Privacy Policy

How we handle
your data.

What we collect, why we collect it, how we protect it, and the choices you have. Written to be read, not just filed.

Last updated: July 4, 2026 · Effective: July 4, 2026

DataPalace is company memory your AI can actually use. The knowledge you keep here is some of the most sensitive you own, so this page explains, in plain language, exactly how we treat the personal information that flows through it. If anything below is unclear, ask us. We would rather you did.

We are the caretaker of your memory. You remain its owner.

The Short Version

  • Every company's knowledge is walled off from every other company's.
  • Your personal palace is private from your employer and portable if you leave.
  • We do not sell your data, and we do not train AI models on your knowledge.
  • You can access, update, export, or delete your personal information.

Who We Are

DataPalace is a product of FNL Agency Inc. (doing business as Funnel+Ladder), based in Victoria, British Columbia, Canada. In this policy, “DataPalace,” “we,” “us,” and “our” mean FNL Agency Inc. operating the DataPalace service. This policy covers our marketing site, the DataPalace web application, and the DataPalace MCP server through which AI clients connect.

How This Policy Works: Your Organization and DataPalace

DataPalace is a business-to-business service, so two relationships matter.

Knowledge you or your organization put in.When your organization subscribes, it decides what knowledge to store and who may see it. Your organization is responsible for that content and for having the right to store it. We process it on your organization's behalf and under its instructions.

Your role decides what you can do with it. Within your organization, your assigned role and permissions determine which company information you can access, update, export, or delete. Access is granted by room and category, so two people at the same company may see and change different parts of the palace.

Personal information we collect directly. For the information we gather to run the service (your account, your use of the site and app, your support messages), we are the organization responsible for it, and this policy governs how we handle it.

If you use DataPalace through your employer or another organization, please direct requests about the knowledge base content to them first. We will support them in responding.

Information We Collect

Account and identity information

Your name, email address, and the sign-in identifiers created when you authenticate. You sign in with a modern OAuth 2.1 flow. When you use a social sign-in, that provider passes us basic profile details and we never see or store your password.

Access and permissions

Which organizations you belong to and which AI caretakers you can use (Rose, who reads; Libby, who edits; Morpheus, who governs), so we can enforce access by room and category.

Knowledge base content

The articles, categories, and metadata that you or your organization create. This is meant to be operational company knowledge, not regulated client data or customer personal information. Libby, our AI editor, actively flags personal data in a draft and offers to anonymize it before anything is saved.

Authorship and edit records

To keep every answer traceable, we stamp who created and who last changed each article and category, recording the person's name and a reference to their account.

Session and usage data

Each AI conversation receives its own short-lived session pass (about two hours) carrying your current organization and caretaker. We keep access and activity logs to run the service securely and reliably.

Support and feedback

If you send feedback or contact support, we receive your message, your email address, and anything you choose to include.

Technical data

Standard information your browser sends automatically, such as IP address, device and browser type, and log data, collected when you use the site or app.

Cookies and Similar Technologies

Our site and app use cookies and similar technologies (such as pixels and tags), both to run the service and to understand and improve how it is used.

Essential cookies

These keep the service working. They sign you in, keep your session secure, and remember basic preferences. The service will not function properly without them.

Analytics and product-improvement cookies

We use, or intend to use, non-essential cookies and similar tools to understand how people use DataPalace and to improve the app and our operations. This may include, but is not limited to, product analytics, session replay, and multi-channel customer analytics that help us connect your experience across the places you interact with us.

Your choices

You can control or disable cookies through your browser settings. Most browsers let you refuse new cookies, ask to be notified when one is set, or delete existing ones. Disabling non-essential cookies will not stop you from using the core service, though some features, and our insight into how to improve it, may be reduced. Where the law requires your consent for non-essential cookies, we ask for it before we set them.

We do not use cookies for third-party advertising, and we do not sell what cookies collect.

How We Use Your Information

  • To provide, operate, and maintain DataPalace.
  • To authenticate you and enforce who may enter which rooms and categories.
  • To power search across your knowledge, including semantic (vector) search.
  • To stamp authorship so every answer can be traced to its source.
  • To respond to your support requests and feedback.
  • To keep the service secure, reliable, and free of abuse.
  • To meet our legal and regulatory obligations.

We rely on the grounds permitted under Canadian privacy law, including your consent, performance of our agreement with you or your organization, and legitimate business purposes that a reasonable person would consider appropriate.

AI, Search, and Your Data

This is the part people ask about most, so we are direct about it.

We do not train models on your knowledge.We do not sell your data, and we do not use your knowledge base content to train our own or anyone else's foundation models.

Making your knowledge searchable.To let you search by meaning, article text is converted into numerical embeddings by a third-party embeddings provider. Content sent for embeddings is processed under that provider's API terms and, under those terms, is not used to train its models.

Outside AI you connect. When you connect an AI tool (such as ChatGPT, Claude, Gemini, or a coding agent) through MCP, it only has access to the rooms / categories and articles that are available to your authenticated DataPalace user account. What that AI vendor does with the content it receives is governed by your agreement with that vendor, not by DataPalace, so choose your connections deliberately.

How We Share Information

We share personal information only as needed to run the service, and only with providers bound to protect it and to use it solely for the service they provide us:

  • Railway: cloud hosting and infrastructure.
  • OpenAI: generating the vector embeddings that power search.
  • Postmark: sending and receiving transactional email.
  • UptimeRobot: monitoring uptime and service health.

We may also disclose information when the law requires it, to enforce our terms, or to protect the rights, safety, and property of DataPalace, our customers, or the public. If our business is ever involved in a merger, acquisition, or sale of assets, information may transfer as part of that deal, under continued protection consistent with this policy. We do not sell personal information.

Where Your Data Is Processed

DataPalace is operated from Canada, and some of our providers process data in other countries, including the United States. When information is processed or stored outside Canada, it becomes subject to the laws of that country, including lawful access by courts and authorities there. We work with providers that commit to appropriate safeguards for the information they handle on our behalf.

How We Protect Your Information

Security is designed in, not bolted on. Every company's space is walled off at the database level using various methods including Row-Level Security. Sign-in uses modern OAuth 2.1, and each AI connection gets its own pass that expires on its own. Access is granted on a least-privilege basis, data is encrypted in transit, and credentials / secrets are managed centrally. For the fuller picture, see our Trust, Security and Your Data page.

How Long We Keep It

We keep personal information for as long as your account and your organization's subscription are active, and for as long as we need it for the purposes in this policy or to meet legal obligations. After that we delete or anonymize it.

One deliberate exception: to keep an accurate audit trail, the recorded author or editor name may remain on an article even after that person's account is deleted. On a verified deletion request, we will remove those name records as part of fulfilling it.

Your Privacy Rights

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA), you can:

  • Ask what personal information we hold about you and get access to it.
  • Ask us to correct information that is wrong or incomplete.
  • Withdraw your consent, subject to legal and contractual limits.
  • Ask how we have handled your information.

Depending on where you live, you may have further rights, such as erasure, portability, or objection under the EU or UK GDPR. To exercise any of these, email help@datapalace.ai. We respond within the timeframes the law requires, generally within 30 days under PIPEDA. If you reach DataPalace through your employer, we may direct your request to them as the organization responsible for that content.

Your Choices

You can update your account details, disconnect any AI client at any time, and take your personal palace with you if you leave your company / employer. It belongs to you, not the company that paid for the seat. If we ever send optional product emails, every one includes a way to opt out.

Children's Privacy

DataPalace is a tool for businesses and is not directed to children. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

Changes to This Policy

We may update this policy as the product and the law evolve. When we do, we revise the date at the top. For material changes, we will give reasonable notice through the service or by email before they take effect.

Contact Us

Questions about privacy, or want to exercise a right? Reach our privacy contact at help@datapalace.ai, or write to FNL Agency Inc. (Funnel+Ladder), Victoria, British Columbia, Canada.

If you are not satisfied with our response, you may contact the Office of the Information and Privacy Commissioner for British Columbia, or the Office of the Privacy Commissioner of Canada.

Governing Law

This policy is governed by the laws of the Province of British Columbia and the applicable laws of Canada.

Nothing to hide.
Everything to protect.

Questions about data handling? Ask us directly, we would rather you did.

See how to start →