Privacy Policy

1. Information you provide

When you create an account we collect your name, email address, and authentication identifier (typically via Google or another OAuth identity provider). When you subscribe, our payment processor (Stripe) collects billing details on our behalf; we do not store full payment card numbers.

When you connect an external service (Gmail, Google Calendar, Google Drive, Slack, Outlook, Microsoft Teams, iMessage, or others added over time), you grant the Service the OAuth scopes you select. Those tokens are stored encrypted, scoped to your user, and used solely to execute the actions you delegate. You may revoke any integration at any time from your dashboard.

2. Audio and transcripts

Speech-to-text runs entirely on your Mac. Audio captured by the microphone is transcribed locally on the Apple Neural Engine via WhisperKit. Raw audio is never transmitted to our servers, never stored on our infrastructure, and never available to us. Only the resulting text transcript and the structured action you confirm are forwarded to your dedicated instance for routing.

Transcripts and the resulting messages, drafts, calendar events, and other actions are retained on your private instance so you can audit and recall what was sent. You may delete individual records or your entire history at any time from the dashboard.

3. Information collected automatically

• Diagnostic and crash telemetry — anonymized error reports, performance counters, and feature usage events used to fix bugs and improve the product.
• Device and environment data — operating system version, app version, locale, and a randomly generated device identifier.
• Service logs — IP address, request timestamps, and routing metadata generated when your Mac talks to your private instance. Retained for security and abuse-prevention.

4. How we use your information

• To operate, maintain, and improve the Service.
• To execute the actions you explicitly delegate to the Service.
• To bill you and prevent payment fraud.
• To detect, investigate, and prevent security incidents and abuse.
• To comply with applicable law and respond to lawful requests.

We do not sell your personal information. We do not use your content, transcripts, or connected-service data to train AI models. We do not use your data for third-party advertising.

5. Sub-processors

We use the following sub-processors to operate the Service. Each is contractually bound to maintain confidentiality and security commensurate with our own:

• Amazon Web Services (us-east-2) — hosting of your dedicated instance, storage, networking, and authentication (Cognito).
• Anthropic, PBC — large language model inference. Requests are proxied through our infrastructure with per-user metering; the content of your prompts and responses is processed under Anthropic’s commercial terms and is not used to train Anthropic’s models.
• Stripe, Inc. — subscription billing and payment processing.
• Brave Software — web and news search lookups (only the search query is forwarded; no user identity).
• Google LLC — Gmail, Calendar, Drive, and Gemini (“Nano Banana”) image generation, used only when you connect those services.
• Microsoft Corporation — Outlook and Teams, used only when you connect those services.

6. Data location and retention

Your dedicated instance is provisioned in AWS us-east-2 (Ohio, USA). Account metadata is stored in the same region. Account data is retained for the life of your account; deleted records and deleted accounts are purged from primary storage within 30 days and from backups within 90 days, except where retention is required by law.

7. Security

We use industry-standard safeguards including TLS 1.2+ in transit, AES-256 at rest, KMS envelope encryption for OAuth tokens, per-user instance isolation, and least-privilege IAM. No system, however, is perfectly secure. You are responsible for safeguarding your account credentials, devices, and the services you connect to Delegate OS. That includes keeping your Mac up to date, using a strong account password, enabling multi-factor authentication on your identity provider, and revoking integrations you no longer use. We strongly recommend you do all of the above. We are not liable for losses caused by your failure to secure your own credentials or devices, by malware on your Mac, or by your decision to grant Delegate OS access to a particular connected service.

8. Your choices

• Access and export. You may export your account data from the dashboard.
• Deletion. You may delete individual records, disconnect integrations, or permanently delete your account from the dashboard.
• Correction. You may update your profile and connected accounts at any time.
• Marketing communications. Transactional emails (security alerts, billing) are required while your account is active. You may opt out of all other email.

9. Regional rights

California (CCPA / CPRA)

California residents have the right to know, access, correct, and delete personal information we hold, and to opt out of any “sale” or “sharing.” We do not sell or share personal information as those terms are defined under the CCPA. To exercise your rights, email privacy@delegateos.ai.

European Economic Area, United Kingdom, Switzerland

If you are in the EEA, UK, or Switzerland, you have rights under the GDPR / UK GDPR including access, rectification, erasure, restriction, portability, and objection. Our lawful basis for processing is performance of contract (to provide the Service), legitimate interests (to secure and improve the Service), and consent (where required for optional features). To exercise your rights, email privacy@delegateos.ai.

10. International transfers

Our primary infrastructure is located in the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

11. Children

The Service is not directed to and may not be used by anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with information, please contact us and we will delete it.

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes we will notify you by email or in-app notice at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance.

13. Contact

Questions, requests, or complaints? Email privacy@delegateos.ai. You also have the right to lodge a complaint with your local data protection authority.