Birch Privacy Policy

Last updated: April 8, 2026

DocMap Inc. (d/b/a “Birch”) (“Birch,” “we,” “us,” “our”) respects your privacy. This Policy explains how we collect, use, disclose, and protect Personal Data when you use the Platform.

“Personal Data” means information that identifies or relates to an identifiable individual.

1. Scope

This Policy applies when you:

  • visit birch.to (and subdomains),
  • create an account (via the web interface or by emailing hi@birch.to),
  • interact with the Builder Email Agent (hi@birch.to),
  • connect your email account (Gmail, Outlook, or other provider) for the Discover Service,
  • build, publish, purchase, or run Agents/Products,
  • receive email from the Platform (including scheduled automation results, deployment notifications, and Agent outputs),
  • call Birch APIs or use app pages,
  • connect Stripe (Creators),
  • interact with Tools integrated into Agents.

2. Data We Collect

2.1 Categories

Account & Contact

Name, email address, password hash, phone number, profile info; one-time passcodes (OTPs) are generated and transmitted via Twilio but are not stored by Birch after verification. For email-based users, your email address serves as your primary identifier, and your name is collected via email reply during TOS acceptance.

Business & Compliance (Creators)

Business name, EIN, beneficial owner info, government ID (collected primarily by Stripe)

Payment & Payout

Stripe transaction IDs, payout status, fees, dispute/chargeback data (from Stripe)

Agent & Product Configuration

Agent definitions (steps/nodes), prompts, tool selections, parameters, product listings, pricing, version history, trigger schemas, scheduler configurations

Runtime Inputs/Outputs

Buyer inputs (queries), step inputs/outputs, Tool responses, extracted web content, structured outputs, scheduled run results

Email Content (Builder Email Agent)

Email messages you send to and receive from hi@birch.to (including subject lines, message bodies, CC/BCC addresses, and thread context); email messages sent to and from deployed Agent email addresses; email attachments you send to the Platform

Email Content (Discover Service)

When you connect your email account for Discovery: email subjects, bodies (normalized and truncated), sender/recipient addresses, labels/folder metadata, contact frequency data, and attachment metadata. This data is accessed on a read-only basis via your authorized Composio OAuth connection.

Persona Data

AI-generated Persona summaries created by the Discover Service, including your inferred role, industry, key activities, frequent contacts (names and roles), tools and services you use, communication patterns, and pain points. Agent suggestions and colleague recommendations derived from your Persona.

Conversation Memory

Summaries of your interactions with the Builder Email Agent, including condensed representations of message content, tools used, and topics discussed, stored to provide continuity across email sessions

Usage & Logs

API keys, request/response metadata, telemetry (CPU-seconds, storage, bandwidth), error logs, audit logs, abuse/fraud signals, rate-limit counters, credit consumption records

Device & Cookies

Device identifiers, browser type, OS, IP address, analytics events, essential cookies

User Content

Files, code, data you upload (including email attachments uploaded to cloud storage); any personal data contained within such content

Referral & Sharing Data

Email addresses of contacts you CC on Builder Email Agent messages (used for referral credit tracking and share invitations)

Important Notice Regarding File Uploads

Files uploaded to an Agent (including as part of Agent inputs, configurations, or email attachments) may be publicly accessible via their URL and should be treated as public. Do not upload sensitive, confidential, or private information through file uploads to Agents. Birch does not guarantee the confidentiality of uploaded files.

We do not knowingly collect data from children under 13.

2.2 Sources

  • From you (account registration, Agent configurations, inputs, phone number for OTP, email messages to hi@birch.to)
  • From your connected email account (Gmail, Outlook, or other provider) when you authorize the Discover Service
  • From Buyers interacting with Products (inputs/usage)
  • From Stripe (payments/payouts/compliance)
  • From Twilio (SMS delivery status and metadata for OTP authentication)
  • From AgentMail (email delivery and inbox management for the Builder Email Agent, deployed Agents, and scheduled notifications)
  • Automatically from your device/browser
  • From Tool Providers as part of executing Tool calls (e.g., responses, usage metadata)
  • From Composio (OAuth connection status, credential management, tool execution results)
  • From AWS Bedrock (LLM processing responses for AI-powered features)

3. How We Use Data

We use Personal Data to:

  • provide, secure, and maintain the Platform;
  • execute Agents and deliver Product outputs (including via email);
  • operate the Builder Email Agent (processing your email instructions, generating AI responses, and managing your Agent builds, edits, and deployments);
  • run the Discover Service (scanning your connected email account, building your Persona, generating Agent suggestions, and producing colleague recommendations);
  • authenticate users and manage accounts, including sending SMS one-time passcodes (OTPs) via Twilio and processing email-based registration and TOS acceptance;
  • execute Scheduled Automations and deliver results to you via email;
  • maintain conversation memory to provide context across your email interactions with the Builder Email Agent;
  • process billing, payouts, refunds, and chargebacks via Stripe;
  • measure usage and calculate fees/credits (including referral credits);
  • prevent fraud and enforce Terms (including rate limiting and abuse detection);
  • communicate about updates, security incidents, and Agent build status;
  • comply with legal obligations (tax, KYC/AML, sanctions, lawful requests);
  • debug and improve the Platform (including aggregated or de-identified analytics).

4. Sharing & Disclosure

We share Personal Data only as needed:

Service Providers/Subprocessors

Stripe (payments); Twilio (SMS OTP delivery for sign-up and sign-in authentication — your phone number and OTP delivery metadata are shared with Twilio solely to send verification messages; Twilio processes this data under its own Privacy Policy); Composio (credential and secret storage for third-party tool integrations, and OAuth connections to your email provider for the Discover Service); AgentMail (email delivery, inbox management, and webhook processing for the Builder Email Agent, deployed Agents, and scheduled notifications); AWS including AWS Bedrock (LLM processing — your email messages, conversation history, workflow configurations, and Agent inputs/outputs may be sent to AWS Bedrock for processing by Anthropic Claude models); Vercel (hosting, serverless compute, and Blob storage for uploaded files and attachments); databases, analytics, and error tracking.

LLM Providers (via AWS Bedrock)

Content you provide — including email messages to the Builder Email Agent, email content accessed by the Discover Service, workflow configurations, and Agent inputs/outputs — is sent to large language model providers (currently Anthropic Claude via AWS Bedrock) for AI processing. This data is used to generate responses, build Personas, create and edit workflows, and evaluate Agent behavior. We use AWS Bedrock’s managed infrastructure; data is processed in accordance with AWS and Anthropic’s applicable terms and data handling practices.

Tool Providers

When your Agent calls a Tool, we may transmit relevant inputs (and sometimes extracted content) to the Tool Provider to execute that step. Tool Providers process such data under their own terms/policies.

Creators and Buyers

Creators receive data necessary to operate/support their Products (e.g., Buyer usage metrics, inputs/outputs) depending on Product configuration.

Buyers receive outputs generated by Products they use.

Referred/CC’d Contacts

If you CC other email addresses on messages to the Builder Email Agent, those contacts may receive invitations or awareness of the Platform. Their email addresses are processed for referral credit tracking.

Colleague Recommendation Recipients

If you elect to act on a Colleague Recommendation from the Discover Service, the Platform may send a note to the identified contact on your behalf. The note is sent at your direction and identifies you as the sender.

Authorities and Legal Requests

We may disclose data to comply with law, court orders, or to protect rights, safety, and property.

Corporate Transactions

We may share data in connection with a merger, acquisition, or sale of assets.

We do not sell Personal Data and do not permit third-party advertising cookies.

5. International Transfers

Birch operates primarily in the United States. Tool Providers, LLM providers (via AWS Bedrock), and infrastructure providers may process data in other jurisdictions. By using the Platform, you understand your data may be transferred and processed internationally.

6. Security

We use reasonable safeguards (access controls, encryption in transit, internal authentication secrets for service-to-service communication, and other measures appropriate to our size and risk profile). No method is 100% secure. You are responsible for safeguarding your credentials, API keys, and email account access.

Email attachments are stored in cloud object storage (Vercel Blob) with private access controls. Builder Email Agent sessions are protected by per-thread session management and internal authentication.

7. Data Retention

We retain Personal Data:

  • while your account is active, plus a limited period after closure (generally 30 days),
  • backups and logs may persist up to 90 days (or longer if required by law, dispute resolution, or security investigations),
  • payment/tax/compliance records as required by law,
  • agent logs/telemetry as needed for billing, abuse prevention, and reliability,
  • conversation memory summaries are retained while your account is active to provide continuity across sessions,
  • Persona data and Discovery suggestions are retained while your account is active and may be deleted upon request,
  • Builder Email Agent session data (including build status, pipeline state, and email thread context) is retained while your account is active,
  • scheduled automation run logs are retained for billing and debugging purposes.

Creators are responsible for their own retention practices for data they export or store outside Birch.

Email content accessed by the Discover Service is processed in-session and is not stored in raw form by Birch after the discovery session completes. Normalized/truncated excerpts may be retained within Persona summaries and suggestion descriptions.

8. Your Rights

Depending on your location, you may have rights to access, correct, delete, or port your data, or object/restrict certain processing.

To exercise rights, email hi@birch.to. We may verify identity before responding.

You may disconnect your email provider (Gmail, Outlook, etc.) from the Discover Service at any time through your Composio connection settings, which will revoke the Platform’s access to your email account. You may also request deletion of your Persona data and Discovery suggestions.

9. Creator Responsibilities to Buyers

Creators may build Products that collect or process personal data. Creators are responsible for:

  • providing any legally required disclosures to Buyers,
  • ensuring a lawful basis for processing,
  • complying with applicable privacy and data protection laws for their Products.

10. SMS and OTP Communications

When you register or sign in using phone-based OTP authentication, we collect your phone number and use it solely to send one-time passcodes via SMS through Twilio. Specifically:

  • What we send: transactional SMS messages containing one-time passcodes for account verification. We do not send marketing SMS messages.
  • Data retention: your phone number is stored as part of your account record. OTP codes are ephemeral and are not retained after verification or expiry.
  • Carrier charges: standard message and data rates from your carrier may apply.
  • Opt-out: if you no longer wish to use phone-based OTP sign-in, contact us at hi@birch.to to request removal of your phone number from your account. Note that disabling OTP may affect your ability to sign in if it is your only authentication method.

Your phone number is never sold or shared with third parties except Twilio (for delivery of verification messages) and as required by law.

11. Email Communications

11.1 Builder Email Agent

When you interact with the Builder Email Agent at hi@birch.to:

  • your email messages (including subject, body, attachments, and CC/BCC addresses) are received via AgentMail and processed by the Platform;
  • message content is sent to an LLM (Anthropic Claude via AWS Bedrock) for AI-powered responses;
  • conversation summaries are stored in conversation memory for context continuity;
  • email attachments may be downloaded and stored in Vercel Blob storage with private access controls;
  • CC’d email addresses are processed for referral credit tracking and may receive invitations to the Platform.

11.2 Discover Service Email Scanning

When you connect your email account for the Discover Service:

  • the Platform accesses your email account on a read-only basis through Composio’s OAuth integration;
  • an AI agent searches, lists, and retrieves email messages to understand your workflows, activities, and contacts;
  • email content is normalized (stripped of quoted replies, truncated) before being sent to the LLM for analysis;
  • the AI agent focuses on substantive correspondence (especially emails you have sent) and attempts to filter out advertisements and automated notifications;
  • contact frequency data is derived from your sent-mail To fields and subject lines;
  • raw email content is not stored after the discovery session; only derived Persona data and suggestions are retained.

11.3 Scheduled Automation Email Delivery

When you create a Scheduled Automation with email delivery:

  • Agent run results are sent to your email address (or a designated email address) via AgentMail or the Platform’s email notification system;
  • scheduled run results and metadata are logged for billing and debugging purposes;
  • email sends from scheduled runs may be converted to drafts rather than sent directly, depending on Agent configuration.

11.4 Deployed Agent Email

Deployed Agents may have dedicated email addresses (via AgentMail). Email messages to and from deployed Agents are processed by the Platform and subject to this Policy.

12. Cookies

We use essential cookies and may use first-party analytics. You can disable cookies in your browser, but the Platform may not function properly.

13. Changes to This Policy

We may update this Policy. For material changes, we will provide notice (e.g., by email — including to your Builder Email Agent address — or dashboard) and, where required, 30 days’ notice. Continued use after the effective date constitutes acceptance.

14. Contact

DocMap Inc. (d/b/a Birch)

Email: hi@birch.to