Privacy Policy
Last updated: 23 February 2025
1. Who we are
iamcleo.ai (“Cleo”, “we”, “us”, “our”) is operated by Aldo Troiano, a sole trader based in the United Kingdom. We are the data controller for the personal data described in this policy.
Contact: aldo@hello.iamcleo.ai
2. What this policy covers
This policy explains how we collect, use, store, and share personal data when you use the iamcleo.ai website, dashboard, API, and managed AI assistant service (collectively, the “Service”).
3. Data we collect
3.1 Account data
When you create an account we collect:
- Email address (required)
- Display name (optional)
- Timezone preference
3.2 Authentication & security data
- Magic-link tokens (hashed, auto-expire after 15 minutes)
- Session tokens (JWT stored in an HttpOnly cookie)
- Two-factor authentication secrets (AES-256-GCM encrypted) and backup codes (SHA-256 hashed), if you enable 2FA
- IP address and browser user-agent string (recorded for security and audit purposes)
3.3 AI assistant configuration
Settings you provide such as assistant name, tone, response style, custom instructions, and user context.
3.4 API keys & OAuth credentials
If you use “Bring Your Own Key” mode, you provide an API key for your chosen AI provider (e.g. OpenAI, Anthropic). Keys are encrypted at rest. We store only a short prefix for display purposes — never the full key in plaintext.
If you connect third-party services (Google, Notion), we store encrypted OAuth access and refresh tokens plus the scopes you authorised.
3.5 Messaging & channel data
When you connect Telegram, Discord, Slack, or WhatsApp we store the external user/chat IDs, usernames, and channel configuration needed to deliver messages. We also record a timestamp of your last message per channel.
Conversation content is ephemeral. Messages are delivered directly to your isolated agent container. They are not persisted in our database. Conversation context is held in memory within your container and cleared when the container stops.
3.6 Billing data
Payments are processed by Stripe. We store your Stripe customer ID, subscription tier, billing interval, subscription status, and credit usage. We do not store your card number or bank details — those are held solely by Stripe.
3.7 Waitlist data
If you join our waitlist we collect your email address and an optional note. Disposable email addresses are rejected.
3.8 Feedback
If you submit feedback via the dashboard we store the message, its type (bug, feature, general), and the timestamp.
3.9 Audit logs
We maintain an internal audit log of security-relevant actions (login, logout, profile changes, billing events, agent lifecycle events). Each entry records the action, your IP address, user-agent, and timestamp. If you delete your account the user ID in these records is set to null, but the anonymised record is retained for compliance.
4. How we use your data
We process your personal data to:
- Provide and operate the Service (account management, AI assistant delivery, channel integration)
- Authenticate you securely (magic links, 2FA, session management)
- Process payments and manage subscriptions via Stripe
- Send transactional emails (magic links, waitlist approvals)
- Monitor service health and investigate security incidents
- Respond to your feedback and support requests
- Comply with legal obligations
We do not use your data to train AI models, serve advertising, or build marketing profiles.
5. Legal basis for processing (UK GDPR)
| Purpose | Lawful basis |
|---|---|
| Providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Payment processing | Performance of a contract (Art. 6(1)(b)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Waitlist management | Consent (Art. 6(1)(a)) |
6. Third-party processors
We share data with the following processors only to the extent necessary to operate the Service:
| Processor | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, compute, storage, database | All Service data (encrypted in transit & at rest) |
| Stripe | Payment processing | Email, subscription details, payment method |
| OpenAI / Anthropic | AI model inference (via your API key or platform credits) | Message content sent to the model during your session |
| Telegram / Discord / Slack | Message delivery | Messages and channel metadata |
| Google / Notion | Optional integrations you connect | Data within the scopes you authorise |
Each processor is subject to its own privacy policy. We encourage you to review them.
7. Data retention
| Data | Retention |
|---|---|
| Account & configuration data | Until you delete your account |
| Session tokens | 24 hours (auto-expire) |
| Magic-link tokens | 15 minutes (auto-expire) |
| In-memory conversation context | Until container stops (auto-stop after inactivity) |
| Billing & credit records | 7 years (legal/tax obligations) |
| Audit logs | 7 years (anonymised after account deletion) |
| Waitlist entries | Until approval/rejection, then 12 months |
| Feedback | Until you delete your account |
8. International transfers
The Service is hosted on AWS in the UK (eu-west-2, London). Some third-party processors (Stripe, OpenAI, Anthropic) may process data in the United States. Where data is transferred outside the UK, we rely on Standard Contractual Clauses or adequacy decisions as appropriate.
9. Cookies & local storage
We use only what is strictly necessary to operate the Service:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| cleo_session | HttpOnly cookie | Authentication | 24 hours |
| theme | Local storage | Light/dark mode preference | Persistent |
We do not use any analytics, advertising, or tracking cookies. No third-party trackers are loaded.
10. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — delete your account and all associated data (available via Dashboard → Settings → Delete Account)
- Restriction — ask us to limit processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent (e.g. waitlist), you may withdraw at any time
To exercise any of these rights, email aldo@hello.iamcleo.ai. We will respond within 30 days.
11. Data security
We protect your data with:
- Encryption in transit (TLS) and at rest (AES-256)
- Isolated per-user containers (no shared runtime between accounts)
- API keys and OAuth tokens encrypted before storage
- Passwordless authentication (magic links only, no password database)
- Optional two-factor authentication (TOTP)
- Rate limiting and input validation on all endpoints
- Comprehensive audit logging
12. Age restriction
The Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
13. Changes to this policy
We may update this policy from time to time. If we make material changes we will notify you by email or via a notice on the Service. The “Last updated” date at the top reflects the most recent revision.
14. Complaints
If you are unhappy with how we handle your data you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
15. Contact
For any privacy-related questions or requests, contact us at: aldo@hello.iamcleo.ai