Privacy Policy

Last Updated:

Silver Flight Group, LLC ("we," "our," or "us") operates the Andrea mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered voice assistant service.

Contact Information

Silver Flight Group, LLC

2041 East St Suite 1096

Concord, CA 94520

United States

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Account credentials (password stored securely via Supabase Auth)
  • User profile information you choose to provide
  • Account preferences and settings

1.2 Voice Data

IMPORTANT NOTICE:

Andrea is a voice-first assistant that collects and processes voice data.

What We Collect:

  • Voice recordings when you interact with the App
  • Audio files of your spoken commands and queries
  • Voice input duration and frequency

How Voice Data is Processed:

  • On-Device Processing: When possible, voice recognition happens locally on your device for faster response times
  • Cloud Processing: Voice recordings may be sent to our servers and third-party speech recognition services for transcription and processing
  • AI Processing: Transcribed text is sent to Anthropic's Claude API for natural language understanding and response generation

Third-Party Voice Processing Services:

We may use the following third-party services for voice processing:

  • Speech-to-text transcription services
  • Natural language processing engines
  • Cloud-based voice recognition providers

Voice Data Retention:

  • Voice recordings are automatically deleted after processing and transcription
  • We do not store raw audio files after your request has been completed
  • Transcribed text is retained as part of your conversation history (which you can delete at any time)

1.3 Conversation Data

  • Messages and chat history with the AI assistant
  • Task execution requests and results
  • Conversation timestamps and context
  • Service integration usage patterns

1.4 Third-Party Service Integration Data

CRITICAL: Third-Party App Connections

When you connect third-party services to Andrea (such as Gmail, Google Calendar, Slack, etc.), we collect and store:

OAuth Tokens:

We store encrypted authentication tokens that allow Andrea to access your connected services on your behalf. These tokens include:

  • Access tokens (short-lived, typically 1 hour)
  • Refresh tokens (long-lived, used to obtain new access tokens)
  • Token expiration times and scopes

Integration Usage Data:

  • Which services you have connected
  • When you connected each service
  • Frequency of service interactions
  • Success/failure rates of service actions

Data Accessed from Third-Party Services:

Depending on which services you connect, Andrea may access:

  • Gmail: Read, send, and manage your emails
  • Google Calendar: View and create calendar events
  • Google Drive: Access and manage your files
  • Slack: Send messages and access workspace information
  • Other services: As authorized by you during the OAuth connection process

Important: Each connected service has its own privacy policy that governs how it handles your data. We encourage you to review the privacy policies of services you connect to Andrea.

1.5 Automatically Collected Information

  • Device information (model, operating system, version)
  • Mobile network information
  • App usage analytics (features used, session duration)
  • Error logs and crash reports
  • IP address and general location (country/region level)

1.6 Permissions

The App requires the following device permissions:

  • Microphone: Required for voice input and commands
  • Internet: Required to communicate with our servers and AI services
  • Storage: To cache data and improve performance
  • Network State: To detect connectivity and adjust functionality

2. How We Use Your Information

2.1 Core Service Functionality

  • Process your voice commands and provide AI-powered responses
  • Execute tasks across your connected third-party services
  • Maintain conversation history and context
  • Authenticate your account and maintain security

2.2 Service Improvement

  • Analyze usage patterns to improve AI accuracy
  • Debug errors and optimize performance
  • Develop new features and integrations
  • Conduct research and analytics (in aggregated, anonymized form)

2.3 Communication

  • Send service-related notifications and updates
  • Respond to your support requests
  • Notify you of important changes to our service
  • Send optional promotional communications (with your consent)

2.4 Legal and Safety

  • Comply with legal obligations and law enforcement requests
  • Protect against fraud, abuse, and security threats
  • Enforce our Terms of Service
  • Protect our rights and property

3. How We Share Your Information

3.1 Third-Party Service Providers

We share your information with carefully selected service providers who assist in operating our App:

Anthropic (Claude API):

Supabase:

  • Purpose: Database hosting, authentication, and data storage
  • Data Shared: Account information, encrypted OAuth tokens, conversation history
  • Privacy Policy: https://supabase.com/privacy

Voice Recognition Services:

  • Purpose: Speech-to-text transcription
  • Data Shared: Voice recordings (temporarily, deleted after processing)
  • Note: Specific providers may vary; we use industry-leading services

Cloud Infrastructure Providers:

  • Purpose: Hosting, data storage, and service delivery
  • Data Shared: All data necessary for service operation
  • Security: All providers meet SOC 2 Type II or equivalent standards

3.2 Connected Third-Party Services

When you authorize Andrea to connect to third-party services (Gmail, Calendar, Slack, etc.):

  • We access these services on your behalf using OAuth tokens
  • Data flows between Andrea and these services to execute your requests
  • Each service's privacy policy governs how it handles your data
  • You can revoke Andrea's access at any time through the App or the third-party service's settings

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

3.4 Legal Requirements

We may disclose your information when required by law, court order, or to:

  • Comply with legal process
  • Protect our rights and property
  • Prevent fraud or abuse
  • Protect the safety of users or the public

3.5 Aggregated/Anonymized Data

We may share aggregated, anonymized data that cannot identify you personally for:

  • Research and analytics
  • Marketing and partnerships
  • Public reporting

4. Data Security

4.1 Encryption

  • In Transit: All data transmitted between your device and our servers uses TLS/SSL encryption
  • At Rest: Sensitive data (including OAuth tokens) is encrypted using AES-256 encryption
  • Mobile Storage: Credentials stored on your device use secure keychain storage (iOS) or encrypted storage (Android)

4.2 Access Controls

  • Strict role-based access controls limit who can access your data
  • Multi-factor authentication required for administrative access
  • Regular security audits and penetration testing
  • Row-level security policies in our database prevent unauthorized access

4.3 Security Practices

  • Regular security updates and patches
  • Continuous monitoring for security threats
  • Incident response procedures
  • Employee security training and confidentiality agreements

4.4 Data Isolation

  • Per-user data isolation (your data is separate from other users)
  • Separate processes for each user's third-party service connections
  • Database-level security policies enforce data boundaries

5. Your Privacy Rights and Choices

5.1 Access and Portability

You have the right to:

  • Access your personal information
  • Request a copy of your data in a portable format
  • Review your conversation history

How to Exercise: Contact privacy@silverflightgroup.com

5.2 Correction and Deletion

You have the right to:

  • Correct inaccurate information
  • Delete your account and associated data
  • Remove specific conversations or messages

How to Exercise: Use the App's settings or contact support@silverflightgroup.com

5.3 Voice Data Control

  • Pause Voice Input: You can switch to text-only mode in settings
  • Delete Voice History: Conversation history (derived from voice) can be deleted at any time
  • Opt-Out of Voice: Use the App in text-only mode

5.4 Third-Party Service Disconnection

You can:

  • Disconnect any third-party service at any time through the App
  • Revoke Andrea's access through the third-party service's settings
  • When disconnected, associated OAuth tokens are deleted

5.5 Marketing Communications

  • Opt out of promotional emails using the unsubscribe link
  • Control push notifications in your device settings
  • Service-related communications cannot be opted out of while using the service

5.6 Do Not Track

Our service does not currently respond to Do Not Track signals as there is no industry standard for compliance.

6. Data Retention

6.1 Account Data

  • Retained while your account is active
  • Deleted within 90 days of account deletion request

6.2 Voice Recordings

  • Deleted immediately after transcription and processing
  • Not retained in raw audio format

6.3 Conversation History

  • Retained until you delete it or close your account
  • You can delete conversations at any time

6.4 OAuth Tokens

  • Retained while the service connection is active
  • Deleted immediately when you disconnect a service or delete your account

6.5 Logs and Analytics

  • Anonymized usage logs: 90 days
  • Error logs: 30 days
  • Security logs: 1 year (for security and fraud prevention)

6.6 Legal Retention

We may retain certain data longer if required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).

7. International Data Transfers

Our services are based in the United States. If you access Andrea from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate.

These countries may have data protection laws different from your country. By using Andrea, you consent to the transfer of your information to the United States and other countries.

For users in the European Economic Area (EEA), UK, or Switzerland, we comply with applicable data transfer requirements, including Standard Contractual Clauses where necessary.

8. Children's Privacy

Andrea is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children.

If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@silverflightgroup.com, and we will promptly delete such information.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

10.1 Right to Know

You can request information about:

  • Categories of personal information collected
  • Sources of personal information
  • Purposes for collection and sharing
  • Categories of third parties we share with
  • Specific pieces of personal information we hold

10.2 Right to Delete

You can request deletion of your personal information, subject to certain exceptions.

10.3 Right to Opt-Out

You can opt out of the "sale" of personal information. Note: We do not sell personal information.

10.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

10.5 How to Exercise Your Rights

We will respond to verified requests within 45 days.

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

11.1 Legal Bases for Processing

We process your personal data based on:

  • Contract: To provide the service you requested
  • Consent: For voice processing and optional features
  • Legitimate Interests: To improve our service and prevent fraud
  • Legal Obligation: To comply with applicable laws

11.2 Your GDPR Rights

  • Access: Obtain a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion ("right to be forgotten")
  • Restriction: Limit how we use your data
  • Portability: Receive your data in a portable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time (doesn't affect prior processing)

11.3 Data Protection Officer

For GDPR-related inquiries, contact our privacy team at privacy@silverflightgroup.com

11.4 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We Notify You:

  • Update the "Last Updated" date at the top
  • Notify you via email for material changes
  • Display an in-app notification for significant changes
  • Post the updated policy on our website

Your Continued Use: Continuing to use Andrea after changes take effect constitutes acceptance of the updated Privacy Policy.

Material Changes: For significant changes that reduce your rights, we will obtain your consent where required by law.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@silverflightgroup.com

Support: support@silverflightgroup.com

Phone: +1 408-883-9011

Mailing Address:

Silver Flight Group, LLC

Attn: Privacy Team

2041 East St Suite 1096

Concord, CA 94520

United States

14. Specific Disclosures

14.1 Voice Data Processing Chain

For transparency, here is how your voice data flows through our system:

  1. Your Device: Voice recorded using device microphone
  2. On-Device (Optional): Basic speech recognition (if available)
  3. Andrea Servers: Encrypted transmission to our servers
  4. Speech-to-Text Service: Transcription by third-party provider
  5. Claude API (Anthropic): AI processing of transcribed text
  6. Response Generation: AI creates response
  7. Your Device: Response delivered as text and/or voice
  8. Deletion: Original voice recording deleted after transcription

14.2 OAuth Token Security

OAuth tokens for connected services:

  • Encrypted with AES-256 before database storage
  • Stored in separate per-user database rows with access restrictions
  • Never exposed in API responses or logs
  • Automatically refreshed before expiration
  • Immediately revoked upon service disconnection or account deletion

14.3 AI Model Provider

We use Anthropic's Claude AI models for natural language processing:

  • Models Used: Claude Sonnet 4.5 and Claude Opus 4.1
  • Data Sent: Your messages (text or transcribed voice), conversation context
  • Data Use: Anthropic may use conversation data to improve their models (subject to their privacy policy)
  • Data Retention: Governed by Anthropic's data retention policies
  • Learn More: https://www.anthropic.com/legal/privacy

By using Andrea, you acknowledge that you have read and understand this Privacy Policy.