Privacy Policy

1. Introduction

Smoo AI, LLC ("Smoo AI," "we," "us," or "our") operates an AI augmentation platform at smoo.ai and associated services (collectively, the "Platform"). This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Platform.

By accessing or using the Platform, you agree to this Privacy Policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Account and Profile Information

When you create an account, we collect your name, email address, organization name, and authentication credentials. We use Supabase Auth to manage authentication; your password is hashed and never stored in plaintext.

2.2 Conversation and Interaction Data

The Platform records conversations between users, end-customers, and AI agents. This includes text messages, AI-generated responses, metadata (timestamps, session IDs, agent identifiers), and conversation outcomes (escalations, resolutions). Conversation data is retained to provide analytics, improve AI performance, and fulfill your support history needs.

2.3 Voice and Audio Data

If you use voice features, we process audio through third-party providers including Twilio (telephony), ElevenLabs (text-to-speech), and Deepgram (speech-to-text). Audio recordings may be temporarily stored for transcription. Transcripts are retained as part of conversation records. We do not retain raw audio beyond what is required for transcription unless explicitly configured.

2.4 Knowledge Base Content

You may upload documents, connect cloud storage (Google Drive, Confluence, Notion), or provide URLs for knowledge ingestion. Uploaded content is processed, chunked, and stored as vector embeddings to power AI agent responses. You retain ownership of all content you provide; we process it solely to deliver the Platform services.

2.5 Integration Credentials and Synced Data

When you connect third-party integrations, we store OAuth access tokens, refresh tokens, and API keys in encrypted form. We also collect and cache data from connected services (contacts, tickets, deals, calendar events, etc.) as needed to power AI agent actions. The specific data depends on the integration and the scopes you authorize. Third-party integrations we support include, but are not limited to:

• CRM & Sales: Salesforce, HubSpot, GoHighLevel, Pipedrive, Zoho CRM
• Communication: Slack, Discord, Microsoft Teams, Twilio SMS/Voice
• Email: SendGrid, Gmail (Google), Microsoft Outlook
• Project Management: Jira (Atlassian), GitHub, Asana, Trello, ClickUp, Linear
• Social Media: Meta (Facebook/Instagram), Twitter/X, LinkedIn, Reddit, Bluesky
• Productivity: Google Drive, Confluence, Notion, Microsoft OneDrive
• Payments & Finance: Stripe, QuickBooks Online (Intuit)
• E-commerce: Shopify, WooCommerce
• Customer Support: Zendesk, Freshdesk, Intercom
• Scheduling: Calendly

2.6 Usage and Technical Data

We collect standard web analytics data including IP addresses, browser type, operating system, pages visited, and session duration. We also use browser fingerprinting technology (ThumbmarkJS) for fraud detection and session continuity. This fingerprint is a non-personally-identifiable device signature derived from browser properties; it does not capture personal information beyond what your browser makes available.

2.7 Real-Time Communication Data

The Platform uses WebSocket connections (AWS API Gateway) and Socket.IO for real-time features including live chat, agent status updates, and job notifications. Connection metadata (session tokens, connection IDs, timestamps) is stored in Redis for session management and is automatically expired after session end.

3. How We Use Your Information

We use collected information to:

• Provide, operate, and improve the Platform and AI agents
• Process and respond to customer interactions on your behalf
• Train and fine-tune AI responses using your organization's knowledge base (not shared across organizations)
• Execute actions through connected integrations as directed by you or your configured AI agents
• Send transactional communications (account alerts, billing receipts, security notifications)
• Detect, investigate, and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Provide analytics and reporting on AI agent performance and customer interactions

We do not sell your data. We do not use your organization's conversation data or knowledge base content to train general AI models that would benefit other customers.

4. AI Processing and Third-Party AI Providers

AI agent responses are generated using large language models (LLMs) from third-party providers. Currently, these include OpenAI and Groq. When your users interact with AI agents, conversation content is transmitted to these providers to generate responses.

Our LLM provider agreements prohibit them from using your data to train their general models. Conversation content sent to LLM providers is subject to their data processing agreements. We recommend reviewing:

• OpenAI Privacy Policy and API Data Usage Policies
• Groq Privacy Policy

AI responses are generated by automated systems and should be reviewed by your team for accuracy. Smoo AI is an augmentation platform — our AI assists your team and can escalate to human agents. AI outputs are not professional legal, medical, financial, or other regulated advice.

5. Data Sharing and Disclosure

We share data only in the following circumstances:

5.1 Service Providers

We share data with vendors who help us operate the Platform under data processing agreements, including:

• Infrastructure: Amazon Web Services (compute, storage, WebSocket API), Supabase (PostgreSQL database), Redis/ElastiCache (session state)
• AI Processing: OpenAI, Groq
• Voice: Twilio, ElevenLabs, Deepgram
• Email Delivery: SendGrid
• Payments: Stripe (billing and subscription management)
• Monitoring: AWS CloudWatch (logs and metrics)

5.2 Connected Integrations

When you connect third-party services, AI agents may read from and write to those services on your behalf using the credentials you provide. Data flows between the Platform and those services are governed by your agreements with those providers.

5.3 Legal Requirements

We may disclose data when required by law, regulation, legal process, or governmental request, or when necessary to protect the rights, property, or safety of Smoo AI, our users, or others.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections described here.

6. Data Residency and Storage

The Platform infrastructure is hosted on Amazon Web Services (AWS) in the United States. Your data — including database records (PostgreSQL via Supabase), file storage (S3), session state (Redis/ElastiCache), and real-time communication infrastructure (API Gateway) — is stored and processed in the US.

If your organization is subject to data residency requirements (GDPR, UK GDPR, etc.), please contact us to discuss your compliance needs before using the Platform.

7. Data Retention

We retain data for the following periods:

• Conversation records: Retained for the life of your account plus 90 days after account termination, unless you request earlier deletion
• AI agent logs: 90 days rolling retention
• WebSocket session state (Redis): Automatically expires at session end
• Voice transcripts: Retained as conversation records; raw audio deleted after transcription
• Integration credentials: Retained until you disconnect the integration or delete your account
• Knowledge base content: Retained until you delete it or close your account
• Billing records: Retained for 7 years as required by financial regulations

8. Cookies and Tracking

The Platform uses the following types of cookies and storage:

• Authentication cookies: Supabase session tokens required to maintain your login state (strictly necessary)
• Preference cookies: Store UI preferences such as theme and sidebar state
• Analytics cookies: First-party analytics to understand how the Platform is used
• Browser fingerprint (ThumbmarkJS): A client-side device identifier stored in localStorage, used for fraud detection and session continuity

You can disable non-essential cookies in your browser settings. Disabling authentication cookies will prevent you from logging in.

9. Security

We protect your data through:

• TLS encryption for all data in transit
• AES-256 encryption at rest for database and file storage
• Encrypted storage of OAuth tokens and API keys
• Row-Level Security (RLS) in the database ensuring tenant isolation
• JWT-based authentication with short-lived access tokens
• HMAC-signed OAuth state parameters to prevent CSRF attacks
• Rate limiting on all API endpoints and WebSocket connections

No system is completely secure. If you discover a security vulnerability, please contact us at [email protected].

10. Your Rights

Depending on your jurisdiction, you may have rights including access, correction, deletion, restriction of processing, data portability, and objection. To exercise these rights, contact us at [email protected]. We will respond within 30 days.

You may delete your account at any time from your account settings. Account deletion removes your personal data subject to the retention periods in Section 7.

11. Children's Privacy

The Platform is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, contact us immediately at [email protected].

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent notice in the Platform at least 14 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.