Privacy Policy
Last updated: June 2026 · We'll email you at least 7 days before any significant change.
The short version — plain English
- We collect your email and name when you sign up. That's the extent of account basics.
- If you connect Gmail, Salesforce, HubSpot, or another tool, we only read what's needed for the task you start — your emails and CRM records don't live on our servers.
- Text you paste into our AI tools goes to Anthropic for processing and is not stored after your session ends.
- We never sell your data. To anyone. Ever.
- You can delete your account and all your data at any time.
- We are not a HIPAA covered entity — don't submit patient or health records.
1. Who we are
AI Pro Service ("AI Pro," "we," "our") is an AI-implementation studio based in Dharamshala, Himachal Pradesh, India. We help service businesses — agencies, consultancies, IT firms — deploy AI into their revenue and delivery workflows.
The person responsible for your data: Ashish Mishra, founder and designated Grievance Officer. Contact details are in Section 13.
2. What data we collect — and why
Account data
When you create an account, we collect:
- Your email address — to identify your account and send you outputs you request
- Your name and profile photo — only if you sign in with Google; you can remove these anytime
- Sign-up date and last sign-in timestamp — for security and session management
Third-party integration data
When you connect an external tool — Gmail, Google Workspace, Salesforce, HubSpot, Pipedrive, Zoho CRM, or others — we receive an OAuth access token that lets our system act on your behalf. Here's exactly what we do with that access:
- We store the OAuth token securely (encrypted) so you don't need to reconnect every session
- We read only the specific data needed for the task you've started — for example, to draft a follow-up email, we may read your recent thread with that contact, not your entire inbox history
- We do not store email content, CRM records, deal data, or contact lists on our servers once the task is complete
- We never access your integrations in the background without you explicitly starting a task
- Write actions (sending an email, creating a CRM record) require your explicit confirmation
Content you share with AI tools
Text, documents, and data you paste into tools like Proposal Diagnostics or AI workflow automations are sent to Anthropic (the maker of Claude) for processing. This content:
- Is not stored on our servers after your session ends
- Is processed under Anthropic's data processing terms
- Should not include personal data of third parties (clients, employees, patients) unless they have consented to AI processing
Usage data
We collect basic analytics — pages visited, features used, browser type, and your IP address (used only to determine approximate country or region). This tells us what's working and what to improve. We don't build individual profiles for advertising purposes.
3. How we use your data
| Purpose | Legal basis |
|---|---|
| Running your account and delivering the service | Contract performance |
| Processing AI tool requests you initiate | Contract performance |
| Sending outputs and reports you request | Contract performance |
| Notifying you of updates and new features (you can opt out anytime) | Consent |
| Product improvement through aggregated usage analysis | Legitimate interest |
| Security, fraud prevention, and abuse detection | Legitimate interest |
| Complying with legal obligations (tax records, regulator requests) | Legal obligation |
We do not use your data for advertising. We do not sell or rent your data to third parties. We do not build profiles for third-party targeting.
4. Who we share data with
We share data only with vendors ("subprocessors") that help us run the service, and only the minimum data each vendor needs. Here's the full list:
| Vendor | What they do for us | Location |
|---|---|---|
| Anthropic | AI processing — your inputs are sent here to generate responses | USA |
| Supabase | Database, authentication, and secure token storage | EU / USA |
| Vercel | Website hosting and serverless API functions | USA / Global |
| Resend | Transactional emails (reports, notifications you request) | USA |
| Google | Sign-in via Google OAuth; Gmail integration when you connect it | USA / Global |
| Salesforce / HubSpot / Pipedrive / Zoho | CRM integrations — only when you choose to connect them | Varies |
We don't share your data with anyone else unless we're legally required to. If a law enforcement or regulatory body makes a valid legal request, we will notify you before complying unless we are legally prohibited from doing so.
5. How long we keep your data
- Account data — Until you delete your account, plus 90 days while backups expire, then permanently deleted.
- AI-processed content (proposals, diagnostics, etc.) — Not retained on our servers after your session ends.
- Integration OAuth tokens — Until you revoke access in our settings or directly through the provider, or 90 days after your account becomes inactive.
- Usage analytics — 24 months, then aggregated and anonymized (no personal identifiers retained).
- Financial and legal records — As required by applicable law, typically 7 years.
6. International data transfers
We're based in India; most of our vendors operate in the USA or EU. When your data crosses borders, we rely on:
- EU / UK transfers — Standard Contractual Clauses (SCCs) with all vendors that process EU/UK personal data, ensuring GDPR-equivalent protection regardless of where the server sits.
- India transfers — Adequate safeguards as required by the DPDP Act 2023 and, where applicable, cross-border data transfer rules notified by the Indian government.
- Anthropic, Supabase, Vercel — We use their standard Data Processing Agreements, which include the necessary transfer mechanisms.
7. Your rights
Everyone, everywhere
- Access — Request a copy of the personal data we hold about you.
- Correction — Ask us to correct anything that's wrong or incomplete.
- Deletion — Ask us to delete your account and personal data. We'll confirm when it's done.
- Portability — Get your data exported in a machine-readable format (JSON or CSV).
EU and UK residents — GDPR and UK GDPR
All of the above, plus:
- Restriction — Ask us to pause processing while a dispute about accuracy is resolved.
- Objection — Object to processing we do on the basis of legitimate interests. We'll stop unless we have compelling grounds to continue.
- No solely automated decisions — We don't make decisions with legal or similarly significant effects using only automated processes. A human is always involved in consequential decisions about your account.
- Withdraw consent — For anything based on your consent (like marketing emails), you can withdraw at any time. It won't affect processing that already happened.
If you're unhappy with how we've handled a request, you can escalate to your national supervisory authority — the ICO in the UK, or your EU Data Protection Authority.
India residents — DPDP Act 2023
- Access and correction — Know what data we hold; request corrections and updates.
- Erasure — Request deletion of data that is no longer necessary for its original purpose.
- Grievance redressal — File a complaint with our Grievance Officer. We must acknowledge within 48 hours and resolve within 15 working days.
- Nomination — Designate someone to exercise your privacy rights on your behalf in case of death or incapacity.
California residents — CCPA / CPRA
- Know — What categories of personal information we collect, why we collect it, and who we share it with.
- Delete — Your personal information (with limited exceptions, such as legal obligation).
- Correct — Inaccurate personal information we hold.
- Opt out of sale or sharing — We don't sell or share personal information for cross-context behavioral advertising, so this right isn't triggered by our practices.
- Non-discrimination — Exercising any CCPA right will never affect your ability to use our service.
8. HIPAA and health data
AI Pro Service is not a HIPAA covered entity.
Our tools are not designed, audited, or certified to handle Protected Health Information (PHI) as defined under HIPAA. We cannot sign Business Associate Agreements (BAAs) and cannot guarantee HIPAA-compliant handling of health data.
Do not submit patient records, clinical notes, insurance claims, mental health records, or any other health-related personal data through our service.
If you work in healthcare and need AI tooling that touches clinical data, please reach out before sharing anything. We can discuss appropriate arrangements or point you toward HIPAA-ready alternatives.
10. Security
What we do to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted by Supabase and Vercel infrastructure
- OAuth tokens are stored in encrypted form
- Access to production systems is restricted to the minimum number of people necessary
- We review security practices and access controls periodically
No system is perfectly secure. In the event of a personal data breach that poses a risk to you, we will notify you and relevant regulatory authorities within the timeframes required by law — 72 hours under GDPR, within the period required under the DPDP Act.
11. Children's data
Our service is for business professionals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you have reason to believe a minor has registered an account, contact us immediately and we will delete it.
12. Changes to this policy
If we make a significant change — one that affects your rights or how we use your data — we'll email you and post a notice on the website at least 7 days before the change takes effect.
The "last updated" date at the top tells you when this version was published. Continued use after the effective date constitutes acceptance of the updated policy. If you don't agree with a change, you can delete your account before it takes effect.
13. Contact and Grievance Officer
For privacy questions, data requests, or complaints:
We acknowledge grievances within 48 hours and aim to resolve them within 15 working days. If you're unsatisfied with our resolution, you can escalate to the relevant Data Protection Authority in your jurisdiction, or to India's Data Protection Board once it is constituted.