← Back to Home

Privacy Policy

Last Updated: April 28, 2026

Introduction

cece ai ("we," "our," or "us") operates the meetcece.ai website and the cece ai email assistant service, including email processing via the cecemail.io domain (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our Service.

By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service. We encourage you to review this policy periodically for any changes.

Information We Collect

Information You Provide Directly

  • Account information: Email address, full name, and authentication credentials (via Google or Apple sign-in)
  • Business information: Business name, industry, description, website URL, business email address, phone number, address, business hours, and service/pricing details
  • Configuration data: AI tone preferences, custom instructions, FAQs, standard operating procedures, approved sender/recipient addresses, and domain settings
  • Uploaded content: Documents, files, or other materials you provide to configure the Service (e.g., SOPs, tone guides)
  • Reminder data: Reminder text/description, due date/time, associated email thread, completion status, and user-assigned tags

Information Collected Through Email Processing

When you use the Service, we process email communications sent to or through the Service, including:

  • Email sender and recipient addresses, names, and subject lines
  • Email body content (plain text and HTML)
  • Email attachments and metadata (timestamps, message IDs, thread IDs)
  • AI-generated analysis of emails (intent classification, sentiment analysis, confidence scores, summaries)
  • AI-generated email responses sent on your behalf

Important: The Service processes emails from your customers and contacts. When your customers email your cece-managed address, their email content is processed by our AI systems as described in the "AI Data Processing" section below.

Automatically Collected Information

  • Usage data (features accessed, interactions with the dashboard)
  • Device and browser information (browser type, operating system, IP address)
  • Performance and diagnostic data
  • Cookies and similar tracking technologies (see "Cookies" section below)

How We Use Your Information

  • To provide the Service: Processing incoming emails, classifying intent and sentiment, generating and sending email responses on your behalf
  • Autonomous email actions: By default, our AI assistant sends email responses directly to your customers and contacts without requiring your prior approval for each message. You may configure the Service to require approval before sending (see our Terms of Service)
  • To learn your business context: Analyzing your configuration, previous conversations, and feedback to improve the accuracy and relevance of AI-generated responses
  • To improve the Service: Analyzing usage patterns and performance to enhance features and fix issues
  • To communicate with you: Sending service updates, security alerts, and administrative messages
  • To ensure security: Detecting and preventing fraud, abuse, and unauthorized access
  • Reminder management: Creating, storing, and delivering reminders based on email content or your explicit instructions
  • To comply with legal obligations: Responding to legal requests and enforcing our terms

Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data are:

  • Contract performance: Processing necessary to provide the Service you have subscribed to, including email processing and AI-generated responses
  • Legitimate interests: Improving the Service, ensuring security, preventing fraud, and analyzing usage patterns — where these interests are not overridden by your rights
  • Consent: Where we rely on consent (e.g., optional analytics or marketing communications), you may withdraw consent at any time
  • Legal obligation: Where processing is necessary to comply with applicable laws

AI Data Processing

Our Service uses artificial intelligence to process and respond to emails. We use the following AI providers:

Anthropic (Claude)

We use Anthropic's Claude AI models for email intent classification, sentiment analysis, and response generation. When emails are processed:

  • Email content (sender, subject, body) is transmitted to Anthropic's API
  • Your business context and configuration are included in prompts to generate relevant responses
  • Anthropic does not use data submitted via their API to train or improve their models (per Anthropic's Privacy Policy and API Terms)
  • Anthropic may retain API inputs and outputs for up to 30 days for safety and abuse monitoring purposes

OpenAI (GPT-4o mini)

We use OpenAI's GPT-4o mini model for email processing and response generation. When emails are processed:

  • Email content (sender, subject, body) is transmitted to OpenAI's API
  • Your business context and configuration are included in prompts to generate relevant responses
  • OpenAI does not use data submitted via their API to train or improve their models (per OpenAI's API Data Usage Policy)
  • OpenAI may retain API inputs and outputs for up to 30 days for abuse and misuse monitoring, unless a zero-data-retention agreement is in place

What This Means for You

  • Email content you and your customers send through the Service is processed by third-party AI systems
  • Neither Anthropic nor OpenAI uses your data to train their general-purpose models via API usage
  • Both providers may temporarily retain data for safety monitoring (typically up to 30 days)
  • We select AI providers based on their data protection commitments, but we encourage you to review their privacy policies directly

Data Sharing & Third-Party Processors

We share your information with the following categories of service providers who process data on our behalf:

ProviderPurposeData Shared
AnthropicAI email classification and response generationEmail content, business context
OpenAIAI email processing and response generationEmail content, business context
Postmark (ActiveCampaign)Email sending and receivingEmail messages (sender, recipient, subject, body, attachments)
SupabaseDatabase hosting, authentication, file storageAll account and email data (encrypted in transit)
VercelWebsite hosting and application deliveryAccess logs, IP addresses
Google CalendarOptional calendar availability checks, event creation, meeting invites, and reminder synchronizationRead-only free/busy and event timing information for availability; event titles, descriptions, dates/times, attendee info, and calendar owner email address when you authorize read-write scheduling
RailwayBackend API hosting and computeApplication logs, request data

We do not sell your personal information to third parties. We may disclose your information if required by law, regulation, legal process, or governmental request.

Google Calendar Integration and Limited Use

Google Calendar connection is optional. cece uses Google Calendar data only for scheduling features you choose to enable.

  • Read-only availability checks: cece may use free/busy and event timing information to find available meeting times. This does not allow cece to create, edit, or delete events.
  • Read-write scheduling: If you authorize scheduling access, cece may create calendar events and send meeting invitations on your behalf. Event details may include titles, descriptions, dates/times, attendee names and email addresses, and your Google Calendar owner email address. cece does not edit or delete existing calendar events unless you explicitly instruct it to do so.
  • Owner email/API sharing: Your Google Calendar owner email address and event information are sent to Google's Calendar API as needed to check availability, create events, associate events with your calendar, and send invitations.
  • Data storage: OAuth access and refresh tokens are encrypted at rest and used only to provide the calendar features you authorize. Calendar data is accessed when needed and is not permanently cached beyond what is necessary to complete scheduling requests, maintain audit/security logs, or comply with law.
  • Revocation and deletion: You can disconnect Google Calendar in Settings or revoke access in your Google Account. Disconnecting stops future calendar access and we delete or invalidate stored OAuth tokens; account deletion permanently removes connected calendar tokens and related account data after the stated recovery period.
  • Limited Use: cece ai's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, use it for advertising, use it for generalized AI model training, or allow humans to read it except with your consent, for security purposes, to comply with law, or after it has been aggregated and anonymized.
  • Auto-confirmation risk: If you enable automatic meeting confirmation, cece may create events and send calendar invites without separate manual approval for each meeting. You are responsible for reviewing auto-confirmed calendar events and disabling auto-confirmation if you prefer manual review.

International Data Transfers

Our Service and our third-party providers operate primarily in the United States. If you are located outside the United States (including in the EEA, UK, or Switzerland), your personal data will be transferred to and processed in the United States. We rely on standard contractual clauses and our providers' compliance frameworks (where applicable) to ensure adequate protection of your data during international transfers.

Data Retention

Email Content and Metadata

  • Email bodies (text and HTML): Automatically purged after 90 days
  • Email metadata: Sender, recipient, subject, AI classification, and timestamps are retained for as long as your account is active
  • Extracted business data: Tasks, quotes, invoices, and knowledge extracted from emails are retained separately and independently from email content

Reminder Data

  • Reminder data: Retained until manually deleted by you, 90 days after the reminder due date (whichever comes first), or upon account deletion

Usage Tracking and Logs

  • Raw metadata in usage logs: Email addresses, subjects, and other identifying metadata are automatically purged after 90 days
  • Aggregate counts: Statistical usage data (without personal identifiers) is retained for analytics purposes
  • Audit logs: Security and compliance logs are retained for 12 months

Account Data

  • Account information: Email address, name, authentication credentials, and business configuration are retained for as long as your account is active
  • Business context and configuration: Business profile, FAQs, tone settings, and domain configuration are retained for as long as your account is active
  • Backups: Database backups are retained for up to 30 days and are then automatically deleted

Account Deletion and Recovery

When you or an administrator requests account deletion:

  • Immediate deactivation: Your account is deactivated immediately and stops processing emails
  • 30-day grace period: You have 30 days to log back in and restore your account
  • Permanent deletion after 30 days: If you do not restore your account within 30 days, ALL data is permanently deleted, including:
    • User account and authentication data
    • Business profile and configuration
    • All messages and conversation history
    • Quotes, invoices, and extracted knowledge
    • Subscriptions and usage logs
  • Irreversible: After the 30-day window, deletion is permanent and cannot be undone

We may retain certain data for longer periods where required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution, legal compliance).

Data Security

We implement technical and organizational security measures designed to protect your information, including:

  • Encryption in transit via HTTPS/TLS for all data transmissions
  • Authentication via industry-standard OAuth 2.0 (Google and Apple sign-in)
  • Role-based access controls and tenant isolation
  • Rate limiting and abuse prevention on API endpoints
  • Webhook signature verification for email processing

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

Privacy Choices and Cookie Preferences

We use a standard cookie notice so you can accept or decline optional cookies. We use cookies and similar technologies for:

  • Essential cookies: httpOnly session cookies, inaccessible to JavaScript, transmitted only over HTTPS. Required for authentication, session management, and security. These cannot be disabled.
  • Functional cookies: Remember your preferences and settings to improve your experience.
  • Analytics cookies: Help us understand aggregate website and product usage so we can improve the Service. Google Analytics is not loaded and analytics storage is not granted by default; optional analytics only runs after you select Accept cookies in the cookie notice.

When Google Analytics is enabled after cookie acceptance, we configure it with IP anonymization where supported and do not enable Google Signals, ads personalization signals, remarketing, User-ID, or collection of customer email content or other intentional PII in analytics events. You can decline optional cookies in the cookie notice, revoke analytics consent by deleting site data or blocking analytics cookies, limit analytics by using browser privacy controls, enabling a trusted content blocker, or using Google's browser opt-out tools. For privacy choices questions, contact privacy@meetcece.ai. Disabling essential cookies may prevent you from using certain features of the Service.

Your Rights

All Users

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion (Right to Erasure): Request deletion of your personal data. When you request deletion, your account is deactivated immediately. You have a 30-day grace period to restore your account if needed. After 30 days, all data is permanently and irreversibly deleted. See the "Data Retention" section for details on what is deleted and when
  • Data portability: Request an export of your data in a machine-readable format
  • Withdraw consent: Where processing is based on consent, withdraw at any time
  • Account closure: Close your account and have associated data deleted according to our retention schedule

Additional Rights for EEA/UK/Swiss Residents (GDPR)

  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Automated decisions: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
  • Complaint: Lodge a complaint with your local data protection authority

Additional Rights for California Residents (CCPA/CPRA)

  • Right to know: Request details about the categories and specific pieces of personal information we collect, use, and disclose
  • Right to delete: Request deletion of personal information we have collected
  • Right to opt-out: We do not sell personal information. We do not use personal information for cross-context behavioral advertising
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact us at privacy@meetcece.ai. We will respond to verifiable requests within 30 days (or as required by applicable law).

Information About Your Customers

When your customers email your cece-managed address, we process their email content to provide the Service. In this context:

  • You are the data controller for your customers' personal data — you determine the purposes and means of processing
  • We act as a data processor on your behalf — we process your customers' data only as necessary to provide the Service
  • You are responsible for ensuring you have a lawful basis to process your customers' data through our Service
  • You should inform your customers that you use an AI email assistant to process and respond to their communications
  • If a customer of yours contacts us with a data rights request, we will direct them to you as the data controller

For enterprise customers, we offer a Data Processing Agreement (DPA) that formalizes our obligations as a data processor. Contact privacy@meetcece.ai to request a DPA.

Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will promptly delete it.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. For significant changes affecting your rights, we will provide notice via email or through the Service dashboard. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy or our data practices:

Back to Home