceptions), the right to correct it, the right to opt out of “sale” or “sharing”, and the right not to be discriminated against for exercising these rights.
We do not sell or share personal information for cross-context behavioural advertising as those terms are defined under CCPA/CPRA. Where you have set the Global Privacy Control (GPC) signal, we treat that signal as a valid opt-out request.
You may exercise these rights through the contact channels in § 8.4 below. We do not require you to create an account in order to exercise a privacy right.
Under the Law of the Republic of Kazakhstan “On Personal Data and Their Protection” (No. 94-V of 21 May 2013), you have the right to access, correct, block, and require destruction of your personal data, the right to be notified of cross-border transfers, and the right to lodge a complaint with the authorised body (the Committee for Information Security under the Ministry of Digital Development).
Email privacy@teamly.to from the address associated with your account, or send a written request to the address in Section 2. We will respond within one (1) month of receipt as required by GDPR Art. 12(3). We may need to verify your identity before disclosing or deleting any data. Where the request is complex or we receive a high volume of requests, we may extend the response window by a further two (2) months as permitted by GDPR Art. 12(3) and CPRA § 1798.130(a)(2); where we extend, we will notify you of the extension and the reasons for it within the original one-month period.
The rights described in Section 8 are not absolute. We will not delete or anonymise data where doing so would:
Where we refuse a request in whole or in part, we will tell you the reason and explain how you can appeal or complain to a supervisory authority.
Data held by third-party services you have connected. If you have used the Service to send data into a third-party service (for example, to draft an email in Gmail, post a message to Slack, create a row in Google Sheets, or write a record into Salesforce), a copy of that data lives in the third party's systems. We do not control those copies and cannot delete them on your behalf. You must exercise your rights directly with the third-party service. See also Terms of Service §§ 4–5 and AUP § 4.
We implement administrative, technical and physical safeguards designed to protect the personal data we process. These include:
No internet-based service can guarantee perfect security. If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours and notify affected individuals without undue delay, as required by GDPR Art. 33–34 and equivalent laws.
The Service is not directed to children. We do not knowingly collect personal data from anyone under the age of 16, or the lower age set by the EU Member State of the user's residence under GDPR Art. 8(1) (in no case below 13). For US users we apply 13 in line with the Children's Online Privacy Protection Act (“COPPA”); for Kazakhstan users we apply 14 in line with Art. 22 of the Civil Code of the Republic of Kazakhstan. If you are a parent or guardian and believe your child has provided personal data to us, please contact privacy@teamly.to and we will delete that data and close the account.
To produce an agent response we forward the relevant portion of your prompt, conversation context, and any files you have referenced to one or more LLM providers (see the LLM Inference category on the Subprocessors page). The model produces a response which we relay back to you. Each LLM provider applies its own privacy policy and data-handling terms to the request; we link those policies on the Subprocessors page.
Teamly does not train, fine-tune, or operate any LLM of its own. We have configured each LLM provider relationship to opt out of any provider-side training on your prompts and completions, where the provider exposes that setting. The exact opt-out posture for each provider is listed on the Subprocessors page. We monitor changes to each provider's training and data-use policy and will notify the primary account contact within 30 days of any material adverse change so that you have the option to disable that provider before continued use.
Bring-Your-Own-Key (BYOK). The opt-out posture above does not apply to providers you have configured yourself via your own BYOK credential. For BYOK requests we act solely as a transmission conduit on your instruction; you are the sole controller of the data sent to the BYOK provider and you assume all obligations under the BYOK provider's terms and applicable data-protection law.
LLMs sometimes produce outputs that are inaccurate, fabricated, out of date, or otherwise unsuitable for the use you intend. Agent outputs are NOT professional advice (legal, medical, financial, tax, regulatory or otherwise) and you must independently verify them before acting. We disclaim all warranties of merchantability and fitness for a particular purpose as described in our Terms of Service § 12.
When an agent uses an integration token you have connected to take an action in a third-party service — sending an email, posting a message, creating, modifying or deleting a record — that action is taken on your behalf, by you, using Teamly as a tool. Teamly is not a party to the resulting transaction, message or record. This attribution is binding on you for all purposes — including data-protection law — and you remain the controller (with any Agent acting as your processor or sub-tool) for personal data of third parties processed at your direction. You bear sole responsibility for those actions, including under the terms of service of the third-party platform. See Terms of Service §§ 4–5, §§ 13–14, and AUP § 4.
The Service has known and unknown limitations in Agent perception — for example, limitations in reading non-textual inputs such as images, audio, or video. This example is illustrative, not exhaustive, and we make no commitment to remediate any specific limitation. Where you ask an agent to act on a screenshot, photograph or other non-textual input, you are responsible for confirming the agent understood the content before approving any mutating action; where you cannot independently verify the Agent's perception, you should not authorise irreversible actions that depend on it.
In accordance with Article 50 of the EU AI Act, you are informed that you are interacting with an autonomous AI system, and the Service's outputs may be wholly machine-generated. Where the Service interacts directly with a third party (for example, where an Agent you instruct sends an email to a recipient), you — as the “deployer” of that interaction under the AI Act — are responsible for informing that third party that the communication or content is AI-generated, and for complying with the deepfake-labelling obligation under Art. 50(4) where it applies. We may provide tooling to help you make these disclosures; you must enable and not suppress that tooling where the law requires it.
We will update this Privacy Policy from time to time. The “Last updated” date at the top of this page identifies the current version. Material changes will be notified to the primary email address on your account at least 14 days before they take effect, except where a shorter notice period is required by law. Continued use of the Service after the new version takes effect constitutes acceptance of the updated Policy.
Earlier versions of this Policy are available on request from privacy@teamly.to.
Privacy questions, rights requests and complaints: privacy@teamly.to.
General legal correspondence: legal@teamly.to.
Postal address: TOO “NOCODIA”, ul. Maulenova, dom 38, kv. 10, Almaty, Republic of Kazakhstan.
This Privacy Policy is provided in English. It is a translation where a translation exists; the English text controls in case of discrepancy.