Privacy Policy

DRAFT — FOR ATTORNEY REVIEW

Privacy Policy

Effective Date: [DATE]

Last Updated: [DATE]

This Privacy Policy describes how The Deliberate Company, LLC ("the Company," "we," "us," or "our") collects, uses, stores, and protects your information when you use OkHenry ("the Service") at okhenry.ai. By using the Service, you agree to the practices described in this policy.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, and password when you create an account.
  • Organization Information: Business name, location, and organizational context you provide during discovery and foundation-building conversations.
  • Conversation Content: Messages you exchange with AI Agents, including business descriptions, operational details, problem statements, and other information you share during conversations.
  • Operational Designs: Operation Maps, workflows, stages, steps, specifications, and other structured content you create through the Service.
  • Payment Information: Billing details provided through our payment processor, Stripe. We do not directly store credit card numbers or full payment credentials.
  • Communications: Emails, support requests, and other correspondence you send to us.

1.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, session duration, and interaction patterns within the Service.
  • Device and Browser Information: Browser type, operating system, device type, screen resolution, and language preferences.
  • Log Data: IP addresses, access times, referring URLs, and server logs.
  • Cookies and Similar Technologies: Session cookies for authentication and functionality. See Section 6 for details.

1.3 Information from Third Parties

  • Payment Processor: Stripe provides us with transaction confirmation, subscription status, and limited billing information (such as the last four digits of your card and billing address).

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Operate and maintain the Service, including processing your conversations with AI Agents, generating diagnoses, and creating operational designs.
  • Process Payments: Manage subscriptions, billing, and payment processing through Stripe.
  • Communicate with You: Send account-related notifications, respond to support requests, and provide service updates.
  • Improve the Service: Analyze usage patterns to improve features, performance, and user experience.
  • Ensure Security: Detect and prevent fraud, abuse, and unauthorized access.
  • Comply with Legal Obligations: Meet applicable legal, regulatory, and compliance requirements.

3. AI Processing and Third-Party AI Providers

The Service uses AI-powered agents that process your conversation content and business information to generate responses, diagnoses, and operational designs.

  • Third-Party AI Models: Your conversation content is transmitted to third-party large language model providers for processing. We primarily use Anthropic's Claude models. In the event of a service outage, we may fall back to alternative large language model providers; however, we do not use OpenAI or ChatGPT models. These transmissions are made via API and are subject to the respective AI provider's data handling policies.
  • No Training on Your Data: We do not use your Content to train AI models. Our API agreements with AI providers prohibit the use of your data for model training purposes.
  • Data Minimization: We transmit only the information necessary for the AI to generate a relevant response. We do not transmit your payment information, passwords, or account credentials to AI providers.
  • Conversation Storage: Pre-account discovery conversations are stored in temporary server-side sessions. Post-account conversations are stored in our database and associated with your Organization.

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

  • Within Your Organization: Other members of your Organization may access shared operational designs, conversations, and organizational data within the Service, subject to role-based access controls.
  • Service Providers: We share information with third-party service providers who assist us in operating the Service, including:
    • Stripe (payment processing)
    • AI model providers (conversation processing)
    • Infrastructure providers (hosting and data storage)
    These providers are contractually obligated to use your information only for the purposes of providing services to us.
  • Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer.
  • With Your Consent: We may share your information for any purpose with your explicit consent.

5. Data Retention

  • Active Accounts: We retain your information for as long as your account is active or as needed to provide the Service.
  • Pre-Account Sessions: Discovery session data for users who do not create an account is retained for up to 30 days, after which it is automatically deleted.
  • Deleted Accounts: Upon account deletion, we will delete or anonymize your Content within 90 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or dispute resolution).
  • Backups: Your data may persist in encrypted backups for up to 90 days after deletion from the active system.

6. Cookies and Tracking Technologies

  • Essential Cookies: We use session cookies that are strictly necessary for authentication, security, and core functionality of the Service. These cannot be disabled.
  • Analytics: We may use analytics tools to understand how the Service is used. [SPECIFY ANALYTICS PROVIDER IF APPLICABLE, e.g., Plausible, PostHog, or "We do not currently use third-party analytics services."]
  • No Advertising Cookies: We do not use cookies for advertising purposes. We do not serve ads within the Service.

7. Data Security

We implement reasonable administrative, technical, and physical security measures to protect your information, including:

  • Encryption of data in transit (TLS/SSL) and at rest.
  • Secure authentication and session management.
  • Role-based access controls within Organizations.
  • Regular security assessments and monitoring.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information, subject to legal and contractual retention requirements.
  • Data Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to certain processing of your information.
  • Withdrawal of Consent: Where processing is based on consent, you may withdraw consent at any time.

To exercise any of these rights, contact us at privacy@okhenry.ai. We will respond within 30 days.

9. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete that information promptly.

10. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other jurisdictions where our service providers operate. By using the Service, you consent to the transfer of your information to jurisdictions that may have different data protection laws than your home jurisdiction.

11. California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including:

  • The right to know what personal information we collect, use, and disclose.
  • The right to request deletion of your personal information.
  • The right to opt out of the sale of personal information. We do not sell personal information.
  • The right to non-discrimination for exercising your privacy rights.

To exercise these rights, contact us at privacy@okhenry.ai.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you may have additional rights under the General Data Protection Regulation (GDPR), including those described in Section 8. Our legal basis for processing your information includes:

  • Contract Performance: Processing necessary to provide the Service you requested.
  • Legitimate Interests: Processing for our legitimate business interests, such as improving the Service and ensuring security.
  • Consent: Where you have provided explicit consent for specific processing activities.
  • Legal Obligation: Processing necessary to comply with applicable laws.

For GDPR-related inquiries, contact us at privacy@okhenry.ai.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service prior to the changes taking effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

14. Contact

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

The Deliberate Company, LLC
Email: privacy@okhenry.ai
Web: okhenry.ai