Permia← Home

Privacy Policy

Last updated: June 16, 2026

This Privacy Policy explains how Permia ("Permia", "we", "us") collects, uses, stores, shares, and protects information when you use the Permia platform at permia.io and its control-plane API at api.permia.io (together, the "Service"). Permia is an integration gateway: it lets AI agents, IDEs, and applications reach the tools you connect (such as Google Workspace, GitHub, Slack, and others) through a single, scoped, audited endpoint.

1. Information we collect

  • Account information. The email address, name, and organization/workspace details you provide when you sign up, and an encrypted (hashed) password if you use password sign-in.
  • Connected-provider credentials. When you connect a third-party provider, we receive OAuth access and refresh tokens (or API keys) for that provider. These tokens are stored encrypted in an isolated credential vault and are decrypted only in memory, at the moment a tool call needs them.
  • Provider data accessed on your behalf. When an agent you have authorized invokes a tool, Permia calls the provider's API with your token and returns the result to that agent. This content (for example, a spreadsheet's cells, a document's text, or a calendar event) passes through the Service transiently to fulfil the request and is not stored, retained, or indexed beyond what is required to complete the call.
  • Audit and usage records. For security and accountability, we record metadata about each tool call — which agent and key made it, which tool was invoked, a redacted summary of the arguments, the size of the result, the outcome, and a timestamp. We do not store the content returned by the provider in this audit metadata.
  • Technical information. IP address, request headers, and similar metadata generated when you or your agents interact with the Service.

2. How we use information

  • To provide, operate, secure, and maintain the Service.
  • To authenticate you and route authorized tool calls to the providers you connect.
  • To enforce the per-agent policies and permission scopes you configure.
  • To produce the audit trail you rely on for governance and incident response.
  • To detect, prevent, and investigate abuse, security incidents, and fraud.
  • To comply with legal obligations.

We do not sell your information, and we do not use the content Permia accesses from your connected providers for advertising or to train generalized artificial-intelligence or machine-learning models.

3. Google user data and Limited Use

If you connect a Google account, Permia requests only the OAuth scopes needed for the features you choose to use (for example, Google Sheets, Docs, Drive, Gmail, or Calendar access). You see and approve these scopes on Google's consent screen, and you can revoke them at any time.

Permia's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, data obtained through Google APIs is used only to provide or improve the user-facing features you have requested; is not transferred to others except as necessary to provide those features, to comply with applicable law, or as part of a merger or acquisition; is not used for advertising; is not sold; and is not used to develop, improve, or train generalized AI/ML models. Humans do not read this data except where you give explicit consent, where it is necessary for security purposes (such as investigating abuse), where required by law, or where the data has been aggregated and anonymized.

4. How we store and protect information

  • Connected-provider tokens are held in an isolated credential vault with per-tenant encryption keys and are never exposed back to the dashboard or other tenants.
  • Tenant data is isolated at the database layer using row-level security so one customer cannot access another customer's data.
  • Traffic is encrypted in transit (TLS). Secrets are managed in a dedicated secrets store, not in source code or plain environment files.
  • No security measure is perfect; we work to protect your information but cannot guarantee absolute security.

5. Sharing and sub-processors

We share information only with service providers that help us operate the Service (for example, cloud hosting and infrastructure), and only as needed for them to perform those services. We may disclose information if required by law or to protect the rights, safety, or property of Permia, our users, or the public. We do not sell personal information.

6. Data retention

We retain account and audit records for as long as your account is active and as needed to provide the Service, meet legal obligations, resolve disputes, and enforce agreements. Provider content accessed at call time is not retained beyond completing the call. Connected-provider tokens are retained until you disconnect the provider or delete your account, after which they are purged from the vault.

7. Your choices and rights

  • Disconnect a provider at any time from the Connections page; revoking the connection purges the stored token.
  • Revoke Google access directly at myaccount.google.com/permissions.
  • Access, correct, or delete your account data, subject to applicable law, by contacting us. Deleting your account removes your stored credentials and account information.

8. International transfers

Permia may process and store information in countries other than where you live. Where we transfer information across borders, we take steps to ensure it remains protected consistent with this Policy and applicable law.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal information.

10. Changes to this Policy

We may update this Policy from time to time. We will revise the "Last updated" date above and, for material changes, take reasonable steps to notify you.

11. Contact us

Questions or requests about this Policy or your data can be sent to privacy@permia.io.