Privacy Policy

Introduction

Crafty Codr Inc. ("Company," "we," "us," or "our") operates the OughtaBee AI platform ("Platform," "Service"), accessible at app.oughtabee.ai and through custom tenant applications deployed on customer domains.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform. Please read this policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

If you do not agree with the terms of this Privacy Policy, please do not access the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address (required, used as unique identifier)
• Name/display name (optional)
• Profile image (optional, URL reference only)
• Password (if using email/password authentication, stored as bcrypt hash)
• Authentication provider information (if using Google OAuth)

1.2 Organization Information

When you create or join an organization, we collect:

• Organization name
• Organization description (optional)
• Billing contact email
• Payment information (processed via Stripe; we store only card brand, last 4 digits, and expiration date)
• Organization preferences and settings

1.3 Connected Account Data

When you connect third-party data sources, we collect:

Google Drive:

• OAuth access and refresh tokens (stored securely, never exposed to frontend)
• File metadata (names, sizes, modification dates, folder structure)
• File contents (for processing and analysis)

YouTube:

• OAuth access and refresh tokens
• Video metadata (titles, descriptions, publish dates, durations)
• Video transcripts (generated via transcription services)

Vimeo:

• OAuth access token
• Video metadata and content

Zoom:

• OAuth tokens
• Meeting recordings and metadata
• Transcripts

Manual Uploads:

• Files you directly upload (up to 2GB per file)
• File metadata and contents

1.4 Processed Content Data

When files are processed through our Platform, we generate and store:

• Extracted text content from documents, videos, and audio
• AI-generated summaries and analysis
• Content classifications (topics, categories, tags)
• Semantic embeddings (vector representations for search)
• Metadata analysis (sentiment, complexity, quality scores)
• Extracted entities (people, organizations, locations mentioned)
• Keywords and key topics

1.5 Usage and Technical Data

We automatically collect:

• Log data (error messages, function execution data, timestamps)
• API usage metrics (tokens processed, operations performed)
• Session information (encrypted JWT tokens)
• Device and browser information (user agent for admin sessions)

1.6 Payment and Billing Data

For paid services, we collect via Stripe:

• Payment method details (card brand, last 4 digits, expiration)
• Billing history and transaction records
• Credit balance and usage

2. How We Use Your Information

We use the information we collect to:

2.1 Provide and Maintain the Service

• Create and manage your account
• Process and analyze your uploaded content
• Generate AI-powered insights and summaries
• Enable search and retrieval of your knowledge base
• Process payments and manage billing

2.2 Improve and Develop the Service

• Monitor and analyze usage patterns
• Identify and fix technical issues
• Develop new features and functionality
• Optimize AI analysis and processing

2.3 Communicate With You

• Send transactional emails (verification, password reset, invitations)
• Provide customer support
• Send service-related notifications

2.4 Ensure Security and Compliance

• Detect and prevent fraud or abuse
• Enforce our Terms of Service
• Comply with legal obligations

2.5 SMS Opt-In Details

Crafty Codr collects phone numbers for the purpose of sending SMS communications to users who have explicitly opted in via our application form. We send a low volume mix of application updates, follow-up messages, and appointment reminders. SMS consent is not a condition of purchase or service. Users may opt out at any time by replying STOP to any message.

2.6 Mobile Information Sharing Statement

Crafty Codr does not share, sell, rent, or disclose mobile phone numbers or SMS opt-in data to third parties for marketing purposes. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes.

3. Third-Party Service Providers

We use the following third-party services to operate our Platform. Your data may be processed by these providers according to their respective privacy policies:

3.1 AI and Analysis Services

3.2 Infrastructure and Storage

3.3 Authentication and Communication

3.4 Payment Processing

3.5 Background Processing

4. Data Storage and Security

4.1 Data Storage

• Primary Database: MySQL database storing account information, file metadata, and analysis results
• Vector Database: Pinecone storing semantic embeddings with organization-level namespace isolation
• Temporary Storage: Files are temporarily stored during processing and deleted immediately after

4.2 Security Measures

We implement industry-standard security measures including:

• Encryption at Rest: Sensitive data such as API keys are encrypted using AES-256-GCM
• Password Hashing: User passwords are hashed using bcrypt with 12 rounds
• Token Protection: OAuth tokens are stored securely and never exposed to frontend applications
• Session Security: JWT-based sessions with cryptographic signing
• Access Control: Role-based access control (Owner, Admin, Member) within organizations
• Multi-Tenant Isolation: All data is isolated by organization with enforced access boundaries

4.3 Data Residency

Our primary services operate in the United States. Third-party providers may process data in various locations according to their infrastructure. For specific data residency requirements, please contact us.

5. Data Retention

5.1 Account Data

• Retained for the duration of your account
• Deleted upon account deletion request

5.2 Content Data

• Retained until you delete specific files or your account
• Vector embeddings deleted when source files are removed

5.3 System Logs

• Retention Period: 30 days
• Automatically purged after retention period

5.4 Payment Records

• Retained as required by financial regulations and tax laws
• Typically 7 years for transaction records

6. Your Rights and Choices

6.1 Access Your Data

You can access your account information, connected sources, and processed content through the Platform dashboard.

6.2 Update Your Information

You can update your profile information, organization details, and preferences through account settings.

6.3 Delete Your Data

You have the right to delete your data:

• Individual Files: Delete specific files through the "Manage Content" interface
• Source Connections: Disconnect data sources to stop syncing (with option to delete associated files)
• Account Deletion: Delete your entire account through account settings

Important: If you are the sole Owner of an organization, deleting your account will delete the entire organization and all associated data for all members.

6.4 Disconnect Third-Party Services

You can disconnect Google Drive, YouTube, Vimeo, or Zoom connections at any time through the Platform. This will:

• Revoke our access to fetch new data
• Optionally delete previously synced content

6.5 Export Your Data

To request an export of your data, please contact us at the email address below. We will provide your data in a commonly used, machine-readable format.

6.6 Opt-Out of Communications

You can opt out of non-essential communications, but you will continue to receive transactional emails necessary for service operation.

7. Multi-Tenant Architecture

7.1 Tenant Applications

Our Platform supports deployment through custom tenant applications on your own domain. When you access our Service through a tenant application:

• Authentication and data synchronization occurs through app.oughtabee.ai
• Your data is associated with your organization regardless of access point
• The same privacy protections apply across all access methods

7.2 Organization Isolation

Each organization's data is strictly isolated:

• Database queries are scoped to your organization
• Vector embeddings are stored in organization-specific namespaces
• No cross-organization data access is possible

8. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately.

9. International Data Transfers

If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

By using our Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending an email notification for significant changes

Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

11. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights regarding your personal information:

• Right to Know: Request disclosure of personal information collected
• Right to Delete: Request deletion of your personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights
• Right to Opt-Out of Sale: We do not sell personal information

To exercise these rights, contact us using the information below.

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have additional rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data
• Right to Restrict Processing: Request limitation of processing
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time

Legal Basis for Processing:

• Contract Performance: Processing necessary to provide our Service
• Legitimate Interests: Improving our Service, ensuring security
• Consent: Where you have provided explicit consent
• Legal Obligation: Compliance with applicable laws

To exercise these rights or file a complaint, contact us or your local data protection authority.

13. Automated Decision Making

Our Platform uses AI to automatically:

• Classify and categorize your content
• Generate summaries and analysis
• Extract topics, entities, and keywords
• Assign visibility and audience classifications

These automated processes help organize your knowledge base. You can manually review and modify AI-generated classifications through the Platform interface.

14. Cookies and Tracking

Our Platform uses essential cookies for:

• Session Management: Maintaining your authenticated session
• Security: Protecting against unauthorized access

We do not use advertising cookies, tracking pixels, or third-party analytics that track your activity across websites.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Crafty Codr Inc.
Email: trevor@oughtabee.ai
Website: oughtabee.ai

16. Data Protection Officer

For privacy-related concerns, you may contact our designated privacy representative at:

Email: trevor@oughtabee.ai

This Privacy Policy is effective as of the date stated above and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.