Privacy Policy
Last Updated: January 29, 2026
Table of Contents
- 1. Introduction
- 2. Information We Collect
- 3. How We Use Your Information
- 4. Google API Services & User Data
- 5. Email Integration (Gmail & Microsoft Outlook)
- 6. Third-Party Data Sources (Apollo.io)
- 7. Data Sharing and Disclosure
- 8. Data Security
- 9. Data Retention
- 10. Your Rights
- 11. Cookies and Tracking
- 12. Children's Privacy
- 13. International Data Transfers
- 14. Changes to This Policy
- 15. Contact Us
1. Introduction
SMALT AI ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered research and analysis platform at smaltai.com (the "Service").
By using our Service, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, password (encrypted), and profile details when you create an account
- Payment Information: Billing address and payment method details (processed securely by Stripe; we do not store full card numbers)
- User Content: Messages, documents, and files you upload or generate through the Service
- Communications: Information you provide when contacting support or communicating with us
2.2 Information Collected Automatically
- Usage Data: Features used, queries made, documents generated, and service interactions
- Device Information: Browser type, operating system, IP address, and device identifiers
- Log Data: Access times, pages viewed, and error reports
- Cookies: Session cookies and analytics cookies (see Section 9)
2.3 Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email, and profile picture from Google
- Payment Provider: Transaction status and subscription information from Stripe
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Provide, maintain, and improve the Service | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Communicate with you about your account and updates | Contract performance / Legitimate interest |
| Respond to support requests and inquiries | Contract performance |
| Detect and prevent fraud and abuse | Legitimate interest |
| Analyze usage patterns to improve the Service | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Send marketing communications (with consent) | Consent |
4. Google API Services & User Data
Google API Disclosure: SMALT AI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
4.1 Google Services We Access
When you connect your Google account to SMALT AI, we may request access to the following Google services:
- Google Drive: To create, read, and manage files and folders in your Google Drive
- Google Sheets: To create, read, and edit spreadsheets for data analysis and financial modeling
- Google Docs: To create and edit documents for reports and research outputs
- Google Account Profile: To retrieve your name, email address, and profile picture for authentication
4.2 How We Use Google Data
We use data from Google APIs solely for the following purposes:
- Authentication: To verify your identity and allow you to sign in securely
- Document Creation: To create spreadsheets, documents, and files in your Drive when you request them through your AI employee
- Data Analysis: To read and analyze data from your sheets when you explicitly request analysis
- File Management: To organize and manage files you create through our Service
Limited Use Compliance: We only access the minimum data necessary to provide requested features. Your Google data is never used for advertising, sold to third parties, or used to train AI models.
4.3 Google Data Storage & Retention
We handle your Google data with the following practices:
- Minimal Storage: We do not persistently store the contents of your Google files. File contents are processed in real-time to fulfill your requests.
- Authentication Tokens: We securely store OAuth tokens to maintain your connection. These are encrypted and can be revoked at any time.
- Session Data: Temporary session data related to Google API calls is cleared when your session ends.
- No Secondary Use: We do not use Google data for any purpose other than providing the Service features you explicitly request.
4.4 Google Data Sharing
We do NOT share your Google data with third parties except:
- With service providers necessary to operate our platform (e.g., cloud infrastructure)
- When required by law or valid legal process
- With your explicit consent
We Never: Sell your Google data, use it for advertising purposes, allow it to be used by third parties for advertising, or use it to train AI/ML models outside of providing the Service to you.
4.5 Revoking Google Access
You can revoke SMALT AI's access to your Google account at any time:
- Visit your Google Account Permissions page
- Find "SMALT AI" in the list of connected apps
- Click "Remove Access" to revoke all permissions
- Alternatively, contact us at support@smaltai.com to request disconnection
After revoking access, we will delete any stored OAuth tokens associated with your account within 30 days.
4.6 Google Data Security
We protect your Google data with the following measures:
- OAuth 2.0 authentication with PKCE for secure token exchange
- Encrypted storage of authentication tokens
- HTTPS encryption for all API communications
- Regular security audits and monitoring
- Access controls limiting employee access to user data
5. Email Integration (Gmail & Microsoft Outlook)
Privacy First: SMALT AI's email integration is designed with your privacy as the top priority. We can only send emails on your behalf - we do NOT read, access, or monitor your inbox.
5.1 Email Services We Integrate With
When you connect your email account to SMALT AI, we integrate with:
- Gmail: Via Google OAuth and Composio integration
- Microsoft Outlook: Via Microsoft OAuth and Composio integration
5.2 What Email Data We Access
Send-Only Access: We ONLY have permission to send emails through your account. We do NOT have access to read your inbox, sent items, drafts, or any other email content.
When you use our email features, we access:
- Send Permission: The ability to send emails through your connected account
- Basic Profile: Your email address for identification purposes
We do NOT access:
- Your inbox or received emails
- Your sent folder or email history
- Your contacts or address book
- Your drafts, folders, or labels
- Any email metadata or analytics
5.3 How We Use Email Integration
Your email connection is used solely for:
- Composing Emails: Your AI employee helps you draft professional emails based on your instructions
- Sending Emails: After your explicit review and approval, we send emails through your connected account
Your Approval Required: We will NEVER send an email without your explicit approval. You will always see and review the full email content before it is sent. You maintain complete control over all outgoing communications.
5.4 Email Data Storage
We handle your email-related data as follows:
- OAuth Tokens: Securely encrypted and stored to maintain your email connection
- Composed Content: Email drafts you create are stored in your conversation history
- Sent Email Records: We may log that an email was sent (timestamp, recipient) for your reference
- Email Content: The content of emails you compose is processed only to send the email and is not used for any other purpose
5.5 Third-Party Integration (Composio)
We use Composio as our integration platform for email services. Composio:
- Securely manages OAuth connections to Gmail and Outlook
- Processes email send requests on our behalf
- Does not store email content beyond what is necessary for transmission
- Is bound by data processing agreements to protect your information
5.6 Revoking Email Access
You can disconnect your email account at any time:
- From SMALT AI: Visit Settings → Connections and disconnect your email
- From Gmail: Visit Google Account Permissions and remove SMALT AI
- From Outlook: Visit Microsoft Privacy Settings and remove SMALT AI
Upon disconnection, we will delete stored OAuth tokens within 30 days. Your email account and all existing emails remain completely unaffected.
6. Third-Party Data Sources (Apollo.io)
Important: Our Service integrates with Apollo.io to provide business contact discovery features. This section explains how we handle data from this source.
6.1 What Data Apollo.io Provides
When you use our business contact search features, we retrieve publicly available professional information from Apollo.io, which may include:
- Professional names and job titles
- Business email addresses
- Company names and information
- Professional LinkedIn profile URLs
- Business phone numbers
- Industry and company size information
6.2 Source and Nature of Apollo Data
Apollo.io compiles business contact data from publicly available sources including:
- Public websites and company pages
- Professional networking sites (public profiles)
- Business directories
- Press releases and public filings
- Self-reported professional information
6.3 How We Use Apollo Data
Business contact data retrieved through Apollo.io is used to:
- Display search results in response to your queries
- Facilitate business research and professional networking
- Support sales and marketing research activities
Your Responsibility: When using business contact data, you must comply with applicable laws including GDPR, CCPA, and CAN-SPAM. You are responsible for obtaining necessary consents before sending marketing communications to contacts discovered through our Service.
6.4 Data Retention for Apollo Data
We do not permanently store Apollo.io data in our systems. Search results are:
- Retrieved in real-time from Apollo.io's API
- Displayed in your conversation context
- Stored temporarily in conversation history (subject to our data retention policy)
- Not used for purposes other than providing the Service to you
6.5 Opting Out of Apollo Data
If you are a business professional whose information appears in Apollo.io's database and wish to opt out:
- Visit Apollo.io's privacy center at apollo.io/privacy-center
- Submit a data removal request directly to Apollo.io
- Contact us at privacy@smaltai.com if you need assistance
7. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
7.1 Service Providers
We share data with trusted third-party service providers who assist us in operating the Service:
- Supabase: Database and authentication infrastructure
- Stripe: Payment processing
- Anthropic (Claude AI): AI language model processing
- Google (Gemini): Image generation and AI services
- OpenBB: Financial data retrieval
- Apollo.io: Business contact data
- Composio: Email integration services (Gmail, Outlook)
- Upstash: Redis caching and rate limiting
7.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).
7.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
7.4 With Your Consent
We may share your information for other purposes with your explicit consent.
8. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing using industry-standard algorithms
- Regular security assessments and monitoring
- Access controls and authentication mechanisms
- CSRF protection and rate limiting
However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
9. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes outlined in this policy:
- Account Data: Retained while your account is active and for up to 30 days after deletion request
- Conversation History: Retained while your account is active; deletable at your request
- Payment Records: Retained for 7 years as required for tax and legal compliance
- Usage Logs: Retained for up to 90 days for analytics and security purposes
10. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
10.1 Access and Portability
You can request a copy of your personal data in a structured, machine-readable format.
10.2 Correction
You can update your account information through your profile settings or request corrections to inaccurate data.
10.3 Deletion
You can request deletion of your personal data. Some data may be retained as required by law or for legitimate business purposes.
10.4 Restriction and Objection
You can request restriction of processing or object to certain processing activities.
10.5 Withdraw Consent
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
10.6 How to Exercise Your Rights
To exercise these rights, please contact us at privacy@smaltai.com. We will respond within 30 days.
California Residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information (we do not sell personal information). You will not be discriminated against for exercising these rights.
11. Cookies and Tracking
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for the Service to function (authentication, security)
- Analytics Cookies: Help us understand how you use the Service
- Preference Cookies: Remember your settings and preferences
You can control cookies through your browser settings. Disabling essential cookies may affect functionality.
12. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us so we can delete it.
13. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses where required.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- Sending an email notification for significant changes
Your continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact Us
Privacy Inquiries
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
Support Email: support@smaltai.com
Founder Direct: ethan@smaltai.com
Website: app.smaltai.com
For Google data access concerns, you can revoke access at Google Account Permissions.
For Apollo.io data opt-out requests, please visit Apollo.io Privacy Center.