askthe.bot

Privacy Policy

Last updated: May 13, 2026

1. Introduction

This Privacy Policy describes the practices of askthe.bot (the “Service”) with respect to information processed in connection with your access to and use of the Service. Our guiding principle is data minimization: we do not collect, sell, rent, monetize, profile, or analyze personal data beyond what is strictly necessary to operate the Service and provide the functionality requested by the User.

2. No Analytics or Behavioral Tracking

We do not employ third-party analytics platforms, advertising networks, behavioral tracking pixels, fingerprinting technologies, or cross-site tracking mechanisms. We do not build advertising profiles of Users or end-users, do not sell or rent any personal data to third parties, and do not use personal data for any form of automated decision-making other than the agent functionality the User has expressly configured.

3. Information Processed

The Service processes only the categories of information necessary to operate:

  • Account information: Identifiers (such as email address and OAuth subject identifier) provided by you or your authentication provider for the sole purpose of authenticating your access to the Service.
  • User Content: Configuration, knowledge base materials, and other content you voluntarily submit in order to configure your Agents.
  • Conversation data: Messages exchanged with your Agents, retained solely to provide conversation continuity and deliver the Service.
  • Operational logs: Minimal technical logs (e.g., error events) retained transiently for the purposes of security and service reliability.

We do not derive secondary insights, perform behavioral analysis, or train models on your data.

4. Legal Basis for Processing

Where applicable law requires a legal basis for processing personal data, we rely on: (a) the performance of our agreement with you under the Terms of Service; (b) our legitimate interest in operating, securing, and maintaining the Service; and (c) your consent, where consent is required.

5. Data Security and Access Controls

The Service is built on managed cloud infrastructure that enforces row-level security (“RLS”) policies at the database layer. RLS ensures that records are accessible only to the authenticated principal authorized to view them, such that one User’s data is not exposed to another User. Authentication is performed against signed access tokens, and authorization decisions are evaluated by the database itself rather than relying solely on application code. While no system can be guaranteed to be completely secure, we maintain administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction.

6. Sub-processors and Data Sharing

We do not sell, rent, or trade personal data, and we do not share personal data with advertisers, data brokers, or any third party for their own independent purposes. To deliver the Service we share the minimum data necessary with the following categories of sub-processors, each of which processes data only on our instructions and only to provide its contracted service:

  • Supabase, Inc. — managed authentication, Postgres database, and serverless function hosting. Processes account identifiers, agent configuration, conversation data, and (where you have connected an integration) encrypted OAuth refresh tokens.
  • Cloudflare, Inc. — web application hosting, edge runtime, object storage (R2) for transient response caching, and DNS/CDN. Processes IP addresses, request metadata, and operational logs.
  • Google LLC — large language model inference via the Google Gemini API (generativelanguage.googleapis.com) and, where you have explicitly connected a Google account, Google Calendar APIs. Processes prompts, agent instructions, and conversation messages submitted to the model in order to return a response; and, where applicable, calendar metadata you have authorized the agent to read or write.
  • Amazon Web Services, Inc. — transactional email delivery via Amazon Simple Email Service (SES). Processes recipient email addresses and message bodies for Service-related notifications.
  • Stripe, Inc. — payment processing and subscription billing for paid plans. Processes billing identifiers and payment metadata; full payment card numbers are submitted directly to Stripe and are not received or stored by us.

We may also disclose information where required by law, valid legal process, or to protect the rights, property, or safety of our users, the public, or the Service.

7. Google User Data

If you connect a Google account to an Agent (for example, to enable calendar-aware scheduling), the Service receives and processes the following Google user data, in accordance with the Google API Services User Data Policy, including its Limited Use requirements:

Google user data falls into two distinct categories with very different handling, and we describe each separately.

(a) Minimal Google account identifier. When you connect a Google account, we receive your Google email address and OpenID subject identifier. This identifier is used solely to display which Google account is currently connected to the Agent in your dashboard, and to scope subsequent API calls to that account. The identifier is stored in our managed database (Supabase) so the Service can remember which account you connected. It is the same kind of email address you would give to any vendor; it is not Google Calendar content.

(b) Google Calendar content. Under the scopes you grant on the Google OAuth consent screen (calendar.events, calendar.freebusy, and calendar.calendarlist.readonly), the Service may read your calendar availability, list your calendars, and create or update events that you or your end-users request. This is the sensitive category. It is treated strictly as follows:

  • Calendar content is fetched on-demand from Google’s Calendar APIs at the moment the Agent needs it to respond to a request. We do not perform background scraping, mirroring, indexing, or analytics over your calendar.
  • The only external service that ever receives your Google Calendar content is Google Gemini (the LLM provider that generates Agent responses), and only as part of the prompt for the single request the Agent is currently answering. Gemini is also a Google service, so calendar content does not leave Google’s own systems for the purpose of LLM inference.
  • Calendar content is never sent to Amazon Web Services, Stripe, or any other sub-processor named in §6. Those sub-processors handle billing, transactional email delivery, and infrastructure unrelated to calendar data, and have no need for and no access to it.
  • Where calendar content appears verbatim in an Agent conversation (because the Agent quoted it back in its response), it is stored at rest in our managed Supabase database as part of the conversation history, protected by row-level security so that only the authorized account can read it. You can delete that conversation at any time.

(c) OAuth tokens. Google issues refresh and access tokens that allow the Service to call Google APIs on your behalf. These tokens are encrypted at rest in our managed database, are never transmitted to any third party, and are revoked with Google and deleted from our systems when you disconnect the integration.

Limited Use. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide the user-facing features of the Service that the User has configured the Agent to perform (for example, reading availability and creating calendar events on the User’s behalf). We do not use Google user data for analytics, product improvement, internal research, or any purpose other than directly providing the requested Agent functionality.
  • We do not sell, transfer, or disclose Google user data to any third party. Google user data is not treated as a transferable business asset and will not be conveyed in connection with any merger, acquisition, or sale of assets.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data. The only exception is where you have given us your explicit, case-specific consent (for example, to assist you with a support ticket you have opened).
  • We do not use Google user data to develop, improve, or train generalized AI or machine-learning models. Google user data passed to the Gemini API is sent solely to obtain a response to the User’s own prompt and is subject to Google’s applicable API terms.

You may revoke the Service’s access to your Google account at any time from within the Agent editor (Tools tab → Disconnect) or from your Google account at myaccount.google.com/permissions. Upon disconnection we revoke the refresh token with Google and delete the associated stored credentials.

8. AI / Large Language Model Processing

The Service uses third-party large language model providers to generate Agent responses; we do not operate our own foundation model. The current model provider is Google (Gemini family of models, accessed via the Google Gemini API at generativelanguage.googleapis.com). Image-related features (such as “try-on”) use Google’s Gemini image preview models accessed through the same Google Gemini API. Prompts, Agent instructions, knowledge-base content, and conversation messages necessary to produce a response are transmitted to the model provider on a per-request basis. We do not authorize, and do not knowingly permit, model providers to use your content to train their generalized models; provider behavior is governed by the provider’s own terms (the Google APIs Terms of Service for the Gemini API). We may change or add model providers in the future and will update this Policy accordingly.

9. Data Retention

We retain personal data only for as long as is necessary to provide the Service or as required by applicable law. You may request deletion of your account and associated data at any time, subject to our retention obligations under applicable law.

10. International Transfers

Personal data may be processed in jurisdictions outside your country of residence. Where such transfers occur, we rely on the safeguards offered by our infrastructure providers, including standard contractual clauses where applicable.

11. Your Rights

Depending on your jurisdiction, you may have the right to access, rectify, port, restrict, or erase personal data we hold about you, and to object to or withdraw consent for certain processing activities. To exercise any of these rights, please contact us using the information provided below.

12. Children’s Privacy

The Service is not directed to, and we do not knowingly process personal data concerning, children under the age of thirteen (13), or under the minimum age of digital consent in the User’s jurisdiction.

13. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date above. Your continued use of the Service following any such update constitutes your acknowledgment of the revised Policy.

14. Contact

For questions regarding this Privacy Policy or to exercise your rights, please contact us through the channels published on the Service.

← Back to home