Privacy Policy for Anytype for Business

Last updated: May 2026

Any Association (“Any”, “we”, “us”) believes privacy is a fundamental right. This policy explains what personal data we process when you use Anytype for Business, why we process it, and what choices and rights you have.

This policy applies to:

  • Anytype for Business, including the app, business account features, organization administration, and business sign-in services.
  • The business.anytype.io website and forms.
  • Communications with us about Anytype for Business.

It does not cover the personal Anytype app or the general anytype.io website, which may have separate privacy notices.

Short Version

  • We do not sell your personal data.
  • We do not share your personal data with third parties for their own advertising.
  • We do not use Google or Microsoft for analytics or advertising in Anytype for Business. They are used only for sign-in when you or your organization choose Google or Microsoft login.
  • Content you create in Anytype is encrypted. We do not use your content for advertising or to train AI models.
  • Anytype for Business may use a separate sign-in service to connect your corporate email address with encrypted private key material so your devices can log in through Google or Microsoft and decrypt business content locally.
  • For full zero-knowledge guarantees, Anytype for Business can be self-hosted on your own infrastructure.
  • We collect the minimum personal data needed to provide, secure, bill for, support, and improve Anytype for Business.
  • The public business.anytype.io website is designed to be cookie-free and uses cookie-free analytics.

Who Is Responsible for Your Data

Any Association is the data controller for personal data we process to run Anytype for Business, such as account data, billing data, support requests, product security logs, and business website forms.

Any Association c/o Sielva Management AG Gubelstrasse 11 CH-6300 Zug Switzerland

Email: association@anytype.io

Our representative in the European Union for the purposes of Article 27 GDPR is:

Anylab GmbH Meinekestrasse 27 10719 Berlin Germany

Email: anylab@anytype.io

If your organization provides Anytype for Business to you, your organization may also be responsible for some personal data, such as your organization membership, channel access, billing relationship, and content or metadata inside organization-managed channels. In those cases, your organization may act as an independent controller, and Any may act as a processor under a separate agreement with that organization.

What We Collect

Account and Identity Data

We may process:

  • Your name.
  • Your corporate email address.
  • Your Anytype ID.
  • Your organization name, domain, role, plan, and seat status.
  • Cryptographic identifiers.
  • Device identifiers used to recognize your authorized devices.
  • Profile details you choose to provide, such as avatar or display name.

Your Anytype ID is a cryptographic identifier. By itself, it is not intended to reveal your real-world identity, but it can become associated with you when you use it with a business account, corporate email address, payment, support request, or organization membership.

Google or Microsoft Sign-In Data

If you or your organization use Google or Microsoft login, we receive the information needed to authenticate you. This may include:

  • Corporate email address.
  • Name and profile picture, if provided by the sign-in provider.
  • Provider account identifier.
  • Organization or tenant identifier.
  • Sign-in status, timestamps, and authentication metadata.

We do not receive your Google or Microsoft password. For login, we request only the authentication and account-profile information needed to verify your identity and connect you to the correct organization. We do not use Google or Microsoft login to access your Gmail, Google Drive, Microsoft Outlook, OneDrive, Teams, or other account content unless a separate feature asks for that access and you approve it.

Google and Microsoft may process sign-in information under their own privacy notices when you use their login services.

Business Sign-In and Key-Management Data

Anytype for Business may use a separate sign-in service to enable Google or Microsoft login. This service stores an association between your corporate email address and encrypted private key material needed for your device to access and decrypt business content.

This key material is encrypted using master-key encryption and protected with access controls, monitoring, and operational security measures. Encryption and decryption of your content happens on your device.

Content and Channel Data

Anytype content is organized into channels. Depending on the product mode and organization settings, we may process:

  • Encrypted content and files.
  • Channel IDs, object IDs, account IDs, device IDs, and membership records.
  • Data needed to sync, back up, share, or delete channels and objects.
  • Organization settings, permissions, and audit or security information.

We do not use your content for advertising or AI model training.

Some operational metadata may be visible to us even when content is encrypted. This metadata is used to provide, secure, sync, troubleshoot, and delete the service.

Website, Form, and Communication Data

If you visit business.anytype.io, request a trial, apply for a discount, contact us, or subscribe to communications, we may process:

  • Name.
  • Email address.
  • Company or organization.
  • Team size, role, industry, and similar business information.
  • Messages, feedback, survey answers, and support requests.
  • Communication preferences, such as opt-in or opt-out status.

Payment and Billing Data

If you purchase or administer a paid plan, we may process:

  • Billing contact details.
  • Organization name and billing address.
  • Plan, seat count, invoice, tax, and transaction information.
  • Payment status.

Payment card or bank details are processed by our payment provider. We do not directly store full card numbers.

Device, Usage, Security, and Diagnostics Data

We may process limited technical data, such as:

  • App version and configuration.
  • Operating system, device model, and language.
  • Network mode and sync status.
  • Session, activation, and feature usage events.
  • Crash reports, error messages, and diagnostic metadata.
  • IP address and request logs for security, fraud prevention, abuse prevention, and service reliability.

We use analytics to understand whether Anytype for Business works reliably and how to improve it. We do not use analytics for third-party advertising.

Data You Choose to Put in Anytype

You may choose to store personal data or sensitive data in Anytype content. We process that content only to provide the service and according to the product architecture, organization settings, and applicable agreement.

Please do not send us sensitive personal data through support, forms, or surveys unless it is necessary for your request.

How We Collect Data

We collect data:

  • From you, when you create an account, use the app, submit a form, pay for a plan, or contact us.
  • From your organization, when it invites you, manages seats, configures access, or administers a business organization.
  • From Google or Microsoft, when you use their sign-in services.
  • Automatically from the app, website, network, and service infrastructure.
  • From service providers, such as payment processors, when needed to operate the service.

When Data Is Required

Some personal data is needed to use Anytype for Business. For example, we need account, authentication, organization, and key-management data to let you sign in and access business content. We need billing data to provide paid plans. We need security and diagnostic data to keep the service reliable and secure.

If you do not provide required data, or if your organization does not provide it for you, some features may not work or we may not be able to provide Anytype for Business to you.

Why We Use Your Data

We use personal data for the following purposes:

Purpose Examples Legal basis under GDPR
Provide Anytype for Business Create accounts, authenticate users, sync channels, manage organizations, enable SSO, provide support Contract
Secure the service Detect abuse, prevent fraud, protect accounts, investigate incidents, maintain logs Legitimate interests; legal obligation where applicable
Manage business plans and billing Process payments, invoices, subscriptions, tax records, account administration Contract; legal obligation
Communicate with you Service messages, support replies, onboarding, product notices, requested information Contract; legitimate interests; consent where required
Improve the product Diagnostics, anonymized or aggregated analytics, usability and reliability analysis Legitimate interests; consent where required
Handle legal and compliance matters Enforce terms, respond to lawful requests, keep required records Legal obligation; legitimate interests
Send optional marketing Newsletters or product updates when you opt in or where otherwise permitted Consent; legitimate interests where permitted

We do not make decisions about you based solely on automated processing that have legal or similarly significant effects.

When We Share Data

We share personal data only when needed for the purposes described in this policy.

We may share data with:

  • Your organization, if your account is part of an organization-managed Anytype for Business environment.
  • Service providers that help us host, secure, analyze, support, bill for, and communicate about the service.
  • Google or Microsoft, when you use their sign-in services.
  • Payment providers, when you make or administer a payment.
  • Professional advisers, auditors, insurers, and legal advisers.
  • Authorities, courts, or regulators when required by law or necessary to protect rights, safety, and security.
  • Another entity in connection with a merger, restructuring, financing, or similar transaction, subject to appropriate safeguards.

We do not sell personal data. We do not share personal data for cross-context behavioral advertising.

Service Providers

Provider Purpose Typical data Main processing location
Cloudflare Hosting, security, network delivery, form queue infrastructure IP address, request logs, encrypted form payloads, operational metadata Global
Google Optional Google login Email, name, profile picture, account identifiers, authentication metadata Global
Microsoft Optional Microsoft login Email, name, profile picture, tenant/account identifiers, authentication metadata Global
Stripe Payments and billing Billing contact, transaction, payment, tax, and invoice data United States and global
Loops Transactional emails, service communications, opt-in/opt-out preferences Email, name, communication preferences, message metadata United States
Amplitude App analytics Usage events and technical analytics identifiers United States
Fathom Analytics Cookie-free website analytics Aggregated website analytics, technical request data Global
Typeform Surveys, if used Survey responses and contact details if requested United States and global

We require service providers to protect personal data and use it only for the purposes we authorize.

International Transfers

Any Association is based in Switzerland. We may process and store personal data in Switzerland, the European Economic Area, the United States, and other countries where we or our service providers operate.

When personal data is transferred internationally, we use appropriate safeguards where required, such as:

  • Adequacy decisions, including for Switzerland where applicable.
  • Standard Contractual Clauses.
  • Additional technical and organizational safeguards, such as encryption and access controls.

You can contact us for more information about transfer safeguards.

How Long We Keep Data

We keep personal data only as long as needed for the purposes described in this policy, unless a longer period is required or permitted by law.

Typical retention periods:

  • Account and organization data: while the account or organization is active, then for a limited period needed for deletion, backup, security, dispute, and legal purposes.
  • Encrypted content: until you or your organization delete it, close the account, or remove the relevant channel, subject to backup and technical deletion cycles.
  • Business sign-in key associations and encrypted private key material: while needed to provide SSO-based access, and after that only as long as needed to complete account deletion, organization removal, SSO disablement, backup deletion cycles, security checks, dispute handling, and legal obligations.
  • Billing records: as long as required for tax, accounting, audit, and legal obligations.
  • Support and communications: as long as needed to handle the request and maintain business records.
  • Security logs: for a limited period needed for security and abuse prevention, unless retained longer for an investigation or legal requirement.
  • IP addresses collected for abuse prevention around account creation: typically up to 7 days, unless needed longer for security, fraud, or legal reasons.
  • Optional marketing records: until you unsubscribe or we no longer need the record to honor your preferences.

Security

We use technical and organizational measures designed to protect personal data against accidental loss, unauthorized access, misuse, alteration, and disclosure.

These measures include, where appropriate:

  • Strong encryption for content, including encryption in transit and at rest.
  • Master-key encryption for business sign-in private key material.
  • Access controls and least-privilege permissions.
  • Monitoring, logging, and incident response processes.
  • Provider and infrastructure security controls.
  • Backups and recovery processes.

No service can guarantee perfect security. You are responsible for keeping your devices, accounts, recovery information, and organization access secure.

If you believe your privacy or account security has been compromised, contact us at association@anytype.io.

Your Choices and Rights

Depending on where you live, you may have the right to:

  • Access personal data we hold about you.
  • Correct inaccurate personal data.
  • Delete personal data.
  • Restrict or object to processing.
  • Receive a portable copy of personal data.
  • Withdraw consent where processing is based on consent.
  • Opt out of marketing communications.
  • Lodge a complaint with a data protection authority.

To exercise your rights, contact association@anytype.io.

If your account is managed by your organization, we may direct you to that organization for requests related to organization-controlled data. We will still help where we are responsible for the processing.

You can also manage Google or Microsoft sign-in permissions through your Google or Microsoft account settings. Removing those permissions may affect your ability to use Anytype for Business if your organization requires SSO.

Children

Anytype for Business is not intended for children under 13 years old, or a higher minimum age where local law requires it. We do not knowingly collect personal data from children for Anytype for Business.

Changes to This Policy

We may update this policy to reflect product, legal, or operational changes. If changes are material, we will provide appropriate notice. We will keep prior versions available where required or practical.

Contact Us

Questions, requests, or complaints can be sent to:

Any Association c/o Sielva Management AG Gubelstrasse 11 CH-6300 Zug Switzerland

Email: association@anytype.io

EU representative:

Anylab GmbH Meinekestrasse 27 10719 Berlin Germany

Email: anylab@anytype.io