Privacy Policy

Last updated: June 2026

Plain-language summary: we collect what we need to run your account, we encrypt your AI provider keys, we don’t sell your data, and your prompts are processed by the AI provider you connect with your own key.

1. Who we are

This policy explains how SikloAI (“we”, “us”) collects, uses, and protects information when you use the SikloAI platform and embeddable widget (the “Service”).

2. Information we collect

Account data: your email address, hashed password, role, and email-verification status.
Workspace data: the workspace names, settings, and knowledge documents you add.
Provider keys: the AI provider API key you supply, stored encrypted at rest (AES-256-GCM) and never displayed back to you.
Usage & activity: message counts, basic analytics, and an activity log of chats and tool runs, used for limits and insights.
Billing data: handled by our payment provider and merchant of record (Lemon Squeezy). We store identifiers and subscription status, not full card numbers.
Connected integrations: if you choose to connect a third-party app (Google — Gmail, Calendar, Drive; Slack; GitHub; Notion), we store the OAuth access/refresh tokens it issues — encrypted at rest — plus a basic account label (such as the connected email address or workspace name).
End-user chats: messages sent to your embedded assistant by visitors of your site, processed to generate answers.

3. How we use information

We use information to operate and secure the Service: authenticate you, run your assistants, enforce plan limits and rate limits, prevent abuse, provide analytics, process payments, and communicate with you (for example, verification and password-reset emails).

4. AI providers, connected integrations & sub-processors

AI provider. When your assistant answers, the relevant prompt and knowledge are sent to the third-party AI provider you connect using your own key (Anthropic). That provider processes that content under its own terms.

Connected integrations. When you connect a third-party app via OAuth — Google (Gmail, Google Calendar, Google Drive), Slack, GitHub, or Notion — you authorize SikloAI to access that app on your behalf to perform the actions you or your agent request (for example: reading and sending email; checking availability and creating calendar events; reading and creating files you choose; posting and reading messages; reading repositories and opening issues). We store the OAuth tokens encrypted at rest and use them only to carry out those requested actions. You can disconnect any integration at any time from the dashboard, which deletes its stored tokens.

Google API Limited Use. SikloAI’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We use Google user data only to provide the features you request; we do not sell it, do not use it for advertising or to train AI models, and do not allow humans to read it except as necessary for security, to comply with law, or with your explicit consent.

Sub-processors. We rely on infrastructure and service sub-processors, including our payment provider and merchant of record (Lemon Squeezy) and, if you enable it, email delivery (Resend). We share only what each needs to perform its function.

5. Encryption & security

Provider keys and connected-integration tokens are encrypted at rest. Passwords are salted and hashed (scrypt). Sessions store only a hash of the session token. We use HTTPS in production and apply rate limiting and access controls. No system is perfectly secure, but we take reasonable measures to protect your data.

6. Data sharing

We do not sell your personal data. We share data only with the sub-processors above to run the Service, when required by law, or to protect the rights and safety of users and the public.

7. Data retention

We retain account, workspace, and activity data for as long as your account is active and as needed to provide the Service. You can delete a workspace at any time, which removes its knowledge, usage, and activity. On account closure we delete or anonymize data after a reasonable period, except where retention is required by law.

8. Your rights

Depending on your location, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can manage much of this from the dashboard, or contact us to exercise these rights. If you provide end-user (visitor) data to your assistant, you are responsible for having a lawful basis and informing those individuals.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal data.

10. Changes

We may update this policy; material changes will be posted here with a new date. Continued use after changes constitutes acceptance.

11. Contact

Questions or requests? Email [email protected].