Privacy Policy

Last updated: April 23, 2026 — Private Beta

Private beta. This policy describes how we handle data during the private beta. A final, counsel-reviewed version will replace this document before general availability. Questions: support@nicoleassist.com.

1. Data we collect

Account data

  • Your email address and display name, provided at signup.
  • A password hash (argon2id) — we never store the plaintext password. An optional TOTP secret, stored encrypted, if you enable multi-factor authentication.
  • Session records tied to cookies in your browser. Sessions expire automatically, and you can log out at any time.

Calendar and mailbox data

  • OAuth refresh tokens for the Microsoft 365 account(s) you connect. Stored encrypted at rest with a per-tenant key.
  • Free/busy schedule data from your calendars, fetched on demand to propose times. We do not mirror your full calendar into our database.
  • Inbound emails sent to your scheduling address (e.g., yourhandle@schedule.nicoleassist.com). Subject, headers, body, and message IDs are stored so threads can be continued and audited.
  • Outbound emails and calendar-event actions we perform on your behalf — stored so you can review what was sent.

Contacts

We store contact metadata (name, email, role, preferences, VIP flag) that we learn from your scheduling threads. You can delete contact rows from the dashboard.

Operational telemetry

  • Per-request logs tagged with your tenant id and a trace id, retained for 30 days.
  • Errors, retained in Sentry for 90 days.
  • Audit rows for every agent action, draft approval, admin access, and sign-in event. Retention is 2 years for tenant audit (audit_log) and 7 years for platform audit (audit_log_platform) so we can reconstruct operator access after the fact.

2. How we use it

  • To run the scheduling assistant on your behalf.
  • To detect and respond to security incidents and abuse.
  • To bill and enforce rate limits (beta is free; billing is v2).
  • To improve the product. We do not use your email bodies or calendar contents to train third-party models. See §4.

3. Who we share it with

Our infrastructure providers receive data strictly to run the Service. The full list with a description of what each receives is at /subprocessors. We do not sell your data, and we do not share it with advertisers.

4. AI and your data

Nicole is powered by Anthropic’s Claude. Content we send to Claude is limited to the specific scheduling thread being handled, your tenant’s rules, and availability for the requested window. Anthropic processes data under their API terms and does not use API-submitted content to train models by default.

5. Security

  • TLS in transit, HSTS enforced.
  • Row-level security on every tenant-scoped table; tenants cannot read each other’s data.
  • Refresh tokens and MFA secrets encrypted at the column level.
  • Operator (platform admin) access requires MFA and is audit-logged per use.
  • See SECURITY.md for the full security model.

6. Your rights

  • Access + export. You can download your tenant’s audit log from the dashboard (JSON). Full account export on request.
  • Correction. Edit display name, timezone, and assistant name in settings. Email us for anything else.
  • Deletion. Email support@nicoleassist.com to close and delete your tenant. Live records removed within 30 days; encrypted backups roll off within 90 days.
  • Portability. Export is JSON; calendar events live in your own Microsoft 365 tenant and are not affected by deletion here.

7. Data location

Data is stored in the United States during beta. European and other regional data residency is on our post-beta roadmap.

8. Children

The Service is not intended for children under 16 and we do not knowingly collect data from them.

9. Changes

Material changes will be emailed to the address on file before they take effect.

10. Contact

Privacy questions: support@nicoleassist.com.