Privacy Policy

Introduction

cece ai ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered email assistant service.

By using cece, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

AI-Powered Email Processing

What cece Does

cece is an AI-powered email assistant that helps you manage customer communications. When you connect cece to your business email account, she:

• Reads incoming customer emails to understand inquiries, requests, and conversations
• Composes responses based on your business information and preferences
• Learns from your emails to improve future responses by building a knowledge base about your business
• Sends emails on your behalf (if you enable autonomous mode)

cece operates 24/7 to ensure your customers receive timely responses, even when you're unavailable.

What Data cece Processes

Email Content

cece processes the content of emails sent to and from your business email account, including:

• Email body text
• Subject lines
• Sender and recipient information
• Email metadata (timestamps, message IDs)
• Attachments (if relevant to the conversation)

Business Knowledge Base

As cece processes emails, she extracts and stores general facts about your business, such as:

• Frequently asked questions and answers
• Services you offer
• Business policies (hours, returns, shipping, etc.)
• Communication preferences

What cece Does NOT Store

• Personal information about your customers (names, email addresses, phone numbers, addresses) beyond what's needed for active conversations
• Credit card numbers, bank account details, or other financial information
• Social Security numbers, government IDs, or sensitive identification numbers
• Health or medical information
• Passwords or authentication credentials
• Raw email content in the knowledge base (only extracted, anonymized facts)

Legal Basis for Processing (GDPR)

If you or your customers are located in the European Economic Area (EEA), UK, or Switzerland, we process email data under the following legal bases:

• Performance of a contract (GDPR Art. 6(1)(b)) — Processing is necessary to provide cece's email assistant service, which you've contracted for
• Legitimate interests (GDPR Art. 6(1)(f)) — You and your business have a legitimate interest in managing customer communications efficiently, and cece's processing is reasonable and proportionate to that interest

cece does not rely on consent as the primary legal basis, because requiring explicit consent from every email sender would make the service impractical. However, we provide transparency and opt-out mechanisms (see below).

Your Customers' Rights

Transparency

Every customer-facing email cece sends on your behalf includes a disclosure: "Composed by cece, an AI assistant for small businesses." The footer also includes links to learn more at meetcece.ai and to this Privacy Policy.

Right to Object (GDPR Art. 21)

Your customers may object to AI-assisted processing by:

• Contacting you directly
• Contacting us at privacy@meetcece.ai

If a customer objects, you are responsible for reviewing the request and handling that customer's future messages manually where required by applicable law or your business policy.

Right to Access (GDPR Art. 15)

Your customers can request a copy of any data we have about them. They can email privacy@meetcece.ai.

Right to Deletion (GDPR Art. 17 / CCPA)

Your customers can request deletion of their data at any time. When we receive a deletion request, we will:

• Delete all messages involving that customer
• Remove any knowledge base entries derived solely from that customer's emails
• Remove the customer's personal information from aggregated knowledge entries (but retain anonymized facts)
• Confirm deletion within 30 days (GDPR) or 45 days (CCPA)

Right to Data Portability (GDPR Art. 20)

Your customers can request their email data in a portable format (JSON or CSV) by contacting privacy@meetcece.ai.

Data Minimization & Anonymization

cece is designed to minimize data collection:

1. Automatic PII Stripping: Before storing any fact in the knowledge base, cece removes personal information (names, emails, phone numbers, addresses). Only general business facts are kept.
2. Aggregation: Knowledge entries are created from patterns across multiple emails, not individual conversations. For example: "Customers frequently ask about shipping times" (not "John Smith asked about shipping on March 1st").
3. No Raw Storage: cece does not store complete email threads in the knowledge base—only extracted, sanitized facts.
4. Sensitive Categories Excluded: cece never stores health information, financial account details, government IDs, or other sensitive personal data in the knowledge base.

Data Retention

We retain data only as long as necessary to provide the service:

"Inactive customer" means no email interaction for 90+ days. Contact us if you need a different retention period; availability may depend on your plan, legal requirements, and technical feasibility.

Privacy Choices and Cookie Preferences

cece uses a standard cookie notice so visitors can accept or decline optional cookies. We may use consent-gated analytics to understand how visitors and customers use our website and product pages, improve onboarding, measure product performance, and identify usability issues. If optional cookies are accepted, Google Analytics may process device and usage information such as pages viewed, approximate location derived from IP address, browser/device information, referrer, and interaction events.

We do not grant analytics storage or load Google Analytics by default. Optional analytics cookies start denied and are only enabled after you select Accept cookies in the cookie notice. Essential cookies and storage needed for login, security, account operation, and service delivery may still be used.

When Google Analytics is enabled after cookie acceptance, we configure it with IP anonymization where supported and do not enable Google Signals, ads personalization signals, remarketing, User-ID, or collection of customer email content or other intentional PII in analytics events. Analytics data is used for service improvement, not to sell personal information or target advertising.

Cookie choices: You can decline optional cookies in the cookie notice, revoke analytics consent by deleting site data or blocking analytics cookies, limit analytics with browser privacy controls or a trusted content blocker, or use Google's browser opt-out tools. You can also contact privacy@meetcece.ai with privacy choices questions.

Security Measures

We protect email data with:

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access controls: Only authorized personnel can access data, limited to what's necessary for service delivery
• PII detection: Automated systems scan for and remove personal information before storage
• Audit logging: Security-relevant access and changes are logged where operationally available for monitoring and troubleshooting
• Regular security reviews: Conducted by our security team and third-party auditors

For more details, contact security@meetcece.ai.

Data Sharing

We do NOT sell your email data. Period.

We share email data only in these limited circumstances:

1. With your explicit authorization — You control cece and can instruct her to share information
2. AI model providers — cece uses third-party AI services (currently Anthropic Claude and OpenAI GPT-4o) to generate email responses. Email content is sent to these providers for processing but is NOT used to train their public models. We have data processing agreements with all AI providers.
3. Email infrastructure — Email is transmitted through Postmark (our email service provider) for delivery. Postmark has a data processing agreement and does not use your data for purposes other than email delivery.
4. Website analytics — Limited website and product usage data may be processed by consent-gated analytics, including Google Analytics if enabled with consent, to help us understand aggregate usage and improve cece. Google Analytics is not used to process customer email content, train AI models, personalize ads, remarket, or identify users with Google User-ID.
5. Legal obligations — If required by law, court order, or regulatory request
6. Service providers — Hosting (Vercel), database (Supabase), and other infrastructure providers that support the service. All providers have data processing agreements.

Google Calendar Integration

cece ai offers an optional Google Calendar integration to help schedule meetings on your behalf. This section describes how we access, use, store, and share your Google Calendar data.

Data Accessed:

• Read-only availability checks — cece uses Google Calendar free/busy and event timing information only to determine when you are available. This does not allow cece to create, edit, or delete events.
• Read-write event creation — If you choose to authorize scheduling access, cece can create calendar events and send meeting invites to attendees. cece does not edit or delete existing calendar events unless you explicitly instruct it to do so.
• Calendar owner email address — Your Google Calendar owner email address is sent to the Google Calendar API when creating calendar events. This is required by Google's API to properly associate events with your calendar and send invitations on your behalf.
• Event details and attendee information — When you authorize scheduling access, event titles, descriptions, dates/times, locations, attendee names, attendee email addresses, and invitation details may be sent to Google Calendar only as needed to create, update, or manage the meetings you request.

How We Use Your Google Calendar Data:

• To check your availability when someone requests a meeting via email, using read-only free/busy information where possible
• To create calendar events only when you authorize read-write calendar access and instruct cece to schedule a meeting
• To update or cancel meetings only when you ask cece to manage those meetings or when a scheduling workflow you enabled requires it
• To send meeting invitations to attendees on your behalf when creating those events

If auto-confirmation is enabled for meeting scheduling, cece may confirm eligible meeting requests, create calendar events, and send confirmations without separate manual approval for each meeting. Auto-confirmed meetings may create scheduling commitments on your behalf, so you are responsible for monitoring your calendar and disabling auto-confirmation if you want to review each meeting before it is confirmed.

How We Do NOT Use Your Google Calendar Data:

• We do NOT use your calendar data for advertising or marketing purposes
• We do NOT sell, share, or transfer your calendar data to third parties except as necessary to provide the service
• We do NOT use your calendar data to train AI models
• We do NOT retain calendar data beyond what is needed to fulfill your scheduling requests
• We do NOT use Google Calendar data for generalized AI model training or to develop unrelated products

Data Storage and Security:

• OAuth tokens (access and refresh tokens) are encrypted at rest using AES-256-GCM before storage
• Calendar data is accessed in real time when needed and is not permanently cached beyond what is necessary for scheduling, audit, security, troubleshooting, legal, or service-integrity needs
• Meeting records stored in cece may include scheduled meeting dates/times, attendee email addresses, invitation status, and related conversation context so cece can track scheduling work, follow up appropriately, and show you what happened in the product.
• OAuth tokens are retained only while your Google Calendar connection is active. Stored tokens are deleted or invalidated when you disconnect Google Calendar or delete your account, subject to account recovery, backup, legal, security, or audit retention requirements described in this policy.
• You can disconnect your Google Calendar at any time from Settings or revoke cece's access directly from your Google Account permissions. Disconnecting or revoking access stops future calendar access.

cece ai's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data to provide and improve user-facing scheduling features you request, do not sell Google user data, do not use Google user data for advertising, do not transfer Google user data except as necessary to provide the scheduling features you request or as legally required, and do not allow humans to read Google user data except with your consent, for security purposes, to comply with law, or after it has been aggregated and anonymized.

If we materially change how cece accesses, uses, stores, or shares Google user data, we will update this Privacy Policy version and effective date, post an in-product notice, and notify affected users by email or another prominent in-product method before the change takes effect when required by law or Google policy.

Your Control Over Data

As a cece business user, you have full control:

• View Your Knowledge Base: See what cece has learned about your business in your account dashboard.
• Edit or Delete Knowledge: Correct inaccurate facts, delete outdated information, or mark entries as sensitive.
• Retention Requests: Contact us if you need a different retention period; availability may depend on your plan, legal requirements, and technical feasibility.
• Access or Export Your Data: Contact us to request a copy of available account data. We will respond as required by applicable law and may need to verify your identity before fulfilling the request.
• Delete Your Account: You can delete your cece account at any time. Upon deletion, your account is deactivated immediately and account data is scheduled for deletion after the 30-day recovery window. We may retain limited records where required for security, fraud prevention, dispute resolution, backups, or legal compliance.

International Data Transfers (GDPR)

For EEA/UK/Swiss Users:

cece's infrastructure is primarily hosted in the United States. If you or your customers are located in the EEA, UK, or Switzerland, your data will be transferred to and processed in the United States.

We rely on the following safeguards for international transfers:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to US providers
• Data Processing Agreements (DPAs) with all subprocessors that include SCCs
• Additional security measures beyond SCCs, including encryption, access controls, and data minimization

Children's Privacy

cece is not intended for use by individuals under 18 years old. We do not knowingly collect or process personal information from children under 16 (or 13 in the United States). If you become aware that cece has processed a child's personal information, please contact us immediately at privacy@meetcece.ai, and we will delete it promptly.

California Residents (CCPA / CPRA)

If you or your customers are California residents, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request details about the personal information we've collected about you in the last 12 months
• Right to Delete: Request deletion of your personal information (subject to certain exceptions)
• Right to Opt-Out: We do NOT sell personal information. Customers may object to AI-assisted processing as described above.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

How to Exercise CCPA Rights: Email privacy@meetcece.ai. We will respond within 45 days.

Financial Data & Payment Information

When you configure payment methods in your cece settings, we securely encrypt and store your payment account details (such as PayPal email, Venmo handle, or bank transfer instructions). This information is used solely to include payment instructions on invoices sent on your behalf.

We use AES-256-GCM encryption for all stored payment details. We do not process payments directly or store credit card numbers. Payment method data is retained while your account is active and deleted within 90 days of account closure.

AI-Generated Documents

cece ai generates business documents including quotes, invoices, and other materials on your behalf. All AI-generated documents include a disclosure footer. You are responsible for reviewing AI-generated content before it is sent to recipients. cece ai is not liable for errors in AI-generated financial documents.

Changes to This Policy

We may update this policy as we add new features or comply with new regulations. If we make material changes, including any material change to how cece accesses, uses, stores, or shares Google user data, we will:

• Notify you by email at least 30 days before the changes take effect when feasible and legally required
• Post a prominent notice in your account dashboard or other in-product surface
• Update the policy version, effective date, and "Last Updated" date at the top of this policy
• Clearly identify changes that affect Google user data before applying them to connected Google Calendar accounts when required by Google policy

Your continued use of cece after changes take effect constitutes acceptance of the updated policy.

Contact Us