Skip to content
← Back to Point

Point Terms and Conditions

Version: 1.0
Effective date: July 7, 2026
Entity: Advanced Mail Solutions, Inc., a Delaware corporation, DBA “Point”, with primary offices in California.
Legal contact: legal@getpoint.ai
Privacy contact: privacy@getpoint.ai
Website: getpoint.ai

These Terms and Conditions (“Terms”) govern access to and use of Point’s websites, applications, software-as-a-service platform, APIs, connected-account integrations, automation features, and related services ( collectively, the “Services”).

These Terms are drafted for two relationship models:

  1. Organization Customers. A company, partnership, nonprofit, government body, or other organization that creates or administers a Point workspace or purchases Services for its personnel.
  2. Individual Customers. A person who creates or uses a Point account directly for personal, professional, or sole-proprietor use.

If you use the Services on behalf of an organization, “Customer” means that organization, and you represent that you have authority to bind it. If you use the Services directly as an individual, “Customer” means you. “Point,” “we,” “us,” and “our” mean Point.


1. Agreement structure and order of precedence

1.1 Agreement documents

The agreement between Point and Customer consists of the following documents, to the extent applicable:

  1. an accepted order form, online checkout, in-product subscription selection, statement of work, or other written ordering document accepted by Point (each, an “Order”);
  2. any written regulated-data supplement, business associate agreement, industry-specific addendum, security addendum, or similar supplemental terms expressly accepted by Point for the ordered Services (each, a “Regulated Data Supplement”);
  3. the applicable service description, plan description, documentation, or product-specific terms made available by Point (the “Service Documentation”);
  4. the Data Processing Addendum in Schedule 1 to these Terms, to the extent Point processes Customer Personal Data on behalf of an Organization Customer;
  5. these Terms; and
  6. the then-current Point Price List, solely for commercial matters referenced by the Order, Service Documentation, or these Terms.

Together these documents are the “Agreement.”

1.2 Order scope

An Order is intended to state only commercial and configuration matters, such as the ordered Services, subscription period, fees, billing cadence, payment terms, quantities, usage metrics, selected plan, support level, region or hosting selections if offered, and any professional-services scope.

An Order does not modify legal terms unless the modification is in a separate written amendment that expressly identifies the sections amended and is signed by an authorized Point officer.

1.3 Precedence

If there is a conflict, the following order applies to the extent of the conflict:

  1. a Regulated Data Supplement prevails for the specific regulated-data commitments and Services it expressly covers;
  2. the Data Processing Addendum prevails for Processing of Customer Personal Data;
  3. a statement of work prevails solely for professional-services scope, milestones, dependencies, delivery dates, and objective acceptance criteria stated in that statement of work;
  4. the Service Documentation prevails for standardized service descriptions, support levels, deployment options, usage definitions, feature availability, and counting rules;
  5. the Order prevails for commercial and configuration matters selected for that transaction; and
  6. these Terms prevail in all other respects.

Point’s Privacy Policy is referenced for information about Point’s controller processing of personal information. It is not a contractual term of the Agreement unless expressly incorporated.

1.4 Customer terms excluded

Any purchase order terms, vendor portal terms, click-through terms, procurement terms, handwritten terms, or other Customer-proposed terms are rejected and have no effect unless agreed in an amendment signed by an authorized Point officer.

1.5 Separate regulated-data documents

Point does not offer HIPAA, business associate, financial-services, tax-return, payment-card, government, education, or other regulated-data commitments by implication. Any such commitment must be in a separate written document signed or otherwise accepted by Point through an authorized contracting process and must identify the covered Services, workspace, plan, data category, effective date, and any additional fees or technical requirements.

A regulated-data addendum may be attached to an Order, incorporated by express reference, or accepted through a Point contracting workflow. No sales material, security questionnaire, privacy policy statement, support response, or product feature creates a regulated-data commitment unless the applicable addendum is executed or expressly accepted by Point.


2. Definitions

Account” means a Point user account.

Admin” means a User authorized to manage a Customer workspace, billing, connected accounts, Users, settings, or other administrative functions.

Affiliate” means an entity that controls, is controlled by, or is under common control with a party.

AI Output” or “Output” means content, summaries, rankings, labels, tasks, suggestions, drafts, recommendations, schedules, decisions, or other material generated or assisted by the Services.

Automation” means a Point feature that performs, proposes, drafts, classifies, prioritizes, schedules, archives, labels, notifies, or otherwise acts in response to Customer Content, Customer instructions, User settings, connected-account data, or other events.

Authorized User” or “User” means an individual authorized by Customer to access or use the Services under Customer’s Account or workspace.

Connected Account” means an email, calendar, storage, messaging, identity, or other third-party account that a User connects to the Services, such as Gmail, Google Workspace, Google Calendar, Microsoft 365, Outlook, Outlook Calendar, or a comparable service.

Customer Content” means emails, messages, calendar data, contacts, tasks, notes, files, attachments, prompts, inputs, instructions, preferences, account data, connected-account data, metadata, and other content submitted to, synced with, stored in, processed by, or made available to the Services by or on behalf of Customer.

Customer Data” means Customer Content and other electronic data submitted to or generated in the Services for Customer, excluding Point Technology.

Documentation” means Point’s then-current technical, support, security, product, or user documentation.

Individual Customer” means a Customer who uses the Services directly as a natural person and not on behalf of an organization.

Organization Customer” means a Customer that is an entity or organization.

Personal Data,” “Personal Information,” “Process,” “Controller,” “Processor,” “Business,” “Service Provider,” “Contractor,” “Consumer,” and similar terms have the meanings given under applicable data protection law.

Point Technology” means the Services, software, applications, systems, APIs, interfaces, models, model configurations, prompts, workflows, templates, orchestration logic, security controls, data models, schemas, documentation, designs, processes, methods, analytics, and other technology owned or licensed by Point or its providers, including improvements to them. Point Technology excludes Customer Content and Customer-specific Work Product.

Price List” means Point’s then-current commercial price list for the Services.

Professional Services” means onboarding, migration, configuration, implementation, training, consulting, custom work, or other professional services ordered by Customer.

Regulated Data” means data subject to specialized legal, regulatory, contractual, industry, or professional-secrecy requirements that are not expressly included in Point’s standard Services, such as protected health information subject to HIPAA, payment-card data subject to PCI DSS, tax-return information, GLBA-covered nonpublic personal information, children’s data, biometric data, classified information, or data subject to comparable restrictions.

Regulated Data Supplement” means a separate written supplement expressly accepted by Point that applies additional terms to specified Regulated Data, such as a HIPAA business associate agreement, financial-services addendum, tax-data addendum, professional-secrecy addendum, security addendum, or other industry-specific schedule.

Service Unit” means a usage unit identified in the Price List or Order, such as a User, connected inbox, connected calendar, message processed, automation action, storage unit, API call, or other unit.

Subscription Period” means the initial or renewal period for the relevant ordered Services.

Usage Limits” means the limits, entitlements, caps, Service Units, fair-use rules, metered quantities, or restrictions applicable to the Services under the Agreement.

Work Product” means deliverables created specifically for Customer under paid Professional Services and identified in the applicable statement of work, excluding Point Technology.


3. Eligibility, account creation, and authority

3.1 Minimum age

You must be at least 16 years old, or the age of majority in your jurisdiction if higher, to use the Services. The Services are not directed to children under 13, and Point does not knowingly collect personal information from children under 13.

3.2 Account information

Customer and Users must provide accurate account, billing, and contact information and keep it current. Customer is responsible for all activity under its Accounts except to the extent caused by Point’s breach of the Agreement.

3.3 Organization administration

For Organization Customers, Admins may manage Users, connected accounts, workspace settings, data retention settings if offered, billing, plan selection, and other configuration. Customer is responsible for Admin actions and for determining which Users may access Customer Data.

3.4 Approved jurisdictions and export compliance

Customer may use the Services only where lawful and not prohibited by applicable sanctions, export controls, or Point’s compliance obligations. Customer will not permit use of the Services by anyone who is the target of sanctions or located in an embargoed jurisdiction.


4. Services

4.1 Subscription access

During the applicable Subscription Period and subject to the Agreement, Point grants Customer a non-exclusive, non-transferable, non-sublicensable right for Authorized Users to access and use the Services for Customer’s internal business, professional, or individual productivity purposes.

For Organization Customers, Users may use the Services for Customer’s own operations and client work, provided Customer has all required rights and permissions for the relevant Customer Content. Customer’s clients and other third parties may not access the Services under Customer’s subscription unless they are authorized Users or hold their own valid subscription.

4.2 Service description

Point is an AI-native productivity and communications workspace. The Services may include, depending on plan and configuration:

  1. connected email ingestion, sync, search, triage, summary, drafting, and automation;
  2. connected calendar sync, scheduling, availability analysis, public scheduling pages, calendar notifications, and meeting coordination;
  3. native Point messaging and secure communication features;
  4. tasks, reminders, follow-up rules, watch tasks, and notification automation;
  5. progressive disclosure, semantic search, labels, circles, summaries, points, memory/imprints, and activity logs;
  6. automation settings, autonomy controls, draft/review flows, undo support where technically available, and audit trails;
  7. browser, web, desktop, mobile, API, and related client applications as made available by Point; and
  8. Professional Services, if ordered.

Feature availability depends on the Customer’s plan, region, platform, Connected Accounts, third-party provider availability, and Point’s current product stage.

4.3 Connected Accounts

A User may connect third-party accounts to the Services. Customer authorizes Point to access, sync, retrieve, store, process, and send data through Connected Accounts as necessary to provide the Services and as directed by Customer or Users.

Customer is responsible for:

  1. having all rights, permissions, notices, and consents needed to connect each Connected Account;
  2. complying with applicable third-party provider terms;
  3. maintaining provider accounts, credentials, and permissions;
  4. reviewing OAuth scopes and permissions before authorizing access; and
  5. disconnecting accounts that should no longer be used.

Point is not responsible for third-party provider outages, rate limits, account suspensions, changes to APIs, changes to terms, or provider decisions that affect the Services.

4.4 No migration requirement

Point may allow Customers to use existing email addresses, calendars, messages, and accounts without migrating away from third-party providers. Point does not guarantee that any third-party account can be connected or remain connected.

4.5 Changes to Services

Point may update, modify, add, replace, limit, or discontinue features, models, providers, integrations, user interfaces, or technical components from time to time. Point will use commercially reasonable efforts to avoid materially reducing the core functionality of paid Services during a paid Subscription Period, except where reasonably necessary for security, legal compliance, third-party provider changes, operational reliability, or emergency maintenance.

If Point materially reduces core functionality purchased under an Order, Customer may terminate the affected paid Services by written notice, and Point will refund prepaid unused fees for the terminated portion on a pro-rata basis. This is Customer’s exclusive remedy for such change.

4.6 Beta, preview, and experimental features

Point may offer alpha, beta, preview, pilot, trial, or experimental features. These features are provided “as is,” may be changed or discontinued at any time, may be subject to additional terms, may not be covered by service commitments, and should not be used for critical workflows unless Point states otherwise in writing.


5. Customer responsibilities

Customer is responsible for:

  1. Users’ compliance with the Agreement;
  2. the accuracy, quality, legality, and integrity of Customer Content;
  3. all notices, consents, lawful bases, permissions, and rights needed for Point to process Customer Content as contemplated by the Agreement;
  4. secure configuration and use of the Services, including Admin roles, account access, credentials, authorization settings, Connected Account permissions, automation settings, and review settings;
  5. reviewing, validating, approving, and controlling AI Output and Automation before relying on it, especially before any external communication, legal, financial, tax, medical, employment, security, or other high-impact use;
  6. determining whether the Services are appropriate for Customer’s industry, legal, confidentiality, recordkeeping, professional, security, or regulatory obligations;
  7. maintaining backups or records where Customer is legally or operationally required to do so; and
  8. promptly notifying Point of suspected unauthorized access to an Account or Customer Data.

5.1 Regulated data

Point’s standard Services are not designed, priced, or offered as a regulated-data service unless Point expressly accepts a Regulated Data Supplement for the specific data type and ordered Services.

Unless a Regulated Data Supplement expressly permits the relevant use, Customer must not use the Services to store or process:

  1. protected health information subject to HIPAA;
  2. classified information;
  3. payment-card data requiring PCI DSS compliance, except through Point’s approved payment processor;
  4. tax-return information, nonpublic financial information, children’s data, biometric data, or other data subject to specialized statutory, regulatory, professional-secrecy, or contractual controls that Point has not expressly accepted; or
  5. special categories of Personal Data or sensitive Personal Information where Customer has not determined that use of the Services is lawful and appropriate for Customer’s purpose.

A Regulated Data Supplement may include additional security controls, retention rules, deletion rules, audit rights, support procedures, breach-notice commitments, product limitations, plan requirements, fees, or configuration requirements. A Regulated Data Supplement applies only to the Regulated Data, Services, Customer, and time period expressly covered by that supplement. For clarity, Point’s standard Terms, DPA, Privacy Policy, security documentation, or general product descriptions do not by themselves create a HIPAA business associate relationship or any other regulated-data commitment.

Customer remains responsible for professional secrecy, attorney-client privilege, tax-preparer confidentiality, financial-industry safeguards, client confidentiality, employment, consumer-protection, and other obligations applicable to Customer. Customer acknowledges that Connected Accounts may contain sensitive or regulated information and is responsible for ensuring that connecting those accounts and enabling Point to process their contents is lawful and consistent with Customer’s obligations.

5.2 High-impact decisions

Customer must not use the Services as the sole basis for decisions that have legal, financial, employment, credit, housing, education, healthcare, insurance, immigration, criminal justice, or similarly significant effects on individuals. Customer must apply human review and any legally required procedures.


6. AI, automation, and human review

6.1 Probabilistic systems

The Services use probabilistic systems, including machine learning and large language models. The same or similar inputs may produce different outputs at different times.

6.2 No guarantee of correctness

AI Output may be inaccurate, incomplete, outdated, misleading, biased, non-compliant, unsafe, or unsuitable for Customer’s purposes. Point does not guarantee that AI Output will be correct, complete, secure, legally sufficient, or appropriate.

6.3 Customer review

Customer is solely responsible for reviewing, editing, testing, validating, approving, sending, filing, relying on, or otherwise using AI Output and Automation. Point may provide review flows, approval states, undo functions, activity logs, or safety controls, but these controls do not replace Customer’s own judgment and obligations.

6.4 Automation settings

The Services may allow Users or Admins to configure autonomy levels, review requirements, watch tasks, reminders, follow-up rules, scheduling rules, draft settings, and other automation preferences. Customer is responsible for configuring these settings appropriately.

6.5 Outbound communications

Point may generate drafts, suggestions, scheduling messages, follow-ups, notifications, or other outbound communications. Customer authorizes Point to send outbound communications through Connected Accounts, native Point channels, or other configured channels when Customer’s settings, approvals, or instructions permit it.

Outbound communications may not be reversible after sending. Point may provide an undo or cancellation window only where technically and legally available.

6.6 No professional advice

The Services do not provide legal, tax, accounting, financial, medical, security, compliance, or other professional advice. AI Output may help organize, draft, summarize, or surface information, but Customer remains responsible for obtaining qualified professional advice when needed.

6.7 Model and provider changes

Point may select, route, replace, or change AI models, embedding models, model providers, infrastructure providers, and processing methods at any time, subject to the Agreement and applicable law.

6.8 No training of generalized models from Customer Content

Point will not use Customer Content to train generalized third-party large language models or generalized foundation models, unless Customer expressly authorizes such use. Point may process Customer Content to provide, secure, support, troubleshoot, measure, and improve the Services for Customer, and to develop aggregated or de-identified information that does not identify Customer, Users, or individuals.

6.9 LLM costs included in Point pricing

Point does not support customer-provided LLM keys, bring-your-own-key, LLM provider pass-through billing, or direct reimbursement of underlying LLM provider costs unless Point expressly states otherwise in an Order. Any metered Services are priced by Point per Service Unit as stated in the applicable Price List or Order.


7. Acceptable use

Customer will not, and will not permit any User or third party to:

  1. use the Services unlawfully or in violation of third-party rights;
  2. send spam, phishing, malware, deceptive, abusive, harassing, threatening, defamatory, obscene, or unlawful communications;
  3. attempt unauthorized access to the Services, Point Technology, other customers’ data, third-party systems, or Connected Accounts;
  4. interfere with, disrupt, overload, scan, probe, scrape, or attack the Services or networks;
  5. upload, transmit, or store malware, exploit code, credential-harvesting content, or content intended to compromise systems or individuals;
  6. use the Services for surveillance, stalking, unlawful tracking, or unlawful profiling;
  7. use the Services to generate or distribute misleading impersonations, fraudulent messages, business email compromise, or social-engineering attacks;
  8. circumvent Usage Limits, billing, access controls, safety controls, rate limits, review flows, logging, or security measures;
  9. reverse engineer, decompile, disassemble, extract, inspect, copy, benchmark for competitive purposes, or attempt to discover non-public aspects of Point Technology, except to the extent non-waivable law permits;
  10. use the Services or Point Technology to build, train, benchmark, validate, or improve a competing product, model, dataset, or service;
  11. remove proprietary notices;
  12. misuse OAuth scopes, connected-account data, or provider APIs;
  13. use the Services in a manner that violates third-party platform policies;
  14. attempt to re-identify aggregated or de-identified data; or
  15. assist anyone in doing the foregoing.

Point may suspend, restrict, throttle, or terminate access for suspected or actual prohibited use, security risk, legal compliance, third-party provider requirement, or material breach.


8. Usage Limits, plans, and metering

8.1 Usage Limits

Customer’s use of the Services is subject to the Usage Limits in the applicable Order, Service Documentation, Price List, and in-product plan description.

8.2 Measurement

Point may measure usage using reasonable methodologies, including by counting Users, connected inboxes, connected calendars, connected accounts, messages processed, automation actions, AI processing events, notifications, API calls, indexed storage, file storage, or other Service Units.

Point may update measurement methodologies prospectively. Point will not retroactively restate a completed billing period except to correct manifest error, fraud, misuse, or non-payment.

8.3 Overages

If Customer exceeds ordered quantities or Usage Limits, Point may:

  1. charge overage fees stated in the Price List or Order;
  2. require Customer to purchase additional quantities;
  3. throttle, pause, or limit usage;
  4. reduce usage to the ordered scope; or
  5. suspend access for material or persistent overuse.

8.4 Fair use

Plans may include fair-use restrictions to protect the Services, other customers, and third-party provider environments. Point may take protective action where usage is abusive, unreasonable, harmful, unlawful, or likely to impair the Services.


9. Fees, trials, renewals, and taxes

9.1 Fees

Customer will pay all fees stated in the Order, in-product checkout, or Price List. Fees are in U.S. dollars unless stated otherwise.

9.2 Subscription fees

Subscription fees are charged in advance unless the Order states otherwise. Usage-based and overage fees may be charged in arrears or as otherwise stated in the Price List or Order.

9.3 Price changes

Point may change products, plans, entitlements, Service Units, overage rates, and pricing at any time on a prospective basis. Prices for a paid Subscription Period are fixed for that Subscription Period unless the Order states otherwise. Renewal periods, new orders, plan changes, additional quantities, and usage incurred after the effective date of a price change may be charged at the then-current prices.

For Individual Customers and other customers entitled to consumer renewal notices, Point will provide legally required notice of material price changes before the change applies.

9.4 Automatic renewal

Paid subscriptions renew automatically for the renewal period stated in the Order or checkout flow, or if none is stated, for a period equal to the expiring Subscription Period, unless Customer cancels before renewal.

Before obtaining payment information for an automatically renewing subscription or free-to-paid conversion, Point will present automatic-renewal terms as required by applicable law. Point will provide a post-purchase acknowledgment with renewal terms, cancellation instructions, and other required information.

9.5 Trials and promotions

Point may offer free trials, promotional pricing, pilot programs, beta programs, credits, or discounts. Unless Point states otherwise, trials and promotions may be changed, limited, or discontinued at any time and may not be combined.

If a free trial converts to a paid subscription, Point will obtain any legally required consent and provide any legally required notices before charging.

9.6 Cancellation

Customer may cancel a subscription through the account settings, billing portal, or other cancellation method Point makes available. Cancellation takes effect at the end of the current paid Subscription Period unless Point states otherwise or applicable law requires otherwise. Point will not charge for renewal after effective cancellation.

9.7 Refunds

Except as expressly stated in the Agreement or required by law, fees are non-refundable and non-creditable.

9.8 Payment

Customer authorizes Point and its payment processors to charge the payment method on file for fees, taxes, and other amounts due. Customer must keep payment information current. Point may suspend access for late payment after notice, except where prohibited by law.

9.9 Taxes

Fees exclude taxes, duties, levies, and governmental charges unless stated otherwise. Customer is responsible for all applicable taxes other than taxes based on Point’s net income.


10. Support, service levels, and maintenance

Point provides support as stated in the applicable plan, Order, or Service Documentation. Response times are targets, not guarantees, unless Point expressly agrees to a service-level commitment in an Order.

Point may perform planned or emergency maintenance. Point will use commercially reasonable efforts to provide notice for material planned maintenance when practical.

Unless an Order expressly states an uptime commitment, Point does not provide an uptime, availability, continuity, or fixed-resolution-time guarantee.


11. Professional Services

11.1 Scope

Point will provide Professional Services described in a statement of work or Order using commercially reasonable skill and care.

11.2 Customer dependencies

Customer will provide timely access, decisions, materials, credentials, and personnel reasonably needed for Professional Services. Delays caused by Customer may adjust schedules and fees.

11.3 Acceptance

Unless the applicable statement of work states objective acceptance criteria, test method, and acceptance period, Work Product is deemed accepted 14 days after delivery unless Customer provides written notice of material non-conformity in reasonable detail.

If Work Product is timely rejected for material non-conformity, Point will use commercially reasonable efforts to correct and re-deliver it.

11.4 Expenses

Professional Services fees exclude travel, accommodation, and out-of-pocket expenses unless stated otherwise. Point will not incur billable expenses without Customer’s prior approval. Approved expenses will be invoiced at cost unless the statement of work states otherwise.

11.5 Tools and third-party items

Point will provide customary working tools and general-purpose software for Professional Services. Customer-specific tools, special environments, third-party licenses, and paid services required to access or work within Customer systems are excluded unless expressly included in the statement of work.


12. Confidentiality

12.1 Confidential Information

Confidential Information” means non-public information disclosed by or on behalf of one party to the other that is designated confidential or should reasonably be understood as confidential given its nature and the circumstances of disclosure. Confidential Information includes business, technical, product, security, pricing, and contractual information.

Customer Content is Customer Confidential Information.

12.2 Use and protection

The receiving party will:

  1. use Confidential Information only to perform or receive the Services or exercise rights under the Agreement;
  2. protect Confidential Information using reasonable care; and
  3. disclose Confidential Information only to representatives who need to know it and are bound by confidentiality obligations at least as protective as these Terms.

12.3 Exclusions

Confidentiality obligations do not apply to information that is publicly available without breach, already known without restriction, rightfully received from a third party, or independently developed without use of Confidential Information.

12.4 Compelled disclosure

A party may disclose Confidential Information to the extent required by law, court order, or government authority, provided it gives reasonable notice where legally permitted and cooperates with reasonable protective measures.

12.5 Duration

Confidentiality obligations apply during the Agreement and for five years after the later of termination or the last disclosure of Confidential Information. Trade secrets remain protected for as long as they remain trade secrets under applicable law.


13. Intellectual property

13.1 Point Technology

Point and its licensors retain all right, title, and interest in Point Technology. No rights are granted except as expressly stated in the Agreement.

13.2 Customer Content

Customer retains all right, title, and interest in Customer Content. Customer grants Point and its Affiliates, subcontractors, providers, and processors a limited right to access, use, host, transmit, store, copy, disclose, process, analyze, index, summarize, transform, and otherwise handle Customer Content solely to provide, operate, secure, support, troubleshoot, improve, and enforce the Services and comply with law.

13.3 AI Output

As between Point and Customer, Customer owns AI Output generated for Customer through the Services, subject to Point Technology, third-party rights, and applicable law. Point does not represent that AI Output is protectable by intellectual-property rights or that it does not resemble third-party content.

Customer is responsible for reviewing AI Output for accuracy, suitability, infringement, confidentiality, and compliance before use.

13.4 Work Product

As between Point and Customer, Customer owns Work Product created specifically for Customer under paid Professional Services, subject to Point Technology and third-party rights. Point retains all rights in Point Technology used to create or deliver Work Product.

13.5 Feedback

If Customer or Users provide feedback, suggestions, requests, or recommendations, Point may use them without restriction or compensation, provided Point does not disclose Customer Confidential Information.

13.6 No implied licenses

No rights are granted by implication, estoppel, exhaustion, or otherwise.


14. Privacy, data protection, and security

14.1 Privacy Policy

Point’s Privacy Policy explains how Point processes personal information as a controller, including for account administration, billing, security, sales, marketing, website operation, support, Individual Customer use, and Point-controlled advertising, analytics, measurement, attribution, and retargeting. Point may use Google advertising and measurement technologies for Point’s own public websites and marketing campaigns as described in the Privacy Policy.

14.2 Organization Customer processing

For Organization Customers, where Point processes Customer Personal Data on Customer’s behalf, the Data Processing Addendum in Schedule 1 applies.

14.3 Individual Customer processing

For Individual Customers, Point generally acts as a controller for personal information processed in providing the Services, subject to the Privacy Policy and applicable law. Point may process data in connected accounts and communications to provide the Services requested by the Individual Customer.

14.4 Security measures

Point will maintain administrative, technical, and organizational safeguards appropriate to the nature of the Services and the risks involved. These may include access controls, encryption in transit and at rest where supported, logging, monitoring, vulnerability management, incident response, backup and restore, credential isolation, token-vault controls, prompt-injection controls, quarantine/flagging controls, and human-access restrictions.

Security measures may evolve over time, provided Point maintains a level of security appropriate to the risk.

14.5 No absolute security

No method of transmission, storage, or processing is completely secure. Point does not guarantee absolute security.

14.6 Provider-policy commitments

Where Point accesses data from third-party provider APIs, Point will use that data in accordance with applicable provider policies and permissions, including using connected-account data only to provide, improve, secure, support, and maintain user-facing features of the Services and not to sell that data or use it for advertising. Point’s use of Google as an advertising or measurement vendor for Point-controlled public websites and marketing campaigns is separate from Point’s use of Google APIs for Gmail, Google Calendar, Google Sign-In, Google Workspace APIs, or other Connected Account functions, and does not authorize use of Customer Content or connected-account data for advertising, retargeting, Customer Match, enhanced conversions, or advertising profile creation.

14.7 Regulated-data addenda

If Point offers a HIPAA Business Associate Agreement, tax-return-data addendum, financial-services addendum, government-data addendum, or other regulated-data document, that document is separate from these Terms and applies only as expressly stated in that document. Customer may not rely on general product functionality, AI safety features, privacy disclosures, security controls, or subprocessor disclosures as a substitute for a required regulated-data agreement.


The Services may integrate with or link to third-party services, websites, APIs, app stores, models, providers, or platforms. Third-party services are not controlled by Point and are governed by their own terms and policies.

For mobile or desktop apps obtained through an app store, the app store’s terms may also apply. The app store provider is not responsible for the Services except to the extent required by applicable law.


16. Publicity

Unless Customer opts out in the Order or by written notice, Point may identify Organization Customer as a Point customer and use Customer’s name and logo in customer lists and marketing materials. Point will not disclose Customer Confidential Information, non-public technical details, security findings, or pricing without Customer’s consent.

Individual Customers will not be used as public references without consent.


17. Warranties and disclaimers

17.1 Mutual authority

Each party represents that it has authority to enter into the Agreement.

17.2 Professional Services warranty

Point warrants that Professional Services will be performed using commercially reasonable skill and care.

17.3 Disclaimers

Except as expressly stated in the Agreement, the Services, AI Output, beta features, trial features, integrations, and Professional Services are provided “as is” and “as available.” Point disclaims all warranties, whether express, implied, statutory, or otherwise, including warranties of merchantability, fitness for a particular purpose, title, non-infringement, accuracy, availability, security, uninterrupted operation, and error-free operation.

Point does not warrant that the Services will detect all threats, prevent all harmful communications, identify all important messages, extract all tasks, schedule all meetings, or produce correct outputs.

Some jurisdictions do not allow certain disclaimers. In those jurisdictions, disclaimers apply only to the maximum extent permitted by law.


18. Indemnification

18.1 Customer indemnity

Customer will defend and indemnify Point, its Affiliates, and their representatives against third-party claims, damages, liabilities, costs, and expenses, including reasonable attorneys’ fees, arising from:

  1. Customer Content;
  2. Customer’s or Users’ use of the Services in violation of the Agreement or law;
  3. Customer’s failure to obtain required rights, notices, consents, or lawful bases;
  4. Customer’s use of AI Output;
  5. Customer’s violation of third-party provider terms; or
  6. Customer’s regulated, professional, or client obligations.

18.2 Point IP indemnity

For paid Services, Point will defend and indemnify Customer against a third-party claim alleging that the Services, as provided by Point and used as authorized, infringe that third party’s U.S. patent, copyright, or trademark, or misappropriate that third party’s trade secret.

Point has no obligation for claims arising from Customer Content, AI Output, third-party services, modifications not made by Point, combination with items not provided by Point, unauthorized use, continued use after Point provides a non-infringing alternative, or use of free, beta, trial, or evaluation Services.

18.3 Process

The indemnified party must promptly notify the indemnifying party, provide reasonable cooperation, and allow the indemnifying party to control the defense and settlement. The indemnifying party may not settle a claim in a way that admits fault or imposes non-monetary obligations on the indemnified party without consent.

18.4 Remedies

If the Services are or may be subject to an infringement claim, Point may procure continued rights, modify the Services, replace the Services, or terminate the affected Services and refund prepaid unused fees. This Section states Point’s entire liability for infringement claims.


19. Limitation of liability

19.1 Exclusion of damages

To the maximum extent permitted by law, neither party is liable for indirect, incidental, special, consequential, exemplary, punitive, or enhanced damages, or for lost profits, lost revenues, lost goodwill, loss of data, business interruption, or cost of substitute services, even if advised of the possibility.

19.2 Liability cap

To the maximum extent permitted by law, each party’s total aggregate liability arising out of or relating to the Agreement is limited to the greater of:

  1. amounts paid or payable by Customer for the affected paid Services during the 12 months before the event giving rise to liability; or
  2. US $100 for free, trial, or unpaid Services.

19.3 Exclusions from cap

The liability cap does not apply to:

  1. Customer’s payment obligations;
  2. Customer’s breach of Sections 7, 13.1, or 13.6;
  3. a party’s fraud, willful misconduct, or gross negligence;
  4. a party’s indemnification obligations; or
  5. liability that cannot be limited by law.

19.4 Consumer rights

Nothing in these Terms limits rights that cannot be waived under applicable consumer-protection law.


20. Term, suspension, and termination

20.1 Term

The Agreement begins when Customer accepts these Terms, creates an Account, starts using the Services, or enters an Order, and continues until terminated.

20.2 Termination for convenience

Customer may stop using free Services at any time. Paid subscriptions may be cancelled as described in Section 9.6.

Unless an Order states otherwise, either party may terminate Professional Services for convenience on 30 days’ written notice. Customer remains responsible for fees for work performed and non-cancellable commitments incurred before termination.

20.3 Termination for cause

Either party may terminate the affected Services for material breach if the breach is not cured within 30 days after written notice. Point may terminate or suspend immediately for breach of Sections 7, 13, or 14 that creates security, confidentiality, legal, intellectual-property, or operational risk.

20.4 Suspension

Point may suspend or restrict access immediately if reasonably necessary to:

  1. address a security emergency;
  2. comply with law or third-party provider requirements;
  3. prevent prohibited use;
  4. investigate suspected misuse or breach;
  5. protect the Services, Point Technology, Customer Data, other customers, or third-party systems; or
  6. address non-payment.

Point will use reasonable efforts to limit suspension to the affected Accounts, features, or data.

20.5 Effect of termination

Upon termination, Customer’s access to the affected Services ends. Data export, deletion, and return are governed by the Agreement, Service Documentation, Privacy Policy, and, for Organization Customer processor data, the Data Processing Addendum.

20.6 Survival

Sections that by their nature should survive survive termination, including payment obligations, confidentiality, intellectual property, disclaimers, indemnities, limitation of liability, dispute resolution, and miscellaneous provisions.


21. Governing law and dispute resolution

21.1 Governing law

The Agreement is governed by the laws of the State of Delaware and applicable U.S. federal law, without regard to conflicts-of-law rules, except that California consumer-protection rules or other mandatory local laws apply where they cannot be waived.

21.2 Informal resolution

Before filing a claim, the parties will attempt in good faith to resolve the dispute by written notice and discussion for at least 30 days, unless urgent equitable relief is needed.

21.3 Arbitration and class waiver

Except for small-claims matters, claims for equitable relief, or claims that cannot be arbitrated by law, disputes arising out of or relating to the Agreement will be resolved by binding individual arbitration administered by JAMS under its Comprehensive Arbitration Rules and Procedures (or, where applicable, its Streamlined Arbitration Rules and Procedures), including the JAMS Consumer Arbitration Minimum Standards where they apply. The seat and venue will be San Francisco County, California, unless mandatory law requires otherwise.

Claims must be brought only on an individual basis and not as a class, collective, consolidated, private attorney general, or representative action, except where this waiver is prohibited by law.

21.4 Equitable relief

A breach of confidentiality, intellectual-property, security, access-control, acceptable-use, or reverse-engineering obligations may cause irreparable harm. Either party may seek injunctive or equitable relief in any court of competent jurisdiction.

21.5 EU, UK, and other mandatory rights

Nothing in this Section limits mandatory rights of individuals or consumers under applicable local law.


22. Changes to these Terms

Point may update these Terms from time to time. Updated Terms become effective when posted or otherwise communicated, unless a later effective date is stated. If required by law or if changes are material, Point will provide additional notice. Continued use of the Services after the effective date constitutes acceptance of the updated Terms.

For paid Organization Customer subscriptions, material changes to legal terms will not apply to the then-current Subscription Period if Customer objects in writing within 30 days after notice, except where changes are required by law, security, third-party provider requirements, or new features.


23. Notices

Point may provide notices by email, in-product notice, posting, account dashboard, or other reasonable means. Customer may provide legal notices to Point at legal@getpoint.ai.

Customer must keep contact information current.


24. Miscellaneous

24.1 Assignment

Neither party may assign the Agreement without the other’s consent, except to an Affiliate or successor in connection with a merger, reorganization, sale of substantially all assets, or change of control. Any prohibited assignment is void.

24.2 Subcontractors

Point may use Affiliates, subcontractors, infrastructure providers, AI providers, support providers, security providers, payment processors, and other service providers to provide the Services. Point remains responsible for its subcontractors as required by the Agreement.

24.3 Force majeure

Neither party is liable for delay or failure caused by events beyond its reasonable control, including natural disasters, war, terrorism, labor disputes, internet or utility failures, third-party provider failures, government action, or denial-of-service attacks.

24.4 Severability

If any provision is unenforceable, the remaining provisions remain in effect, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable.

24.5 Waiver

Failure to enforce a provision is not a waiver.

24.6 Entire agreement

The Agreement is the entire agreement between Point and Customer regarding the Services and supersedes prior discussions or agreements on that subject.


Schedule 1 — Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Agreement where Point processes Customer Personal Data on behalf of an Organization Customer.

For Individual Customers, Point generally processes personal information as a controller as described in the Privacy Policy. This DPA does not apply unless Point expressly agrees otherwise.

1. Definitions

Capitalized terms not defined in this DPA have the meaning given in the Agreement.

Applicable Data Protection Law” means laws applicable to the Processing of Customer Personal Data under the Agreement, including the GDPR, UK GDPR, Swiss data protection law, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), and other U.S. state privacy laws, to the extent applicable.

Connected Service Provider” means a third-party email, calendar, identity, messaging, storage, app-store, or similar provider that Customer or a User authorizes Point to access, read from, write to, subscribe to, or otherwise interact with through a Connected Account or integration.

Customer Personal Data” means Personal Data processed by Point on behalf of Customer under the Agreement.

GDPR” means Regulation (EU) 2016/679.

Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Point under this DPA.

Subprocessor” means a third party engaged by Point to process Customer Personal Data on Point’s behalf in connection with the Services.

2. Roles and scope

2.1 Roles

As between Customer and Point, Customer is the Controller or Processor, as applicable, and Point is the Processor or Subprocessor, respectively, for Customer Personal Data.

If Customer is a Processor, Customer represents that it is authorized by the relevant Controller to appoint Point, authorize Point’s Subprocessors, and provide the instructions contemplated by the Agreement.

2.2 Controller processing by Point

This DPA does not apply to Point’s processing of personal information as an independent controller, including for account administration, contracting, billing, security, fraud prevention, legal compliance, business-contact management, website analytics, sales, marketing, or Individual Customer Services. That processing is governed by Point’s Privacy Policy.

2.3 Customer instructions

Point will process Customer Personal Data only on Customer’s documented instructions, including to provide, operate, secure, support, troubleshoot, maintain, improve, and enforce the Services and the Agreement, and as otherwise described in Annex A.

Point may also process Customer Personal Data where required by law. If legally permitted, Point will inform Customer before such processing.

2.4 Infringing instructions

If Point believes an instruction infringes Applicable Data Protection Law, Point will inform Customer unless prohibited by law.

3. Customer responsibilities

Customer is responsible for:

  1. lawfulness of processing, including lawful bases, notices, consents, permissions, and data-subject rights;
  2. ensuring Customer instructions comply with Applicable Data Protection Law;
  3. determining whether the Services are suitable for Customer’s data categories and purposes;
  4. the content Customer submits to, syncs with, or makes accessible through the Services;
  5. configuring accounts, roles, permissions, Connected Accounts, and automation settings securely; and
  6. ensuring that special categories of Personal Data, sensitive Personal Information, regulated data, or restricted data are not provided except as permitted by the Agreement, any applicable regulated-data addendum, and applicable law.

4. Confidentiality

Point will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.

5. Security

Point will implement appropriate technical and organizational measures taking into account the risks of Processing, including measures described in Annex B.

Customer is responsible for secure use and configuration of the Services where Customer controls such configuration or use.

6. Subprocessing

6.1 General authorization

Customer authorizes Point to engage Subprocessors as necessary to provide the Services, including Affiliates, cloud infrastructure providers, hosting providers, AI and LLM providers, security providers, logging and monitoring providers, support providers, communications providers, payment providers, and other operational providers.

Point’s current initial Subprocessor List is included in Annex D. Not every listed Subprocessor is used for every Customer. Use depends on the ordered Services, plan, region, model routing, integrations, support interactions, and technical configuration.

6.2 Flow-down obligations

Point will impose data protection obligations on each Subprocessor that are substantially similar to those in this DPA for the relevant Processing.

6.3 Subprocessor list

Point will make available a current list of Subprocessors used in connection with the Services. The list may be maintained in Annex D, a separate subprocessor schedule, website, portal, trust center, or other written or electronic form made available by Point. Point may update the list from time to time, and no amendment to this DPA is required solely to reflect an updated list.

6.4 Subprocessor changes

Point may add, remove, replace, or reorganize Subprocessors from time to time. Where required by Applicable Data Protection Law, Point will provide notice and an opportunity to object on reasonable data-protection grounds.

If Customer objects, Point will use commercially reasonable efforts to resolve the objection. If Point cannot reasonably resolve the objection, Customer may terminate the affected Services and receive a pro-rata refund of prepaid unused fees for those Services.

6.5 Responsibility

As between Point and Customer, Point remains responsible for Subprocessors’ performance to the extent required by Applicable Data Protection Law.

6.6 Connected Service Providers and customer-authorized recipients

Customer and Users may authorize Point to interact with Connected Service Providers, including Google and Microsoft services, to read email or calendar content, write or send content, manage user identity information, subscribe to events, receive change notifications, and perform similar integration functions.

Connected Service Providers are not Point Subprocessors solely because Customer or a User connects an account or instructs Point to read from, write to, or subscribe to that provider’s service. In those cases, the provider generally processes the relevant data under Customer’s or the User’s separate account relationship, product terms, privacy notices, and admin or OAuth settings. For transparency, Point identifies current Connected Service Providers in Annex E.

To the extent Point uses a provider such as Google or Microsoft as Point-controlled infrastructure, AI, hosting, identity, support, or other operational service provider, that provider will be treated as a Subprocessor for that Processing and listed in Annex D or Point’s then-current Subprocessor List.

6.7 Connected-account policy commitments

Point will use connected-account data obtained through provider APIs only for disclosed user-facing Services, security, support, troubleshooting, maintenance, and compliance purposes. Point will not sell connected-account data or use connected-account data for advertising, retargeting, cross-context behavioral advertising, Google adtech audience creation, Customer Match, Enhanced Conversions, or Google adtech conversion measurement.

6.8 Advertising and marketing providers outside this DPA

Point may use advertising, analytics, measurement, attribution, and retargeting providers, including Google advertising and measurement services, for Point websites, marketing pages, public pages, campaigns, and other Point-controlled marketing activities in Point’s controller/business capacity. Those providers are not Subprocessors for Customer Personal Data solely because Point uses them for Point’s own marketing, analytics, or advertising.

Point will not disclose Customer Content, connected-account content, Google API data, Microsoft API data, prompts, AI Output, search indexes, embeddings, summaries, points, OAuth tokens, or Regulated Data to advertising or retargeting providers for cross-context behavioral advertising, targeted advertising, retargeting, Customer Match, enhanced conversions, audience building, or similar advertising purposes.

If Point uses an advertising, analytics, or marketing provider to process Customer Personal Data on Customer’s behalf as part of the ordered Services, Point will treat that provider as a Subprocessor for that Processing and list it in Annex D or Point’s then-current Subprocessor List.

7. AI and LLM Subprocessors

7.1 No-training configuration

Where the Services use third-party large language models or AI services, Point will use configurations intended to prevent Customer Personal Data from being used to train or improve generalized third-party models, consistent with applicable provider controls and terms.

7.2 Operational processing

Customer acknowledges that AI providers and other Subprocessors may process prompts, requests, outputs, metadata, logs, and telemetry for safety, abuse prevention, fraud prevention, security, operational reliability, and legal compliance, subject to applicable provider terms and controls.

7.3 Provider and model changes

Point may change AI providers, models, model routing, and technical components, provided Point continues to meet its obligations under this DPA.

8. Data location and international transfers

8.1 Data location

Point may process Customer Personal Data in the United States and other locations where Point and its Subprocessors operate, unless the applicable Order expressly states region-specific storage commitments.

8.2 Region selections

If the Order provides a data-region selection, Point will store Customer Personal Data at rest in the selected region, except for transient routing, backups, support access, logs, legal compliance, or other exceptions stated in the Order or Service Documentation.

8.3 International transfer safeguards

Where Point transfers Customer Personal Data from the EEA, UK, or Switzerland to a country not subject to an adequacy decision, Point will implement appropriate safeguards, such as standard contractual clauses, the UK Addendum, the UK International Data Transfer Agreement, Swiss transfer safeguards, or another valid transfer mechanism.

Customer authorizes Point to implement such transfer mechanisms on Customer’s behalf or for Customer’s benefit, including with Subprocessors.

9. Assistance

Taking into account the nature of Processing and information available to Point, Point will provide reasonable assistance to Customer for:

  1. data subject requests;
  2. Security Incident response and notifications;
  3. data protection impact assessments and prior consultations; and
  4. information reasonably necessary to demonstrate compliance with this DPA.

Assistance beyond standard support may be chargeable at Point’s then-current professional-services rates or as stated in an Order.

10. Security Incident notice

Point will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data and will provide reasonably available information needed for Customer’s notification and response obligations.

Point’s notice of a Security Incident is not an admission of fault or liability.

11. Audits and information

At Customer’s reasonable request, Point will make available information reasonably necessary to demonstrate compliance with this DPA. Point may satisfy this obligation by providing security documentation, summaries, third-party audit reports, certifications, questionnaires, or other materials.

Any audit must be reasonable in scope, occur on reasonable notice during normal business hours, avoid disruption, and be subject to confidentiality and security requirements. If the provided materials are insufficient to address a material compliance concern, Customer may request additional information.

12. Return and deletion

Upon termination or expiry of the Services, Point will delete or return Customer Personal Data within 60 days at Customer’s choice if supported by the Services and specified in the Agreement; otherwise Point may delete it.

Backups may be retained until overwritten in accordance with Point’s normal backup cycles, subject to appropriate security and access restrictions. Point may retain data where required by law, for dispute resolution, security, fraud prevention, accounting, legal compliance, or as otherwise permitted by Applicable Data Protection Law.

13. CCPA and U.S. state privacy terms

Where Point processes Personal Information on behalf of Customer as a Service Provider, Contractor, Processor, or similar role under U.S. state privacy laws:

  1. Point will not sell or share Customer Personal Data;
  2. Point will not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by Applicable Data Protection Law;
  3. Point will not combine Customer Personal Data with personal information received from other sources except as permitted by Applicable Data Protection Law;
  4. Point will process Customer Personal Data only for the business purposes described in the Agreement;
  5. Point will provide the same level of privacy protection required by applicable law;
  6. Customer may take reasonable and appropriate steps to help ensure Point uses Customer Personal Data consistently with Customer’s obligations; and
  7. Point will notify Customer if Point determines it can no longer meet applicable obligations.

14. EU AI Act support

To the extent the EU AI Act or similar law imposes obligations on Customer in relation to use of the Services, Point will provide information about the Services that Point reasonably controls and that is necessary to support Customer’s compliance, upon request and subject to the Agreement, including any applicable fees for additional assistance.

Customer remains responsible for decisions and actions taken based on AI Output and for determining its role and obligations under applicable AI laws.

15. Order of precedence

If this DPA conflicts with the Agreement regarding Processing of Customer Personal Data, this DPA prevails.


Annex A — Processing details

Subject matter: Provision of the Services and Professional Services.

Duration: The term of the Agreement plus the deletion or return period in this DPA.

Nature and purpose of Processing: Hosting, ingesting, syncing, storing, retrieving, indexing, searching, summarizing, classifying, prioritizing, triaging, labeling, detecting tasks, generating drafts, scheduling, notifying, automating, transmitting, securing, supporting, troubleshooting, analyzing, and otherwise processing Customer Personal Data as necessary to provide the Services.

Categories of data subjects: Users; Customer personnel; Customer clients, customers, suppliers, contacts, counterparties, and business partners; email senders and recipients; calendar participants; message participants; individuals referenced in Customer Content; and other individuals whose data Customer submits to or makes accessible through the Services.

Categories of Personal Data: Names, email addresses, phone numbers, titles, employers, identities, contact records, email and message content, headers, metadata, calendar events, invitations, availability information, contacts, files, attachments, tasks, notes, labels, circles, summaries, points, search indexes, embeddings, prompts, AI outputs, drafts, notification logs, activity logs, audit logs, connected-account identifiers, provider account IDs, OAuth scopes, usage data, device data, support materials, and security logs.

Special categories / sensitive information: None intentionally required by Point by default. Customer Content may contain special categories of Personal Data, sensitive Personal Information, confidential client data, financial data, tax data, health references, or other sensitive content if Customer or Users provide it. Customer is responsible for determining whether such use is lawful and appropriate.

Processing frequency: Continuous or as triggered by Customer, Users, Connected Account sync, scheduled jobs, automation settings, or support requests.

Subprocessor categories: Cloud hosting and storage; AI, LLM, and embedding providers; security, logging, monitoring, and analytics providers; support and communications providers; payment processors if used; professional advisers; and other operational service providers. Customer-authorized Connected Service Providers are identified separately in Annex E and are not Subprocessors solely because Customer or a User connects an account.


Annex B — Security measures

Point maintains measures appropriate to the Services and risk, which may include:

  1. access controls, least privilege, and multi-factor authentication where available;
  2. encryption in transit and encryption at rest where supported;
  3. credential and token storage controls;
  4. logging, monitoring, and audit trails;
  5. prompt-injection screening, quarantine, and flagged-content workflows;
  6. network and application security controls;
  7. vulnerability and patch management;
  8. secure development practices and code review;
  9. incident-response procedures;
  10. backup and restore processes;
  11. availability and resilience controls;
  12. personnel confidentiality obligations;
  13. vendor and Subprocessor management; and
  14. data deletion and retention controls.

Security measures may evolve over time, provided Point maintains a level of security appropriate to the risk.


Annex C — Optional region selections

If an Order includes region selections, the allowed storage region(s) are:

If no region is selected, Point may process and store Customer Personal Data in the United States and other locations where Point or its Subprocessors operate, subject to the Agreement and applicable law.


Annex D — Initial Subprocessor List

This initial list identifies providers Point is authorized to use as Subprocessors to the extent relevant to the Services. Point may maintain the operational Subprocessor List outside this document, and the operational list controls if it is more current.

ProviderRole / purposeCategories of Customer Personal Data processedExpected processing location(s)Notes
Amazon Web Services, Inc.Cloud infrastructure, hosting, storage, databases, networking, logs, backups, security, and operational services.Customer Content, account data, metadata, service logs, files, indexes, embeddings, summaries, points, prompts, outputs, and related service data.United States by default; other regions if selected or enabled.Listed as a Subprocessor where Point uses AWS infrastructure for the Services.
Anthropic, PBC, or the applicable Anthropic contracting entityAI and LLM processing for summarization, classification, drafting, task extraction, scheduling, search assistance, and other user-facing AI features.Prompts, connected-account excerpts, Customer Content excerpts, AI Output, metadata, and operational telemetry needed to provide AI functionality.As made available by provider and selected configuration.Use must be in no-training configuration where provider controls allow.
OpenAI OpCo, LLC / OpenAI Ireland Ltd., as applicableAI and LLM processing for summarization, classification, drafting, task extraction, scheduling, search assistance, real-time voice interaction, and other user-facing AI features.Prompts, connected-account excerpts, Customer Content excerpts, voice audio and voice transcripts when voice mode is used, AI Output, metadata, and operational telemetry needed to provide AI functionality.As made available by provider and selected configuration.Use must be in no-training configuration where provider controls allow.
Google LLC / Google Cloud, as applicableText-embedding generation through the Google Generative AI API (model gemini-embedding-2) for semantic search and related AI features.Text excerpts of Customer Content and connected-account content submitted for embedding, resulting embeddings, metadata, and operational telemetry needed for the embedding service.As made available by provider and selected configuration.Listed as a Subprocessor where Point uses the Google Generative AI API for embeddings or other Point-controlled service processing. Google as a Connected Service Provider is listed separately in Annex E. Google as an adtech / marketing vendor is disclosed in the Privacy Policy and operational transparency list and is not a Subprocessor for Customer Personal Data solely by virtue of Point marketing use.
Google LLC (Firebase Cloud Messaging)Mobile push-notification delivery.Device push tokens and notification payload fragments, which may include message-derived snippets.United States / global.Separate from Google’s Connected Service Provider role (Annex E) and embedding role above.
Plus Five Five, Inc. (d/b/a Resend)Transactional email delivery, including verification, notification, and waitlist emails.Recipient names and email addresses, and the content of transactional messages.United States.Listed as a Subprocessor where Point sends transactional email through Resend.
Stripe, Inc.Payment processing and subscription billing.Billing name and email address, payment method details (card data is handled by Stripe directly), and subscription records.United States / global.Point does not store full payment card numbers; Stripe processes card data directly.
Cloudflare, Inc.Marketing-website hosting, content delivery network, and edge network services.Website visitor IP addresses and request metadata.Global network.Serves Point’s public marketing website and related edge traffic.

Advertising, retargeting, attribution, and marketing vendors used only for Point’s controller-side public websites and campaigns, including Google advertising and measurement products if enabled, are disclosed in the Privacy Policy and operational transparency list rather than in this DPA Annex unless they process Customer Personal Data on Point’s behalf for the Services. Point may update this list from time to time as described in Section 6 of this DPA.


Annex E — Connected Service Providers and authorized integration recipients

This Annex identifies providers that may receive or provide Customer Personal Data when Customer or a User connects an account or instructs Point to interact with a third-party service. These providers are disclosed for transparency. They are not Point Subprocessors solely because Customer or a User authorizes the integration.

ProviderIntegration functionData involvedSubprocessor status
Google LLC, including Gmail, Google Calendar, Google Sign-In, Google OAuth, Google Workspace APIs, and related Google servicesReading and syncing email and calendar data; sending or writing content at User direction; reading identity/profile information; managing OAuth authorization; receiving or sending event, push, webhook, or subscription information.Emails, headers, recipients, attachments, labels/folders, calendar events, availability, participants, user identity/profile information, OAuth scopes, provider identifiers, sync state, and event subscription data.Customer-authorized Connected Service Provider / recipient. Not a Subprocessor solely for Connected Account functions. Google is a Subprocessor only where Point uses Google as Point-controlled AI, cloud, infrastructure, or operational provider. Google adtech / marketing use is disclosed separately in the Privacy Policy and operational transparency list.
Microsoft Corporation, including Microsoft 365, Outlook, Exchange Online, Microsoft Graph, Microsoft Entra ID, Microsoft OAuth, Outlook Calendar, and related Microsoft servicesReading and syncing email and calendar data; sending or writing content at User direction; reading identity/profile information; managing OAuth authorization; receiving or sending webhook, change-notification, or subscription information.Emails, headers, recipients, attachments, folders, calendar events, availability, participants, user identity/profile information, OAuth scopes, provider identifiers, sync state, and event subscription data.Customer-authorized Connected Service Provider / recipient. Not a Subprocessor solely for Connected Account functions. Microsoft is a Subprocessor only where Point uses Microsoft as Point-controlled cloud, AI, identity, support, infrastructure, or operational provider.

Customer is responsible for ensuring that Customer and Users have appropriate rights, notices, consents, permissions, licenses, admin approvals, and lawful bases for Point to access and act on data in Connected Service Providers.


Annex F — Optional regulated-data addenda

The following regulated-data documents may be offered separately if Point chooses to support the relevant use case. They are not included by default and do not apply unless separately executed or expressly accepted by Point.

DocumentWhen neededInclusion mechanism
HIPAA Business Associate AgreementRequired before Point creates, receives, maintains, or transmits protected health information on behalf of a HIPAA covered entity or business associate.Separate BAA identifying covered Services, workspace, permitted PHI uses/disclosures, safeguards, breach notice terms, subcontractor terms, return/deletion, and any additional fees or technical restrictions.
Tax-return-data / IRC 7216 addendumIf Point agrees to process U.S. tax-return information for a tax preparer or similar regulated use case requiring specific consents or confidentiality terms.Separate addendum identifying permitted tax-return-data uses, consent handling, disclosure restrictions, and Customer obligations.
Financial-services / GLBA addendumIf Point agrees to support financial-institution use cases requiring additional safeguards, audit, vendor-management, or confidentiality terms.Separate addendum or Order terms identifying covered data, controls, audit materials, and Customer obligations.
PCI / payment-card addendumIf Point agrees to process payment card data outside an approved third-party payment processor.Separate PCI-scoped agreement; not included by default.
Government, education, biometric, children’s, or other regulated-data addendumIf Point expressly offers support for the relevant data category or legal regime.Separate addendum identifying the applicable law, covered Services, covered data, and technical or operational restrictions.