Privacy Policy
Belt builds focused desktop apps for sensitive business workflows, backed by single-tenant cloud storage and end-to-end encryption. This policy explains what information we collect, how we use and protect it, and the choices and rights you have.
Last updated: June 21, 2026
This policy applies to belt.ai and to Belt's desktop applications and associated cloud services (collectively, the "Services"). Processing of customer data within the Services is also governed by our Data Processing Addendum and described in our Security overview.
1. Scope & our role
Belt acts in two distinct roles depending on the data involved:
- Controller. For our website, marketing, sales inquiries, and account administration, Belt determines the purposes and means of processing and acts as a data controller (or "business" under U.S. law).
- Processor. For content and data that customers and their authorized users create, upload, or process within the Services ("Customer Data"), Belt acts as a data processor (or "service provider") and processes that data solely on the customer's documented instructions, as set out in our Data Processing Addendum and the applicable order form or Master Services Agreement ("MSA").
Where this policy and a signed agreement conflict with respect to Customer Data, the signed agreement and DPA control.
2. Information we collect
Information you provide
- Account & contact details — name, business email, company, role, and similar details when you create an account, request a trial, or contact us.
- Single sign-on (SSO) profile data — when you sign in with Google or Microsoft 365, we receive limited profile information from your identity provider (such as your name, email address, and directory/tenant identifier). We never receive or store your SSO password.
- Support & communications — messages, attachments, and details you send when you request support or otherwise communicate with us.
- Billing information — billing contact and transaction details; payment card data is handled by our payment processor, not stored by Belt.
Information collected automatically
- Product & usage telemetry — limited diagnostic, performance, and feature-usage data used to operate, secure, and improve the Services. Where required, telemetry is configurable or can be minimized for enterprise deployments.
- Device & log data — IP address, app/OS version, timestamps, and error logs.
Customer Data is different. Content you process inside the apps (documents, prompts, knowledge bases, and the data in your single-tenant database) is processed on your behalf as a processor. We do not use Customer Data for our own purposes and do not use Customer Data to train AI models.
3. How we use information
As a controller, we use the information described above to:
- provide, operate, maintain, and secure the Services;
- authenticate users and administer accounts (including SSO);
- respond to inquiries, provide support, and manage customer relationships;
- process billing and manage subscriptions;
- diagnose problems, monitor performance, and improve our products;
- detect, prevent, and investigate fraud, abuse, and security incidents; and
- comply with legal obligations and enforce our agreements.
We do not sell or share personal information, and we do not use personal information or Customer Data for cross-context behavioral advertising or to train AI models.
4. Local & cloud AI models
Belt's apps let you choose where AI processing happens, and that choice affects how data is handled:
- Local models. When you run a local/on-device model, prompts and content are processed on your device or your own infrastructure and are not transmitted to Belt or to an external model provider for inference.
- Cloud models. When you choose a cloud model, the relevant prompts and content are transmitted to the configured model provider to generate a response. That processing is subject to the model provider's terms and privacy practices. Belt does not control, and is not responsible for, third-party model providers; see our Terms.
The customer controls which models are enabled and used. Where supported, administrators can restrict the Services to local models only for sensitive workflows.
5. Legal bases for processing (GDPR/UK GDPR)
Where the GDPR or UK GDPR applies, we process personal data on the following legal bases:
- Performance of a contract — to provide the Services and fulfil our agreements;
- Legitimate interests — to secure, support, and improve the Services, provided those interests are not overridden by your rights;
- Consent — where we ask for it (for example, certain communications), which you may withdraw at any time; and
- Legal obligation — to comply with applicable law.
6. Sharing & sub-processors
We share information only as needed to run the Services and never sell it. Categories of recipients include:
- Cloud infrastructure providers that host our single-tenant databases and services;
- AI model providers you choose to enable for cloud inference;
- Identity providers (Google, Microsoft 365) for SSO;
- Service providers for billing, communications, analytics, and support; and
- Legal & safety recipients where required by law, to protect rights and safety, or in connection with a corporate transaction.
A current list of sub-processors that handle Customer Data is maintained in our Data Processing Addendum.
7. International data transfers
Belt may process information in countries other than your own. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or another lawful transfer mechanism. Customers may also be able to select a data residency region for single-tenant deployments where offered.
8. Data retention
We retain personal data for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Customer Data is retained according to the applicable agreement; upon termination, Customer Data in the customer's single-tenant environment is deleted or returned as described in the DPA and order form.
9. Security
We protect data with technical and organizational measures including end-to-end encryption, encryption in transit (TLS) and at rest, single-tenant database isolation, least-privilege access controls, logging and monitoring, and a documented incident response process. No method of transmission or storage is perfectly secure, but we work continuously to safeguard your information. Learn more on our Security page.
10. Your privacy rights
Depending on where you live, you may have rights to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of your data;
- request a portable copy of your data;
- object to or restrict certain processing; and
- withdraw consent where processing is based on consent.
To exercise these rights, contact the Belt team. We will respond as required by applicable law. If you are an authorized user of a customer's account, please direct requests to that customer (the controller); we will assist them as described in the DPA. You may also have the right to lodge a complaint with your supervisory authority.
11. California privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to know, access, correct, and delete personal information, and to opt out of "sale" or "sharing" of personal information. Belt does not sell or share personal information and does not use it for cross-context behavioral advertising. We will not discriminate against you for exercising your rights. To make a request, contact us; we may need to verify your identity before responding.
12. Cookies & analytics
Our website uses a limited set of essential and analytics cookies to operate the site and understand aggregate usage. You can control cookies through your browser settings. We do not use cookies for cross-context behavioral advertising.
13. Children's privacy
The Services are intended for business use and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us and we will delete it.
14. Changes & contact
We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by additional notice. Questions about privacy? Contact the Belt team.