Privacy Policy

Last Updated: April 2026

Introduction

cece ai ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered email assistant service.

By using cece, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

AI-Powered Email Processing

What cece Does

cece is an AI-powered email assistant that helps you manage customer communications. When you connect cece to your business email account, she:

  • Reads incoming customer emails to understand inquiries, requests, and conversations
  • Composes responses based on your business information and preferences
  • Learns from your emails to improve future responses by building a knowledge base about your business
  • Sends emails on your behalf (if you enable autonomous mode)

cece operates 24/7 to ensure your customers receive timely responses, even when you're unavailable.

What Data cece Processes

Email Content

cece processes the content of emails sent to and from your business email account, including:

  • Email body text
  • Subject lines
  • Sender and recipient information
  • Email metadata (timestamps, message IDs)
  • Attachments (if relevant to the conversation)

Business Knowledge Base

As cece processes emails, she extracts and stores general facts about your business, such as:

  • Frequently asked questions and answers
  • Services you offer
  • Business policies (hours, returns, shipping, etc.)
  • Communication preferences

What cece Does NOT Store

  • Personal information about your customers (names, email addresses, phone numbers, addresses) beyond what's needed for active conversations
  • Credit card numbers, bank account details, or other financial information
  • Social Security numbers, government IDs, or sensitive identification numbers
  • Health or medical information
  • Passwords or authentication credentials
  • Raw email content in the knowledge base (only extracted, anonymized facts)

Legal Basis for Processing (GDPR)

If you or your customers are located in the European Economic Area (EEA), UK, or Switzerland, we process email data under the following legal bases:

  • Performance of a contract (GDPR Art. 6(1)(b)) — Processing is necessary to provide cece's email assistant service, which you've contracted for
  • Legitimate interests (GDPR Art. 6(1)(f)) — You and your business have a legitimate interest in managing customer communications efficiently, and cece's processing is reasonable and proportionate to that interest

cece does not rely on consent as the primary legal basis, because requiring explicit consent from every email sender would make the service impractical. However, we provide transparency and opt-out mechanisms (see below).

Your Customers' Rights

Transparency

Every email cece sends on your behalf includes a disclosure: "This email was composed by cece, an AI assistant from meetcece.ai. Your messages are processed to improve service quality. To opt out of AI processing, reply 'NO AI'."

Right to Object (GDPR Art. 21)

Your customers can opt out of AI processing at any time by:

  • Replying to any cece email with "NO AI" or "Opt out"
  • Clicking the opt-out link in cece's email signature
  • Contacting you directly

Once a customer opts out, their future emails will be delivered to you without AI processing. You'll handle their emails manually.

Right to Access (GDPR Art. 15)

Your customers can request a copy of any data we have about them. They can email privacy@meetcece.ai.

Right to Deletion (GDPR Art. 17 / CCPA)

Your customers can request deletion of their data at any time. When we receive a deletion request, we will:

  • Delete all messages involving that customer
  • Remove any knowledge base entries derived solely from that customer's emails
  • Remove the customer's personal information from aggregated knowledge entries (but retain anonymized facts)
  • Confirm deletion within 30 days (GDPR) or 45 days (CCPA)

Right to Data Portability (GDPR Art. 20)

Your customers can request their email data in a portable format (JSON or CSV) by contacting privacy@meetcece.ai.

Data Minimization & Anonymization

cece is designed to minimize data collection:

  1. Automatic PII Stripping: Before storing any fact in the knowledge base, cece removes personal information (names, emails, phone numbers, addresses). Only general business facts are kept.
  2. Aggregation: Knowledge entries are created from patterns across multiple emails, not individual conversations. For example: "Customers frequently ask about shipping times" (not "John Smith asked about shipping on March 1st").
  3. No Raw Storage: cece does not store complete email threads in the knowledge base—only extracted, sanitized facts.
  4. Sensitive Categories Excluded: cece never stores health information, financial account details, government IDs, or other sensitive personal data in the knowledge base.

Data Retention

We retain data only as long as necessary to provide the service:

Data Type                  | Retention Period
Active customer emails     | Duration of customer relationship + 30 days
Inactive customer emails   | 30 days after last interaction (auto-deleted)
Business knowledge entries | 365 days from last confirmation (then flagged for review)
Stale knowledge entries    | Auto-archived after 90 days if unused
Audit logs (compliance)    | 7 years (regulatory requirement)
Audit logs (operational)   | 90 days

"Inactive customer" means no email interaction for 90+ days. You can customize retention periods in your account settings (subject to minimum legal requirements).

Security Measures

We protect email data with:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls: Only authorized personnel can access data, limited to what's necessary for service delivery
  • PII detection: Automated systems scan for and remove personal information before storage
  • Audit logging: All access and changes to your data are logged for security monitoring
  • Regular security reviews: Conducted by our security team and third-party auditors

For more details, contact security@meetcece.ai.

Data Sharing

We do NOT sell your email data. Period.

We share email data only in these limited circumstances:

  1. With your explicit authorization — You control cece and can instruct her to share information
  2. AI model providers — cece uses third-party AI services (currently Anthropic Claude and OpenAI GPT-4o) to generate email responses. Email content is sent to these providers for processing but is NOT used to train their public models. We have data processing agreements with all AI providers.
  3. Email infrastructure — Email is transmitted through Postmark (our email service provider) for delivery. Postmark has a data processing agreement and does not use your data for purposes other than email delivery.
  4. Legal obligations — If required by law, court order, or regulatory request
  5. Service providers — Hosting (Vercel), database (Supabase), and other infrastructure providers that support the service. All providers have data processing agreements.

Google Calendar Integration

cece ai offers an optional Google Calendar integration to help schedule meetings on your behalf. This section describes how we access, use, store, and share your Google Calendar data.

Data Accessed:

  • Calendar events — cece reads your calendar events to check your availability when scheduling meetings on your behalf.
  • Free/busy information — Used to determine open time slots for meeting requests.
  • Event creation — When you authorize read-write access, cece can create calendar events and send meeting invites to attendees.

How We Use Your Google Calendar Data:

  • To check your availability when someone requests a meeting via email
  • To create calendar events when you instruct cece to schedule a meeting
  • To send meeting invitations to attendees on your behalf

How We Do NOT Use Your Google Calendar Data:

  • We do NOT use your calendar data for advertising or marketing purposes
  • We do NOT sell, share, or transfer your calendar data to third parties except as necessary to provide the service
  • We do NOT use your calendar data to train AI models
  • We do NOT retain calendar data beyond what is needed to fulfill your scheduling requests

Data Storage and Security:

  • OAuth tokens (access and refresh tokens) are encrypted at rest using AES-256-GCM before storage
  • Calendar data is accessed in real-time when needed and is not permanently cached
  • You can disconnect your Google Calendar at any time from Settings, which immediately revokes access and deletes stored tokens

cece ai's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Your Control Over Data

As a cece business user, you have full control:

  • View Your Knowledge Base: See what cece has learned about your business in your account dashboard.
  • Edit or Delete Knowledge: Correct inaccurate facts, delete outdated information, or mark entries as sensitive.
  • Adjust Retention: Set custom retention periods for emails and knowledge entries.
  • Export Your Data: Download all your business data (emails, knowledge entries, settings) at any time in JSON or CSV format.
  • Delete Your Account: You can delete your cece account at any time. Upon deletion, all your emails and knowledge base are permanently deleted within 30 days (audit logs retained for 7 years per legal requirement).

International Data Transfers (GDPR)

For EEA/UK/Swiss Users:

cece's infrastructure is primarily hosted in the United States. If you or your customers are located in the EEA, UK, or Switzerland, your data will be transferred to and processed in the United States.

We rely on the following safeguards for international transfers:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to US providers
  • Data Processing Agreements (DPAs) with all subprocessors that include SCCs
  • Additional security measures beyond SCCs, including encryption, access controls, and data minimization

Children's Privacy

cece is not intended for use by individuals under 18 years old. We do not knowingly collect or process personal information from children under 16 (or 13 in the United States). If you become aware that cece has processed a child's personal information, please contact us immediately at privacy@meetcece.ai, and we will delete it promptly.

California Residents (CCPA / CPRA)

If you or your customers are California residents, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request details about the personal information we've collected about you in the last 12 months
  • Right to Delete: Request deletion of your personal information (subject to certain exceptions)
  • Right to Opt-Out: We do NOT sell personal information. However, you can opt out of AI processing as described above.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

How to Exercise CCPA Rights: Email privacy@meetcece.ai. We will respond within 45 days.

Financial Data & Payment Information

When you configure payment methods in your cece settings, we securely encrypt and store your payment account details (such as PayPal email, Venmo handle, or bank transfer instructions). This information is used solely to include payment instructions on invoices sent on your behalf.

We use AES-256-GCM encryption for all stored payment details. We do not process payments directly or store credit card numbers. Payment method data is retained while your account is active and deleted within 90 days of account closure.

AI-Generated Documents

cece ai generates business documents including quotes, invoices, and other materials on your behalf. All AI-generated documents include a disclosure footer. You are responsible for reviewing AI-generated content before it is sent to recipients. cece ai is not liable for errors in AI-generated financial documents.

Changes to This Policy

We may update this policy as we add new features or comply with new regulations. If we make material changes, we will:

  • Notify you by email at least 30 days before the changes take effect
  • Update the "Last Updated" date at the top of this policy
  • Post a notice in your account dashboard

Your continued use of cece after changes take effect constitutes acceptance of the updated policy.

Contact Us

For privacy questions or data requests:

For security concerns:

For general support:

This privacy policy is compliant with GDPR (EU Regulation 2016/679) and CCPA (California Civil Code §§ 1798.100-1798.199). For legal inquiries, contact legal@meetcece.ai.