Last updated: February 3rd, 2026

This Privacy Policy explains how Anatypical, Inc. (“Scheme,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal information when you visit schemebig.com (the “Site”) and when you use our software-as-a-service platform and related services (together, the “Services”).

By using the Site or Services, you agree to this Policy. If you do not agree, please do not use the Site or Services.

1) Who we are & scope

Controller: Anatypical, Inc., a Delaware corporation.

Applies to: Site visitors, beta testers, trial users, customers, and authorized users of customer accounts.

Not covered: Third-party sites or services you connect to the Services (e.g., Stripe, Microsoft Outlook, Slack, Google Drive). Those parties’ privacy policies govern their handling of your data.

Contact (privacy): privacy@schemebig.com

Mailing address: Anatypical, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA

2) What we collect

We collect personal information in three main ways: (A) you provide it, (B) it’s collected automatically, or (C) we receive it from third parties you connect.

A. Information you provide

Account & profile: Name, email, password (hashed), role, organization.

Business, Billing & Credits: Company name, tax info, billing contact, and payment metadata. Card data is processed by Stripe—we do not store full card numbers.

Credit System: We collect and maintain records of your Credit Balance (purchased or awarded) and your Credit Consumption History (credits deducted for AI generation, storage, or premium feature usage).

Marketplace Payouts: If you sell via the Scheme Marketplace, we collect payout details required by our payment processor.

Content you upload or connect (“Customer Content”):

Spatial Data: Mind-map structures, nodes, logic flows, and knowledge graphs generated within the platform.

Active Node & External Platform Data: When you authorize integrations (e.g., Outlook, Teams, Slack, Discord), we import specific data points to power Active Nodes:

Email Content: Message bodies (text/HTML), headers (sender, recipient, subject, timestamp), and attachments for summarization and context.

Calendar Data: Event titles, descriptions, start/end times, attendee lists, and location data/links for schedule tracking.

Messaging History: Channel names, thread IDs, message content, sender display names, and timestamps from connected communication platforms.

Communications: Support requests, survey responses, feedback, and beta interviews.

B. Information collected automatically

Usage & telemetry: Device/browser info, IP address, timestamps, pages viewed, product events, performance logs, crash reports.

Real-Time Collaboration Data: To enable multi-player features, we temporarily process "presence data" (who is online), cursor positions, active selections, and live keystrokes. This data is broadcast to other users in the same workspace session to facilitate real-time co-authoring.

Cookies & similar tech: Used for sign-in, preferences, analytics, and (if enabled) marketing attribution. Used to verify sign-in status and subscription authentication for the Chrome Extension. Sign-in authentication for external platform connections. See Cookies (Section 9).

C. Information from third parties (you connect)

Integrations you authorize: We connect with third-party services you authorize, including but not limited to Microsoft Outlook, Microsoft Teams, Discord, Slack, Google Drive, ChatGPT, and Perplexity. We receive only the scopes you grant. You can disconnect integrations at any time within the product.

3) How we use information

Provide & operate the Services: Authenticate users, ingest and transform Customer Content, generate reports, and maintain your workspaces.

Manage Credits & Billing: Calculate credit consumption in real-time based on your usage of AI features, storage, or other metered services; update your account balance; and generate billing history.

Power Active Nodes & GraphRAG: We process your imported external data (emails, calendars, messages) to execute specific "Active Node" functions (e.g., summarizing emails, tracking calendar events) and to generate dynamic knowledge graphs (GraphRAG) personalized to your workspace.

Facilitate the Marketplace: If you choose to sell or share your spaces, we use your information to list your projects and facilitate transactions/access for other users.

Improve & secure: Monitor performance, debug issues, prevent fraud/abuse, develop new features, and conduct analytics (aggregated/de-identified where possible).

Communicate: Send service, security, and transactional emails (including credit balance alerts); with your consent or as permitted by law, send product and marketing updates.

Compliance: Meet legal, regulatory, tax, and audit obligations; enforce Terms of Use; handle disputes.

AI functionality: We use your Customer Content to generate outputs for you and your workspace. Unless you explicitly opt in, we do not use Customer Content to train foundation models shared across customers.

4) Legal bases (EEA/UK only)

Where GDPR/UK GDPR applies, our legal bases include contract (to provide the Services), legitimate interests (product improvement, security, fraud prevention), consent (marketing/cookies), and legal obligation.

5) How we share information

We do not sell personal information. We may share as follows:

Service providers / subprocessors: Hosting, storage, analytics, email, error tracking, support tools, and payments (e.g., Stripe). These providers process data under contract and only on our instructions. We maintain a current subprocessor list:

Stripe

AWS

MongoDB

Neo4j

Redis

Real-Time Collaboration & Other Users:

Live Collaboration: When you are active in a shared workspace, other users currently in that workspace can see your presence (avatar/name), cursor location, and live edits.

Shared Content: If you invite others to your workspace, they can see the content you share.

Marketplace: If you publish a space or project to the Scheme Marketplace, the content within that space is shared with purchasers or public viewers according to your listing settings.

Business transfers: In a merger, financing, acquisition, or sale, data may transfer as part of the transaction.

Legal, safety, and rights: To comply with law, lawful requests, or to protect you, us, and others.

With your direction: When you connect integrations or share reports/links, we disclose according to your settings.

6) Data retention & deletion

Account information: Retained for the life of the account and a reasonable period thereafter (e.g., up to 24 months) for records, audits, and dispute resolution.

Customer Content: Retained until you delete it, your admin deletes it, or the account terminates.

Credit History: Transaction records regarding credit purchases and consumption are retained for tax and accounting purposes for at least 7 years.

Logs/telemetry: Typically kept 12–18 months; backups 30–90 days.

You can export/delete data from within the product where available or by contacting us at privacy@schemebig.com. We may retain limited data as required by law or for legitimate business purposes.

7) Security

We use reasonable administrative, technical, and physical safeguards, including encryption in transit and at rest, access controls (least-privilege), audit logging, and vulnerability management. No system is 100% secure; please use strong passwords and protect your credentials. We will notify you of breaches as required by law and applicable contracts.

8) Your rights & choices

A. Global

Access, update, delete: Manage your profile; request access or deletion via dawson@anatypical.com.

Marketing opt-out: Use unsubscribe links or contact us.

Integration control: Connect/disconnect third-party integrations (e.g., Outlook, Slack) at any time via your workspace settings.

B. U.S. state privacy rights (e.g., CA, CO, CT, VA, UT)

Depending on your state, you may have the right to know/access, delete, correct, port, and opt-out of certain processing (e.g., targeted advertising or “sale/share” of personal information). Submit requests to privacy@anatypical.com. We will verify your request and respond within the required timeframe. Global Privacy Control (GPC) signals are honored where legally required.

C. EEA/UK

You may have rights to access, correct, delete, restrict, or object to processing, and to data portability. You may also complain to your local supervisory authority. Where we rely on consent, you may withdraw it at any time.

9) Cookies & tracking

We use:

Strictly necessary cookies for login and core functionality.

Analytics cookies to understand product usage and improve performance.

(Optional) Marketing/attribution cookies if we run campaigns.

Controls: You can manage cookies in your browser and, where required (e.g., EEA/UK), via our Cookie Banner & Preferences tool. For U.S. state laws, if we “sell” or “share” personal information for cross-context behavioral advertising, you can opt out via the “Do Not Sell or Share My Personal Information” link and GPC signals.

10) Children’s privacy

The Services are not directed to children under 13 (or under 16 where applicable). We do not knowingly collect personal information from children. If you believe a child has provided data, contact us and we will take appropriate steps to delete it.

11) International transfers

If we transfer personal information outside your region, we rely on lawful mechanisms (e.g., Standard Contractual Clauses and, if applicable, the UK IDTA/Addendum). You may request a copy of relevant safeguards at privacy@schemebig.com.

12) AI, output ownership & human review

Model use: Customer prompts and outputs are processed to deliver features. By default, Customer Content is not used to train foundation models shared across customers unless you opt in.

GraphRAG & Active Nodes: We automatically process your connected data (emails, calendars, files) to build your personal knowledge graph and execute node actions. This processing is strictly limited to your workspace context.

Credit Usage: Certain AI features consume credits. We track prompt tokens, output tokens, and model complexity to calculate this usage.

Human review: We may review limited samples (e.g., for abuse, debugging, or support) under strict access controls and confidentiality.

Outputs: Subject to our Terms of Use and applicable law, you are responsible for reviewing AI-generated outputs for accuracy and suitability before relying on them.

13) Third-party services & links

When you connect a third-party service (e.g., Microsoft Outlook, Teams, Discord, Slack, ChatGPT, Perplexity), their terms and privacy policies apply to their handling of your data. We request only the permissions needed and provide ways to disconnect.

14) California “Notice at Collection” (summary)

We collect the following categories of personal information for the purposes described in Sections 3 and 5:

Category (examples)

Sources

Business/Commercial purposes

Retention (typical)

Identifiers (name, email, IP)

You; automatic; integrations you connect

Provide Services; security; communications; marketing (with consent/legitimate basis)

Life of account + up to 24 months

Commercial info (billing, credit balance, subscription)

You; Stripe

Billing, fraud prevention, support, credit management

As required by tax/finance laws

Internet/telemetry (logs, device, usage, cursor/presence)

Automatic

Security, analytics, improvement, real-time collaboration

12–18 months (logs); 30–90 days (backups)

Customer Content (files, email bodies, calendar details, messages)

You; integrations

Core AI, Active Node functionality, reporting

Until deletion/account closure

Inferences (product preferences, GraphRAG relationships)

Derived from use

Personalize and improve Services

While relevant; then de-identified/aggregated

Sensitive data: We do not intentionally collect sensitive data unless you choose to upload it. Do not upload sensitive data unless necessary and permitted by law/contract.

Selling/Sharing: We do not sell personal information as commonly defined. If we engage in activities considered “sharing” for cross-context behavioral advertising, you can opt out via our Do Not Sell/Share link and GPC signals.

Financial incentives: None at this time.

15) Data Processing Addendum (DPA)

For business customers, our DPA (including SCCs/UK addenda and U.S. state requirements) is available upon request or via our customer agreement workflow. We also publish a subprocessor list and provide change notifications.

16) Changes to this Policy

We may update this Policy from time to time. Material changes will be notified via email and/or in-app notice. Continued use of the Services after the effective date constitutes acceptance.

17) How to contact us

Email: privacy@schemebig.com

Mail: Anatypical, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713 US, USA