Skip to main content

Privacy Policy

Effective Date: March 9, 2026  |  Last Updated: April 14, 2026

Clockwork AI Partners, LLC (“Clockwork AI,” “we,” “us,” or “our”) operates the Chief of Staff AI assistant and related services (the “Service”). This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, and the choices you have regarding your information. By using the Service, you agree to the practices described in this policy.

Information We Collect

1.1 Information You Provide Directly

  • Account registration data: name, email address, time zone, and communication preferences.
  • OAuth2 authorization tokens for third-party services you connect (Gmail, Google Calendar, Microsoft Outlook/365, fitness platforms). We never store your passwords.
  • Messages and queries you send to the Service via Telegram or other channels.
  • Preferences and settings you configure within the Service.

1.2 Information We Collect Automatically from Connected Services

When you authorize a third-party integration, we retrieve data from that service solely to generate your briefings and perform Service functions:

  • Email: message subjects, senders, recipients, timestamps, and body content for priority scoring and draft generation (Gmail API / Microsoft Graph API).
  • Calendar: event titles, times, attendees, and locations (Google Calendar / Microsoft Graph API).
  • Fitness & Biometrics: sleep duration and stages, HRV, resting heart rate, readiness scores, step counts, and active calories from connected wearables (Oura Ring, Whoop, Apple HealthKit, Garmin Connect, Fitbit, Polar).
  • Weather: location-based weather conditions retrieved via OpenWeatherMap or Tomorrow.io based on your configured location.
  • News & Market Data: publicly available news headlines and market data based on your configured topic preferences.

1.3 Automatically Collected Technical Data

  • Service usage logs: timestamps of briefings delivered, features used, and error events.
  • Telegram chat identifiers (chat ID) to route messages to the correct user.
  • Device type and operating system (when using smart home integrations).

How We Use Your Information

We use the information we collect to:

  • Generate and deliver your personalized morning briefings, afternoon summaries, and on-demand responses.
  • Draft email reply suggestions for your review and approval.
  • Send calendar reminders, meeting prep alerts, and follow-up task notifications.
  • Summarize your fitness and biometric data alongside your daily schedule.
  • Learn your communication preferences and priorities to improve briefing quality over time.
  • Maintain session continuity and conversation history within the Service.
  • Diagnose technical issues, monitor Service performance, and prevent abuse.

Third-Party Integration Disclosures

When you connect a third-party service to the Service, we access data from that service under the terms described below. Each integration is user-initiated, narrowly scoped, and governed by both this Privacy Policy and the third party's own privacy policy.

3.1 Google Workspace Data

Scopes Requested

When you connect your Google account, the Service requests the following OAuth2 scopes:

  • Gmail (Read-Only): https://www.googleapis.com/auth/gmail.readonly — used to retrieve email subjects, senders, recipients, timestamps, and body content for priority scoring, summarization, and draft reply generation.
  • Google Calendar (Read-Only): https://www.googleapis.com/auth/calendar.readonly — used to retrieve event titles, times, attendees, locations, and descriptions for your daily briefing and meeting preparation alerts.

We request only read-only access. The Service does not send emails, create calendar events, or modify any data in your Google account.

How Google Workspace Data Is Used

  • Email and calendar data is retrieved at the start of each briefing cycle (typically once daily).
  • Email content is processed by our AI inference provider (Anthropic) to generate priority scores, summaries, and draft reply suggestions. Draft replies are presented to you for review and approval before any action is taken.
  • Calendar data is used to generate schedule summaries, meeting preparation alerts, and time-block recommendations.
  • Raw email and calendar data is processed in memory and is not stored beyond the current briefing cycle.
  • Summarized briefing output (not raw email content or calendar event details) may be stored in our encrypted PostgreSQL database for up to 90 days to provide you with historical briefing access.

What We Do Not Do with Google Workspace Data

  • We do not use Google Workspace data to serve advertisements, including personalized, retargeted, or interest-based advertising.
  • We do not sell, rent, or transfer Google Workspace data to third parties, data brokers, or information resellers.
  • We do not use Google Workspace data to train, improve, or build general-purpose AI or machine learning models. Data is used only for personalized briefing generation for the individual user who authorized access.
  • We do not use Google Workspace data to determine creditworthiness or for lending purposes.
  • We do not allow humans to read your email or calendar data except (a) with your explicit consent for a specific message, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where data has been aggregated and anonymized such that it contains no personally identifiable information.

Google API Services Limited Use Disclosure

Clockwork AI Partners' use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Revoking Google Access

You may disconnect the Google Workspace integration at any time by using the /disconnect_google command in the Service or by revoking access directly in your Google Account settings (myaccount.google.com → Security → Third-party apps with account access). Upon disconnection, we will stop retrieving new data and will delete cached Google Workspace data within 7 days. You may also request immediate deletion of all stored Google-derived data at any time (see Section 8).

3.2 Garmin Connect Data

What We Collect

When you connect your Garmin account via OAuth2, we retrieve the following data from the Garmin Connect API:

  • Daily summary: steps, distance, calories burned, active minutes, and intensity minutes.
  • Sleep: duration, stages (light, deep, REM), and sleep score.
  • Heart rate: resting heart rate, HRV (heart rate variability) status, and stress levels.
  • Body Battery: current charge level and trend.
  • Activities: recent workout type, duration, and heart rate zones (if applicable).

We do not access GPS location data, raw accelerometer data, or any data beyond what is described above.

How Garmin Data Is Used

  • Garmin data is retrieved once per briefing cycle (typically once daily) and processed by our AI inference provider (Anthropic) to generate a plain-language wellness summary included in your morning briefing.
  • We use your biometric data only to inform your personalized briefing — for example, noting that your sleep quality was below your baseline or that your Body Battery suggests a recovery day.
  • Raw Garmin API responses are temporarily cached (encrypted, AES-256) for up to 24 hours to avoid redundant API calls.
  • Garmin data is not sold, shared with third parties for advertising, or used to train AI or machine learning models.
  • Summarized briefing output (not raw biometric values) may be stored in our PostgreSQL database for up to 90 days to provide you with historical briefing access.
  • You may request deletion of all stored Garmin data at any time (see Section 8).

Revoking Garmin Access

You may disconnect the Garmin integration at any time by using the /disconnect_garmin command in the Service or by revoking access directly in your Garmin Connect account settings. Upon disconnection, we will stop retrieving new data and will delete cached Garmin data within 7 days.

How We Share Your Information

We do not sell your personal information.

We share your information only in the following limited circumstances:

  • Service Providers: We engage third-party vendors who process data on our behalf under strict confidentiality agreements. Current service providers include Anthropic (AI inference), Amazon Web Services or Google Cloud (hosting and database infrastructure), and Telegram (message delivery). These providers may only use your data to provide their services to us.
  • Third-Party APIs (at your direction): When you connect a third-party account (Gmail, Google Calendar, Garmin, Oura, etc.), we retrieve data from those services as authorized by you. Your data is governed by both this policy and the third party's privacy policy.
  • Legal Requirements: We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect rights, property, or safety.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify you before your data is subject to a different privacy policy.

Data Retention

  • Email and calendar data retrieved from connected accounts is processed in memory and not stored beyond the current briefing cycle, except for summarized output retained for up to 90 days in your briefing history.
  • Fitness and biometric raw data is cached for up to 24 hours; summarized output for up to 90 days.
  • Conversation logs (on-demand assistant history) are retained for up to 30 days to maintain context continuity.
  • OAuth2 access tokens are stored encrypted and automatically refreshed. Tokens are deleted immediately upon account disconnection.
  • Account and preference data is retained for the duration of your subscription plus 30 days following cancellation, after which it is permanently deleted.

Security

We implement technical and organizational safeguards to protect your information:

  • All data at rest is encrypted using AES-256.
  • All data in transit is protected by TLS 1.3.
  • OAuth2 tokens are never stored in plaintext.
  • Our multi-tenant database architecture uses row-level security to ensure strict per-user data isolation.
  • We maintain an audit log of all actions taken on behalf of users.
  • Webhook endpoints are protected by secret token verification.

No system is completely secure. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal information (subject to legal retention obligations).
  • Portability: Request your data in a machine-readable format.
  • Objection / Restriction: Object to or request restriction of certain processing activities.
  • Withdraw Consent: Disconnect any third-party integration at any time, which stops further data collection from that source.

California residents have additional rights under the CCPA, including the right to know, delete, and opt out of sale (we do not sell data). EU/EEA residents have rights under the GDPR.

Contact Us & Data Requests

To exercise any of your privacy rights, request data deletion, or ask questions about this policy, contact us at:

Clockwork AI Partners, LLC

Email: privacy@clockworkaipartners.com

Website: www.clockworkaipartners.com

We will respond to all requests within 30 days.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via Telegram message and update the Effective Date at the top of this document. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.