Privacy Policy
Last updated May 29, 2026
This Privacy Policy explains how Geodesic Labs, Inc. handles information when you use Workbench, including the managed web service, command-line interface, APIs, hosted evidence and source, billing, and authentication.
This Privacy Notice for Geodesic Labs, Inc. ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use Workbench and related products and services ("Services"), including when you:
- Visit our website at https://workbench.ai or any website of ours that links to this Privacy Notice.
- Install or use the Workbench command-line interface, connect it to Workbench Cloud, approve CLI device login, or use Workbench APIs.
- Create, upload, publish, install, measure, or improve Workbench-managed skills through the Services.
- Use Workbench Cloud, billing, or authentication features.
- Engage with us in other related ways, including support, feedback, marketing, or events.
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use the Services. If you still have questions or concerns, contact us at privacy@geodesiclabs.com.
Summary of key points
This summary provides key points from our Privacy Notice. You can find more detail by using the table of contents above.
What personal information do we process? When you visit, use, or navigate the Services, we may process personal information depending on how you interact with Workbench, the choices you make, and the features you use.
Do we process sensitive personal information? We may process sensitive information when necessary to provide requested features, such as account login data, CLI access tokens, provider API keys or OAuth tokens, adapter credentials, secrets, and private skill files that you choose to submit.
Do we collect information from third parties? We may receive limited information from authentication providers, payment processors, analytics providers, and agent, model, cloud, or package providers when you choose to use features that depend on them.
How do we process your information? We process your information to provide, secure, administer, and improve the Services; manage Workbench evidence, source, and requested measurement workflows; manage accounts, CLI access, billing, support, and abuse prevention; and comply with law.
How do you exercise your rights? The easiest way to exercise your rights is by contacting us at privacy@geodesiclabs.com. We will consider and act upon any request in accordance with applicable data protection laws.
1. What information do we collect?
Personal information you disclose to us
In short: We collect personal information that you provide to us.
We collect personal information that you voluntarily provide when you register for the Services, authenticate through the web or CLI, create a username profile, connect provider credentials, manage a Workbench plan, upload or publish skill source, run measurements or improvements where available, request support, or otherwise contact us.
Account and contact information. This may include names, email addresses, usernames, authentication provider identifiers, account settings, support messages, and feedback.
CLI and authentication information. This may include device authorization codes, browser session information, Workbench access tokens, token revocation records, account login metadata, and related security records.
Workbench skill and measurement content. This may include skill files, eval cases, prompts, expected outputs, private verifier files, agent configuration, evaluation results, traces, logs, usage metadata, source file paths contained in uploaded skill workspaces, and other artifacts you submit or generate through the Services.
Adapter authentication and secrets. If you connect agent or model provider credentials, API keys, OAuth tokens, or other secrets for requested Workbench features, we process that material only as needed to provide, secure, and troubleshoot the requested Services.
Payment and billing data. We may collect data necessary to process Workbench plan subscriptions, invoices, hosted-compute usage, and billing support. Payment card details are handled and stored by Stripe. You may find Stripe's privacy notice at https://stripe.com/privacy.
Social login data. We may provide the option to log in using a third-party account, such as Google through Cognito. If you choose to log in this way, we receive certain profile information from the provider, as described in How do we handle your social logins?.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.
Information automatically collected
In short: Some information, such as your IP address, browser and device characteristics, CLI/API request metadata, and service diagnostics, is collected automatically when you use our Services.
We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information, including IP address, browser and device characteristics, operating system, language preferences, referring URLs, approximate location, pages viewed, features used, request timestamps, status codes, error diagnostics, and information about how and when you use our Services.
- Log and usage data. Service-related, diagnostic, usage, and performance information our servers collect when you access or use the Services, including authentication events, CLI/API request metadata, page paths, feature events, skill-state transitions, billing status events, browser type, settings, date/time stamps, and crash or error diagnostics.
- Device data. Information about the computer, browser, or other device you use to access the Services, such as IP address, browser type, operating system, internet service provider, and system configuration information.
- Workbench workflow metadata. Information needed to operate and secure requested workflows, such as skill versions, agent names, run status, evaluation summaries, trace metadata, resource usage, normalized provider usage where available, and operational logs. This metadata is used to troubleshoot, bill, and improve the managed service.
Like many businesses, we use cookies and similar technologies. When analytics are enabled, Workbench analytics captures path-only page views and product lifecycle metadata. Skill source, prompts, file contents, file paths, query values, traces, adapter auth material, and secrets are not sent to analytics.
Information from third parties
We may receive limited information from third parties when you choose to use features that depend on them. This may include authentication profile information from Google or Cognito, payment confirmation and customer identifiers from Stripe, delivery status from email providers, analytics events from our analytics provider, and usage information from agent, model, cloud, package, or repository providers used to deliver the requested Services.
Google API
Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
2. How do we process your information?
In short: We process your information to provide, improve, and administer our Services; support requested skill workflows; communicate with you; secure the Services; prevent fraud and abuse; and comply with law.
- To facilitate account creation, authentication, CLI login, and account management. We process your information so you can create and log in to your account, approve CLI device login, maintain a username profile, manage sessions, and keep your account in working order.
- To deliver and facilitate delivery of the Services. We process skill source, eval cases, agent configuration, traces, outputs, and credentials you provide to run the Workbench features you request.
- To operate hosted evidence, source, and workflows. We process version, agent, run, trace, source, and usage metadata to store, inspect, troubleshoot, secure, and finalize requested workflows.
- To manage plans and billing. We process Stripe customer, subscription, invoice, seat, hosted-compute usage, and payment information to provide plan access, collect payments, support invoices, and maintain billing records.
- To publish and display public skills. If you choose to publish a skill, we process the public skill content and metadata needed to display public pages, public APIs, and installable source.
- To evaluate and improve our Services. We process aggregated or limited usage information to understand product usage, diagnose issues, improve reliability, and evaluate feature performance.
- To protect our Services. We process information to detect, prevent, and respond to security incidents, fraud, abuse, unauthorized access, policy violations, and technical failures.
- To comply with legal obligations. We process information when necessary to comply with applicable laws, lawful requests, audits, tax, accounting, billing, and recordkeeping obligations.
3. What legal bases do we rely on to process your information?
In short: We only process your personal information when we believe it is necessary and we have a valid legal reason to do so under applicable law.
Depending on where you are located, we may process your personal information because you have consented to a specific use; because we need the information to perform a contract with you; because we have a legitimate interest in providing, securing, improving, and supporting the Services; because processing is necessary to protect vital interests; or because we need to comply with legal obligations.
If you are located in Canada, this section applies to you. We may process your information if you have given us specific permission, or express consent, to use your personal information for a specific purpose, or in situations where your permission can be inferred, or implied consent. You can withdraw your consent at any time.
In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including for investigations and fraud detection and prevention, for business transactions provided certain conditions are met, to comply with court orders or subpoenas, when collection is clearly in an individual's interests and consent cannot be obtained in a timely way, or when the information is publicly available and specified by regulation.
5. Do we use cookies and other tracking technologies?
In short: We use cookies and similar technologies to operate, secure, and improve the Services.
We may use cookies and similar tracking technologies, like web beacons and pixels, when you interact with our Services. Some online tracking technologies help maintain the security of our Services and your account, support authentication, prevent crashes, fix bugs, save preferences, and assist with basic site functions.
We may use analytics technologies to understand product usage and reliability. Workbench analytics is disabled unless configured by us, and when enabled it captures path-only page views and product lifecycle metadata. It does not send skill source, prompts, file contents, file paths, query values, traces, adapter auth material, or secrets to analytics.
We do not use third-party advertising cookies in the Services. Most web browsers accept cookies by default. You can usually choose to remove or reject cookies, but doing so could affect certain features or services, including sign-in and account security.
6. Do we offer artificial intelligence-based products?
In short: We offer products, features, or tools for evaluating and improving agentic and artificial-intelligence workflows.
Workbench helps you measure skill performance, compare skill versions and agents, inspect traces, and improve agent workflows. The Services may run AI, agent, model, and related tools through providers you select, connect, or configure. Your prompts, source files, eval cases, traces, outputs, provider credentials, and other personal information may be shared with and processed by those providers when necessary to enable the requested feature.
Requested Workbench features may also process your content through cloud, package, and repository infrastructure needed to sync skill state, collect artifacts, and produce evaluation results.
All personal information processed using our AI or Workbench workflow features is handled in line with this Privacy Notice and our agreements with service providers. Third-party providers may also process information under their own terms and privacy policies.
8. How long do we keep your information?
In short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.
We keep account, authentication, billing, support, skill, evaluation, and operational information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and preserve billing or audit records.
Hosted skill source, public skill content, evaluation results, traces, files, and generated artifacts may remain available while the related account, skill, run, public page, or billing record remains active or as needed for support, security, integrity, backups, or legal obligations.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible because it has been stored in backup archives, securely store it and isolate it from further processing until deletion is possible.
9. How do we keep your information safe?
In short: We aim to protect your personal information through organizational and technical security measures.
We have implemented appropriate and reasonable technical and organizational security measures designed to protect personal information we process. Workbench uses account authentication, scoped CLI access, access controls, limited credential handling, and managed infrastructure controls to help protect account and skill data.
However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.
10. What are your privacy rights?
In short: Depending on your state of residence in the US or in some regions, such as Canada, you have rights that allow greater access to and control over your personal information.
In some regions, you may have the right to request access and obtain a copy of your personal information, request rectification or erasure, restrict processing, data portability where applicable, and not be subject to automated decision-making. If a decision that produces legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a simple way to request human review.
Withdrawing your consent: If we rely on your consent to process personal information, you have the right to withdraw your consent at any time by contacting us.
Opting out of marketing communications: You can unsubscribe from marketing and promotional communications by clicking the unsubscribe link in emails that we send or by contacting us.
Account information: You may review, change, or terminate your account by contacting us or using account features made available in the Services. Upon a request to terminate your account, we will deactivate or delete your account and information from active databases, although we may retain some information to prevent fraud, troubleshoot problems, assist investigations, enforce legal terms, or comply with legal requirements.
Most web browsers accept cookies by default. You can usually choose to remove or reject cookies, but doing so could affect certain features or services. If you have questions about your privacy rights, email privacy@geodesiclabs.com.
11. Controls for Do-Not-Track features
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal a privacy preference not to have data about online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.
California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.
12. Do United States residents have specific privacy rights?
In short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have specific privacy rights.
Categories of personal information we collect
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email address, account name, username, online identifier, IP address, and similar contact or account details. | YES |
| B. California Customer Records personal information | Name, contact information, account records, billing account identifiers, and payment-related records. | YES |
| C. Protected classification characteristics | Age, race, ethnicity, national origin, sex, marital status, and other protected demographic characteristics. | NO |
| D. Commercial information | Transaction records, plan subscriptions, invoices, hosted-compute usage, purchase history, and billing status. | YES |
| E. Biometric information | Fingerprints, voiceprints, faceprints, or similar biometric identifiers. | NO |
| F. Internet or other similar network activity | Page views, authentication events, CLI/API request metadata, product usage events, diagnostic logs, and interactions with the Services. | YES |
| G. Geolocation data | Approximate location derived from IP address or infrastructure logs. | YES |
| H. Audio, electronic, sensory, or similar information | Audio, video, call recordings, or similar sensory information created in connection with business activities. | NO |
| I. Professional or employment-related information | Business contact details, job title, work history, or qualifications. | NO |
| J. Education information | Student records and directory information. | NO |
| K. Inferences drawn from collected personal information | Profiles or summaries about preferences, characteristics, behavior, attitudes, or abilities. | NO |
| L. Sensitive personal information | Account login information, access tokens, API keys, provider credentials, adapter auth material, secrets, and private files you choose to submit. | YES |
We only collect sensitive personal information, as defined by applicable privacy laws, for the purposes allowed by law or with your consent. We do not collect or process sensitive personal information for the purpose of inferring characteristics about you.
We may also collect other personal information when you interact with us online, by email, or through the Services in the context of customer support, facilitation of the Services, and responses to inquiries.
We will use and retain categories A, B, D, F, G, L as described in this Privacy Notice and for as long as necessary to provide the Services, maintain accounts and billing records, secure the Services, comply with legal obligations, and resolve disputes.
Sources, use, and sharing
Learn more about the sources of personal information we collect in What information do we collect? and how we use your personal information in How do we process your information?.
We may disclose personal information to service providers pursuant to written contracts. We have not sold or shared personal information to third parties for cross-context behavioral advertising in the preceding twelve months.
Your rights
- Right to know whether or not we are processing your data.
- Right to access your personal data.
- Right to correct inaccuracies in your personal data.
- Right to request deletion of your personal data.
- Right to obtain a copy of the personal data you previously shared with us.
- Right to non-discrimination for exercising your rights.
- Right to opt out of processing for targeted advertising, sale of personal data, or profiling in furtherance of legally or similarly significant decisions.
- Depending on where you live, additional rights may include access to categories of personal data being processed, lists of third parties to which data has been disclosed or sold, review of profiling, and limits on use or disclosure of sensitive personal data.
How to exercise your rights
To exercise these rights, email us at privacy@geodesiclabs.com. Under certain US state laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they are authorized to act on your behalf.
Upon receiving your request, we will need to verify your identity. If we cannot verify your identity from information already maintained by us, we may request additional information for verification, security, or fraud-prevention purposes.
Under certain US state laws, if we decline to take action regarding your request, you may appeal by emailing privacy@geodesiclabs.com. If your appeal is denied, you may submit a complaint to your state attorney general.
California "Shine the Light" law
California Civil Code Section 1798.83 permits California residents to request and obtain, once a year and free of charge, information about categories of personal information disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year.
13. Do we make updates to this notice?
In short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice. If we make material changes, we may notify you by prominently posting a notice or directly sending you a notification.
14. How can you contact us about this notice?
If you have questions or comments about this notice, contact us by email at privacy@geodesiclabs.com.
15. How can you review, update, or delete the data we collect from you?
Based on the applicable laws of your country or US state of residence, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correction of inaccuracies, deletion of personal information, or withdrawal of consent to processing. To request to review, update, or delete your personal information, email privacy@geodesiclabs.com.
7. How do we handle your social logins?
In short: If you choose to register or log in to our Services using a third-party account, we may have access to certain information about you.
Our Services may offer the ability to register and log in using a third-party account, such as Google through Cognito. Where you choose to do this, we receive certain profile information from your provider. This may include your name, email address, profile picture, and other information you choose to make available.
We use the information we receive only for the purposes described in this Privacy Notice or otherwise made clear to you on the relevant Services. We do not control, and are not responsible for, other uses of your information by your third-party identity provider.