Privacy Policy

Effective Date: March 9, 2026  |  Last Updated: May 29, 2026

Supersedes all prior versions, including v6.4 (2026-05-26, published) and v6.3 (2026-05-20, pre-publication). This v6.5 revision expands §4.1 to describe the full gmail.send send-on-behalf-of-user use cases, adds a forward-looking disclosure for planned calendar write scope, and adds outbound email content retention guidance. All other sections carry forward unchanged from v6.4.

Plain English Summary

This summary is provided for convenience and is not legally binding. If any part of this summary conflicts with the formal terms below, the formal terms control.

What we do. Clockwork AI Partners, LLC is a New York limited liability company. We operate (a) a Chief of Staff AI assistant that produces daily briefings for individual users, and (b) ADA website accessibility review, remediation, and monitoring services for business clients. We also run a marketing website at clockworkaipartners.com.

What we collect. For Chief of Staff users, we collect account data, connected-service data you authorize (email, calendar, wearables), and messages you send us. For ADA services, we collect the URLs you ask us to review, the publicly accessible page content at those URLs, and the business contact information you provide when you engage us. For website visitors and prospective clients we contact, we collect what is needed to operate the site, send the outreach, and produce the review materials.

What we don't do. We do not sell your information. We do not share your information for advertising. We do not use your data to train artificial intelligence models. We do not read your email or scan output except as needed to provide the service you asked for.

How to reach us. privacy@clockworkaipartners.com for any privacy request.

Who We Are and What This Policy Covers

Clockwork AI Partners, LLC (“Clockwork AI,” “Clockwork,” “we,” “us,” or “our”) is a New York limited liability company with principal place of business at 97 Runyon Place, Scarsdale, New York 10583. This Privacy Policy describes how we collect, use, share, and protect personal information in connection with:

1.1 The Chief of Staff AI Assistant

(“Chief of Staff” or the “CoS Service”): a personal AI briefing assistant delivered through Telegram and other channels, which integrates with third-party services at the user's direction to produce daily briefings, draft email replies for the user's review, and propose calendar events for the user's review.

1.2 ADA Accessibility Services

(the “ADA Services”): automated WCAG accessibility reviews, remediation work, and recurring monitoring services performed for business clients under (a) the Clockwork Master Services Agreement for ADA Website Accessibility Review and Remediation (the “MSA”) or (b) the Clockwork Complimentary ADA Review Agreement (the “CRA”), including the no-fee review program operated under the CRA.

1.3 The Clockwork Website

the marketing and informational website at clockworkaipartners.com and its subdomains (the “Website”), including any contact, inquiry, or acceptance forms presented on the Website.

1.4 Outreach to Prospective ADA Clients

pre-engagement communications directed to businesses we have identified through publicly available sources, where we may provide a sample accessibility review and offer the recipient the opportunity to engage Clockwork formally under the CRA or MSA.

Together, the Chief of Staff Service, the ADA Services, the Website, and pre-engagement Outreach are referred to in this Policy as the “Services.” Where a provision of this Policy applies only to one of the Services, that provision is labeled accordingly.

1.5 Relationship to Written Agreements

Where a written agreement between Clockwork and a client (including the MSA or the CRA) contains provisions governing the treatment of that client's information, those provisions control with respect to information processed under that agreement in the event of any conflict with this Policy. This Policy supplements, and does not replace, those agreements.

Data We Collect and Why

2.1 Information from Chief of Staff Users

Provided directly by the user:

  • Account registration data: name, email address, time zone, and communication preferences.
  • OAuth 2.0 authorization tokens for third-party services the user connects (Gmail, Google Calendar, Microsoft Outlook/365, Garmin Connect, and other fitness and biometric platforms). We never store passwords for any connected account.
  • Messages and queries sent to the CoS Service via Telegram or other channels.
  • Preferences and settings the user configures within the CoS Service.

Collected automatically from authorized third-party services: see Section 4 for a complete list of integrations, the scopes requested, and the uses made of the data retrieved.

2.2 Information from ADA Clients and Prospective ADA Clients

Clockwork collects the following information in connection with the ADA Services. The precise scope for any given engagement is further described in the applicable written agreement.

2.2.1 Complimentary Review Acceptance Data

When a representative of a business completes the electronic acceptance form for the Complimentary ADA Review program, Clockwork collects, per CRA §18.2:

  • full legal name of the accepting individual;
  • full legal name of the business entity and state of formation;
  • business role or title of the accepting individual;
  • principal business address of the business entity;
  • business email address;
  • the URL(s) the business has designated for the review;
  • the accepting individual's affirmative authorizations (authorization to scan, agreement to be bound, and optional marketing opt-in); and
  • timestamp and IP address of acceptance, for record-keeping and dispute resolution.

2.2.2 Scan Data

In performing an accessibility review (whether under the CRA, the MSA, or as a sample review accompanying pre-engagement outreach under §1.4), Clockwork collects:

  • the URLs designated for review;
  • publicly accessible page content at those URLs, including rendered HTML, DOM snapshots, and page state;
  • screenshots of designated pages where applicable;
  • scan outputs produced by Clockwork's automated accessibility tooling; and
  • Clockwork's internal analysis metadata derived from the foregoing.

Scan access is rate-limited (no fewer than two seconds between page loads), respects the target site's robots.txt file, and is limited to publicly accessible portions of the site.

2.2.3 Paid Engagement Data

Where a client engages Clockwork for Remediation Services or Monitoring Services under the MSA, Clockwork may additionally receive:

  • credentials provided by the client for access to the client's website code repository, CMS administrative interface, hosting account, or similar systems reasonably necessary to perform the services;
  • code snapshots, configuration data, and content accessed or modified during the engagement; and
  • review reports, remediation documentation, and other deliverables produced in connection with the engagement.

Clockwork accesses only such information as is reasonably necessary to perform the services specified in the applicable Statement of Work. Clockwork does not access a client's customer databases, patient records, financial records, or human resources records except where expressly authorized in writing. Client credentials are stored in encrypted form and destroyed within seven business days following completion or termination of the engagement, per MSA §13.4.

2.3 Information about Prospective ADA Clients (Pre-Engagement Outreach)

When Clockwork identifies a business as a candidate for ADA outreach, we may collect from publicly available sources or scan as described in §2.2.2:

  • the business's name, public website URL, principal place of business, and industry or category signals;
  • publicly listed business contact channels (general business email address, phone number, contact form URL);
  • the name and publicly listed business role of the principal contact, where available from the business's own website or from a public business directory;
  • a sample accessibility review (scan data per §2.2.2) performed against the business's public website to inform the outreach communication; and
  • records of any outreach communication sent and any response received.

Clockwork uses pre-engagement information solely to evaluate the prospect, send outreach communications, and follow up if the prospect engages. Pre-engagement information is retained per Section 3.3 (Retention Periods).

2.4 Information from Website Visitors

When a person visits clockworkaipartners.com or any subdomain, we may collect:

  • contact or inquiry form submissions (name, email, message content, and any information the visitor chooses to include);
  • technical information about the request (IP address, user-agent, referring URL, request timestamp, approximate location derived from IP);
  • analytics data as described in Section 7; and
  • aggregated, non-identifying server-log statistics about how the Website is accessed.

We do not knowingly direct the Services to children under the age of 13, and we do not knowingly collect personal information from children under the age of 13. See Section 13.

2.5 Technical and Service Operation Data (All Services)

  • Service usage logs: timestamps of briefings delivered, features used, scan cycles performed, and error events.
  • Telegram chat identifiers (chat ID) used to route messages to the correct CoS user.
  • Device type and operating system information for smart-home and similar integrations authorized by a CoS user.
  • Audit-log records of administrative actions taken on Clockwork systems relating to client information.

Service-Provider Categories and Named Sub-Processors

3.1 Service-Provider Categories

Clockwork engages third-party vendors to operate the Services. These vendors process information on Clockwork's behalf under written confidentiality and data-protection obligations and may use information only to provide their services to Clockwork. Current service-provider categories include:

  • LLM inference: large language model API providers processing content to generate briefings, accessibility classifications, and plain-English guidance.
  • Cloud hosting and compute: infrastructure providers hosting Clockwork's databases, application servers, and background processing.
  • Message delivery: messaging-platform providers routing CoS Service communications.
  • Website hosting and delivery: hosting and content-delivery providers serving the Website and any customer-facing dashboards.
  • Transactional email: email-infrastructure providers sending service notices, outreach, and reports.
  • Document execution: electronic-signature providers processing CRA and MSA acceptance.
  • Payment processing: payment-infrastructure providers processing billing for paid engagements (where applicable).
  • Analytics: server-side or cookieless first-party analytics providers measuring aggregate Website usage (see Section 7).
  • Wearable and biometric platforms: fitness-platform providers from whom the CoS Service retrieves user-authorized biometric and activity data at the user's direction (see Sections 4.3 and 4.4).
  • Business operations: standard providers for accounting, legal, and administrative support.

3.2 Named Sub-Processors

The following sub-processors are named because they are load-bearing to Clockwork's data-handling commitments or because clients' counsel commonly ask about them:

  • Anthropic PBC (San Francisco, CA): LLM inference for all Services. Content is processed under Anthropic's commercial terms; as of the Last Updated date, those terms provide that customer inputs and outputs are not used to train Anthropic's models absent the customer's opt-in. Clockwork has not opted in to any such training use.
  • Vercel, Inc. (San Francisco, CA): Website hosting and Vercel Analytics (see Section 7). Personal data is processed in accordance with Vercel's data processing addendum.
  • Google LLC (Mountain View, CA): Gmail and Google Calendar data accessed via OAuth 2.0 where a CoS user has connected a Google account (see Section 4.1). Use adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • Microsoft Corporation (Redmond, WA): Outlook and Microsoft 365 data accessed via Microsoft Graph API where a CoS user has connected a Microsoft account (see Section 4.2).
  • Garmin International, Inc. (Olathe, KS): Garmin Connect biometric and activity data accessed via OAuth 2.0 where a CoS user has connected a Garmin account (see Section 4.3). Use is limited to the data fields enumerated in Section 4.3 and is processed under Garmin's developer-program terms.

Clockwork updates this list when sub-processors materially change. The category list in §3.1 supplements this named list for categories not covered above. Other fitness and biometric platforms described in Section 4.4 are engaged at the individual user's direction under the same no-sale, no-advertising, and no-training commitments described in this Policy; Clockwork names additional wearable sub-processors here if and when the firm relies on them at a scale that warrants named disclosure.

3.3 Retention Periods (All Categories)

Data retention periods are described by category:

  • CoS email, calendar, and biometric data: processed in memory, not stored beyond the current briefing cycle; summarized briefing output retained up to 90 days.
  • CoS conversation logs: up to 30 days.
  • CoS raw biometric cache (Garmin and other wearables): up to 24 hours, in encrypted form, to avoid redundant API calls.
  • CoS OAuth tokens: encrypted; deleted immediately on account disconnection.
  • CoS account and preference data: retained for the subscription term plus 30 days.
  • ADA scan outputs, screenshots, and reports (engaged clients): up to 12 months post-delivery; longer if the client requests for Monitoring Services (MSA §13.5, CRA §8.3).
  • ADA CRA acceptance records: up to 2 years.
  • ADA MSA client credentials: destroyed within 7 business days of engagement completion or termination (MSA §13.4).
  • ADA non-engaged prospect scan data: deleted 12 months after the most recent outreach if no engagement. URL-only record retained up to 36 months for internal pipeline analytics.
  • Website inquiry records: up to 24 months from last interaction.
  • Website server logs: up to 90 days.

How We Use Data

4.1 OAuth Scopes (Chief of Staff: Google Workspace)

See also Section 4.2 for Microsoft 365. The operational source of truth for the exact scope strings requested, the user-action that triggers each scope's use, and the narrower-scope-insufficiency reasoning is the operator-facing OAuth Scope Intent document at docs/legal/oauth-scope-intent.md (v1.1 as of the Last Updated date of this Policy). This §4.1 lists the same scopes verbatim and summarizes what the CoS Service does and does not do with the data each scope returns.

When a CoS user connects a Google account, the CoS Service requests the following OAuth 2.0 scopes:

  • https://www.googleapis.com/auth/gmail.readonly. The CoS Service uses this scope to read inbox messages in the user's previous-day window for priority scoring and summarization in the morning briefing (subject, sender, recipient, date, list-id headers, and the API-provided snippet). The CoS Service does not fetch message bodies; the live Gmail adapter requests Gmail metadata format only.
  • https://www.googleapis.com/auth/gmail.send. This scope is included in the consent screen so that user-approved send-on-behalf-of-user capabilities can ship without re-prompting for a broader scope when those features land. Planned uses include: replying to messages surfaced in the morning briefing at the user's direction; sending on-demand briefings to addresses the user designates; and future concierge-driven email actions the user explicitly approves. The current live code path does not exercise this scope: the Gmail adapter is read-only as of the Last Updated date of this Policy. When send capability ships, every outbound message will be gated on explicit user approval inside the CoS workflow; Clockwork does not autonomously send email on the user's behalf and does not intend to. Outbound message content sent via this scope will be recorded as a CoS action-log entry per §2.5; the specific retention window for outbound content is pending operator determination and will be reflected in an update to this Policy.
  • https://www.googleapis.com/auth/calendar.readonly. The CoS Service uses this scope to read events on the user's primary calendar for the briefing day and the following day (event title, start, end, attendees, organizer, location, description, status) so that the morning briefing can summarize today's agenda and surface tomorrow's commitments. As of the Last Updated date of this Policy, the CoS Service does not create, modify, or delete calendar events.
  • https://www.googleapis.com/auth/calendar.events. This scope is included in the consent screen so that scheduling assistance and booking features can ship without re-prompting for a broader scope when those capabilities are ready. Planned write use cases include creating calendar entries at the user's direction (for example, to schedule a booking sourced through the concierge or to add an event the user has approved) and updating existing events the user directs the CoS Service to modify. The live calendar adapter currently uses events.list to read events only and does not create, update, or delete calendar events as of the Last Updated date of this Policy. When write capability ships, every calendar write will be gated on explicit user approval inside the CoS workflow; Clockwork does not autonomously create or modify calendar events on the user's behalf. Event IDs and confirmation references for calendar writes will be recorded as CoS action-log entries per §2.5. https://www.googleapis.com/auth/calendar.events is the narrowest scope Google offers that supports the planned create and update operations; the full-account https://www.googleapis.com/auth/calendar scope will not be requested.

Clockwork requests the narrowest scopes that support the read-and-summarize functionality described above, the inclusion of gmail.send for the planned user-approved send workflow, and the inclusion of https://www.googleapis.com/auth/calendar.events for the planned scheduling assistance and booking features. As of the Last Updated date, Clockwork does not request https://www.googleapis.com/auth/gmail.modify, full-account https://mail.google.com/, full-account https://www.googleapis.com/auth/calendar, or any scope broader than those listed above.

Email and calendar data is retrieved at the start of each briefing cycle (typically once daily) and on-demand when the user invokes a CoS feature that requires fresh data. Raw email and calendar data is processed in memory and is not stored beyond the current briefing cycle. Summarized briefing output (not raw email content or event details) may be stored in Clockwork's encrypted database for up to 90 days to provide the user with historical briefing access. This retention is governed by §3.3 above.

What Clockwork Does Not Do with Google Workspace Data

  • We do not use Google Workspace data to serve advertisements, including personalized, retargeted, or interest-based advertising.
  • We do not sell, rent, or transfer Google Workspace data to third parties, data brokers, or information resellers.
  • We do not use Google Workspace data to train, improve, or build general-purpose AI or machine-learning models.
  • We do not use Google Workspace data to determine creditworthiness or for lending purposes.
  • We do not allow humans to read a user's email or calendar data except (a) with the user's explicit consent for a specific message or event, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where data has been aggregated and anonymized such that it contains no personally identifiable information.

Google API Services Limited Use Disclosure

Clockwork AI Partners' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Revoking Access

A user may disconnect the Google Workspace integration at any time by using the /disconnect_google command in the CoS Service or by revoking access directly at myaccount.google.com under Security and Third-party apps with account access. Upon disconnection, Clockwork stops retrieving new data and deletes cached Google Workspace data within seven days.

4.2 OAuth Scopes (Chief of Staff: Microsoft 365)

Where a CoS user connects a Microsoft 365 account (Outlook and Calendar), Clockwork uses the narrowest Microsoft Graph scopes consistent with the draft-staging and event-proposal workflow described in §4.1 above. The same no-sale, no-advertising, no-training, and limited-human-access commitments described in §4.1 apply equally to Microsoft 365 data.

4.3 Garmin Connect (Chief of Staff)

Data Retrieved

With explicit OAuth 2.0 authorization, Clockwork retrieves from the Garmin Connect API:

  • daily summary (steps, distance, calories, active and intensity minutes);
  • sleep data (duration, stages, score);
  • heart rate (resting heart rate, HRV status, stress levels);
  • Body Battery metrics; and
  • recent activity summaries.

Clockwork does not access GPS location data, raw accelerometer data, or any data beyond what is listed above.

Use

Garmin data is retrieved once per briefing cycle and processed by Anthropic's API to generate a plain-language wellness summary in the user's briefing. Raw Garmin responses are cached in encrypted form for up to 24 hours to avoid redundant API calls. Summarized briefing output (not raw biometric values) may be stored for up to 90 days. The same no-sale, no-advertising, and no-training commitments described in §4.1 apply equally to Garmin Connect data.

Revoking Access

A user may disconnect the Garmin integration at any time by using the /disconnect_garmin command in the CoS Service or by revoking access in Garmin Connect account settings. Upon disconnection, Clockwork stops retrieving new data and deletes cached Garmin data within seven days.

4.4 Other Fitness and Biometric Platforms (Chief of Staff)

The CoS Service may offer similar integrations with Oura Ring, Whoop, Apple HealthKit, Fitbit, Polar, and other wearable or biometric platforms. Each integration is user-initiated under OAuth 2.0 or an equivalent consent mechanism, is narrowly scoped to the data needed to produce the user's briefing, and is subject to the same no-sale, no-advertising, no-training, 24-hour raw-cache, and 90-day summarized-retention limits described in §4.3 for Garmin. A user may disconnect any such integration at any time using the corresponding CoS disconnect command or by revoking access in the third-party platform's own account settings; on disconnection, Clockwork stops retrieving new data and deletes cached data from that platform within seven days.

4.5 AI Inference (All Services)

Clockwork uses large language models provided by Anthropic PBC (“Anthropic”) to process content for the purposes described in this Policy, including (a) priority scoring, summarization, and draft generation for Chief of Staff users and (b) classification and plain-English remediation guidance for ADA Services.

Content transmitted to Anthropic's API is processed under Anthropic's then-current commercial terms. As of the Last Updated date of this Policy, those terms provide that customer inputs and outputs are not used to train Anthropic's models absent the customer's opt-in, and Clockwork has not opted in to any such training use. Clockwork does not use client data to train any artificial intelligence models, does not sell client data, and does not contribute it to any third-party training dataset.

4.6 ADA Scan Data (ADA Services)

Scan data collected under §2.2.2 is used to:

  • generate WCAG accessibility findings for the designated URLs;
  • produce the written review report delivered to the client or prospect;
  • support Clockwork's internal quality review of scan accuracy;
  • generate aggregated, non-identifying statistics about accessibility-finding prevalence (MSA §7.4, CRA §8.4); and
  • where the prospect becomes an engaged client, support Monitoring Services and remediation tracking.

Licensing optionality note: Clockwork does not currently license or sell scan outputs, accessibility findings, or prospect data to third parties. This Policy preserves Clockwork's right to offer optional data-licensing arrangements in the future if Clockwork introduces such a program and obtains the relevant consent. Clockwork will update this Policy and notify affected parties before any such program launches.

4.7 General Use Purposes (All Services)

Clockwork uses the information it collects to:

  • operate, maintain, and improve the Services;
  • generate and deliver personalized briefings, summaries, and on-demand responses (Chief of Staff);
  • stage email drafts and propose calendar events for user review and approval (Chief of Staff);
  • perform accessibility reviews, produce review reports, and, where engaged, perform remediation and monitoring work (ADA Services);
  • evaluate prospective ADA clients and send pre-engagement outreach communications (per §2.3);
  • respond to inquiries submitted through the Website and process electronic acceptance of the CRA;
  • send transactional communications (service updates, scheduled briefings, review-report delivery, account notices);
  • send marketing communications where the recipient has expressly opted in, consistent with the federal CAN-SPAM Act (see Section 9);
  • diagnose technical issues, monitor Service performance, and prevent abuse or fraud;
  • meet legal, tax, and audit obligations, and enforce our agreements; and
  • produce aggregate and anonymized statistics that do not identify any individual, user, client, or site.

Data We Do Not Collect, Sell, or Use

Clockwork does not:

  • Sell personal information. We do not sell personal information to any third party, data broker, information reseller, or marketing-list provider, for any purpose, at any price. This commitment applies to all data categories described in this Policy.
  • Share data for advertising. We do not share personal information with advertising networks, programmatic-advertising platforms, or any party for the purpose of serving targeted, behavioral, or retargeted advertisements to any individual.
  • Broker or license prospect lists. We do not sell, license, or transfer our prospect lists, outreach contact records, or accessibility scan findings to any third party except as expressly described in Section 6.
  • Train AI models on client data. We do not use any client, user, or prospect data to train, fine-tune, improve, or build any artificial intelligence or machine-learning model, whether operated by Clockwork or by any third party.
  • Engage in cross-site tracking. We do not deploy advertising cookies, cross-site tracking pixels, browser fingerprinting technologies, or third-party retargeting tags on the Website.
  • Collect regulated categories of data without authorization. We do not knowingly collect Protected Health Information (PHI), nonpublic personal financial information (NPI), Social Security numbers, government-issued identification numbers, or financial account credentials. See Section 11 for HIPAA and GLBA non-association details.
  • Monitor email or calendar data beyond the briefing cycle. We process CoS user email and calendar data in memory for the current briefing cycle only and do not maintain persistent storage of raw email or calendar content.
  • Collect Garmin or wearable data beyond the disclosed fields. We do not access GPS location, raw accelerometer data, or any biometric or activity data beyond what is enumerated in §4.3 and §4.4.

Sharing: When and With Whom

We do not sell personal information.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not license or transfer prospect lists, scan output, or accessibility findings to data brokers, marketing-list resellers, or any third party except as described in this Section 6.

6.1 Service Providers

We share information with third-party vendors as described in Section 3. Those vendors process information on Clockwork's behalf, under written obligations, and may use it only to provide their services to Clockwork.

6.2 Third-Party APIs at User Direction (Chief of Staff)

Where a CoS user connects a third-party account, Clockwork retrieves data from that service as authorized by the user. The user's own interaction with that third party is also governed by the third party's own privacy policy.

6.3 Legal Requirements

Clockwork may disclose information where required by law, subpoena, court order, or other legal process, or where it believes in good faith that disclosure is necessary to protect rights, property, or safety. Where legally permitted, Clockwork will provide prompt notice to the affected client or user before complying, so that the client or user may seek a protective order or other appropriate relief at its own expense.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred to the successor. Clockwork will notify affected users and clients before their information becomes subject to a different privacy policy.

6.5 Aggregated and Anonymized Data

Clockwork may publish and share aggregated and anonymized data that does not identify any individual, client, user, or website (for example, statistics on accessibility-finding prevalence across scans), consistent with MSA §7.4 and CRA §8.4.

Cookies and Tracking (Website)

7.1 Essential session technologies

The Website may set short-lived session cookies required for normal page operation (for example, session continuity during form submission). These technologies do not track visitors across sites and are not used for advertising.

7.2 First-party analytics

The Website may use Vercel Analytics, a server-side, cookieless first-party analytics service that aggregates page-view and performance data. Vercel Analytics does not deposit cookies on visitor browsers, does not build individual visitor profiles, and does not share data with advertising networks. Aggregate analytics data is used solely to understand how the Website is performing and how visitors navigate the site.

7.3 No advertising or cross-site trackers

The Website does not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, HubSpot tracking, advertising cookies, browser fingerprinting, third-party retargeting tags, or any other technology that profiles visitors across sites or sessions.

7.4 Fonts

The Website uses Playfair Display and Inter typefaces, fetched from Google Fonts at build time and self-hosted from the same origin in production. Visitor browsers do not contact Google Fonts servers when rendering Website pages.

7.5 Future changes

If Clockwork later adds analytics or other tracking technologies to the Website beyond what is described in this Section 7, this section will be updated and the change disclosed per Section 16.

Security

8.1 Safeguards (In Transit and At Rest)

Clockwork maintains commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. At minimum, these safeguards include:

  • encryption at rest using AES-256 or a comparable standard;
  • encryption in transit using TLS 1.2 or higher (TLS 1.3 where supported);
  • storage of authentication credentials and API tokens in encrypted form, never in plaintext;
  • role-based access controls limiting access to personnel with a need to know;
  • multi-tenant database architecture with row-level security for per-user data isolation (Chief of Staff);
  • audit logging of administrative actions; and
  • secret-token verification for webhook endpoints.

8.2 Security Incident Notification (72-Hour Commitment and NY SHIELD Act)

Clockwork will notify affected users and clients of any confirmed unauthorized access to, or unauthorized disclosure of, their personal information without undue delay, and in any event within 72 hours of Clockwork's confirmation of the incident (consistent with MSA §13.8), with available information about the nature and scope of the incident and any remedial steps taken or planned. Clockwork will also comply with breach-notification obligations imposed by applicable law, including the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and analogous state laws.

No system is completely secure. Despite these safeguards, no data transmission over the internet or storage system can be guaranteed to be 100% secure.

CAN-SPAM Compliance (Email Outreach and Unsubscribe)

9.1 Transactional Communications

Clockwork may send transactional electronic communications relating to the Services, including service delivery (briefings, review reports), account notices, scheduled or requested outputs, billing notices, agreement-related notices, and responses to inquiries. Transactional communications are necessary to operate the Services and cannot be opted out of while a user or client relationship is active.

9.2 Marketing and Outreach Communications

Clockwork sends marketing communications to recipients who have affirmatively opted in (including through the marketing-communications checkbox on the CRA acceptance form, CRA §15.3, or equivalent consent obtained on the Website) and pre-engagement outreach communications to prospective ADA clients identified per §2.3. Marketing and pre-engagement outreach communications are sent in compliance with the federal CAN-SPAM Act (15 U.S.C. §§ 7701 et seq.), including a clear sender identification, a physical postal address (97 Runyon Place, Scarsdale, New York 10583), and a functioning unsubscribe mechanism in every commercial message.

9.3 Unsubscribe

A recipient may opt out of marketing or outreach communications at any time by clicking the unsubscribe link in any commercial communication or by emailing privacy@clockworkaipartners.com. Clockwork will honor the opt-out within 10 business days. Opting out has no effect on the delivery of transactional communications or on any Service the recipient is receiving.

Applicant Data

Clockwork is a small consulting firm. We do not maintain a formal applicant-tracking system or post open positions on the Website as of the Last Updated date. If an individual submits a resume, cover letter, or employment inquiry by email or through the Website, Clockwork collects and uses that information solely for the purpose of evaluating the individual's interest in working with Clockwork. Applicant information is not used for any other purpose and is not shared with third parties except as required by law. Applicant records are retained for up to 12 months from receipt and then deleted or anonymized.

HIPAA and GLBA Non-Association

11.1 HIPAA

The ADA Services are limited to review and remediation of publicly accessible portions of a client's website and are not intended to involve access to, storage of, transmission of, or processing of Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), consistent with MSA §13.9 and CRA §8.6. Clockwork is not a “business associate” of any ADA client under HIPAA, and nothing in this Policy or in the agreements governing the ADA Services is intended to create a business-associate relationship. Clients are solely responsible for ensuring that no PHI is included in the pages or administrative interfaces made available to Clockwork.

11.2 GLBA and Financial Privacy

The ADA Services are not intended to involve access to, storage of, transmission of, or processing of nonpublic personal information (“NPI”) as defined under the Gramm-Leach-Bliley Act (“GLBA”) or under any analogous state financial privacy law (including Regulation P, the FTC Safeguards Rule, and the New York Department of Financial Services Cybersecurity Regulation at 23 NYCRR Part 500), consistent with MSA §13.10 and CRA §8.6. Clockwork is not a “service provider” of any ADA client within the meaning of GLBA or those regulations. Clients are solely responsible for ensuring that no NPI is included in the pages or administrative interfaces made available to Clockwork.

11.3 Separate Written Addendum Required

Any engagement that would involve Clockwork's access to PHI, NPI, or other regulated data categories requires a separate written addendum or business-associate agreement executed by both parties in advance of any such access.

Your Privacy Rights

Depending on the user's, client's, or prospect's jurisdiction, the following rights may apply:

  • Access. Request a copy of the personal information Clockwork holds about the requester.
  • Correction. Request correction of inaccurate or incomplete personal information.
  • Deletion. Request deletion of personal information, subject to legal, tax, audit, and dispute-resolution retention obligations, and subject to backup copies that will be overwritten in the ordinary course of Clockwork's backup rotation and not accessed for any other purpose.
  • Portability. Request personal information in a machine-readable format, where applicable.
  • Objection and Restriction. Object to or request restriction of certain processing activities, where applicable.
  • Withdraw Consent. Disconnect any third-party integration or withdraw consent for processing that depends on consent, which stops further data collection from that source.

California residents have additional rights under the California Consumer Privacy Act, as amended (“CCPA”), including the right to know, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right to opt out of the sale or sharing of personal information. Clockwork does not sell personal information and does not share personal information for cross-context behavioral advertising.

EU and EEA residents have rights under the General Data Protection Regulation (“GDPR”), including the rights described above and the right to lodge a complaint with a supervisory authority. Clockwork does not direct the Services to the European Union, the European Economic Area, the United Kingdom, or Switzerland, and does not knowingly process personal information of residents of those jurisdictions. If a resident of one of those jurisdictions believes Clockwork holds their personal information, they should contact privacy@clockworkaipartners.com for prompt review and, where appropriate, deletion.

Requests may be submitted to privacy@clockworkaipartners.com. Clockwork will respond within 30 days, or within such shorter period as required by applicable law.

Children's Privacy

The Services are not directed to children under the age of 18. Clockwork does not knowingly collect personal information from individuals under the age of 18. If a parent or guardian believes that a person under the age of 18 has provided personal information to Clockwork, the parent or guardian should contact privacy@clockworkaipartners.com, and Clockwork will take commercially reasonable steps to delete the information.

Contract-Version Incorporation and Version Archive

14.1 Contractual Incorporation

MSA §13.1 and CRA §8.5 each incorporate this Privacy Policy by reference. The version of this Policy in effect on the date of a given MSA or CRA acceptance is the version incorporated by reference into that agreement, unless and until superseded by a later version that both parties agree in writing applies to the ongoing relationship.

14.2 Version Archive

To allow existing clients to reference the policy version their agreement incorporates, Clockwork maintains prior versions of this Policy. Prior versions are available at clockworkaipartners.com/privacy/archive or on request to privacy@clockworkaipartners.com. The version-archive path for the policy published immediately before this v6.5 is clockworkaipartners.com/privacy/archive/v6-1 (v6.1, effective March 9, 2026, last updated May 5, 2026, published to the Website on May 5, 2026). The original v5 (effective March 9, 2026) remains available at clockworkaipartners.com/privacy/archive/v5. v6.2, v6.3, and v6.4 are available on request to privacy@clockworkaipartners.com; v6.2 and v6.3 were pre-publication drafts and were never published to the Website, while v6.4 (published May 26, 2026) is superseded by this v6.5.

14.3 Material Changes

When Clockwork makes material changes to this Policy, it will update the Last Updated date at the top of this document and will, where practicable, notify affected users and clients through the channels they have authorized (for Chief of Staff users, by Telegram message; for ADA clients, by the business email address provided at acceptance or in the applicable Statement of Work).

Effective and Last-Updated Dates

This Policy is effective as of March 9, 2026 (continuous since the original publication of v5 on that date). It was last updated on May 27, 2026 with the publication of v6.5.

Prior versions of this Policy are available as described in Section 14.2.

Contact

To exercise any privacy right, request deletion, request a prior policy version, or ask questions about this Policy, contact:

Clockwork AI Partners, LLC

Email: privacy@clockworkaipartners.com

Postal: 97 Runyon Place, Scarsdale, New York 10583

Website: www.clockworkaipartners.com

Clockwork will respond to all requests within 30 days, or within such shorter period as required by applicable law.