← Back to Home

Privacy Policy

Last Updated: April 23, 2026

Introduction

cece ai ("we," "our," or "us") operates the meetcece.ai website and the cece ai email assistant service, including email processing via the cecemail.io domain (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our Service.

By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service. We encourage you to review this policy periodically for any changes.

Information We Collect

Information You Provide Directly

  • Account information: Email address, full name, and authentication credentials (via Google or Apple sign-in)
  • Business information: Business name, industry, description, website URL, business email address, phone number, address, business hours, and service/pricing details
  • Configuration data: AI tone preferences, custom instructions, FAQs, standard operating procedures, approved sender/recipient addresses, and domain settings
  • Uploaded content: Documents, files, or other materials you provide to configure the Service (e.g., SOPs, tone guides)

Information Collected Through Email Processing

When you use the Service, we process email communications sent to or through the Service, including:

  • Email sender and recipient addresses, names, and subject lines
  • Email body content (plain text and HTML)
  • Email attachments and metadata (timestamps, message IDs, thread IDs)
  • AI-generated analysis of emails (intent classification, sentiment analysis, confidence scores, summaries)
  • AI-generated email responses sent on your behalf

Important: The Service processes emails from your customers and contacts. When your customers email your cece-managed address, their email content is processed by our AI systems as described in the "AI Data Processing" section below.

Automatically Collected Information

  • Usage data (features accessed, interactions with the dashboard)
  • Device and browser information (browser type, operating system, IP address)
  • Performance and diagnostic data
  • Cookies and similar tracking technologies (see "Cookies" section below)

How We Use Your Information

  • To provide the Service: Processing incoming emails, classifying intent and sentiment, generating and sending email responses on your behalf
  • Autonomous email actions: By default, our AI assistant sends email responses directly to your customers and contacts without requiring your prior approval for each message. You may configure the Service to require approval before sending (see our Terms of Service)
  • To learn your business context: Analyzing your configuration, previous conversations, and feedback to improve the accuracy and relevance of AI-generated responses
  • To improve the Service: Analyzing usage patterns and performance to enhance features and fix issues
  • To communicate with you: Sending service updates, security alerts, and administrative messages
  • To ensure security: Detecting and preventing fraud, abuse, and unauthorized access
  • To comply with legal obligations: Responding to legal requests and enforcing our terms

Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data are:

  • Contract performance: Processing necessary to provide the Service you have subscribed to, including email processing and AI-generated responses
  • Legitimate interests: Improving the Service, ensuring security, preventing fraud, and analyzing usage patterns — where these interests are not overridden by your rights
  • Consent: Where we rely on consent (e.g., optional analytics or marketing communications), you may withdraw consent at any time
  • Legal obligation: Where processing is necessary to comply with applicable laws

AI Data Processing

Our Service uses artificial intelligence to process and respond to emails. We use the following AI providers:

Anthropic (Claude)

We use Anthropic's Claude AI models for email intent classification, sentiment analysis, and response generation. When emails are processed:

  • Email content (sender, subject, body) is transmitted to Anthropic's API
  • Your business context and configuration are included in prompts to generate relevant responses
  • Anthropic does not use data submitted via their API to train or improve their models (per Anthropic's Privacy Policy and API Terms)
  • Anthropic may retain API inputs and outputs for up to 30 days for safety and abuse monitoring purposes

OpenAI (GPT-4o mini)

We use OpenAI's GPT-4o mini model for email processing and response generation. When emails are processed:

  • Email content (sender, subject, body) is transmitted to OpenAI's API
  • Your business context and configuration are included in prompts to generate relevant responses
  • OpenAI does not use data submitted via their API to train or improve their models (per OpenAI's API Data Usage Policy)
  • OpenAI may retain API inputs and outputs for up to 30 days for abuse and misuse monitoring, unless a zero-data-retention agreement is in place

What This Means for You

  • Email content you and your customers send through the Service is processed by third-party AI systems
  • Neither Anthropic nor OpenAI uses your data to train their general-purpose models via API usage
  • Both providers may temporarily retain data for safety monitoring (typically up to 30 days)
  • We select AI providers based on their data protection commitments, but we encourage you to review their privacy policies directly

Data Sharing & Third-Party Processors

We share your information with the following categories of service providers who process data on our behalf:

ProviderPurposeData Shared
AnthropicAI email classification and response generationEmail content, business context
OpenAIAI email processing and response generationEmail content, business context
Postmark (ActiveCampaign)Email sending and receivingEmail messages (sender, recipient, subject, body, attachments)
SupabaseDatabase hosting, authentication, file storageAll account and email data (encrypted in transit)
VercelWebsite hosting and application deliveryAccess logs, IP addresses
RailwayBackend API hosting and computeApplication logs, request data

We do not sell your personal information to third parties. We may disclose your information if required by law, regulation, legal process, or governmental request.

International Data Transfers

Our Service and our third-party providers operate primarily in the United States. If you are located outside the United States (including in the EEA, UK, or Switzerland), your personal data will be transferred to and processed in the United States. We rely on standard contractual clauses and our providers' compliance frameworks (where applicable) to ensure adequate protection of your data during international transfers.

Data Retention

Email Content and Metadata

  • Email bodies (text and HTML): Automatically purged after 90 days
  • Email metadata: Sender, recipient, subject, AI classification, and timestamps are retained for as long as your account is active
  • Extracted business data: Tasks, quotes, invoices, and knowledge extracted from emails are retained separately and independently from email content

Usage Tracking and Logs

  • Raw metadata in usage logs: Email addresses, subjects, and other identifying metadata are automatically purged after 90 days
  • Aggregate counts: Statistical usage data (without personal identifiers) is retained for analytics purposes
  • Audit logs: Security and compliance logs are retained for 12 months

Account Data

  • Account information: Email address, name, authentication credentials, and business configuration are retained for as long as your account is active
  • Business context and configuration: Business profile, FAQs, tone settings, and domain configuration are retained for as long as your account is active
  • Backups: Database backups are retained for up to 30 days and are then automatically deleted

Account Deletion and Recovery

When you or an administrator requests account deletion:

  • Immediate deactivation: Your account is deactivated immediately and stops processing emails
  • 30-day grace period: You have 30 days to log back in and restore your account
  • Permanent deletion after 30 days: If you do not restore your account within 30 days, ALL data is permanently deleted, including:
    • User account and authentication data
    • Business profile and configuration
    • All messages and conversation history
    • Quotes, invoices, and extracted knowledge
    • Subscriptions and usage logs
  • Irreversible: After the 30-day window, deletion is permanent and cannot be undone

We may retain certain data for longer periods where required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution, legal compliance).

Data Security

We implement technical and organizational security measures designed to protect your information, including:

  • Encryption in transit via HTTPS/TLS for all data transmissions
  • Authentication via industry-standard OAuth 2.0 (Google and Apple sign-in)
  • Role-based access controls and tenant isolation
  • Rate limiting and abuse prevention on API endpoints
  • Webhook signature verification for email processing

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Functional cookies: Remember your preferences and settings to improve your experience.
  • Analytics cookies: Help us understand how you use the Service so we can improve it. You may opt out of analytics cookies.

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.

Your Rights

All Users

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion (Right to Erasure): Request deletion of your personal data. When you request deletion, your account is deactivated immediately. You have a 30-day grace period to restore your account if needed. After 30 days, all data is permanently and irreversibly deleted. See the "Data Retention" section for details on what is deleted and when
  • Data portability: Request an export of your data in a machine-readable format
  • Withdraw consent: Where processing is based on consent, withdraw at any time
  • Account closure: Close your account and have associated data deleted according to our retention schedule

Additional Rights for EEA/UK/Swiss Residents (GDPR)

  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Automated decisions: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
  • Complaint: Lodge a complaint with your local data protection authority

Additional Rights for California Residents (CCPA/CPRA)

  • Right to know: Request details about the categories and specific pieces of personal information we collect, use, and disclose
  • Right to delete: Request deletion of personal information we have collected
  • Right to opt-out: We do not sell personal information. We do not use personal information for cross-context behavioral advertising
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact us at privacy@meetcece.ai. We will respond to verifiable requests within 30 days (or as required by applicable law).

Information About Your Customers

When your customers email your cece-managed address, we process their email content to provide the Service. In this context:

  • You are the data controller for your customers' personal data — you determine the purposes and means of processing
  • We act as a data processor on your behalf — we process your customers' data only as necessary to provide the Service
  • You are responsible for ensuring you have a lawful basis to process your customers' data through our Service
  • You should inform your customers that you use an AI email assistant to process and respond to their communications
  • If a customer of yours contacts us with a data rights request, we will direct them to you as the data controller

For enterprise customers, we offer a Data Processing Agreement (DPA) that formalizes our obligations as a data processor. Contact privacy@meetcece.ai to request a DPA.

Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will promptly delete it.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. For significant changes affecting your rights, we will provide notice via email or through the Service dashboard. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy or our data practices:

Back to Home