CadiBrains
Effective date: March 12, 2026 · Last updated: April 9, 2026
This Privacy Policy describes how Cadi Labs collects, uses, and protects information processed through CadiBrains (also known as, and co-named, Cadi Labs App). Both names refer to the same internal enterprise chat and AI-agent platform and are fully interchangeable throughout this document and all related communications.
CadiBrains is not a public consumer product. It is deployed exclusively within organisations that hold a licence agreement with Cadi Labs, and access is limited to provisioned employees and contractors. The application does not generate revenue through the app, does not offer in-app purchases, and does not display advertising.
Your organisation (the licensed entity) acts as the primary data controller for content you create within CadiBrains. Cadi Labs acts as a data processor operating on your organisation's behalf. Questions about how your organisation handles your data should be directed to your organisation's data protection officer or administrator.
CadiBrains processes the following categories of information:
Identity & Profile Data
Name, email address, job title, and organisational attributes synced from your organisation's Azure Entra ID directory. CadiBrains does not manage passwords; all authentication is handled by your identity provider.
Conversation & Message Data
Chat messages, conversation history, metadata (timestamps, participants, reactions), and conversation summaries. This data is stored in an encrypted PostgreSQL database operated on your organisation's infrastructure or a designated cloud environment.
AI Interaction Data
Queries sent to AI agents, agent responses, tool-execution logs, and semantic embeddings generated for retrieval-augmented generation (RAG). Embeddings are stored in a pgvector database and are not human-readable text.
Preferences & Settings
User-specific application settings and preferences stored to personalise the experience.
Technical & Usage Data
Device type, operating system version, app version, and application logs used for diagnostics and security monitoring. On the mobile app, we use Google Firebase services (Analytics, Performance Monitoring, and Crashlytics) to collect anonymised usage metrics, screen-load performance data, and crash reports. Firebase may assign a device-level installation identifier; no advertising identifiers are collected. We also use OpenTelemetry trace identifiers in API requests to monitor request latency and diagnose errors across backend services — these identifiers do not contain personal data.
On-Device Storage (Mobile)
The mobile app stores certain data locally on your device using secure device storage. This includes authentication tokens, cached conversation history, user preferences (theme, selected model), and any messages queued while your device is offline. Cached data remains on-device and is not accessible to other applications. When you sign out, authentication tokens are removed. Cached data may persist until the app is uninstalled.
Information collected through CadiBrains is used exclusively to:
We do not sell your data, use it for advertising, or share it with third parties outside the scope of providing the CadiBrains service.
When you instruct an AI agent to perform an action (for example, reading an email or querying an HR record), CadiBrains uses the OAuth 2.0 On-Behalf-Of (OBO) flow. This means the agent acts with your delegated permissions — it can only access resources you are personally authorised to access. No agent can access data beyond your permission scope.
All persistent data is stored in a PostgreSQL database. Messages and sensitive fields are encrypted at rest. Inter-service communication uses gRPC over HTTP/2 with authenticated channels. Access controls follow a role-based model (ADMIN, USER, AUDITOR) enforced at the service layer. Rate limiting protects against abuse at both the per-user and per-IP level.
While Cadi Labs implements industry-standard security measures, no system can guarantee absolute security. You are responsible for keeping your organisational credentials confidential.
Data retention periods are configured by your organisation's administrator in accordance with your organisation's policies and applicable legal requirements. Cadi Labs does not set independent retention schedules for your organisation's data.
CadiBrains relies on the following third-party services to operate:
CadiBrains can also integrate with third-party enterprise services (such as Microsoft 365, Google Workspace, Jira, and HR systems) via AI agents. Data exchanged with these services is governed by their respective privacy policies and your organisation's licence agreements with those providers. Cadi Labs does not store third-party service data beyond what is necessary to complete the requested action.
CadiBrains is intended solely for use by employed adults within licensed organisations. We do not knowingly collect information from individuals under the age of 16. If you believe a minor has been granted access in error, please contact your organisation's administrator immediately.
Depending on applicable law, you may have the right to access, correct, or request deletion of personal data held about you. Because your organisation is the data controller, such requests should typically be directed to your organisation's data protection officer. Cadi Labs will cooperate with your organisation to honour valid requests.
We may update this Privacy Policy from time to time. Material changes will be communicated to your organisation's administrator and will be reflected with an updated effective date at the top of this page. Continued use of CadiBrains after changes become effective constitutes acceptance of the revised Policy.
For privacy-related enquiries, please contact your organisation's CadiBrains administrator or reach out to Cadi Labs at [email protected].
© 2026 Cadi Labs. All rights reserved.