Last updated: 24 April 2026
This privacy policy applies to Ergora Ltd, a company registered in England & Wales, trading as Ergora. We operate the marketing site at ergora.app, the product portal at ergora.cloud, the cold-outreach domain try-ergora.com, and the Ergora Remote desktop agent. For the purposes of UK GDPR and the Data Protection Act 2018 we are the data controller for personal data we process about our customers, prospects and website visitors.
You can contact us about anything in this policy — including to exercise your rights — at hello@ergora.cloud. Our data protection contact is reachable at the same address.
When you create an account we collect your name, email address, and (where set) a password hash. If you sign in via a social provider we receive your name, email and profile photo from that provider. We use this to authenticate you, contact you about the account, and personalise the experience.
You may add your company name, website, industry, brand assets, and connect third-party integrations (Shopify, Google, Meta, HubSpot, LinkedIn, Xero and others). When you do, we store the resulting access tokens encrypted and use them only to retrieve data on your behalf within the scope you approved.
We process the prompts, files, voice notes, meeting recordings and other content you submit so the AI can respond. Voice and meeting audio is sent to Google Cloud for transcription and is not retained beyond what is needed to produce the transcript and downstream summaries you see in the product.
The product builds personalised memory layers (your personal seat context and your organisation’s shared company memory) from your interactions. These memories belong to your workspace, are not shared across customers, and can be cleared by you at any time.
We collect token consumption, image generation counts, feature usage, IP address, browser, device, session timestamps and similar technical data to operate the platform, enforce plan limits, prevent abuse and improve the Service. Stripe holds your payment-method details — we never see full card numbers.
If you accept analytics on the marketing site, Google Analytics 4 may set cookies that record anonymised usage patterns. The portal does not use advertising trackers.
We process personal data on the following lawful bases under UK GDPR: performance of a contract (operating your account, delivering the Service, processing payments), legitimate interests (securing the Service, preventing fraud, improving the product, and reaching out to business prospects in line with PECR), consent (where required, for example for non-essential cookies and marketing email), and legal obligation (for example, retaining tax records).
We share data only with the third-party processors that help us run the Service, with integration providers you choose to connect, and where we are required to by law. We do not sell your data, and we do not share it with advertising networks.
| Processor | Purpose | What it receives | Region |
|---|---|---|---|
| Supabase | Database, authentication and file storage | Account info, project data, files, embeddings, OAuth tokens | EU (Frankfurt) — primary |
| Stripe | Payment processing and subscription management | Name, email, billing address, card data (held by Stripe, not us) | US / EU |
| Loops | Transactional and lifecycle email | Email address, name, account events | US |
| OpenRouter | LLM gateway routing chat and reasoning prompts to underlying model providers (sub-processors include Anthropic / Claude, OpenAI and Google / Gemini); inputs and outputs are not retained for training | Prompts and context window sent at the time of each request | US |
| Google Cloud / Vertex AI | Gemini image and video generation, speech-to-text, text-to-speech | Prompts, attached files, voice notes, meeting recordings (when you use those features) | US (us-central1) — accessed under Standard Contractual Clauses; see s.5 below |
| Hostinger | VPS hosting for the portal and supporting services | Encrypted application data and logs | UK / EU |
Each processor is bound by a written data processing agreement that requires them to keep your data confidential, secure and used only for the purposes we direct.
Your data is hosted primarily in the UK and EU. Some of our sub-processors (Stripe, Loops, OpenRouter, Google Cloud / Vertex AI) operate in the United States — including the Vertex AI region we currently use for image, video and speech generation (us-central1). Where data leaves the UK or EEA we rely on the UK-US Data Bridge, the EU-US Data Privacy Framework, or Standard Contractual Clauses with appropriate supplementary measures to ensure your data remains protected to UK GDPR standards.
We keep your account data for as long as your account is active. If you close your account or ask us to delete it, we erase your personal data within 30 days, except where we are required to keep it for longer (for example, billing records that we must retain for tax purposes for up to 7 years).
Backups are rotated on a 30-day cycle, so deleted data may persist in encrypted backups for up to 30 days after deletion before being permanently overwritten.
You have the right to access the personal data we hold about you, ask us to correct inaccurate data, request erasure, object to or restrict certain processing, withdraw consent where processing is based on it, and receive a copy of your data in a portable format.
You can exercise the most common rights yourself, instantly, from within the product:
GET https://ergora.cloud/api/account/export while signed in.POST https://ergora.cloud/api/account/delete while signed in.For anything else, email hello@ergora.cloud. We will respond within one month. If you are not satisfied with our response you have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).
Ergora Remote is a desktop agent that runs on your own device. When you ask it a question that requires reading a local file, the file is accessed locally on your machine — its contents are not uploaded to our servers. Only the resulting query, the answer, and minimal metadata (such as which integration was used and timestamps) are transmitted to the Ergora cloud so the conversation can be continued in the portal. To revoke a Remote agent’s access, email privacy@ergora.cloud. A self-service Devices view is on our roadmap.
Ergora Remote Private (when available) operates fully air-gapped — no traffic leaves your device or local network — and is intended for customers with strict data-locality requirements.
We use a small number of essential cookies to keep you signed in and to remember your preferences, plus optional analytics cookies that only load if you accept them. See our Cookie Policy for the full list.
The Service is not directed at children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
We use encryption in transit (TLS) and at rest, row-level security in our database, encrypted OAuth tokens, access-controlled production secrets, and least-privilege access for our team. No system is perfectly secure; if we ever suffer a breach affecting your personal data we will notify you and the ICO in line with our legal obligations.
We may update this policy from time to time. The “Last updated” date at the top of this page reflects the latest revision. Material changes will be communicated by email or an in-product notice in advance.
For privacy questions, data subject requests, or to contact our data protection lead, email hello@ergora.cloud.