ABRAM

Privacy Policy

Effective Date: June 15, 2026 | Last Updated: June 8, 2026 Thomas Abram, Inc. | privacy@abram.network

1. Overview

Thomas Abram, Inc. ("ABRAM," "we," "us," or "our") operates the ABRAM creative intelligence platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Platform.

We comply with applicable privacy laws, including the GDPR (EU/EEA), UK GDPR, CCPA (California), and applicable US state privacy laws.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, role (Client/Contractor), profile photo.
  • Professional profile: Skills, experience, portfolio links, availability, hourly rates, location.
  • Resume & documents: Uploaded resume files (parsed by AI), certifications, portfolio materials.
  • Project information: Project briefs, deliverables, work orders, call sheets, run-of-shows.
  • Financial information: Bank account details (via Stripe), billing information, invoices, transaction records.
  • Communications: Messages, invitations, and notifications sent through the Platform.

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used, time spent, click patterns.
  • Device & technical data: IP address, browser type, operating system, device identifiers.
  • Calendar data: Events and availability from connected calendars (Google/Microsoft).
  • Log data: Error logs and API call logs processed via Sentry for error monitoring.

2.3 Log Data and Diagnostics (Crash Reports)

When you encounter an error or crash while using the Platform, we automatically collect diagnostic information ("Crash Reports"). This includes your web browser type, operating system, preferred language, screen dimensions, the exact page URL you were visiting, the error message, and a technical stack trace. If you are logged into your account, this diagnostic data may be associated with your User ID to help our team debug and resolve the issue.

Crash Report data may also include React component tree information captured at the time of the error, which could in limited circumstances contain data you had entered immediately before the crash. We process this data solely to identify, diagnose, and resolve technical issues. This data is processed under Legitimate Interest (GDPR Article 6(1)(f)) as described in Section 3.

2.4 Information From Third Parties

  • WorkOS: Authentication identity, organization membership, SSO session data.
  • Stripe: Payment confirmation, payout status, account verification status.
  • Frame.io: Project and media asset metadata when Frame.io is connected.
  • Slack: Workspace identity when Slack notifications are enabled.

3. How We Use Your Information

We use your information for the following purposes. Where ABRAM relies on legitimate interest as a legal basis, we have conducted and documented a Legitimate Interest Assessment (LIA) confirming our interests are not overridden by your rights. You may request a copy by contacting privacy@abram.network.

| Purpose | Legal Basis (GDPR) | |---|---| | Operate and provide the Platform | Contractual necessity | | Process payments and payouts | Contractual necessity | | Send transactional emails and notifications | Contractual necessity | | AI-powered matching and recommendations | Contractual necessity / Legitimate interest | | Train and improve AI models | Separate opt-in consent (NOT bundled with Terms) | | Calendar sync and scheduling features | Consent (at integration connection) | | Third-party integrations (Frame.io, Slack) | Consent (at integration connection) | | Monitor for fraud and security threats | Legitimate interest (LIA on file) | | Diagnostics, crash reports, error monitoring | Legitimate interest — Art. 6(1)(f) GDPR (LIA on file) | | Analytics and Platform improvement | Legitimate interest (LIA on file) | | Comply with legal obligations | Legal obligation |

4. AI & Automated Processing

ABRAM uses artificial intelligence and automated processing as core functions of the Platform.

4.1 What We Process With AI

Your data may be processed by AI systems to: parse your resume to extract skills and attributes; analyze project briefs; match you to projects or contractors; generate call sheets, run-of-shows, and project summaries; power the ABRAM AI Assistant; and index documents into your organization's knowledge base.

4.2 Company Brain (Private Organizational Knowledge)

Your organization's Company Brain is a private, organization-specific knowledge base. Data uploaded to the Company Brain:

  • is not shared with other users or organizations;
  • is never used to train ABRAM's shared AI models regardless of your AI training consent setting; and
  • is stored and processed solely to power AI features within your organization's account.

4.3 Automated Decision-Making & Your Rights (GDPR Article 22)

While ABRAM's matching and recommendation features involve automated processing, final hiring and engagement decisions are made by human users. If you believe an automated process has significantly and adversely affected you, you may contact legal@abram.network to request human review of the relevant automated output. We will respond to human review requests within 30 days.

5. Third-Party Integrations & Data Sharing

5.1 Service Providers and Sub-processors

We share your data with the following categories of third parties. ABRAM has executed Data Processing Agreements (DPAs) with each of the below service providers in accordance with GDPR Article 28.

| Provider | What We Share | Why | |---|---|---| | Stripe | Payment info, transaction data, payout details | Payment processing & payouts | | WorkOS | User identity, organization data | Authentication & SSO | | Sentry (Functional Software, Inc.) | Error logs, stack traces, browser/device info, User ID (where logged in) | Error monitoring and crash diagnostics | | Frame.io | Project IDs, media file references | Video review collaboration | | Slack | Name, notification content | In-app Slack messaging | | Google/Microsoft | Calendar events, availability | Calendar sync | | Resend | Email address, email content | Transactional email delivery | | Anthropic, PBC | User inputs and context passed through AI features | AI inference for Platform features |

Sentry's privacy policy is available at sentry.io/privacy. Anthropic's privacy policy is available at anthropic.com/privacy. Stripe's privacy policy is available at stripe.com/privacy.

5.2 Between Users

Certain profile information (name, skills, availability, profile photo, professional experience) is visible to other users for the purpose of crew matching and collaboration.

5.3 Legal Compliance

We may disclose your information if required by law, court order, or to protect the rights and safety of ABRAM, our users, or the public.

5.4 Business Transfers

If ABRAM is acquired by or merged with another company, your data may be transferred as part of that transaction. We will notify you prior to its completion.

6. Cookies & Tracking

We use a Consent Management Platform (CMP) to manage cookie preferences. Cookies are categorized as:

  • Strictly Necessary Cookies: Required for the Platform to function (authentication, session management, security). Cannot be disabled without preventing core functionality.
  • Analytics & Performance Cookies: Used to understand Platform usage. Require opt-in consent.
  • Third-Party / Integration Cookies: Set by integrated tools such as Sentry. Require opt-in consent.

We do not use advertising cookies or behavioral tracking cookies for marketing purposes.

Upon your first visit, a cookie consent banner will be displayed. You may Accept All, Reject All, or manage preferences by category. Accept and Reject options are presented with equal visual prominence. No optional categories are pre-selected. You may update your preferences at any time through the Cookie Settings link in the Platform footer.

7. Data Retention

| Data Type | Retention Period | |---|---| | Personal profile data | Until account deletion, then deleted within 30 days | | Resume files and uploaded documents | Until deleted by user or upon account deletion | | Project data | Retained while active; deleted upon account deletion | | Financial & transaction records | 7 years (anonymized) for legal and tax compliance | | AI chat session data | 90 days, then deleted | | Crash reports / diagnostic logs | 30 days | | Log and error data | 30 days | | AI training consent records | Account lifetime + 3 years (regulatory compliance evidence) | | Cookie consent records | 3 years (regulatory compliance evidence) | | Calendar sync data | Deleted upon integration disconnect or account deletion |

You may request account deletion through your account settings or by contacting legal@abram.network. Personal data will be deleted within 30 days of the request. You may request an export of your personal data at any time through your account settings.

8. Your Rights

8.1 For All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data (subject to legal retention requirements).
  • Data Export / Portability: Download your data in a portable, machine-readable format.
  • Withdraw AI Training Consent: Withdraw at any time through account settings. Withdrawal is prospective only.

8.2 Additional Rights for EU/EEA Users (GDPR)

  • Object to Processing: Object to processing based on legitimate interests.
  • Restrict Processing: Request restriction of processing while a dispute is resolved.
  • Automated Decision Rights: Request human review of automated processing that significantly affects you (Section 4.3).
  • Lodge a Complaint: With your national Data Protection Authority — see edpb.europa.eu.

8.3 Additional Rights for UK Users

The same rights as EU/EEA users above apply under the UK GDPR. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8.4 Additional Rights for California Residents (CCPA)

  • Know: The categories and specific pieces of personal information collected about you.
  • Delete: Personal information we hold about you.
  • Opt-Out: Of the sale or sharing of personal information (ABRAM does not sell personal data).
  • Non-Discrimination: You will not be discriminated against for exercising your CCPA rights.

To exercise any of these rights, contact legal@abram.network. We will respond within 30 days (CCPA) / 1 month (GDPR).

9. Data Security

We implement the following security measures:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Row-level security (RLS) on all database records via Supabase.
  • Access control and permission management via WorkOS.
  • Error monitoring and alerting via Sentry.
  • Regular security reviews of third-party integrations.
  • Least-privilege access controls for ABRAM personnel.

No method of transmission over the internet is 100% secure. While we use commercially reasonable security measures, we cannot guarantee absolute security.

10. International Data Transfers

ABRAM is based in the United States. If you are accessing the Platform from the EEA or UK, your personal data may be transferred to and processed in the United States.

We rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): We use the 2021 EU SCCs for transfers of personal data from the EEA to the United States.
  • Transfer Impact Assessments (TIAs): Completed for each international transfer and maintained on file.
  • UK IDTA: For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement or the UK addendum to the EU SCCs.

You may request information about our international transfer safeguards by contacting privacy@abram.network.

11. Data Breach Notification

In the event of a personal data breach, ABRAM will notify the relevant supervisory authority within 72 hours where required by GDPR Article 33 or applicable US state law, and will notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms. All breaches are documented in ABRAM's internal breach register.

Report a potential breach: security@abram.network

12. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. Contact legal@abram.network if you believe we have collected data from a minor.

13. Changes to This Policy

We will notify you of material changes via email and/or in-app notification at least 30 days before changes take effect. Where changes require new consent, we will obtain that consent separately. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

14. Contact & Data Controller

Data Controller: Thomas Abram, Inc.

| Contact | Email | |---|---| | Legal & Terms | legal@abram.network | | Privacy Inquiries | privacy@abram.network | | Security / Breach Reports | security@abram.network |

Address: Washington, DC

EU Data Protection Representative (GDPR Article 27): Thomas Abram, Inc. is in the process of appointing an EU representative. In the interim, contact privacy@abram.network.

For GDPR-related complaints, EU/EEA users may contact their national Data Protection Authority (edpb.europa.eu). UK users may contact the ICO at ico.org.uk.

© 2026 Thomas Abram, Inc. All rights reserved.