Artificial Intelligence Usage Policy

Scope of this policy

This document describes how Pilot uses artificial intelligence within its product: what types of data it processes, what decisions the AI can make, how automated actions are logged and what controls you, as a customer, have to limit, audit or reverse the AI's behavior.

It applies to all product modules (CRM, accounting, calendar, messaging agents, etc.) and to all active plans.

What the AI does in Pilot

The AI operates within Pilot to automate repetitive tasks and propose actions. Specifically:

• It drafts emails, WhatsApp messages and replies to customers.
• It moves opportunities between CRM stages when there are clear signals (customer reply, invoice paid, meeting confirmed).
• It summarizes chat threads, meeting transcripts and long notes.
• It proposes meetings, reminders, tasks and approvals.
• It answers the team's queries from WhatsApp, Telegram, Slack or email.

Every action the AI executes is recorded in an audit log with a timestamp, requesting user, context and result.

What data the AI processes

The AI processes the data your company uploads or synchronizes with Pilot. This includes:

• Contacts, customers and opportunities in your CRM.
• Messages and files shared in internal and external chats.
• Emails sent and received in connected mailboxes.
• Calendar events and meeting transcripts.
• Invoices, expenses and accounting entries.

The AI does not access data outside your workspace. Each workspace is isolated by row-level permissions in the database. The AI uses the same permissions as the user who invokes it: if a salesperson cannot see other people's opportunities, the AI does not use them for that salesperson either.

Processing and subprocessors

Pilot uses language models and AI services hosted on secure infrastructure. The specific providers may change as the product evolves; at all times we apply the following minimum safeguards:

• Data travels encrypted in transit (TLS 1.3) and at rest.
• Providers sign data processing agreements compatible with the GDPR and Costa Rica's Law 8968.
• Your data is not used to train public models.
• Processing logs are retained for a maximum of 30 days for diagnostics, unless required for legal reasons.

The up-to-date list of subprocessors is published on the security page and is updated 30 days in advance of any relevant change.

Automated decisions

The AI can execute automatic actions (send emails, move opportunities, approve expenses within configured limits). For each action category you can configure:

• Proposal mode: the AI proposes, a person confirms with a single tap.
• Direct mode with audit: the AI executes on its own; the action is logged and reversible within N minutes.
• Blocked mode: the AI only reads; it executes nothing.

We recommend starting all workflows in proposal mode for 2-3 weeks and migrating to direct mode only the workflows that completed the period without repeated corrections.

Audit log retention

The AI action audit log is retained by default for 24 months. You can extend the retention in your plan or export the log to your own infrastructure. When canceling the account, you can request the full export of the logs before deletion.

Available opt-outs

You have several ways to limit the AI's reach:

• Disable modules: each module can be turned off individually.
• Disable the AI per module: you keep the module but the AI does not operate on it.
• Exclude sensitive contacts: you mark contacts or conversations as 'no AI' and they are excluded from automated processing.
• Restrict by user permissions: you limit which users can activate automatic actions.

Your rights

As the owner of the data uploaded to Pilot, you have the right to access, rectify, erase, object to the processing of, or request the portability of the data processed by the AI. Requests are handled within a maximum of 30 days.