Cynthia Concierge

Privacy Policy

Effective Date: February 12, 2026 · Last Updated: February 12, 2026

Cynthia Concierge ("we," "us," or "our") operates the Cynthia AI personal assistant platform, including integrations with third-party services such as Intuit QuickBooks Online, Google Workspace, and other connected applications (collectively, the "Service"). This Privacy Policy describes how we collect, use, share, and protect your personal information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

Information you provide directly:

• Name, email address, phone number, and contact details
• Messages, instructions, and communications you send through the Service
• Account credentials and API keys you provide for third-party service integrations
• Files, documents, and data you upload or share with the Service
• Payment and billing information processed through our payment provider (Stripe)

Information from connected third-party services:

When you authorize the Service to connect to third-party platforms, we access data as permitted by the scopes you authorize. This includes:

• QuickBooks Online: Company information, customer records, invoices, payments, expenses, bills, estimates, vendor records, account balances, and financial reports. We access this data using OAuth 2.0 with the scopes com.intuit.quickbooks.accounting and com.intuit.quickbooks.payment.
• Google Workspace: Calendar events, email messages, contacts, Google Drive files, and Google Sheets data, as authorized through OAuth 2.0.
• Other integrations: Data from other connected services (e.g., Slack, HubSpot, CRM platforms) as authorized through their respective OAuth flows.

Information collected automatically:

• Usage data such as interaction timestamps, features used, and session information
• Device and browser information when accessing web-based components of the Service
• Log data including IP addresses and error reports for troubleshooting

We do not knowingly collect sensitive personal information such as Social Security numbers, government-issued identification, biometric data, or health information unless you voluntarily include such data in your communications with the Service.

2. How We Use Your Information

We use the information we collect solely to provide, maintain, and improve the Service for your benefit:

• Service delivery: Executing tasks you request, such as managing invoices, scheduling calendar events, sending emails, and performing research on your behalf
• Integration functionality: Accessing and managing your connected third-party accounts (e.g., creating QuickBooks invoices, reading Gmail messages) as instructed by you
• Personalization: Remembering your preferences, communication style, and relevant context to provide a more helpful and consistent experience
• Customer support: Responding to your inquiries and resolving issues with the Service
• Service improvement: Analyzing aggregate, de-identified usage patterns to improve the Service
• Security and compliance: Protecting against unauthorized access, fraud, and ensuring compliance with applicable laws
• Billing and account management: Processing payments and managing your subscription

We do not use your QuickBooks data, Google Workspace data, or any other connected service data for any purpose other than to provide products and services directly to you. We do not use your data for advertising, marketing to third parties, or any purpose unrelated to the Service.

3. Legal Basis for Processing

We process your personal information based on the following legal grounds:

• Contract performance: Processing necessary to fulfill our service agreement with you
• Consent: Where you have explicitly authorized access to third-party data (e.g., OAuth connections to QuickBooks or Google). You may withdraw consent at any time by disconnecting the integration.
• Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service and ensuring security, balanced against your privacy rights
• Legal obligation: Processing necessary to comply with applicable laws and regulations

4. How We Share Your Information

We do not sell, rent, license, or trade your personal information to any third party. We do not allow one customer's data from Intuit or any other connected service to be viewed by or shared with any other customer.

We may share your information only in the following limited circumstances:

• Third-party service providers: We use trusted service providers to operate the Service (e.g., cloud hosting, payment processing via Stripe, OAuth management via Nango). These providers are bound by confidentiality obligations and process data only on our behalf and in accordance with our instructions.
• Connected integrations: When you instruct us to perform actions on connected services (e.g., sending an email via Gmail, creating a QuickBooks invoice), we transmit the necessary data to those services via their APIs as directed by you.
• Legal requirements: We may disclose information if required by law, court order, subpoena, or regulatory request, or to protect the rights, property, or safety of our users, our company, or the public.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and your choices regarding your data.

5. Data Security

We implement industry-standard technical and organizational measures to protect your data:

• All data in transit is encrypted using TLS 1.2 or higher
• OAuth 2.0 with PKCE for all third-party authentication flows — no passwords stored
• OAuth tokens are stored securely and are never hardcoded, logged, or exposed in client-side code
• Access controls restrict data access to authorized systems only
• Each user's data is stored in isolated workspaces — no cross-user data access is possible
• Regular monitoring and logging for unauthorized access attempts
• Secure credential storage with encryption at rest

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy:

• Account data: Retained for the duration of your account and for up to 30 days after account closure to allow for reactivation
• Connected service data: QuickBooks, Google, and other integration data is accessed in real-time via APIs and is not permanently stored in bulk. Cached data (such as conversation context and task history) is retained during your active subscription and deleted upon disconnection or account closure.
• Conversation logs and memory: Retained during your active subscription to provide continuity of service. Summarized over time; older raw logs are periodically purged.
• Billing records: Retained as required by applicable tax and accounting laws

After the applicable retention period, data is securely deleted or anonymized.

7. Your Rights and Choices

You have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data. Upon request, we will delete your data within 30 days, except where retention is required by law.
• Portability: Request your data in a structured, commonly used, machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Disconnect any third-party integration at any time through the Service. Withdrawal does not affect the lawfulness of prior processing.
• Opt out of marketing: We do not send marketing communications. If we ever do, you may opt out at any time.

To exercise any of these rights, contact us at cynthia@cynthiaconcierge.com. We will verify your identity and respond within 30 days (or within the timeframe required by applicable law).

8. Disconnecting Integrations

You may disconnect any connected service (QuickBooks, Google, Slack, etc.) at any time by contacting us through the Service. Upon disconnection:

• We immediately revoke and discard the OAuth access tokens for that service
• We stop accessing data from that service
• Cached data from that service is purged within 30 days
• This does not affect data you previously instructed us to export or send elsewhere

9. QuickBooks-Specific Disclosures

When you connect your QuickBooks Online account to Cynthia Concierge:

• We access your QuickBooks data exclusively through Intuit's official OAuth 2.0 API
• We request only the permissions necessary to provide our Service (com.intuit.quickbooks.accounting for accounting data access and com.intuit.quickbooks.payment for payment processing)
• Your QuickBooks data is used solely to perform tasks you request (e.g., generating invoices, pulling reports, managing customers)
• We do not use your QuickBooks data for any purpose other than providing services directly to you
• We do not share your QuickBooks data with other users or third parties beyond what is described in Section 4
• We comply with Intuit's Data Stewardship Principles and Developer Terms of Service

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties we share it with.
• Right to Delete: You may request deletion of your personal information, subject to legal exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a request, email cynthia@cynthiaconcierge.com. You may also designate an authorized agent to act on your behalf. We will verify your identity before processing any request.

11. Other State Privacy Rights

Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia may have similar rights under their respective state privacy laws, including rights to access, delete, correct, and opt out. Contact us at cynthia@cynthiaconcierge.com to exercise these rights. If we deny a request, you may appeal by contacting us at the same address.

12. International Users

Our Service is primarily operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. For users in the European Economic Area (EEA) or United Kingdom, transfers are conducted using appropriate safeguards such as Standard Contractual Clauses. You may lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

13. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a minor, we will promptly delete it. If you believe a minor has provided us with personal information, please contact us at cynthia@cynthiaconcierge.com.

14. Do-Not-Track Signals

Our Service does not track users across third-party websites and therefore does not respond to Do-Not-Track (DNT) browser signals.

15. Cookies and Tracking Technologies

Our web-based components may use essential cookies for session management and authentication. We do not use advertising cookies, analytics trackers, or third-party tracking pixels. We do not engage in cross-site tracking or behavioral advertising.

16. Third-Party Links and Services

The Service may interact with third-party websites and services (e.g., QuickBooks, Google, Stripe). These services have their own privacy policies, and we encourage you to review them. We are not responsible for the privacy practices of third-party services.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date, and by notifying you through the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: cynthia@cynthiaconcierge.com
• Website: cynthiaconcierge.com