Privacy Policy

1. Information We Collect

• Account data: name, email address, company details, phone number, and role.
• Authentication and security data: credentials, OAuth tokens (encrypted at rest), and audit logs.
• Usage data: application interactions, configuration choices, device and browser metadata, and diagnostics.
• Content you provide: prompts, messages, uploaded documents, and AI agent configurations.
• Integration data: when you connect third-party services (see Section 3 below), we access only the minimum data needed to perform the requested actions.

2. How We Use Information

• Provide, operate, maintain, and improve the Services and AI agents.
• Secure the platform, detect fraud or abuse, and maintain audit trails.
• Personalize experiences, recommend configurations, and support users.
• Send transactional communications (updates, security notices, service messages).
• Comply with legal obligations and enforce our Terms of Service.

3. Google API Services — Limited Use Disclosure

Our platform integrates with Google API Services to provide AI-powered automation features. We request only the permissions strictly necessary for each integration:

4. OAuth Token Storage and Security

When you connect a third-party service (Google, Microsoft, etc.), the OAuth access and refresh tokens are encrypted at rest before being stored in our database. Tokens are automatically refreshed before expiration and can be revoked by the user at any time from the Integrations settings page. Upon disconnection, tokens are permanently deleted from our systems.

5. Legal Bases for Processing (EEA/UK)

We process personal data based on: performance of a contract (providing the Services), legitimate interests (platform security, fraud prevention), legal obligations, and consent where required (e.g., optional marketing communications or certain cookies).

6. Sharing and Disclosure

• Service providers: cloud hosting (Vercel, Supabase), AI model providers (OpenAI, Google), communications (Twilio), and payment processors (Stripe), each bound by confidentiality obligations.
• Integrations you enable: we share only the minimum data needed to perform the requested action (e.g., event details to Google Calendar, email content to Gmail for sending).
• Legal and safety: to comply with law, protect rights, or respond to lawful requests.
• Business transfers: in mergers, acquisitions, or asset sales, subject to this Policy.

We do not sell personal information. We do not share personal information with third parties for their own marketing purposes.

7. International Transfers

We may process data in the United States and other locations where our service providers operate. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.

8. Data Retention

We retain information as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. When you delete your account or disconnect an integration, associated data (including OAuth tokens) is permanently removed within 30 days.

9. Security

• OAuth tokens encrypted at rest using industry-standard encryption.
• All data transmitted over HTTPS/TLS.
• SQL queries are read-only (SELECT only), validated by a parser before execution.
• Input validation and output filtering to prevent prompt injection and data leakage.
• Per-tenant rate limiting to prevent abuse.
• Role-based access controls within the platform.

No system is fully secure. We encourage users to use strong passwords, enable multi-factor authentication where available, and protect their credentials.

10. Your Rights and Choices

• Access and update your account data from your profile settings.
• Disconnect integrations at any time from the Integrations page — this immediately revokes access and deletes stored tokens.
• Delete your account by contacting us at the email below. We will remove your data within 30 days.
• Revoke Google access at any time from your Google Account permissions page.
• Opt out of non-essential marketing communications.
• EEA/UK residents: you may exercise rights to object, restrict processing, data portability, or lodge a complaint with a data protection authority.

11. Cookies and Similar Technologies

We use cookies and similar technologies for authentication, security, preferences, and analytics. See our Cookie Policy for details and management options.

12. Third-Party Links

Our Services may contain links to third-party sites. We are not responsible for their privacy practices; review their policies before providing personal information.

13. Children

The Services are not directed to children under 13 (or under the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new effective date. Material changes will be communicated via email or in-app notice.

15. Contact Us