Privacy Policy

Last updated: February 18, 2026 • Effective Date: February 18, 2026

Compliance frameworks: GDPR, CCPA / CPRA, CalOPPA, COPPA, PDPA Thailand, PDPA Singapore, UAE PDPL

1. Introduction

Welcome to One Last AI ("we," "our," or "us"). We operate a global multi-agent AI platform that provides specialized AI personalities and services to users worldwide. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at onelastai.co and its sub-site applications, including Canvas App, Canvas Studio, GenCraft Pro, and Maula Editor (maula.dev).

We are committed to protecting your privacy and complying with applicable data protection laws globally, including:

  • GDPR (General Data Protection Regulation) — European Union / EEA
  • CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act) — California, United States
  • CalOPPA (California Online Privacy Protection Act) — California, United States
  • COPPA (Children's Online Privacy Protection Act) — United States
  • — Canada
  • Privacy Act 1988 — Australia
  • LGPD (Lei Geral de Proteção de Dados) — Brazil
  • PDPA (Personal Data Protection Act B.E. 2562) — Thailand
  • PDPA (Personal Data Protection Act 2012) — Singapore
  • PDPL (Federal Decree-Law No. 45 of 2021) — United Arab Emirates

By using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access or use our services.

2. Information We Collect

2.1 Personal Information You Provide

Information you provide directly when creating an account, using our services, or contacting us:

  • Identifiers: Name, email address, username, password, phone number
  • Profile Information: Company name, job title, profile picture, bio
  • Financial Information: Billing address, payment method details (processed via Stripe; we do not store full card numbers)
  • Communication Data: Support tickets, feedback, chat conversations with AI agents, emails
  • Content Data: Files, documents, images, code, and prompts submitted to AI agents
  • Audio/Visual Data: Voice recordings when using voice-chat features, uploaded images/screenshots
  • Optional Profile Data: Preferred name, age, gender, nationality (for AI personalization and localization)
  • User-Supplied Credentials (Encrypted): Deploy tokens (GitHub, Vercel, Netlify, AWS), API keys, and user secrets — all encrypted with AES-256-GCM at rest in PostgreSQL; never logged or included in AI prompts
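As an added illustration of the two properties claimed for user-supplied credentials above (AES-256-GCM at rest, never logged or placed in AI prompts), the following Go example shows one way to implement them. It is example code written for this page, not One Last AI's own implementation: the 32-byte key is assumed to come from a key-management service, and binding the owning user ID and credential kind as GCM associated data is a design choice of the example, not something the policy states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Secret holds a user-supplied credential (deploy token, API key). Its
// String/GoString methods make fmt-based logging print a placeholder, so a
// stray log line or a value interpolated into a prompt template never carries
// the raw token. Only Reveal() returns the plaintext.
type Secret struct{ value string }

func NewSecret(v string) Secret   { return Secret{value: v} }
func (s Secret) String() string   { return "[REDACTED]" }
func (s Secret) GoString() string { return "[REDACTED]" }
func (s Secret) Reveal() string   { return s.value }

// aad binds a ciphertext to the owning user and credential kind (assumed
// layout). Both are authenticated but not encrypted, so a row copied into
// another user's account, or relabelled from "github" to "aws", fails to open.
func aad(userID, kind string) []byte { return []byte(userID + "\x00" + kind) }

// SealCredential encrypts the secret with AES-256-GCM under a 32-byte key and
// returns base64(nonce || ciphertext || tag), the form to store in the database.
// A fresh random 96-bit nonce is drawn per call: reusing a nonce under the same
// key breaks GCM, so the nonce is never derived from the data.
func SealCredential(key []byte, userID, kind string, secret Secret) (string, error) {
	if len(key) != 32 {
		return "", errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(secret.Reveal()), aad(userID, kind))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenCredential reverses SealCredential. Any change to the stored value, the
// user ID or the kind makes the GCM tag check fail, so the caller gets an
// error rather than garbage or another user's token.
func OpenCredential(key []byte, userID, kind, stored string) (Secret, error) {
	if len(key) != 32 {
		return Secret{}, errors.New("AES-256 requires a 32-byte key")
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return Secret{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Secret{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Secret{}, err
	}
	if len(raw) < aead.NonceSize() {
		return Secret{}, errors.New("stored value too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, aad(userID, kind))
	if err != nil {
		return Secret{}, errors.New("decryption failed: wrong key, user, kind, or tampered data")
	}
	return NewSecret(string(pt)), nil
}

func main() {
	key := make([]byte, 32) // assumed to come from a KMS in production, never hard-coded
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	token := NewSecret("ghp_constructedExampleToken") // constructed sample, not a real token
	stored, err := SealCredential(key, "user-123", "github", token)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	fmt.Println("logged token:", token) // prints [REDACTED], not the value
	if _, err := OpenCredential(key, "user-456", "github", stored); err != nil {
		fmt.Println("cross-user read rejected:", err)
	}
}
```

The redaction type is the part most often missing in practice: encryption at rest protects the database dump, but a credential that reaches a logger or a prompt builder as a plain string is already exposed, and a type whose default formatting is a placeholder makes that leak a compile-visible `Reveal()` call rather than an accident.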

2.2 Information Collected Automatically

When you access or use our services, we automatically collect:

  • Usage Data: Pages visited, features used, time spent, click patterns, interaction frequency, AI model used, token counts (input/output), request latency, credits consumed per request
  • Device Information: IP address, browser type and version, operating system, device type (mobile/tablet/desktop), screen resolution, user-agent string
  • Geolocation Data: Approximate country and city derived from your IP address
  • Cookies & Tracking Technologies: Session cookies, authentication cookies, preference cookies (see Section 13)
  • Performance Data: API response times, page load times, error logs, crash reports, success/failure status
  • Referral & Marketing Data: Referrer URL, UTM parameters (source, medium, campaign), search terms
  • Session Tracking: Anonymous visitor ID (UUID), session start/end, page views per session, landing and exit pages
  • Security Data: Login attempts, failed login counts, account lock level and lock-until timestamps (3-tier progressive lockout: 15 min → 24 hr → permanent)
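The "3-tier progressive lockout" above names the stored fields (failed login count, lock level, lock-until timestamp) and the tier durations but not the mechanics. The following Go example, written for this page and not One Last AI's own code, implements one consistent reading of it. The threshold of five failures per tier is an assumption, as is the rule that attempts made while locked are refused without counting and that a successful login after a timed lock expires resets the level.

```go
package main

import (
	"fmt"
	"time"
)

// Tiers from the policy: 15 minutes, then 24 hours, then permanent.
// failuresPerTier is an assumption; the policy does not state the threshold.
const failuresPerTier = 5

const permanentLevel = 3

var tierDurations = []time.Duration{15 * time.Minute, 24 * time.Hour}

// AccountSecurity mirrors the fields the policy says are stored per account.
type AccountSecurity struct {
	FailedLogins int
	LockLevel    int       // 0 unlocked, 1 = 15 min, 2 = 24 h, 3 = permanent
	LockUntil    time.Time // zero value when no timed lock is active
}

// IsLocked reports whether a login attempt at time now must be refused.
func (a *AccountSecurity) IsLocked(now time.Time) bool {
	if a.LockLevel >= permanentLevel {
		return true
	}
	return !a.LockUntil.IsZero() && now.Before(a.LockUntil)
}

// RecordFailure counts a failed password check and returns whether the
// account is now locked. Attempts during an active lock are refused without
// counting, so an attacker cannot push the account to the next tier while it
// is locked. Reaching the threshold escalates one tier; the level is kept
// across expired locks so repeated bursts go 15 min -> 24 h -> permanent
// instead of cycling at 15 min forever.
func (a *AccountSecurity) RecordFailure(now time.Time) (locked bool) {
	if a.IsLocked(now) {
		return true
	}
	a.FailedLogins++
	if a.FailedLogins < failuresPerTier {
		return false
	}
	a.FailedLogins = 0
	a.LockLevel++
	if a.LockLevel >= permanentLevel {
		a.LockLevel = permanentLevel
		a.LockUntil = time.Time{} // permanent: no expiry to compare against
	} else {
		a.LockUntil = now.Add(tierDurations[a.LockLevel-1])
	}
	return true
}

// RecordSuccess is called after a correct password. It returns false while any
// lock is active (a correct password during a lock still does not log in),
// otherwise clears the counters. A permanent lock therefore never clears here;
// that needs an out-of-band identity check by support.
func (a *AccountSecurity) RecordSuccess(now time.Time) bool {
	if a.IsLocked(now) {
		return false
	}
	a.FailedLogins = 0
	a.LockLevel = 0
	a.LockUntil = time.Time{}
	return true
}

func main() {
	now := time.Date(2026, 2, 18, 9, 0, 0, 0, time.UTC)
	acct := &AccountSecurity{}
	// Constructed attack: one failure per minute, waiting out each timed lock.
	for attempt := 1; attempt <= 3*failuresPerTier; attempt++ {
		if acct.IsLocked(now) && acct.LockLevel < permanentLevel {
			now = acct.LockUntil.Add(time.Minute)
		}
		acct.RecordFailure(now)
		fmt.Printf("attempt %2d at %s -> level %d\n", attempt, now.Format("Jan 2 15:04"), acct.LockLevel)
		now = now.Add(time.Minute)
	}
	fmt.Println("locked a year later:", acct.IsLocked(now.Add(365*24*time.Hour)))
}
```

Two checks are worth keeping when adapting this: the lock decision must be made against a server clock (never a client-supplied timestamp), and the three fields must be updated in one transaction, otherwise two concurrent failed attempts can each observe the pre-escalation count and one tier is silently skipped or doubled.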

2.3 AI Interaction Data

When you interact with our AI agents, we collect:

  • Conversation history and context
  • Prompts, queries, and instructions submitted
  • AI-generated responses and outputs
  • Agent preferences and personalization settings
  • Tool execution requests and results (268 tools across 39 categories)
  • Files uploaded for AI processing (images, documents, code)
  • Voice recordings (if voice features are used)
  • Project files (code, HTML, CSS, JS, etc.) and project metadata
  • AI-generated video outputs (stored in AWS S3)

Agent Memory System

Our AI agents can auto-save "memories" about your preferences, facts, and interaction patterns to personalize your experience. These memories are:

  • Stored in PostgreSQL with category tags (preference, fact, interaction, general)
  • User-scoped — never shared between users
  • Source-tracked: "agent" (auto-saved) or "user" (manually saved)
  • Viewable, disableable, and deletable by you at any time via the Agent Memory Panel

2.4 Sensitive Personal Information

Under the CPRA, "sensitive personal information" includes certain categories of data. We may process the following sensitive PI only as necessary to provide our services:

  • Account credentials: Username/email in combination with password (passwords are stored only as bcrypt hashes, never in plaintext)
  • Precise geolocation: We do NOT collect precise geolocation. Only approximate location from IP address.
  • Contents of communications: Messages you send to AI agents and support

We do not collect Social Security numbers, financial account numbers, racial/ethnic origin, religious beliefs, biometric data for identification, health data, or sexual orientation data.

3. How We Use Your Information

We use collected information for the following purposes. Under the GDPR, each purpose is linked to a lawful basis for processing:

3.1 Service Delivery

GDPR lawful basis: Performance of a contract (Art. 6(1)(b))

  • Provide access to AI agents and platform features
  • Process your requests and transactions
  • Maintain your account, preferences, and subscriptions
  • Deliver personalized AI interactions
  • Execute tool calls and return results

3.2 Platform Improvement

GDPR lawful basis: Legitimate interests (Art. 6(1)(f))

  • Analyze usage patterns to improve AI accuracy and relevance
  • Enhance our AI features using anonymized and aggregated usage statistics only; we do not train or fine-tune any AI model on your prompts, content, or outputs (see Section 13)
  • Develop new features and services
  • Optimize performance, reliability, and user experience

3.3 Communication

GDPR lawful basis: Legitimate interests (Art. 6(1)(f)) or Consent (Art. 6(1)(a)) for marketing

  • Send service-related updates and transactional notifications
  • Provide customer support and respond to inquiries
  • Send marketing communications (only with explicit opt-in consent; you can unsubscribe at any time)

3.4 Security & Compliance

GDPR lawful basis: Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f))

  • Detect and prevent fraud, abuse, and unauthorized access
  • Enforce our Terms of Service
  • Comply with legal obligations, including tax and financial reporting
  • Protect user safety and platform integrity

4. Data Sharing and Disclosure

We Do Not Sell or Share Your Personal Information

As defined under the CCPA/CPRA (Cal. Civ. Code § 1798.140(ad) and § 1798.140(ah)), we do not sell your personal information and do not share your personal information for cross-context behavioral advertising. In the preceding 12 months, we have not sold or shared the personal information of any consumer.

We may disclose your information in the following limited circumstances:

4.1 Service Providers (Processors)

We engage third-party service providers who process personal information on our behalf under written contracts that restrict their use of the data. Under the CCPA/CPRA, these disclosures qualify as disclosures for a "business purpose":

  • Payment processing: Stripe (PCI DSS Level 1 compliant)
  • Cloud hosting & infrastructure: AWS (Amazon Web Services)
  • Analytics: Internal analytics (self-hosted); no data sent to Google Analytics or third-party analytics
  • AI model providers (accessed via One Last AI's own API keys — users never need provider accounts):
    • Anthropic — Claude Sonnet 4, Claude Opus 4, Claude Haiku (primary provider; does NOT use API data for model training)
    • OpenAI — GPT-4o, GPT-4o Mini, TTS (text-to-speech), DALL·E 3 (image generation); API data not used for training when accessed via API keys
    • Google — Gemini 2.5 Pro, Gemini 2.5 Flash; API data processed under Google Cloud data processing terms
    • Mistral AI — Mistral Large, Codestral (code-specialized); European-headquartered, GDPR-compliant
    • xAI — Grok 3, Grok 3 Mini; prompts processed under xAI's API data policy
    • Groq — LLaMA 3.3 70B (speed-optimized inference); processes prompts in-memory with no persistent storage
    • Cerebras — LLaMA 3.3 70B (ultra-fast wafer-scale inference); processes prompts with no persistent storage of request data
    • HuggingFace — Open-source model hosting and inference; processing governed by HuggingFace Inference API terms
    • Ollama — Local/self-hosted open-source model execution; data stays on our servers and is never sent to external APIs
    • fal.ai / Minimax — AI video generation from text prompts
    • Azure AI Vision — Image-to-code analysis from uploaded screenshots

    Important: All AI API calls are made through One Last AI's own platform API keys on your behalf. You do not need accounts with any AI provider. Your prompts and code context may be sent to generate responses. We do NOT include your email, name, password, credentials, or payment info in AI prompts. We do NOT sell, share, or license your data to any third party. We do NOT use your data to train, fine-tune, or improve any AI models.

  • Media processing: fal.ai / Minimax (AI video generation from text prompts), Azure AI Vision (image-to-code analysis from uploaded screenshots)
  • Deployment targets (user-initiated only): Vercel, Netlify, GitHub, AWS — project files are sent only when you click "Deploy" using your own stored deploy tokens
  • Email delivery: Transactional email services
  • Content delivery: CDN for static asset delivery
  • Sandbox execution: AWS ECS Fargate — isolated container per session for user code execution

4.2 Legal Requirements

We may disclose personal information when required by law, subpoena, or other legal process, or when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, or legal process
  • Respond to lawful requests by public authorities, including national security or law enforcement
  • Protect our rights, property, or safety, or that of our users or the public
  • Investigate potential violations of our Terms of Service

4.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, reorganization, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

4.4 With Your Consent

We may share information with third parties when you explicitly consent to such sharing.

4.5 CCPA/CPRA Disclosure Table — Categories of PI Disclosed for Business Purposes (Preceding 12 Months)

Category of PI | Disclosed To | Purpose
A. Identifiers | Cloud host, email service, payment processor | Account management, billing, support
B. Customer records | Payment processor (Stripe) | Payment processing
D. Commercial information | Payment processor | Transaction processing, invoicing
F. Internet activity | Internal analytics (self-hosted) | Service improvement, fraud detection
G. Geolocation (approx.) | Cloud host, analytics | Service delivery, localization
H. Audio/visual (voice chat, images) | AI model providers, Azure AI Vision, fal.ai | Voice-to-text, AI interaction, image-to-code, video generation
K. Inferences (agent memories) | Not disclosed to third parties | Internal AI personalization only

Categories E and J: not collected. Categories C, I, and L: collected (see Section 8.1) but not disclosed to third parties. We have not sold or shared any category of PI in the preceding 12 months.

5. Data Retention

In accordance with the GDPR principle of storage limitation (Art. 5(1)(e)) and the CPRA's data minimization requirements, we retain your information only for as long as reasonably necessary for the purposes for which it was collected:

Retention Periods:

  • Active accounts: Duration of account + 30 days after deletion request (includes all associated data: projects, chat history, agent memories, credentials, usage logs, and files)
  • Chat messages: Until you delete the session or delete your account
  • Project files: Until you delete the project or delete your account
  • Agent memories: Until you disable or delete them, or delete your account
  • Encrypted credentials (deploy tokens, API keys): Until you remove them or delete your account
  • Usage logs: 2 years (automatic purge)
  • Page views & visitor sessions: 1 year (automatic purge)
  • Login attempt records: 90 days (automatic purge)
  • Payment & billing records: 7 years (tax and financial compliance obligations)
  • Support ticket records: 3 years after resolution

When data is no longer needed, we securely delete or anonymize it. Anonymized data that can no longer identify you may be retained indefinitely for statistical and research purposes.

6. Your Privacy Rights

Regardless of your location, we extend the following rights to all users:

✓ Right to Access

Request a copy of your personal data we hold

✓ Right to Rectification / Correction

Correct inaccurate or incomplete personal data

✓ Right to Erasure / Deletion

Request deletion of your personal data, subject to legal retention obligations

✓ Right to Data Portability

Receive your data in a structured, machine-readable format (JSON or CSV)

✓ Right to Object / Opt-Out

Object to processing of your personal data for certain purposes

✓ Right to Withdraw Consent

Withdraw consent at any time without affecting prior processing

How to Exercise Your Rights:

  • Email: privacy@onelastai.co
  • In-app: Dashboard → Preferences → Privacy Controls
  • Mailing address: One Last AI, Attn: Privacy Team (see Section 15)

We will verify your identity before processing any request. We respond within 30 days (GDPR) or 45 days (CCPA/CPRA), with extensions as permitted by law. We will not charge a fee for reasonable requests.

7. GDPR Compliance (EU/EEA Users)

This section applies if you are located in the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), and supplements the information in the rest of this Privacy Policy per Regulation (EU) 2016/679 (the "GDPR") and the UK GDPR.

7.1 Data Controller

One Last AI is the data controller responsible for your personal data. Our contact details are set out in Section 15 below.

7.2 Lawful Bases for Processing (Article 6)

Processing Activity | Lawful Basis
Creating & maintaining your account | Performance of contract (Art. 6(1)(b))
Providing AI agent services & features | Performance of contract (Art. 6(1)(b))
AI code generation & tool execution | Performance of contract (Art. 6(1)(b))
Credit/billing management | Performance of contract (Art. 6(1)(b))
Page view & visitor session tracking | Legitimate interest (Art. 6(1)(f)) — analytics
Security monitoring (login attempts, lockout) | Legitimate interest (Art. 6(1)(f)) — security
Processing payments & billing | Performance of contract (Art. 6(1)(b))
Sending transactional emails | Performance of contract (Art. 6(1)(b))
Analytics & service improvement | Legitimate interest (Art. 6(1)(f)) — improving our services
Fraud prevention & security | Legitimate interest (Art. 6(1)(f)) — protecting our platform
Marketing communications | Consent (Art. 6(1)(a)) — opt-in only
Optional profile data (age, gender, nationality) | Consent (Art. 6(1)(a))
Agent memory storage | Consent (Art. 6(1)(a)) — user can disable
Tax/financial record-keeping | Legal obligation (Art. 6(1)(c))
Responding to legal requests | Legal obligation (Art. 6(1)(c))

7.3 Your Rights Under the GDPR (Articles 15–22)

In addition to the general rights in Section 6, GDPR provides the following specific rights:

  • Right of Access (Art. 15): Obtain confirmation of whether we process your data and receive a copy in a commonly used electronic format.
  • Right to Rectification (Art. 16): Have inaccurate personal data corrected without undue delay.
  • Right to Erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing (the "right to be forgotten").
  • Right to Restriction (Art. 18): Restrict processing while we verify accuracy or assess an objection.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON) and transmit it to another controller.
  • Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Automated Decision-Making (Art. 22): We do not make solely automated decisions that produce legal effects on you. AI agent responses are generated content, not automated legal decisions.

7.4 International Data Transfers (Chapter V)

Your data may be transferred to and processed in the United States and other countries outside the EU/EEA. We ensure an adequate level of protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914)
  • Data Processing Agreements (DPAs) with all third-party sub-processors
  • Adequacy decisions where the European Commission has determined a country provides adequate protection
  • Supplementary measures (encryption, pseudonymization) where required by the Schrems II ruling (Case C-311/18)

You may request a copy of the applicable SCCs by contacting privacy@onelastai.co.

7.5 Data Protection Officer

You may reach our Data Protection Officer at dpo@onelastai.co.

7.6 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. A list of EU Data Protection Authorities is available at edpb.europa.eu.

8. CCPA & CPRA Compliance (California Residents)

This section applies to California residents and supplements the rest of this Privacy Policy pursuant to the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100–1798.199), as amended by the California Privacy Rights Act of 2020 ("CPRA", effective January 1, 2023). Terms used in this section have the meanings given in the CCPA/CPRA.

8.1 Categories of Personal Information Collected (§ 1798.110)

In the preceding 12 months, we have collected the following categories of personal information:

Category | Examples | Collected?
A. Identifiers | Name, email, username, IP address, account name | Yes
B. Customer records | Name, address, phone, payment information | Yes
C. Protected classifications | Age, gender (optional profile fields) | Yes*
D. Commercial information | Purchase history, subscription plan, usage records | Yes
E. Biometric information | Fingerprints, voice prints, facial recognition data | No
F. Internet / network activity | Browsing history, interactions with our platform, search queries | Yes
G. Geolocation data | Approximate location from IP address | Yes
H. Audio / visual data | Voice recordings (voice chat), uploaded images/videos | Yes
I. Professional / employment info | Job title, company name (optional profile fields) | Yes
J. Education information | Education records | No
K. Inferences | Agent preferences, usage patterns, content interests | Yes
L. Sensitive PI (CPRA) | Account login credentials; contents of messages to AI agents | Yes*

*Category C: Only age and gender are collected as optional, user-provided profile fields for AI personalization; race, religion, and other protected classes are NOT collected. *Category L: Sensitive PI is used only as necessary to provide the services you requested. You may exercise the right to limit use of sensitive PI (see Section 8.2).

8.2 Your Rights Under the CCPA/CPRA

Right to Know / Access (§ 1798.100, § 1798.110)

You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting, and the categories of third parties with whom we share your PI. You may make this request up to twice in a 12-month period.

Right to Delete (§ 1798.105)

You may request that we delete your personal information. We will comply except where retention is necessary for completing the transaction, detecting security incidents, complying with legal obligations, or other lawful purposes described in § 1798.105(d).

Right to Correct (§ 1798.106 — CPRA)

You may request that we correct inaccurate personal information we maintain about you, taking into account the nature and purposes of processing.

Right to Opt-Out of Sale/Sharing (§ 1798.120)

You have the right to direct us not to sell or share your personal information. We do not sell or share (as defined by the CCPA/CPRA) your personal information. Therefore, no opt-out mechanism is required. However, should our practices change, we will provide a "Do Not Sell or Share My Personal Information" link on our homepage.

Right to Limit Use of Sensitive PI (§ 1798.121 — CPRA)

You may direct us to limit our use of your sensitive personal information to that which is necessary to perform the services or provide the goods you requested. We only use sensitive PI for permissible purposes (authentication, service delivery) and do not use or disclose it for inferring characteristics about you.

Right to Non-Discrimination (§ 1798.125)

We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not: deny you services, charge different prices, provide a different level or quality of services, or suggest that you will receive a different price or quality.

8.3 How to Submit a Verifiable Consumer Request

You (or an authorized agent acting on your behalf) may submit a request by:

  • Emailing privacy@onelastai.co with subject "CCPA Request"
  • Using the Privacy Controls in Dashboard → Preferences

We will verify your identity by matching information you provide against our existing records. For requests from authorized agents, we require a signed written authorization or power of attorney, and we may still verify the consumer's identity directly.

Response timing: We will acknowledge receipt within 10 business days and respond substantively within 45 calendar days from receipt. If we need additional time, we will inform you and may extend by an additional 45 days (90 days total) as permitted by law.

8.4 Financial Incentives

We do not offer financial incentives, price differences, or service differences in exchange for the retention or sale of personal information.

8.5 Metrics Disclosure

Per CCPA/CPRA requirements, we will publish annual metrics on the number of requests to know, delete, correct, and opt-out received, complied with (in whole or in part), and denied, along with the median response time.

9. CalOPPA Compliance (California Online Privacy Protection Act)

Pursuant to the California Online Privacy Protection Act (Cal. Bus. & Prof. Code §§ 22575–22579), we make the following disclosures:

9.1 Privacy Policy Accessibility

This Privacy Policy is conspicuously posted and accessible via the "Privacy Policy" link in the footer of every page on onelastai.co, as well as from the account registration page and account settings. The link uses the word "Privacy" as required by § 22577(b)(1).

9.2 Categories of Personally Identifiable Information

The categories of PII collected are described in Section 2 above. The categories of third parties with whom PII may be shared are described in Section 4 above.

9.3 Process for Reviewing and Requesting Changes to Your PII (§ 22575(b)(2))

You may review, update, or request changes to your personally identifiable information by emailing privacy@onelastai.co or using Dashboard → Preferences → Privacy Controls (see Section 6).

We will process your request within 30 days.

9.4 Do Not Track (DNT) Disclosure (§ 22575(b)(5)–(6))

How we respond to DNT signals: Our services do not currently respond to "Do Not Track" browser signals, as there is no industry-standard technology for recognizing or honoring DNT signals. We do not engage in cross-site tracking.

Third-party tracking: We do not allow third parties to collect personally identifiable information about your individual online activities over time and across different websites when you use our services. We do not use Google Analytics, Facebook Pixel, or other third-party tracking tools.

9.5 Effective Date and Changes (§ 22575(b)(3)–(4))

The effective date of this Privacy Policy is stated at the top of this page. When we make material changes to this policy, we will notify users via email and/or a prominent notice on our platform at least 30 days before the changes take effect. Continued use of our services after the effective date constitutes acceptance.

10. PDPA Thailand Compliance (Personal Data Protection Act B.E. 2562)

If you are located in Thailand, the following provisions apply under the Personal Data Protection Act B.E. 2562 (PDPA), effective June 1, 2022.

10.1 Data Controller Information

One Last AI acts as the Data Controller for personal data collected from users in Thailand. We determine the purposes and means of processing your personal data in accordance with the PDPA.

10.2 Lawful Bases for Processing (Section 24)

We process your personal data under the following lawful bases:

Lawful Basis | Processing Activity
Consent (Sec. 19) | Marketing communications, optional analytics
Contract Performance (Sec. 24(3)) | Account creation, service delivery, payment processing, AI interactions
Legal Obligation (Sec. 24(6)) | Tax records, fraud prevention, regulatory compliance
Legitimate Interest (Sec. 24(5)) | Security, service improvement, abuse prevention

10.3 Your Rights Under PDPA Thailand (Sections 30–42)

As a data subject in Thailand, you have the following rights:

Right | Description
Right to Access (Sec. 30) | Request access to your personal data and a copy thereof
Right to Data Portability (Sec. 31) | Receive your data in a structured, machine-readable format
Right to Object (Sec. 32) | Object to processing based on legitimate interests or public interest
Right to Erasure (Sec. 33) | Request deletion or destruction of your personal data
Right to Restrict Processing (Sec. 34) | Request restriction of processing in certain circumstances
Right to Rectification (Sec. 36) | Request correction of inaccurate or incomplete data
Right to Withdraw Consent (Sec. 19) | Withdraw consent at any time (does not affect prior lawful processing)
Right to Complain (Sec. 73) | Lodge a complaint with the Personal Data Protection Committee (PDPC)

10.4 Cross-Border Data Transfers (Section 28)

When your data is transferred outside Thailand to our servers, we ensure:

  • The destination country has adequate data protection standards as determined by the PDPC
  • Appropriate safeguards are in place (contractual clauses, binding corporate rules)
  • Where required, your explicit consent is obtained for specific transfers
  • All AI provider API calls are server-to-server with no persistent data retention by AI providers

10.5 Supervisory Authority

The Personal Data Protection Committee (PDPC) under the Ministry of Digital Economy and Society is Thailand's supervisory authority. You may lodge a complaint with the PDPC if you believe your data protection rights have been violated. Contact: www.pdpc.or.th.

11. PDPA Singapore Compliance (Personal Data Protection Act 2012)

If you are located in Singapore, the following provisions apply under the Personal Data Protection Act 2012 (PDPA), as amended by the PDPA (Amendment) Act 2020.

11.1 Our Data Protection Obligations

As an organization processing personal data of Singapore residents, we comply with the following obligations under the PDPA:

Obligation | How We Comply
Consent | We obtain consent before collecting, using, or disclosing personal data
Purpose Limitation | Data is used only for purposes stated in this policy
Notification | Users are informed of purposes before or at the time of collection
Access & Correction | Users can request access to and correction of their personal data
Accuracy | We make reasonable efforts to ensure data accuracy
Protection | Reasonable security arrangements to protect personal data (TLS 1.2/1.3, AES-256)
Retention Limitation | Data is not retained longer than necessary for the purposes
Transfer Limitation | Overseas transfers only to jurisdictions with comparable protection
Data Breach Notification | We notify PDPC and affected individuals of significant data breaches
Accountability | We designate a Data Protection Officer and maintain compliance documentation

11.2 Your Rights Under PDPA Singapore

As a data subject in Singapore, you have the right to:

  • Access — Request access to personal data we hold about you
  • Correction — Request correction of errors or omissions in your personal data
  • Withdraw Consent — Withdraw consent for collection, use, or disclosure (with reasonable notice)
  • Data Portability — Request your data in a machine-readable format (per 2020 amendment)
  • Complaint — Lodge a complaint with the Personal Data Protection Commission (PDPC)

11.3 Do Not Call (DNC) Registry

We respect Singapore's national Do Not Call (DNC) Registry. We do not send unsolicited marketing messages via voice calls, SMS, MMS, or fax. All marketing communications are sent only with your explicit prior consent via email.

11.4 Supervisory Authority

The Personal Data Protection Commission (PDPC) is Singapore's data protection authority. You may lodge a complaint with the PDPC at www.pdpc.gov.sg.

12. UAE PDPL Compliance (Federal Decree-Law No. 45 of 2021)

If you are located in the United Arab Emirates, the following provisions apply under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL"), effective January 2, 2022.

12.1 Data Controller Information

One Last AI acts as the Data Controller for personal data collected from users in the UAE. We process your personal data in accordance with the UAE PDPL and its Executive Regulations.

12.2 Lawful Bases for Processing (Article 4)

We process your personal data under the following lawful bases:

Lawful Basis | Processing Activity
Consent (Art. 4(1)) | Marketing communications, optional features
Contract Performance (Art. 4(2)) | Account creation, service delivery, payment processing
Legal Obligation (Art. 4(3)) | Compliance with UAE laws, tax requirements, fraud prevention
Legitimate Interest (Art. 4(5)) | Platform security, service improvement, abuse prevention

12.3 Your Rights Under UAE PDPL (Articles 13–18)

As a data subject in the UAE, you have the following rights:

Right | Description
Right to Information (Art. 13) | Be informed about how your data is processed
Right to Access (Art. 14) | Request access to your personal data
Right to Portability (Art. 15) | Request transfer of your data in a structured format
Right to Object to Automated Decisions (Art. 16) | Object to decisions based solely on automated processing, including profiling
Right to Correction/Erasure (Art. 17) | Request correction of inaccurate data or erasure of personal data
Right to Restrict/Stop Processing (Art. 18) | Request restriction or cessation of data processing
Right to Withdraw Consent | Withdraw consent at any time without affecting prior lawful processing

12.4 Cross-Border Data Transfers (Article 22)

When your data is transferred outside the UAE, we ensure compliance with Article 22:

  • Transfers only to countries with adequate data protection levels as determined by the UAE Data Office
  • Standard Contractual Clauses approved by the UAE Data Office are in place
  • Where required, your explicit consent is obtained for specific international transfers
  • Sector-specific data localisation requirements are respected
  • All AI provider API calls are encrypted server-to-server with no persistent retention

12.5 UAE Data Office (Supervisory Authority)

The UAE Data Office, established under the Executive Regulations of the Federal Decree-Law No. 45 of 2021, is the competent supervisory authority. You may lodge a complaint with the UAE Data Office if you believe your data protection rights have been violated.

13. AI-Specific Data Processing & Training Disclosure

We Do Not Use Your Data to Train AI Models — Ever

Your prompts, code, conversations, and generated outputs are used solely to provide the requested service in real time. Once a response is delivered, we do not retain, analyze, aggregate, or reprocess your inputs for any purpose other than displaying your conversation history to you.

We will never:

  • Use your data to train, fine-tune, or improve any AI model (ours or third-party)
  • Sell, license, rent, or share your personal data with any third party for commercial purposes
  • Use your data for advertising, profiling, or cross-context behavioral targeting
  • Aggregate your data with other users' data for model improvement or research
  • Allow any AI provider to use your data for their own training purposes

How we protect your data with AI providers:

  • Anthropic (primary provider): Does not use API data for model training. Zero data retention on their API tier.
  • OpenAI: API data is not used for training when accessed via API keys (our configuration). 30-day retention for abuse monitoring only.
  • Google (Gemini): Processed under Google Cloud's enterprise data processing terms. Not used for model improvement.
  • Mistral AI: European-headquartered, GDPR-compliant. API data not used for training.
  • xAI: API data processed under xAI's enterprise API terms. Not used for training.
  • Groq & Cerebras: Inference-only providers. Process prompts in-memory with no persistent storage of request data.
  • HuggingFace: Inference API only. Processing governed by HuggingFace enterprise terms.
  • Ollama: Runs locally on our servers. Data never leaves our infrastructure.
  • fal.ai / Minimax: Video generation processing only. Input prompts are not retained after generation.
  • Azure AI Vision: Image analysis only. Processed under Microsoft's enterprise data processing agreement.

All AI calls are made through One Last AI's own platform API keys. You never need an account with any AI provider. Your interactions are processed server-to-server and routed through our infrastructure — no direct connection between your browser and any AI provider exists.

What We Send to AI Providers

Data Type | Sent? | Purpose
--- | --- | ---
User text prompts | Yes | Generate AI response
Code files in current project | Yes | Contextual code generation
Conversation history | Yes | Multi-turn conversation context
User email / name / password | No | Never included in AI prompts
User credentials / deploy tokens | No | Never accessible to AI layer
Payment information | No | Never accessible to AI layer

14. Data Security

We implement industry-standard technical and organizational security measures to protect your information in accordance with GDPR Article 32 and reasonable security procedures required by the CCPA/CPRA:

  • Encryption: TLS 1.2/1.3 encryption for all data in transit; AES-256-GCM application-level encryption for user credentials (deploy tokens, API keys, user secrets); AWS EBS encryption at rest for database; AES-256 S3 server-side encryption for file storage with time-limited signed URLs
  • Authentication: bcrypt/scrypt password hashing (never stored in plaintext), HTTP-only secure JWT session cookies (HMAC-SHA256 signed), optional 2FA
  • Access Controls: Role-based access control (RBAC), principle of least privilege, CORS restricted to onelastai.co and app domains
  • Monitoring & Lockout: 24/7 security monitoring, intrusion detection, per-IP rate limiting on AI and auth endpoints, 3-tier progressive account lockout (15 min → 24 hr → permanent) after failed login attempts
  • Infrastructure: AWS cloud infrastructure (ap-southeast-1 region) with isolated networks, regular security patches, COOP/COEP headers for WebContainer SharedArrayBuffer isolation
  • Credential Separation: User-supplied API keys and deploy tokens are encrypted separately with AES-256-GCM, never logged, and never included in AI prompts or server logs
  • Sandbox Isolation: User code execution runs in isolated AWS ECS Fargate containers (one per session)
  • Regular Audits: Third-party security assessments and dependency vulnerability scanning
  • Data Backup: Regular encrypted backups with tested disaster recovery procedures

While we strive to protect your data using commercially reasonable measures, no method of transmission over the Internet or electronic storage is 100% secure. In the event of a data breach, we will notify affected individuals and supervisory authorities as required by applicable law (72 hours under GDPR Art. 33).
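The 3-tier progressive lockout listed above (15 min, then 24 hr, then permanent), shown as an added illustration rather than the platform's own code: a per-account state machine that escalates one tier each time the failure threshold is hit and refuses, without counting, any attempt made while a lock is active. The threshold of 5 failures per tier is an assumption; the policy does not state it.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy parameter (the page does not state it): failures per tier.
FAILURES_PER_TIER = 5
PERMANENT = -1  # sentinel: lock never expires; clearing it needs manual review
# Lock durations in seconds for tiers 1..3, as listed in section 14: 15 min, 24 h, permanent.
LOCKOUT_TIERS = [15 * 60, 24 * 3600, PERMANENT]


@dataclass
class AccountLockState:
    """Per-account lockout bookkeeping, kept server-side (e.g. in the DB)."""
    failures: int = 0                   # failed attempts in the current tier
    tier: int = 0                       # lockouts triggered so far
    locked_until: Optional[int] = None  # unix time the current lock expires
    permanent: bool = False             # set once tier 3 is reached


def is_locked(state: AccountLockState, now: int) -> bool:
    if state.permanent:
        return True
    return state.locked_until is not None and now < state.locked_until


def record_failure(state: AccountLockState, now: int) -> Optional[int]:
    """Count one failed login. Returns the new lock duration in seconds when
    a lockout is triggered (PERMANENT for tier 3), otherwise None."""
    if is_locked(state, now):
        return None  # attempts during a lock are rejected, not counted
    state.failures += 1
    if state.failures < FAILURES_PER_TIER:
        return None
    # Escalate: the tier index is capped so further failures stay permanent.
    duration = LOCKOUT_TIERS[min(state.tier, len(LOCKOUT_TIERS) - 1)]
    state.tier += 1
    state.failures = 0
    if duration == PERMANENT:
        state.permanent = True
        state.locked_until = None
    else:
        state.locked_until = now + duration
    return duration


def record_success(state: AccountLockState, now: int) -> bool:
    """A successful login clears the counters; it is refused while locked."""
    if is_locked(state, now):
        return False
    state.failures = 0
    state.tier = 0
    state.locked_until = None
    return True
```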

15. International Data Transfers

As a global platform, we may transfer your data to countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place as required by the GDPR (Chapter V) and other applicable laws:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all third-party processors
  • Adequacy decisions where applicable
  • Supplementary technical measures (encryption, pseudonymization)
  • Binding Corporate Rules for intra-group transfers

16. Children's Privacy

Age Restriction: Our services are NOT intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 13 (as defined by COPPA, 15 U.S.C. §§ 6501–6506) or under 16 (as defined by GDPR Art. 8 and CCPA for "minors").

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@onelastai.co. We will delete such information within 48 hours of verification.

We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age (CCPA § 1798.120(c)).

17. Cookies and Tracking Technologies

We use cookies and similar technologies as follows:

Cookie Type | Purpose | Duration | Required?
--- | --- | --- | ---
Essential | neural_link_session (JWT auth, 7 days), neural_token (backup auth, session), session_id (session linking) | Session / 7 days | Yes
Preference | Theme (dark mode), AI model/provider selection, display settings | 1 year | No (opt-out)
Analytics | Page views, feature engagement, usage patterns (self-hosted; no Google Analytics) | 1 year | No (opt-out)

We do not use third-party advertising cookies, third-party tracking cookies (Google Analytics, Facebook Pixel, etc.) or tracking pixels. For detailed information, including the localStorage keys used by our sub-site applications, please see our Cookie Policy.

Under GDPR, non-essential cookies require prior consent (ePrivacy Directive Art. 5(3) / "Cookie Law"). Under CalOPPA and CCPA, we disclose our cookie practices above.

18. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or operational needs. When we make material changes:

  • We will notify you via email (at the address associated with your account)
  • We will post a prominent notice on our platform
  • We will update the "Last updated" date at the top of this page
  • For changes requiring consent under GDPR, we will obtain your renewed consent

We encourage you to review this Privacy Policy periodically. Your continued use of our services after the updated policy becomes effective constitutes acceptance of the changes, except where consent is required.

19. Contact Us

Data Controller / Business:

One Last AI

Data Protection Officer (GDPR):

Email: dpo@onelastai.co

Privacy Team (General / CCPA Requests):

Email: privacy@onelastai.co

General Support:

Email: support@onelastai.co

EU/EEA Representative (GDPR Art. 27): For users in the European Union / EEA, you may contact our EU representative regarding data protection matters at eu-rep@onelastai.co.

UK Representative (UK GDPR): For users in the United Kingdom, please contact uk-rep@onelastai.co.

California Residents: To exercise CCPA/CPRA rights, email privacy@onelastai.co with subject "CCPA Request" or use in-app Privacy Controls.

Thailand PDPA Representative: For users in Thailand, please contact our PDPA representative at pdpa-th@onelastai.co with subject "PDPA Thailand Request".

Singapore PDPA Representative: For users in Singapore, please contact our Data Protection Officer at pdpa-sg@onelastai.co with subject "PDPA Singapore Request".

UAE PDPL Representative: For users in the United Arab Emirates, please contact our UAE data protection representative at pdpl-uae@onelastai.co with subject "UAE PDPL Request".