Privacy Policy
Last updated: February 1, 2026
Privacy at a Glance
- ✓ We do not read your chats. Your conversations pass through our system but we never access, store, or analyze the content.
- ✓ We cannot see your API keys. They are encrypted and only decrypted in isolated environments when making requests.
- ✓ Your data is never used for AI training. Not by us, not shared with AI providers for training purposes.
- ✓ Delete everything anytime. One click removes all your data permanently. No questions asked.
1. Introduction
Ask Lee ("we," "us," or "our") operates Lee ("the Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service. We are committed to protecting your privacy and being transparent about our data practices.
We have designed our Service with a privacy-first architecture. Unlike many services, we have deliberately built systems that minimize data collection and prevent us from accessing your personal communications. This is not just a policy choice - it is an architectural decision that means we technically cannot access most of your data even if we wanted to.
2. Data Controller
For the purposes of GDPR and other applicable data protection laws, the data controller is:
Ask Lee
Email: legal@asklee.ai
3. Information We Do NOT Collect
To be explicitly clear about our privacy-first approach, here is what we do NOT have access to:
3.1 Your Conversations
We do not read, store, analyze, or have any access to the content of your conversations with the AI assistant. Messages pass through our infrastructure as encrypted data packets and are immediately forwarded to the AI provider for processing. We maintain no logs, copies, or records of your chat content.
3.2 Your API Keys (in plaintext)
If you provide your own API keys (Starter plan), they are encrypted using AES-256 before storage. The decryption keys are stored separately, and your API keys are only decrypted within isolated, ephemeral runtime environments when making API requests. Our staff, systems, and databases cannot view your plaintext API keys.
3.3 Your WhatsApp/Telegram Message History
We do not have access to your message history, contacts, or other data from your messaging applications. We only process messages that you actively send to your Lee assistant.
3.4 Your Location Data
We do not collect or process precise location data. We may infer approximate geographic region from IP addresses solely for fraud prevention and service optimization.
4. Information We Collect
We collect only the minimum information necessary to provide and improve our Service:
4.1 Account Information
- Email address (for authentication and communication)
- Account creation date
- Subscription plan and billing period
- Messaging platform identifier (WhatsApp phone number or Telegram user ID) - used only to route messages
4.2 Usage Metadata
- Message counts (for billing and rate limiting, not content)
- Timestamps of activity (for service functionality)
- Error logs (technical errors only, without message content)
- Feature usage statistics (aggregate, anonymized)
4.3 Payment Information
Payment processing is handled entirely by Stripe. We receive only:
- Confirmation of payment status
- Last four digits of your card (for your reference)
- Billing country (for tax purposes)
- Stripe customer ID (for subscription management)
We never receive or store your full credit card number, CVV, or other sensitive payment details.
4.4 Technical Information
- IP address (for security and fraud prevention)
- Browser/device type (for service optimization)
- Referring URL (for marketing attribution)
5. How We Use Your Information
We use the limited information we collect for the following purposes:
5.1 Service Provision
- Authenticating your account
- Routing messages between your messaging app and AI providers
- Processing payments and managing subscriptions
- Providing customer support
5.2 Service Improvement
- Analyzing aggregate usage patterns to improve performance
- Identifying and fixing technical issues
- Developing new features based on usage trends
5.3 Communication
- Sending transactional emails (receipts, account notifications)
- Providing important service announcements
- Responding to your inquiries
5.4 Security and Compliance
- Preventing fraud and abuse
- Enforcing our Terms of Service
- Complying with legal obligations
6. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you requested
- Legitimate Interests: Processing for security, fraud prevention, and service improvement where our interests do not override your rights
- Legal Obligation: Processing required to comply with applicable laws
- Consent: Where required, we will obtain your explicit consent
7. Data Sharing and Disclosure
7.1 AI Providers
Your messages are transmitted to the AI provider you have selected (e.g., OpenAI, Anthropic) for processing. This transmission is necessary to provide the core functionality of our Service. We use API configurations that opt out of data training where available. Each AI provider has its own privacy policy governing how it handles data.
7.2 Service Providers
We use trusted third-party services to operate our business:
- Stripe: Payment processing
- Cloudflare: Infrastructure, security, and DDoS protection
- Vercel: Web hosting
These providers process data only as necessary to provide their services and are bound by data processing agreements.
7.3 Legal Requirements
We may disclose information if required by law, subpoena, or court order, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. However, because we do not store conversation content, we cannot provide what we do not have.
7.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice before your information becomes subject to a different privacy policy.
7.5 What We Never Do
We will NEVER:
- Sell your personal information to third parties
- Share your data with advertisers
- Use your conversations for AI training
- Share your API keys with anyone
- Provide conversation content to third parties (we don't have it to share)
8. Data Retention
8.1 Active Accounts
We retain your account information for as long as your account is active. Usage metadata is retained for up to 12 months for billing verification and service improvement purposes.
8.2 Account Deletion
When you delete your account:
- Your account information is immediately marked for deletion
- All associated data is permanently deleted within 30 days
- Encrypted API keys are immediately and irreversibly destroyed
- We may retain anonymized, aggregate data that cannot identify you
- We may retain certain data as required by law (e.g., billing records for tax purposes)
8.3 Conversation Data
As stated above, we do not store conversation content. Messages exist only in transit and are not retained after processing. Your conversation history exists only in your messaging app and with the AI provider (subject to their retention policies).
9. Data Security
We implement robust security measures to protect your information:
- Encryption in Transit: All data is transmitted over TLS 1.3
- Encryption at Rest: Sensitive data (including API keys) is encrypted using AES-256
- Access Controls: Strict role-based access following the principle of least privilege
- Infrastructure Security: Deployed on Cloudflare with DDoS protection and WAF
- Regular Audits: Periodic security reviews and vulnerability assessments
- Incident Response: Documented procedures for security incident handling
While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected users of any breach involving their personal data.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
10.1 GDPR Rights (EEA Users)
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Restriction: Request limitation of processing
- Right to Portability: Receive your data in a structured format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
- Right to Lodge a Complaint: File a complaint with a supervisory authority
10.2 CCPA Rights (California Users)
- Right to Know: Request disclosure of data collected about you
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of personal information (we do not sell data)
- Right to Non-Discrimination: Equal service regardless of privacy choices
10.3 Exercising Your Rights
To exercise any of these rights, please contact us at legal@asklee.ai. We will respond to verified requests within 30 days (or sooner if required by law). We may need to verify your identity before processing certain requests.
11. International Data Transfers
Our services are hosted in data centers located in the European Union and United States. If you are accessing our Service from outside these regions, your data may be transferred to and processed in these locations. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required.
12. Children's Privacy
Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we discover that we have collected personal information from a child under 16, we will promptly delete that information. If you believe we may have information from or about a child under 16, please contact us at legal@asklee.ai.
13. Cookies and Tracking
Our website uses minimal cookies necessary for functionality:
- Authentication cookies: To keep you logged in (essential)
- Preference cookies: To remember your settings (functional)
We do not use advertising cookies or third-party tracking pixels. We may use minimal, privacy-respecting analytics to understand aggregate usage patterns.
14. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last updated" date at the top of this page
- Sending an email notification for significant changes
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
AlphaOscar
6 RUE D'ARMAILLE
75017 PARIS, France
SIRET: 910288299
Privacy Inquiries: legal@asklee.ai
General Support: hello@asklee.ai
We aim to respond to all privacy-related inquiries within 5 business days.