Privacy Policy for Secretary AI

Last Updated: December 15, 2024

1. Introduction

Welcome to Secretary AI ("we," "our," or "us"). We are committed to protecting your privacy and handling your data with transparency and care. This privacy policy explains how we collect, use, and protect your information when you use our AI secretary service.

2. Information We Collect

We collect and process only the minimum information necessary to provide our service:

  • Message content from your iMessage conversations with our AI
  • Basic user information (phone number or email address)
  • Time zone settings
  • User preferences and settings
  • Service interaction data (timestamps, reminders, notes)
  • Calendar data through Google Calendar API (with your explicit permission)
  • Google account information necessary for calendar integration

3. How We Use Your Information

We use your information solely for:

  • Providing and maintaining our AI secretary service
  • Processing and responding to your messages
  • Managing your reminders and notes
  • Accessing and managing your calendar events (with your permission)
  • Improving our service functionality
  • Ensuring proper timezone-based operations

4. Third-Party Services

Our service integrates with Google Calendar:

  • We request access to your Google Calendar only after explicit user authorization
  • Calendar data is accessed and processed according to Google's API services user data policy
  • We only access calendar data necessary for providing our scheduling services
  • You can revoke our access to your Google Calendar at any time through your Google account settings
  • We do not share your calendar data with any other third parties

5. Data Storage and Retention

We implement strict data minimization practices:

  • Message data is stored locally on your device through iMessage
  • Messages are automatically deleted after 30 days
  • We do not maintain permanent copies of your conversations
  • Calendar data is accessed in real-time and not stored permanently
  • Reminder and note data is stored only as long as necessary to provide the service
  • All reminder and note data can be immediately deleted upon user request
  • Users can request deletion of specific reminders or notes at any time through the service
  • Google Calendar access tokens are stored securely and can be revoked at any time

6. Data Protection Mechanisms

We implement security measures through our cloud infrastructure:

  • Encryption:
    • All data in transit is encrypted using TLS
    • Data at rest is encrypted in our secure database
    • OAuth tokens are securely stored in our authentication system
  • Access Controls:
    • Row-level security ensures users can only access their own data
    • All database access is restricted to authenticated service accounts
    • No direct database access from client applications
    • Strict API-level access controls for all data operations
  • Infrastructure Security:
    • Hosted on enterprise-grade cloud infrastructure
    • Automatic security updates and patches
    • Built-in DDoS protection
  • Backup and Recovery:
    • Automated database backups
    • Point-in-time recovery capabilities

7. Google API & Data Usage

For Google Calendar integration:

  • We request and use the following specific Google API scopes:
    • calendar.events (to manage calendar events)
    • calendar.readonly (to read calendar information)
    • userinfo.email (to identify your account)
    • userinfo.profile (for basic profile information)
  • Google OAuth tokens are encrypted using industry-standard AES-256 encryption and stored in secure, access-controlled databases
  • We maintain detailed audit logs of all API access
  • We implement strict rate limiting and monitoring of API usage
  • We do not use your Google Workspace data for training AI/ML models
  • Calendar data is accessed only for specific user-requested operations
  • You can revoke access at any time through Google security settings: https://myaccount.google.com/permissions

8. Data Deletion & User Control

You have full control over your data:

  • You can request complete deletion of your data at any time by contacting support@secretary.my
  • Data deletion requests are processed within 30 days
  • Upon deletion request, we remove all associated data including:
    • Authentication tokens
    • User preferences
    • Calendar access information
    • Message history
    • Any stored personal information
  • We provide confirmation of data deletion upon request
  • You can export your data before deletion if desired

9. Compliance & Certifications

We maintain compliance with:

  • Google API Services User Data Policy
  • GDPR requirements
  • CCPA requirements
  • Industry-standard security practices
  • Regular security assessments and audits

10. AI/ML Training Policy

Regarding the use of data for AI/ML training:

  • We do not use any Google Workspace API data for training AI or machine learning models
  • Calendar data is used solely for providing the requested calendar management services
  • Any AI features in our service use pre-trained models that are not updated with user data
  • We maintain strict separation between our AI systems and user data from Google APIs

Contact Information

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Email: support@secretary.my

Website: https://secretary.my