🔒 The short version: adiuvAI is local-first. Your personal data — emails, tasks, notes, files — is processed and stored on your device. We never see it, and we can't access it.
1. Who We Are
adiuvAI ("we", "us", "our") is a desktop application and optional cloud service developed by Roberto Musso, based in the European Union. This Privacy Policy explains how we collect, use, and protect your information when you use the adiuvAI desktop application, our website (adiuvai.com), and any related services.
For questions about this policy, contact us at privacy@adiuvai.com.
2. Our Privacy Architecture
adiuvAI is built on a local-first, privacy-by-design architecture. This means:
- Processing happens on your device. When adiuvAI reads your email, organizes tasks, or generates your daily brief, all processing occurs locally in the Electron desktop application.
- Your data stays on your machine. Tasks, notes, projects, files, and extracted email content are stored in a local SQLite database and local vector store (LanceDB) on your device.
- EU AI Act compliant. Our AI features are designed in accordance with the EU Artificial Intelligence Act (Regulation 2024/1689).
3. What We Collect
3a. Data You Provide Directly
| Data | Purpose | Stored Where |
|---|---|---|
| Email address | Account creation, waitlist, communications | Our server (PostgreSQL) |
| Name | Account personalization | Our server |
| Password | Authentication | Our server (bcrypt hash only) |
| Payment info | Subscription billing | Stripe (PCI-compliant) — we never store card numbers |
3b. Data the App Processes Locally
The following data is processed and stored exclusively on your device. We do not have access to it:
- Email content, attachments, and metadata
- Tasks, projects, notes, and checkpoints
- Calendar events and meeting notes
- Files and folders you choose to monitor
- AI conversation history
- Vector embeddings of your content
3c. Data Shared with AI Providers
When you use adiuvAI's AI features, portions of your data are sent to third-party large language model (LLM) providers for processing. This includes:
- What is sent: Text snippets relevant to the current AI task (e.g., an email you're asking about, task context for prioritization). We send the minimum context needed.
- Providers: OpenAI, Anthropic, or other LLM providers as configured. The specific provider depends on the task for optimal cost and performance.
- Retention: We use provider tiers that do not retain your data for training. Refer to each provider's data processing terms for details.
3d. Data We Collect Automatically
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address | Rate limiting, abuse prevention | Legitimate interest |
| API usage patterns | Service improvement, tier enforcement | Legitimate interest |
| Crash reports (opt-in) | Bug fixing | Consent |
3e. Website (Waitlist)
When you join the waitlist, we collect only your email address. We do not use tracking pixels, analytics scripts, or third-party cookies on our website.
4. How We Use Your Data
- Account management: Create and maintain your account, process subscriptions.
- Service delivery: Authenticate your desktop app, provide cloud backup/sync if opted in.
- Communications: Send product updates, security notices, and waitlist notifications. You can unsubscribe anytime.
- Security: Detect abuse, enforce rate limits, prevent unauthorized access.
- Improvement: Aggregate, anonymized usage patterns to improve the product. Never individual content.
5. Data Sharing
We do not sell, rent, or trade your personal information. We share data only with:
- Stripe — for payment processing (PCI DSS Level 1 compliant)
- Brevo (Sendinblue SAS) — for transactional emails (waitlist confirmation, product updates). Your email address is shared with Brevo solely to deliver these messages. Brevo acts as a data processor under GDPR and stores data in the EU. Brevo Privacy Policy
- LLM providers (OpenAI, Anthropic) — text snippets for AI processing, under no-training data agreements
- Cloud infrastructure (hosting provider) — encrypted data only for cloud backup/sync features
- Law enforcement — only when required by law, and limited to data we actually possess (account info, not your local content)
6. Your Rights (GDPR)
As an EU-based service, we respect the rights granted by the General Data Protection Regulation (GDPR) and equivalent UK/Swiss legislation:
- Access: Request a copy of any personal data we hold about you.
- Rectification: Correct inaccurate personal data.
- Erasure: Request deletion of your account and all associated data from our servers.
- Portability: Export your data in a machine-readable format.
- Restriction: Request we limit processing of your data.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
For local data: since it's stored on your device, you have full control already — you can view, export, or delete it at any time without contacting us.
To exercise your rights for server-side data, email privacy@adiuvai.com. We respond within 30 days.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Encrypted backups: Deleted within 30 days of account deletion, or on your request.
- Waitlist (confirmed): Retained until beta launch, then migrated to account data or deleted on request. Every email includes an unsubscribe link that immediately anonymizes your data.
- Waitlist (unconfirmed): Automatically anonymized after 48 hours. The anonymized record (signup date, source) is retained for aggregate analytics but contains no personal data.
- Server logs: Retained for 90 days, then purged.
- Local data: Under your control — persists until you delete it or uninstall the app.
8. Security
We implement appropriate technical and organizational measures to protect your data:
- End-to-end encryption (AES-256) for all cloud-stored content
- Device-bound encryption keys via OS-level secure storage (Electron safeStorage)
- bcrypt for password hashing, SHA-256 for refresh token storage
- Rate limiting and abuse detection on all API endpoints
- JWT-based authentication with short-lived access tokens
- Regular security reviews of the codebase
9. Children's Privacy
adiuvAI is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Third-Party Integrations
adiuvAI integrates with third-party services at your direction:
- Gmail / Google Workspace: OAuth 2.0 access. Email content is fetched and processed locally. We request read-only scopes.
- Microsoft Outlook / Teams: OAuth 2.0 access. Same local-only processing model.
- Telegram Bot: Messages you send to the adiuvAI bot are processed to execute commands (check tasks, get brief, add notes). We do not store Telegram message history on our servers.
Each integration can be disconnected at any time from within the app, which revokes our access.
11. International Transfers
Account data may be processed in the EU. If data is transferred outside the EEA, we ensure adequate safeguards are in place (Standard Contractual Clauses or adequacy decisions) in compliance with GDPR Chapter V.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email (for registered users) or a prominent notice on our website. The "Last updated" date at the top reflects the most recent revision.
13. Contact
For any privacy-related questions, concerns, or requests:
Email: privacy@adiuvai.com
Data Controller: Roberto Musso, adiuvAI
Location: European Union
You also have the right to lodge a complaint with your local data protection authority.