Privacy Policy

1. Definitions. "Personal data" means information that identifies or reasonably relates to an identifiable individual. "Customer Data" means content and information submitted to, generated within, or processed through the Services by or on behalf of a Customer, including messages, files, prompts, inputs, outputs, and other communications. "Other Information" means information collected or generated in connection with operation of the Services that is not Customer Data. Customer Data that has been aggregated or de-identified such that it no longer constitutes Personal Data is not Customer Data and is treated as Other Information for the purposes of this Privacy Policy. Capitalized terms not defined here have the meanings given in the User Terms of Service, Acceptable Use Policy, or Enterprise Services Agreement.

2. Scope and Purpose. This Privacy Policy explains how A Dream Inc. (d/b/a "Popcorn") ("we," "us," or "our") collects, uses, discloses, retains, and protects personal data in connection with the Popcorn services available at popcorn.ai (the "Services"). It applies to users, visitors, and other individuals whose personal data is processed by us in connection with operation of the Services and related websites, support channels, and communications.

This Privacy Policy does not apply to third-party applications, tools, artificial intelligence services, or other software that integrate with or are accessible through the Services ("Third-Party Services" or "Third-Party Integrations"). Third-Party Services operate under their own terms of service and privacy policies, and we do not control how such third parties collect, use, or process personal data. You are responsible for reviewing and complying with the terms and privacy practices of any Third-Party Services you enable or use.

Access to and use of the Services may be governed by a separate written agreement between the Customer and A Dream Inc. (an "Enterprise Services Agreement") where applicable. That agreement governs delivery, configuration, and use of the Services, including the processing of messages, files, prompts, outputs, and other content submitted through the Services ("Customer Data").

The organization or individual that enters into the Enterprise Services Agreement (the "Customer") controls its workspace, including user access, settings, integrations, retention configurations, and administrative actions, as well as all Customer Data associated with that workspace. If you access the Services through a workspace, your use of the Services and the processing of Customer Data are subject to the Customer's policies and instructions. Questions regarding workspace-specific practices should be directed to the applicable Customer.

This Privacy Policy describes our general data practices and does not override or modify the Enterprise Services Agreement or Customer instructions regarding Customer Data.

3. Controller and Processor Roles. For Customer Data, the applicable Customer is the data controller and we act as a service provider or data processor, processing Customer Data only in accordance with the Customer's instructions, the Enterprise Services Agreement, and applicable law. For Other Information, we act as the data controller (or "business," "controller," as applicable under relevant law). Responsibilities, rights, and obligations differ depending on this distinction.

4. Applicability of Enterprise Services Agreements. The processing of Customer Data is governed by the Enterprise Services Agreement and any applicable data processing addendum between us and the Customer. Requests relating to Customer Data, including access, deletion, or export, should generally be directed to the Customer that controls the workspace.

5. Categories of Personal Data Collected. In the course of providing the Services, we collect and process certain personal data and operational data as necessary to enable core functionality, including collaboration, automation, integrations, and artificial-intelligence features. This data may be processed transiently or in real time and may not be retained beyond what is necessary to perform the requested operation.

This includes, without limitation:

• Conversations, messages, prompts, and content submitted within workspaces, channels, threads, and direct messages;
• Decisions, actions, and events initiated through the Services, such as triggering workflows, creating or updating records in third-party systems (e.g., filing a bug in an issue-tracking tool), executing webhooks, or invoking integrations;
• Contextual and configuration information, including user time zone, workspace settings, permissions, and feature configurations;
• Information retrieved from or transmitted to external services through authorized integrations, such as documents, metadata, usernames, identifiers, or status information made available through an API;
• Webhook payloads, API requests, and responses necessary to perform requested actions;
• AI-related inputs and contextual data required to generate outputs or perform automated tasks.

Some of this data is processed dynamically to fulfill user requests and enable functionality and may not be persistently stored by us except as described in this Privacy Policy, the User Terms of Service, or the applicable Enterprise Services Agreement.

The Services may generate derived data from Customer Data, including summaries, decisions, action items, participant associations, contextual inferences, and User Memory generated through AI-enabled features. Such derived information may be stored as Communication Memory or User Memory (collectively "Derived Data" or "Memory").

Certain information processed through the Services is stored, logged, or retained for limited periods in order to operate, secure, support, and improve the Services, comply with legal obligations, and enforce agreements. Subject to the retention practices described below, such information may include:

• Messages, conversations, and content processed through the Services, subject to system-defined retention limits, including automatic deletion of private messages after approximately twenty-four (24) hours;
• Metadata and logs associated with service usage, such as timestamps, workspace and channel identifiers, feature usage, administrative actions, error logs, and audit-related records;
• Information received from Third-Party Tools, integrations, and artificial-intelligence services to the extent necessary to execute actions, maintain service integrity, or troubleshoot issues;
• Account-level, subscription, billing-administration, and workspace-management information for Customers;
• Security, fraud-prevention, and operational logs maintained to protect the Services and Users.

We do not retain private messages, private channel content, or direct messages beyond the applicable retention period described in Section 14, except where required to comply with legal obligations or valid legal process.

6. AI-Related Data Processing. When users interact with AI-enabled features, inputs and outputs are processed to provide functionality of the Services. AI-generated outputs are probabilistic and may vary over time for identical inputs.

• Derived Data may be used to personalize interactions, generate summaries, or support future actions within the Services, including but not limited to user-specific interactions.
• Unless otherwise specified in the Enterprise Services Agreement, Customer Data submitted to AI features is not used by us to train general-purpose artificial intelligence models.
• We may process limited data to operate, secure, monitor, and improve the Services, including AI-related performance, reliability, and safety monitoring, consistent with Customer instructions and applicable law.
• AI-related processing may involve transient storage, caching, or logging for performance, security, or abuse-prevention purposes, consistent with the retention practices described in this Privacy Policy.
• Third-party artificial intelligence service providers may process Customer Data to generate outputs or perform requested tasks. Such providers may retain or use data to the extent permitted under their terms and privacy policy and as necessary for safety, security, abuse prevention, quality assurance, legal compliance, or auditing, and we do not control such internal practices beyond contractual commitments.

7. Artificial Intelligence Service Providers. To provide AI-enabled functionality, we may transmit conversation data, messages, contextual information, and related metadata to third-party artificial intelligence service providers. These providers process such data on our behalf in accordance with contractual arrangements and their applicable terms.

Use of AI-enabled features requires this processing. By accessing or using the Services, you acknowledge and agree that your data will be processed in this manner to provide AI functionality. You may not opt out of such processing while continuing to use the Services. If you do not agree to this processing, you must discontinue use of the Services.

Processing by third-party AI providers is subject to their terms and privacy practices, which may change over time.

8. Sources of Personal Data. Personal data is collected directly from users or Customers, automatically through use of the Services, from third-party services authorized by Customers, and from our service providers and affiliates supporting operation of the Services.

9. Purposes of Processing. We process personal data for the following business purposes:

• To provide, operate, maintain, and secure the Services;
• To authenticate users and manage accounts and workspaces;
• To enable collaboration, messaging, file sharing, integrations, and AI-enabled features;
• To provide customer support and respond to inquiries;
• To monitor performance, diagnose errors, support quality assurance and safety, and improve reliability and functionality;
• To detect, prevent, and investigate fraud, abuse, security incidents, and policy violations;
• To comply with legal obligations and enforce agreements;
• To send operational, security, legal, and administrative communications that are part of the Services;
• To develop new features and improve existing functionality; and
• To generate aggregated or de-identified analytics for business and product improvement.

Where permitted by law, we may also send marketing or promotional communications, which recipients may opt out of.

10. Legal Bases for Processing. Where required by law, we process personal data based on performance of a contract, legitimate business purposes, compliance with legal obligations, and consent where applicable. Legitimate business purposes include operating and improving the Services, maintaining security, preventing misuse, and supporting Customers; see paragraph 9 for more detail.

11. Data Sharing and Disclosure. We share personal data in the following circumstances:

• With Customers and workspace administrators, in accordance with Customer instructions, workspace configurations, and applicable law. Customers control access to Customer Data within their workspaces.
• Within the Services, where information submitted by users may be visible to other authorized users in the same workspace or to connected workspaces or external collaborators if enabled by the Customer.
• With service providers and subprocessors, including providers of hosting, infrastructure, analytics, customer support, security, AI inference, and operational services, subject to contractual safeguards.
• With third-party services, when enabled by a Customer or user, subject to the third party's terms and privacy practices. We do not receive or store third-party service passwords; authentication is typically handled through token-based authorization mechanisms.
• With professional advisers, such as legal, accounting, and insurance providers.
• In connection with corporate transactions, including mergers, acquisitions, reorganizations, or asset sales.
• For legal and safety purposes, including to comply with lawful requests, court orders, subpoenas, or legal process, or to protect our rights, property, or safety, or the rights, property, or safety of our users, Customers, or others. Where legally permitted, we may notify the applicable Customer before producing Customer Data.
• With consent, where an individual has authorized the disclosure.

Certain disclosures of personal data may be subject to opt-out rights under applicable U.S. state privacy laws. Please see Section 17 (User Rights) and 18 (California and U.S. State Privacy Rights) for additional information regarding available opt-out rights and how to exercise them.

Depending on workspace configuration and how AI agents are invoked, information derived from Memory, including both Communication Memory and User Memory, may be visible to other authorized users within a workspace, channel, or shared context.

12. Third-Party Integrations. If a Customer enables third-party services, those services may access personal data as required for integration. We do not control third-party practices, and their terms and privacy policies apply.

13. Cookies and Similar Technologies. We use cookies and similar technologies on our public-facing websites to support functionality, security, analytics, and marketing activities, including interest-based advertising. These technologies may collect information, including but not limited to device identifiers, browser information, IP address, and interaction data when you visit our websites.

We do not use advertising cookies or third-party ad tracking technologies within Customer workspaces or within the core Services. Use of cookies and similar technologies may be controlled through browser settings and other available tools. Additional information regarding cookies and advertising practices is provided in our Cookie Policy.

14. Data Retention. We retain personal data only for as long as reasonably necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain security and integrity. We also retain Customer Data in accordance with the Customer's instructions (in accordance with the applicable Enterprise Services Agreement).

Private messages, including direct messages and messages within private or shared channels, are automatically deleted after a short retention period, generally within approximately twenty-four (24) hours, and are not recoverable thereafter. Retention settings for private messages are fixed and not configurable.

Deletion of Customer Data may also result in deletion or de-identification of associated metadata, logs, or references, subject to operational and legal requirements.

Public messages and posts are retained unless deleted or subject to retention settings configured by the applicable Customer, where supported by the Services.

Other account, usage, and technical information is retained for operational, security, audit, and legal purposes, typically for several months to a few years depending on the nature and purpose of the data after which it is deleted, anonymized, or aggregated, in accordance with all applicable law. We may retain such data longer if required by law or necessary to enforce legal rights.

15. Security. We implement reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or disclosure, taking into account the nature of the data and current industry practices. No system can be guaranteed to be completely secure. Clicking links to third-party sites navigates you off our website and platform; we do not control or endorse content and the security of third-party sites.

Access to Customer Data and Memory by our personnel is limited and subject to internal controls; developers generally have access only to error logs and operational diagnostics.

16. Children. The Services are not directed to individuals under sixteen (16) years of age. We do not knowingly collect personal data from children under that age and will take reasonable steps to delete such data if discovered.

17. User Rights. Depending on your jurisdiction, you may have certain rights with respect to your personal data, subject to limitations under applicable law. These rights may include the right to request access to, correction of, deletion of, or information about the processing of your personal data, as well as the right to receive a copy of certain data in a portable format.

Where supported by the Services, users may request correction or removal of certain Memory elements, including in some instances via directly prompting the AI agent. Requests relating to Memory associated with Customer Data are subject to the Customer's controls and instructions.

If your request relates to Customer Data processed on behalf of a Customer (such as messages, files, prompts, or content submitted within a workspace), we process such data solely as a service provider or processor. Requests to exercise rights relating to Customer Data must be directed to the Customer that controls the applicable workspace. We may be unable to respond directly to such requests without Customer authorization.

Requests relating to personal data that we process as a controller (such as account-level, usage, device, or support information) may be submitted directly to us using the contact information below. We may require verification of identity before responding to a request. Certain requests may be limited or denied where permitted by law, including where fulfilling the request would impair the rights of others, conflict with legal obligations, or relate to data that we are required to retain for legal, security, compliance, or operational purposes.

Nothing in this Section is intended to create, and does not create, any legal obligation, promise, or guarantee beyond what is required under applicable law. The availability and scope of any rights described above may depend on your jurisdiction, the nature of the data at issue, and the technical capabilities and configuration of the Services.

To the extent we, in our discretion, provide assistance, accommodations, or functionality beyond what is required under applicable law, such actions are voluntary, subject to the applicable Enterprise Services Agreement and Service configuration, and do not create any obligation, precedent, or guarantee that similar actions will be taken in the future for the same or different users or Customers.

18. California and U.S. State Privacy Rights. This section supplements the disclosures in this Privacy Policy and applies to individuals residing in California and other U.S. states with comprehensive privacy laws, including but not limited to the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), and similar statutes in other U.S. jurisdictions.

We collect, use, and disclose the categories of personal data described in Section 5 (Categories of Personal Data Collected) of this Privacy Policy for the business and commercial purposes described in Section 9 (Purposes of Processing) and share such data as described in Section 11 (Data Sharing and Disclosure).

We do not collect additional categories of personal data beyond those described elsewhere in this Privacy Policy solely because an individual resides in California or another U.S. state.

For purposes of U.S. state privacy laws, the personal data we collect may include identifiers, commercial information, internet or electronic network activity information, financial information, geolocation information, professional or employment-related information, audio or visual information, and in limited circumstances sensitive personal data, as those terms are defined under applicable law. These categories correspond to and are further described in Section 5 of this Privacy Policy.

We collect and use such personal data for the business and commercial purposes described in Section 9, including to provide and operate the Services, support Customers, secure and maintain the platform, comply with legal obligations, and improve functionality.

We do not sell personal data as those terms are defined under the CCPA/CPRA or similar U.S. state laws. We may disclose personal data to service providers, subprocessors, Customers, and third-party services as described in Section 11 for business purposes.

To the extent we engage in data sharing for targeted advertising on third-party websites (if any), such sharing does not apply to Customer Data processed within the Services and may be subject to separate opt-out mechanisms, including browser-based privacy controls, where required by law.

Subject to applicable law and certain limitations, individuals covered by U.S. state privacy laws may have the right to:

• Request access to the personal data we maintain about them;
• Request correction of inaccurate personal data;
• Request deletion of personal data;
• Obtain information about our collection, use, and disclosure practices;
• Opt out of certain disclosures or uses of personal data, where applicable; and
• Not be discriminated against for exercising privacy rights.

To the extent required by applicable California or other U.S. state privacy laws, individuals may have the right to opt out of certain disclosures or sharing of personal data. Because the Services operate through Customer-controlled workspaces and integrations, users may exercise applicable opt-out rights by discontinuing use of the Services, disconnecting or disabling Third-Party Tools or integrations where available, requesting removal from channels or workspaces where Third-Party Tools are enabled, or otherwise coordinating with the applicable Customer or channel manager to limit or discontinue data sharing within the Services.

Requests relating to Customer Data (such as messages, files, prompts, or content submitted within a workspace) must be directed to the Customer that controls the applicable workspace, as we process such data solely on the Customer's behalf.

Requests relating to Other Information processed by us as a controller may be submitted directly to us using the contact information provided below.

We may take reasonable steps to verify the identity of individuals submitting requests and may deny or limit requests where permitted by law, including where compliance would impair the rights of others, conflict with legal obligations, or relate to data we are required to retain for security or compliance purposes.

Where permitted by law, individuals may designate an authorized agent to submit privacy rights requests on their behalf. We may require proof of authorization and verification of identity before processing such requests.

19. Changes to This Privacy Policy. We may update this Privacy Policy from time to time. Material changes will be communicated through the Services or other reasonable means. Continued use of the Services after changes become effective constitutes acceptance. If you do not agree with the changes, you should stop using the Services and contact the applicable Customer regarding account deactivation.

20. Contact Information. Questions or requests regarding this Privacy Policy may be directed to:

A Dream Inc. (d/b/a "Popcorn")

Email: contact@popcorn.ai

Mailing Address: 5214F Diamond Heights Blvd #3226, San Francisco, CA 94131

At A Dream Inc. (d/b/a "Popcorn"), we value transparency about how we collect and use information. This Cookie Policy explains how and when we use cookies and similar technologies in connection with our websites and related online properties. Capitalized terms not defined in this Cookie Policy have the meanings set forth in our Privacy Policy, which provides additional details about our data practices.

What Are Cookies?

Cookies are small text files that are placed on your computer or mobile device when you visit a website. Cookies allow a website to recognize your browser or device and to store certain information. Cookies may be session-based, meaning they last only while your browser is open and are deleted when you close it, or persistent, meaning they remain on your device until they expire or are deleted. In addition to cookies, we may use similar technologies such as pixels, tags, web beacons, or software development kits (SDKs) for similar purposes.

Do We Use Cookies?

Yes. We use cookies and similar technologies on our websites to support functionality, security, analytics, and marketing activities. Cookies may be set by us or by third parties that provide services on our behalf.

Importantly, cookies and similar tracking technologies described in this Cookie Policy are used on our public-facing websites and are not used within the core collaboration Services themselves, including workspaces, channels, threads, direct messages, and AI-enabled features.

How Do We Use Cookies?

Cookies are used for several purposes, depending on context. Some cookies are associated with your browser or device and help us understand how visitors interact with our websites. Other cookies may remember preferences or settings to improve usability.

We generally use cookies for the following categories of purposes:

These technologies also enable aggregated auditing, measurement, research, and reporting, including understanding whether and how advertising or content has been delivered (shown to you) or displayed.

Third parties that place advertising or analytics cookies may collect information about your interactions with our websites in accordance with their own privacy policies. See the next section for more information.

Third-Party Cookies

Some cookies on our websites are placed by third-party service providers that assist us with analytics, marketing, or website functionality. While we strive to keep information current, the specific third-party cookies used may change over time.

We do not control how third-party providers use information collected through their cookies, and their practices are governed by their own privacy policies.

Your Choices and Cookie Controls

You have choices regarding the use of cookies and similar technologies on our websites.

Most web browsers allow you to control cookies through their settings. Depending on your browser, you may be able to block cookies entirely, delete existing cookies, or configure your browser to notify you when cookies are set. Some browsers also allow you to manage cookies on a site-by-site basis, which enables you to permit cookies from trusted sites while restricting others.

Where available, you may also adjust your cookie preferences through any cookie preference or consent management tools we provide on our websites.

Browser manufacturers provide documentation on how to manage cookies in their products. You may find additional information at the following resources:

• Google Chrome
• Mozilla Firefox
• Safari (Desktop)
• Safari (Mobile)
• Microsoft Edge
• Opera

For other browsers, please consult the documentation provided by the browser manufacturer.

Interest-Based Advertising Choices

We may use cookies and similar technologies on our websites (not the Services) to support advertising, marketing, analytics, and measurement. These technologies may be used to help us and our advertising partners understand, in aggregate, whether advertising or other content has been delivered or displayed, and how it performs.

You may opt out of interest-based advertising provided by participating ad networks through the Digital Advertising Alliance at https://optout.aboutads.info/.

In addition, many mobile devices allow you to control interest-based advertising through device-level privacy or advertising settings.

Please note that opting out of interest-based advertising does not mean you will stop seeing ads; it means the ads you see may be less relevant to your interests.

Impact of Disabling Cookies

If you choose to limit or disable cookies, certain features of our websites may not function properly. For example, you may not be able to remain logged in, save preferences, or access personalized features. Disabling cookies may also affect the performance or usability of the websites.

Do Not Track Signals

Some browsers offer a "Do Not Track" ("DNT") setting. Because there is not a common understanding of how to interpret DNT signals, we do not currently respond to them. Our core Services do not use advertising cookies or third-party ad tracking technologies within Customer workspaces.

Updates to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in technology, law, or our business practices. Updates will be posted on our websites, and the revised policy will apply as of the effective date indicated.

For more information about how we collect, use, and share information, please review our Privacy Policy.