Privacy Policy
Last updated: 2026-05-22
This document was generated and reviewed by multiple AI systems for accuracy. It is not a substitute for legal counsel. Customers requiring lawyer-attested legal documents should contact privacy@myemployees.ai for the formally-reviewed version (available on request).
1. Who we are
This Privacy Policy describes how AI Agency Group ("AI Agency", "we", "us", "our") collects, uses, and protects personal data when you use the AI Employees platform at myemployees.ai and our related services (the "Service").
For the personal data we process about our customers' end-users on behalf of those customers, AI Agency acts as a processor under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK GDPR. Our customers are the controllers of that data. For data we collect directly about you when you sign up, sign in, or use the Service yourself, AI Agency is the controller.
For privacy-related questions, requests, or complaints contact:
2. What personal data we process
We process the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account & contact information | name, work email, organization, role, hashed password (admin accounts); email one-time-passcode for end-customer portal sessions | Provided by you when you sign up |
| Conversation transcripts | text exchanged with AI agents in chat, ticket bodies, agent responses | Generated as you use the Service |
| Call transcripts and metadata | voice call audio, machine transcripts, caller phone number, call duration | Generated when you use the voice agent feature |
| Customer / contact records | the names, emails, phone numbers, and CRM custom fields belonging to your own customers, when you sync a CRM or upload contacts | Provided by you / your integrations |
| Audit and access logs | timestamps, IP addresses, user agents, actions taken, before/after diffs of changed records, request IDs | Generated automatically by the Service |
| Payment metadata | billing email, subscription tier, invoice timestamps, payment status — never card numbers (those are handled directly by our payment processors) | Webhooks from Stripe / Square / Whop |
| Service usage data | feature usage counts, error events, performance metrics | Generated automatically by the Service |
| Knowledge base content | documents, transcripts, embeddings, and metadata you upload for retrieval-augmented generation | Provided by you |
| Gmail mailbox content (when connected) | message headers, plaintext body, sanitised HTML, label state, message IDs, sender/recipient — limited to messages in INBOX that arrive after you connect | Pulled from your Google Workspace mailbox under the OAuth scopes you grant; see Section 5 |
We do not intentionally collect special-category personal data (health, biometrics, religious beliefs, etc.). If such data appears in content you upload (for example, a customer support transcript), it is processed only to the extent necessary to provide the Service and is subject to the same protections as other data.
2.1 Source of Personal Data (GDPR Art. 14)
Most Personal Data described in Section 2 is provided directly by you when you sign up, configure the Service, or upload content. However, some Personal Data we process is provided indirectly — for example, when our customers (your employer, your service provider, or a business you have contacted) upload contact records about you, sync a CRM, or have a conversation with one of our AI agents that involves you. In those cases, AI Agency acts as a processor on the customer's behalf, and the customer is the controller responsible for informing you under GDPR Art. 14. If you wish to exercise your rights over your data, we will route your request to the relevant customer; you can also contact privacy@myemployees.ai and we will help you identify them.
2.2 Whether providing data is required
Where we collect Personal Data on a contractual basis (account, billing, authentication), providing that data is a requirement of using the Service — without it we cannot create your account or provide the contracted services. Where we collect Personal Data on the basis of consent (for example, marketing emails), providing that data is voluntary and you may withdraw consent at any time without affecting the lawfulness of prior processing.
3. Why we process it (legal bases under GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Providing the Service — running AI agents, syncing CRMs, sending email, storing knowledge base, providing the dashboard | Contractual necessity (Art. 6(1)(b)) |
| Account creation, authentication, and access control | Contractual necessity (Art. 6(1)(b)) |
| Security, fraud detection, and service integrity — audit logging, rate-limiting, abuse prevention | Legitimate interest (Art. 6(1)(f)) — running a secure service |
| Service analytics and reliability — error monitoring, performance metrics, capacity planning | Legitimate interest (Art. 6(1)(f)) |
| Billing and invoicing | Contractual necessity (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Marketing communications about new features and offers | Consent (Art. 6(1)(a)) — opt-in, with one-click unsubscribe |
| Compliance with legal obligations — responding to lawful requests, retaining tax records | Legal obligation (Art. 6(1)(c)) |
For data we process on behalf of our customers (their end-users' data), the legal basis is set by the customer in their own privacy notice. We process that data only on the customer's documented instructions, as defined in our Data Processing Agreement.
4. How we use AI
The Service uses large language models ("LLMs") and embedding models from third-party providers (Anthropic, OpenAI) to generate AI agent responses, classify intent, and retrieve relevant knowledge. When the Service sends content to those providers, the content is processed under their zero-retention API terms and is not used to train their public models. AI Agency itself does not use your Personal Data or your content to train general-purpose AI models. See our Sub-processor list for transfer mechanisms.
Automated decision-making (GDPR Art. 22)
The Service does not make decisions about you that produce legal or similarly significant effects without human oversight. AI agent outputs are intended to be reviewed and supervised by you or your service provider. If you believe an AI-generated action has affected your legal rights or has produced a similarly significant effect on you, contact privacy@myemployees.ai to request human review, an explanation of the logic involved, and the right to contest the outcome.
5. Google Workspace and Gmail data
When you connect a Google Workspace mailbox to AI Employees (currently Gmail only), we receive limited information from Google APIs scoped to what you grant during the OAuth consent flow. The scopes we request and what we do with the data are summarized below.
5.1 Scopes and uses
| Google API scope | What we receive | What we use it for |
|---|---|---|
| https://www.googleapis.com/auth/gmail.modify | Read messages, send replies, and modify labels in your connected mailbox | (1) Read incoming customer emails so an AI Employee can draft, send, or assist with replies inside the AI Employees ticket flow; (2) send those replies on your behalf when you click Send; (3) apply label changes (for example, archive or mark-as-handled) that reflect your in-app actions. We do not read messages outside your INBOX label, and we do not modify mail that we did not originate. |
| openid, email, profile | Your Google account ID, primary email address, and basic profile (name, picture) | Identify the connected mailbox in the dashboard so you can confirm which Google account is authorised, and detect a re-auth when you sign in to AI Employees with Google. |
5.2 Limited Use disclosure
AI Employees' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We do not transfer or sell Google user data to third parties for advertising, ad targeting, data brokerage, market research, training general-purpose AI models, or any purpose unrelated to providing you the AI Employees Service.
- We do not allow humans to read your Google user data except (a) with your explicit consent for a specific message (for example, you ask Support to review a ticket); (b) where it is necessary for security, abuse prevention, or fraud investigation; (c) where required by applicable law; or (d) where the data has been aggregated and anonymised for internal operations.
- We use Google user data only to provide or improve the user-facing AI Employees features you have explicitly requested by connecting your mailbox.
5.3 Storage, encryption, and retention
- OAuth access and refresh tokens are encrypted at rest with AES-256-GCM using a per-tenant key derivation, stored only on AI Employees infrastructure, and never exposed to other tenants or to third parties beyond Google itself when we refresh them.
- Message metadata and content that we ingest into a ticket (headers, plaintext body, sanitised HTML) are stored under your tenant's row-level security boundary and retained on the same schedule as other conversation data — see Section 8 (How long we keep it). Original messages remain in your Google account; we do not retain copies of the raw RFC 822 message bodies.
- The Gmail watch / Pub/Sub registration stores a Google historyId cursor so we know which messages are new. The cursor is overwritten on every notification; nothing about the content of un-ingested messages is retained.
5.4 Disconnect and deletion
You can disconnect Gmail at any time from Settings → Integrations. On disconnect we (a) revoke the OAuth token with Google, (b) stop the Pub/Sub watch, and (c) hard-delete the access/refresh tokens and the watch cursor from our database within 30 days. Ingested ticket content remains visible in your AI Employees workspace so you can finish handling those tickets; you can purge ticket content via the dashboard or via a deletion request to privacy@myemployees.ai.
If you revoke the connection directly from your Google account at myaccount.google.com/permissions, the same effects apply on our side the next time we attempt a refresh — typically within an hour.
6. Who we share it with
We share personal data with the sub-processors listed at /subprocessors. Each sub-processor is bound by a contractual agreement that requires GDPR-equivalent protections. We do not sell personal data, and we do not share personal data with third parties for their own marketing.
We may disclose personal data when legally required (subpoena, court order, regulatory request) or to protect the rights, property, or safety of AI Agency, our users, or the public — and in connection with a corporate transaction such as a merger, in which case the acquirer will be bound by this Policy.
7. International transfers
AI Agency and most of our sub-processors are based in the United States. When personal data of EU/UK/EEA data subjects is transferred to the United States, we rely on one or more of:
- EU Standard Contractual Clauses (SCCs) with each sub-processor;
- EU-US Data Privacy Framework (DPF) for sub-processors that have self-certified;
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs for UK transfers.
The transfer mechanism for each sub-processor is listed at /subprocessors. On request, we can provide copies of our SCCs or DPA at privacy@myemployees.ai.
8. How long we keep it
| Data | Retention |
|---|---|
| Account data | For the duration of your subscription, plus a 30-day grace period after account deletion |
| Audit logs | 90 days from the event timestamp, then automatically purged |
| Conversation and call transcripts | 24 months, unless you delete them sooner via the dashboard |
| Knowledge base documents | Until you delete them, or 30 days after account deletion |
| Backups | Up to 35 days, automatically rotated |
| Tax / billing records | 7 years (US tax law) |
| Marketing list | Until you unsubscribe, plus a suppression record indefinitely (so we don't email you again) |
When you delete your account via the dashboard or via privacy@myemployees.ai, we soft-delete immediately (your data becomes inaccessible) and hard-delete after a 30-day grace period to allow accidental-deletion recovery. Backups containing your data continue to roll off on the schedule above.
9. Your rights under GDPR / UK GDPR
Subject to applicable law, you have the right to:
- Access — request a copy of the personal data we hold about you (Art. 15);
- Rectification — ask us to correct inaccurate or incomplete data (Art. 16);
- Erasure — ask us to delete your personal data ("right to be forgotten") (Art. 17);
- Restriction — ask us to pause processing while we investigate a complaint (Art. 18);
- Portability — receive your data in a structured, machine-readable format (Art. 20);
- Objection — object to processing based on legitimate interest, including profiling (Art. 21);
- Withdraw consent — at any time, where processing is based on consent (Art. 7(3));
- Lodge a complaint with your supervisory authority (Art. 77).
For California residents, equivalent rights are provided under the CCPA / CPRA, including the right to know, delete, correct, and opt out of "sales" or "sharing" (we do neither).
To exercise any of these rights, email privacy@myemployees.ai or use the "Export account data" and "Delete account" buttons under Settings → Account. We will respond within 30 days; complex requests may be extended once by an additional 60 days, with notice. We may need to verify your identity before fulfilling sensitive requests.
If you believe you have a privacy complaint we have not resolved, you may contact your local supervisory authority — for the UK that is the Information Commissioner's Office, and a list of EU authorities is available at edpb.europa.eu.
10. Security
We protect personal data using technical and organizational measures including:
- AES-256-GCM encryption at rest for sensitive credentials, with HKDF-SHA256 per-tenant key derivation and key rotation support;
- TLS 1.2+ encryption in transit for all customer traffic;
- PostgreSQL Row-Level Security on all tenant-scoped tables, enforced by FORCE ROW LEVEL SECURITY and a CI coverage test — tenants cannot read each other's data even if an application bug occurred. Cross-tenant-by-design tables (portal session, admin settings, etc.) use application-layer scoping;
- Audit logging covering authentication, GDPR requests, credential access, role/permission changes, and admin actions, with rollback-safe persistence so security events are recorded even if a transaction fails;
- Webhook signature verification (HMAC / Ed25519) on every inbound webhook;
- JWT-based authentication with revocation, JWKS rotation, and role-based access control.
You can read more on our public Service Status page, and our technical and organizational measures are described in detail in our Data Processing Agreement.
No security control is perfect. If you believe you have discovered a vulnerability, please email security@myemployees.ai. If a personal data breach occurs that is likely to result in a risk to your rights, we will notify you without undue delay in accordance with GDPR Art. 33–34.
11. Cookies and similar technologies
The Service sets a small number of strictly necessary cookies — for example, the portal_session cookie that authenticates customer-portal sessions. We do not use third-party tracking cookies or advertising pixels. If we add analytics or tracking in the future, we will update this Policy and (where required) request your consent first.
12. Children's privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@myemployees.ai and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated via email to active customer admins and posted at the top of this page with a new "Last updated" date. Your continued use of the Service after the effective date of a change constitutes acceptance of the updated Policy.
14. Contact
| Topic | Email |
|---|---|
| Privacy questions, data subject requests, complaints | privacy@myemployees.ai |
| Security vulnerabilities | security@myemployees.ai |
| Legal / contracts (incl. DPA requests) | legal@myemployees.ai |
| General support | support@myemployees.ai |
AI Agency Group does not currently maintain an EU-based representative. We will appoint one under GDPR Art. 27 if and when our processing activities require it.