Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how PROXI AI LLC, a California limited liability company ("Proxi," "we," "us," or "our"), collects, uses, discloses, and protects information when you use our data integration and analytics platform (the "Service"). This Policy applies to all users of the Service, including business customers ("Customers") and authorized users within Customer organizations ("Authorized Users").

PROXI AI LLC is located at 886 Washington Blvd, Fremont, CA 94539. If you have questions about this Policy, you may contact us at aditmittalhs@gmail.com.

By accessing or using the Service, you acknowledge that you have read and understand this Privacy Policy. If you are using the Service on behalf of an organization, you represent that you have the authority to bind that organization to this Policy.

2. Information We Collect

2.1 Information You Provide Directly

When you register for the Service or interact with us, we may collect the following categories of information:

• Account registration information, including your name, email address, and organization name.
• Billing and payment information processed through our third-party payment processor (we do not store full credit card numbers).
• Communications you send to us, such as support requests and feedback.
• OAuth tokens and API credentials you authorize to connect third-party integrations (stored encrypted; see Section 5).

2.2 Information Collected Through Integrations

The core function of the Service is to ingest data from third-party platforms that Customers connect. When a Customer authorizes an integration, we collect and store data from those platforms. The categories of data vary by integration source and may include:

• Identifiers: email addresses, full names, usernames, user IDs, and phone numbers.
• Contact information: phone numbers, physical addresses, and contact methods (e.g., from HubSpot, PagerDuty, Monday.com, Intercom).
• Financial information: payment amounts, subscription details, deal values, and revenue data (e.g., from Stripe, HubSpot).
• Communications content: Slack messages, Intercom conversation transcripts, Monday.com comments, email subjects and snippets from Google Workspace, and form submissions from Typeform and Formspark.
• Document content: exported document content from Google Workspace, Notion page content, and Airtable record data, which may contain arbitrary user-generated content.
• Calendar and meeting data: event titles, descriptions, locations, and attendee information (e.g., from Google Workspace).
• User behavioral and analytics data: event names, timestamps, session information, page views, feature clicks, NPS ratings, and poll responses (e.g., from PostHog, Amplitude, Mixpanel, Pendo).
• Technical and device information: IP addresses, browser type, operating system, device information, and geolocation data (city, region, country) (e.g., from Amplitude, Mixpanel).
• Source code metadata: pull request details, issue details, commit information, branches, and pipeline data (e.g., from GitHub, GitLab).
• Error and incident data: error titles, severity levels, incident details, and on-call schedules (e.g., from Sentry, PagerDuty).
• Project and task management data: task details, project status, board schemas, and workflow data (e.g., from Linear, Asana, Monday.com, Notion).

Important: The specific data collected depends entirely on which integrations a Customer chooses to connect. We only access data that the integration's API makes available and that the Customer's authorization scope permits.

2.3 Information Collected Automatically

When you use the Service, we may automatically collect:

• Log data, including your IP address, browser type, pages visited, and timestamps.
• Device information, such as operating system, hardware model, and unique device identifiers.
• Usage data, including features used and frequency of use.

3. How We Use Information

We use the information we collect for the following purposes:

• To provide, maintain, and improve the Service, including ingesting, normalizing, and displaying data from connected integrations.
• To authenticate users and manage Customer accounts.
• To communicate with you, including responding to support requests, sending service-related notices, and providing updates.
• To ensure the security and integrity of the Service, including detecting and preventing fraud, abuse, and unauthorized access.
• To comply with legal obligations, including responding to lawful requests from government authorities.
• To enforce our Terms of Service and other agreements.

We do not sell personal information. We do not use personal information collected through Customer integrations for advertising, profiling, or any purpose unrelated to providing the Service to the Customer.

4. How We Share Information

We may share information in the following limited circumstances:

• With service providers: We use third-party service providers (such as Supabase for data hosting) that process data on our behalf to help us operate the Service. These providers are contractually bound to use data only as directed by us.
• With Customers: Integration data is accessible to the Customer who connected the integration and their Authorized Users. We do not share one Customer's data with another Customer.
• For legal compliance: We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, the safety of any person, or to investigate fraud.
• In a business transfer: If Proxi is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify Customers before their data is transferred and becomes subject to a different privacy policy.

5. Data Storage and Security

All data is stored in Supabase-hosted infrastructure located in the United States. Our storage architecture includes:

• Raw API responses are stored immutably as the source of truth and retained for the duration of the Customer's account.
• Normalized tables (users, events, payments, subscriptions) are derived from raw data and scoped by workspace, ensuring strict tenant isolation with no cross-tenant data access at the query layer.
• OAuth tokens and API credentials are stored encrypted on a per-connection basis.

We implement commercially reasonable technical and organizational security measures to protect information against unauthorized access, alteration, disclosure, or destruction. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

6. Data Retention

We retain data collected through integrations for as long as a Customer's account is active or as needed to provide the Service. Raw API responses are retained indefinitely as the immutable source of truth while the account remains active.

Customers may request deletion of their data at any time by emailing aditmittal@berkeley.edu. Upon receiving a verified deletion request, we will delete the Customer's data as soon as reasonably practicable. Please note that some data may persist in encrypted backups for a limited period before being overwritten.

7. Your California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

7.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers (e.g., name, email address, IP address, phone number).
• Commercial information (e.g., payment records, subscription history).
• Internet or other electronic network activity information (e.g., browsing history, interactions with the Service, event data from analytics platforms).
• Geolocation data (e.g., city, region, and country-level location from analytics integrations).
• Professional or employment-related information (e.g., job title, company name from CRM integrations).
• Communications data (e.g., message content, email subjects, conversation transcripts collected through authorized integrations).

7.2 Your CCPA Rights

As a California resident, you have the right to:

• Right to Know: Request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. Therefore, there is no need to opt out.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

7.3 How to Exercise Your Rights

To exercise any of the above rights, please submit a verifiable request by emailing us at aditmittal@berkeley.edu. We will respond to verifiable requests within 45 days, as required by the CCPA. If we need additional time (up to 45 additional days), we will inform you of the reason and the extension period in writing.

To verify your identity, we may ask you to provide information that matches the information we have on file. If you are an authorized agent making a request on behalf of a California resident, we may require proof of authorization.

7.4 Do Not Track

The Service does not currently respond to "Do Not Track" browser signals. However, you may exercise your privacy rights as described above.

8. Data Collected from End-Users of Our Customers

Proxi processes data on behalf of our Customers. When a Customer connects an integration, the data ingested may include personal information about the Customer's own end-users (e.g., a Customer's Stripe customers, Intercom chat participants, or form respondents). In these cases:

• Proxi acts as a data processor (or "service provider" under the CCPA) with respect to such end-user data.
• The Customer is the data controller (or "business" under the CCPA) and is responsible for ensuring they have a lawful basis to share their end-users' data with Proxi.
• End-users of our Customers who wish to exercise privacy rights should contact the Customer directly. The Customer may then instruct us to delete or modify data accordingly.

9. Third-Party Services

The Service integrates with third-party platforms as directed by Customers. We are not responsible for the privacy practices of these third-party services. We encourage you to review the privacy policies of any third-party service you connect to Proxi.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at aditmittalhs@gmail.com.

11. International Data Transfers

The Service is hosted in the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify Customers of material changes by email or through the Service at least 30 days before the changes take effect. The "Effective Date" at the top of this Policy indicates when the latest revisions were made. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at: