PRIVACY POLICY

Transmogrifier

Cardboard Intelligence, Inc.

Effective Date: April 20, 2026  Last Updated: April 20, 2026

At a Glance

This summary is provided for convenience. The full Privacy Policy below is the binding document.

• We built Transmogrifier around a local-first principle. Your personal content, location, files, emails, and calendars stay within your device ecosystem and your User VM. We do not copy them to our servers.

• We share only "Pattern Learning Data." This is abstracted, de-identified behavioral signals that, by design, contain no personally identifiable information, no content, and no precise location.

• We do not sell your personal information. We do not share it for cross-context behavioral advertising.

• You control connections. You decide which accounts, devices, and services Transmogrifier can access, and you can revoke access at any time.

• You have rights. Access, delete, correct, export, and opt out — see Section 9.

1. Introduction

Cardboard Intelligence, Inc., a Delaware corporation ("Cardboard," "we," "our," or "us"), provides Transmogrifier, an AI-powered personal operator application (the "Service"). This Privacy Policy explains what information we collect, process, and share when you use the Service, and the choices and rights you have.

This Policy applies to the Service across mobile platforms (iOS/Apple, Android/Google), desktop platforms (Windows, macOS), and associated web properties. Capitalized terms not defined here have the meaning given in our Terms of Service.

2. Our Privacy-Preserving Architecture

2.1 Local-First Data Handling. Transmogrifier is designed so that your personal content — the files, messages, calendar entries, location data, and other data the Service accesses — remains on devices you own or within a user-owned virtual machine (the "User VM") that functions as your always-on personal computing environment. Cardboard's central systems are not designed to, and in ordinary operation do not, receive or store copies of this content.

2.2 What Leaves Your Ecosystem. The following limited categories of data may be transmitted from your environment to Cardboard or its service providers: (a) account and authentication data required to operate your account; (b) diagnostic and telemetry data needed to detect crashes and service disruptions; (c) Pattern Learning Data, as described in Section 2.3; and (d) any data you voluntarily send to us, such as support messages. We aim to minimize what leaves your ecosystem.

2.3 Pattern Learning Data. The Service generates abstracted behavioral and outcome signals — for example, the frequency of certain categories of actions, success/failure rates of automations, latency metrics, and feature usage patterns — which are de-identified and aggregated before transmission ("Pattern Learning Data"). By design, Pattern Learning Data excludes: personally identifiable information (name, email, contact details, account identifiers linkable to you); the content of your files, messages, emails, or calendar entries; precise location data; identifiers of third parties (correspondents, contacts); and any data from which you or a third party could reasonably be re-identified, whether alone or in combination with other data reasonably available to Cardboard. Pattern Learning Data is used to improve the Service and may be shared across Cardboard's network of deployed Services to improve model and system performance for all users.

2.4 No Content Training Without Consent. We do not use the content of your files, emails, calendars, messages, or other User Content to train foundation models or to improve models for users other than you, unless you expressly opt in.

3. Information We Process

The table below summarizes the categories of information handled in connection with the Service and where each category primarily resides.

Category

Examples

Where It Lives

Account Data

Name, email, authentication credentials, billing identifiers

Cardboard servers (minimum necessary)

Device & Technical Data

Device model, OS version, app version, crash logs, diagnostic identifiers, IP address (at connection)

Cardboard servers (transient/logged)

User Content

Files, emails, calendar entries, messages, documents, notes the Service accesses at your direction

Your devices and User VM only

Location Data

Precise or approximate device location when enabled

Your devices and User VM only

Third-Party Integration Data

Tokens, scopes, and data accessed from connected accounts (Gmail, Outlook, Google Drive, iCloud, etc.)

Your devices and User VM; tokens may be brokered through Cardboard

Pattern Learning Data

De-identified, aggregated behavioral and outcome signals (e.g., "users who triggered action X succeeded Y% of the time")

Cardboard network (no PII, no content)

Support & Communications

Messages you send to support, feedback, survey responses

Cardboard servers

Payment Data

Handled by app stores or payment processors; we receive transaction confirmations, not full card numbers

Third-party processors

4. How We Use Information

We use information for the following purposes:

• To provide the Service: set up your account, provision and maintain your User VM, execute tasks you direct, sync with Third-Party Services you connect.

• To secure the Service: detect and prevent fraud, abuse, unauthorized access, or security incidents.

• To support you: respond to questions, troubleshoot issues, and communicate about the Service.

• To improve the Service: analyze Pattern Learning Data and aggregated diagnostics to improve features, reliability, and safety.

• To comply with law: meet legal, regulatory, and contractual obligations, including responding to lawful requests.

• To enforce our terms: investigate and enforce compliance with our Terms of Service and applicable policies.

For users in the European Economic Area, United Kingdom, and Switzerland, the legal bases for processing are: (a) performance of our contract with you; (b) your consent, where required (e.g., for precise location, certain sensitive data categories, and optional analytics); (c) our legitimate interests in operating, securing, and improving the Service, balanced against your rights; and (d) compliance with legal obligations.

5. Permissions We Request

Depending on your configuration and platform, the Service may request operating-system-level permissions. We request only the permissions needed for the features you use.

• Location (precise/approximate): for context-aware assistance; used locally on your device and within your User VM. Not transmitted to Cardboard servers.

• Files and storage: to read, organize, or act on files you direct the Service to manage. Processed within your ecosystem.

• Contacts: to assist with communications you direct. Processed within your ecosystem.

• Calendar: to read, create, or modify events at your direction. Processed within your ecosystem.

• Email: to read, draft, or send messages via your connected accounts at your direction. Processed within your ecosystem.

• Microphone/Camera (if enabled): for voice commands and multimodal features. Processed on-device or within your User VM unless you opt in to cloud processing.

• Notifications: to alert you about tasks, reminders, and status changes.

• Background activity: to allow the Service to operate continuously on your behalf.

You can grant or revoke any of these permissions at any time in your operating system's settings. Revoking a permission may disable the corresponding feature.

6. How We Share Information

We share information only in the following limited circumstances:

• With service providers: we use vetted vendors (e.g., cloud infrastructure, authentication, analytics, customer support tools) who process limited data on our behalf under contractual confidentiality and security obligations. These providers do not receive your User Content or precise location data.

• With Third-Party Services you connect: when you authorize the Service to connect to Gmail, Google Calendar, Microsoft 365, iCloud, Dropbox, or similar services, data flows between your User VM/device and those services according to the scopes you approve. Those services' own privacy policies apply to their handling of your data.

• For legal reasons: we may disclose information when we believe in good faith that it is necessary to comply with a legal obligation, enforce our Terms, protect the rights, property, or safety of Cardboard, our users, or others, or respond to a lawful government request. Where permitted, we will notify you.

• In business transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred, subject to the acquirer's commitment to honor this Policy or notify you of material changes.

• With your consent: for any other purpose disclosed to you at the time.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (as amended) or comparable U.S. state privacy laws.

7. International Transfers

Cardboard is based in the United States. Account, diagnostic, and Pattern Learning Data may be processed in the United States and in other countries where our service providers operate. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, as applicable. You may request a copy of these safeguards by contacting us at the address in Section 13.

8. Data Retention

We retain information only as long as needed for the purposes described in this Policy, or as required by law.

• User Content: stored on your devices and User VM under your control. You can delete it at any time. We do not maintain separate copies.

• Account data: retained while your account is active and for a limited period after closure to meet legal, tax, and audit obligations.

• Diagnostics and logs: retained for a limited operational period (typically 30–90 days) and then deleted or further de-identified.

• Pattern Learning Data: retained in aggregated, de-identified form for the useful life of the Service.

• Support communications: retained as needed to provide support and for a reasonable period thereafter.

9. Your Privacy Rights

Subject to your jurisdiction, you may have the rights described in the table below. To exercise any right, contact us at suppart@getcardboardai.com. We will verify your request using information associated with your account and respond within the timeframes required by law (generally 30–45 days).

Right

Description

Access

Request a copy of personal data we hold about you.

Correction

Request correction of inaccurate or incomplete personal data.

Deletion

Request deletion of your personal data, subject to legal retention requirements.

Portability

Request a copy of data you provided in a structured, machine-readable format.

Opt-Out of Sale/Sharing

We do not sell personal information or share it for cross-context behavioral advertising.

Limit Use of Sensitive Data

Restrict processing of sensitive personal information to purposes permitted by law.

Withdraw Consent

Where processing is based on consent, withdraw it at any time.

Object

Object to processing based on legitimate interests, including profiling.

Automated Decision-Making

Request human review of significant automated decisions affecting you.

Non-Discrimination

We will not discriminate against you for exercising your rights.

9.1 California (CCPA/CPRA). California residents have additional rights, including the right to know categories and specific pieces of personal information collected, sold, or shared; the right to delete; the right to correct; the right to limit the use of sensitive personal information; the right to opt out of sale/sharing (we do not engage in either); and the right to non-discrimination. You may designate an authorized agent to make requests on your behalf.

9.2 Other U.S. States. Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights similar to those above, including the right to appeal a denial of a request. To appeal, reply to our response or contact us at support@getcardboardai.com with "Appeal" in the subject line.

9.3 EEA/UK/Switzerland. You have the right to lodge a complaint with your local data protection authority. For the UK, this is the Information Commissioner's Office (ICO).

9.4 Canada, Brazil, Australia, and Other Jurisdictions. If you are located in one of these jurisdictions, additional or alternate rights may apply under PIPEDA, LGPD, the Privacy Act 1988, or similar laws. Contact us to exercise them.

10. Security

We implement administrative, technical, and physical safeguards designed to protect information handled in connection with the Service, including encryption in transit, encryption at rest for data we host, access controls, least-privilege provisioning, logging, and regular security reviews. Because the Service is local-first, the most sensitive categories of data never leave your ecosystem in ordinary operation.

You are responsible for: maintaining the security of the devices on which the Service runs; protecting your account credentials; and securing any Third-Party Services you connect. No system is completely secure, and we cannot guarantee absolute security.

11. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. In the EEA and UK, the Service is not directed to individuals under 16. If you believe a child has provided personal information to us, please contact us and we will take steps to delete it.

12. Platform-Specific Disclosures

12.1 Apple (iOS/iPadOS/macOS). Our app's "Privacy Nutrition Label" in the App Store discloses the categories of data collected and how they are linked to you or used for tracking, consistent with Apple's App Store guidelines. We comply with Apple's App Tracking Transparency framework and do not track you across apps and websites owned by other companies without your permission. SKAdNetwork or similar Apple-provided frameworks, if used, are described in the Nutrition Label.

12.2 Google Play (Android). Our app's Data Safety section in the Google Play Store discloses the categories of data collected and shared, security practices, and data deletion options, consistent with Google Play's Data Safety requirements and Developer Program Policies.

12.3 Microsoft Store (Windows). We comply with Microsoft Store Policies regarding privacy disclosures. Telemetry on Windows may be subject to your Windows diagnostic data settings.

12.4 Permissions Sensitive to Platforms. Certain permissions (e.g., background location, SMS/Call Log access, accessibility services, Health/HealthKit, contacts) are governed by platform-specific policies. We request these only when a feature you enable requires them, and we use them only for the disclosed purpose.

13. Contact Us

If you have questions about this Privacy Policy or our practices, or if you want to exercise your rights, contact us at:

Cardboard Intelligence, Inc.

Attn: Privacy Office

1111 6th Ave

Ste 550 PMB 703484

San Diego, CA 92101

Email: support@getcardboardai.com

For EEA/UK users, our representative (if required under Article 27 GDPR or UK GDPR) is [INSERT REPRESENTATIVE / CONTACT].

For state privacy law inquiries in the United States, California, and other state-specific requests, please include the state of residence and specify your request.

14. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service, by email, or by other reasonable means before the changes take effect. The "Last Updated" date at the top of this Policy indicates when it was last revised. Your continued use of the Service after the effective date of an updated Policy constitutes acceptance of the changes. If you do not agree to the updated Policy, you must stop using the Service.

— End of Privacy Policy —