
Privacy Policy

Effective date: Jun 1, 2026
Last updated: Jun 1, 2026

This Privacy Policy describes how Assist Technologies LLC, a California limited liability company ("Assist AI", "we", "us", or "our") collects, uses, and shares information when you use the Assist AI application, website, APIs, and related services (collectively, the "Service"). By using the Service, you agree to this Policy.


1. Who we are

Assist AI is an AI workspace platform. It provides conversational AI, document search, project planning, workflow automation, custom tool/agent execution, and integrations with third‑party services such as Google, Microsoft, Slack, LinkedIn, Attio, and others.

The Service can be accessed at https://app.withassist.xyz and any related subdomains.


2. Information we collect

2.1 Information you provide

  • Account information. When you sign up, we collect your email address and a one-time password (OTP) code used to verify it. You may optionally provide a username, full name, avatar image, and website URL for your profile.
  • Workspace content. We collect and store the content you create or upload in the Service, including:
    • Chat messages and saved conversations
    • Documents and files you upload
    • To-dos, tags, checklists, and due dates
    • Workflows, projects, and project plans
    • Agent and subagent configurations
    • Sandcastle interactive code components
    • Skills, tools, and tool configurations you create
  • Connection credentials. When you connect a third-party account (Google, Microsoft Outlook, Slack, LinkedIn Ads, Attio, and others), we receive and store OAuth access tokens and refresh tokens issued by that provider. Access tokens are stored encrypted at rest.
  • Billing information. If you purchase a paid plan, payment details are collected and processed by our payment processor (Stripe). We do not store full payment card numbers on our servers.
  • Communications. If you contact us for support, we keep a record of that correspondence.

2.2 Information collected automatically

  • Usage and device data. We log requests to our servers, including IP address, browser/user-agent, pages and features accessed, timestamps, and error reports.
  • Cookies and session storage. We use first-party cookies and similar technologies to keep you signed in (via Supabase Auth), remember your preferences, and maintain workspace context.
  • Tool and AI usage records. We record metadata about tool invocations, AI prompts, and AI responses to power features such as tool history, usage limits, billing, debugging, and audit logs.

2.3 Information from connected third‑party services

When you authorize the Service to connect to a third party, we may access data from that provider on your behalf, scoped to the permissions you grant. This can include, depending on the connection:

  • Google Workspace — Gmail messages, Calendar events, YouTube Analytics data
  • Microsoft Outlook — mail, calendar events, user profile
  • Slack — channel messages, direct messages, reactions, workspace and user identity
  • LinkedIn Ads — ad account and reporting data
  • Attio — CRM records and contacts
  • Web search and browsing — pages and search results retrieved via integrated search and browser-automation providers

We access and process this data only to perform the actions you or your configured agents request.


3. How we use information

We use the information described above to:

  • Provide, operate, and maintain the Service
  • Authenticate you and protect your account
  • Run AI features, including answering chats, executing agents and tools, generating embeddings for semantic search, and producing summaries
  • Process payments, manage subscriptions, and prevent fraud
  • Send transactional email (via Resend) and, where applicable, SMS or voice communications (via Twilio) related to your account or actions you take
  • Respond to support requests
  • Monitor, debug, and improve reliability, security, and performance
  • Comply with legal obligations and enforce our terms

We do not sell your personal information, and we do not use the content of your chats, documents, or connected-service data to train foundation AI models that are made available to third parties.


4. AI processing and third‑party model providers

To deliver AI features, content you submit (such as messages, documents, selected context, and tool results) is transmitted to one or more model providers we use, which may include OpenAI, Anthropic, Google, Perplexity, xAI, Cerebras, and self-hosted inference endpoints. Which provider is used depends on the model you (or your workspace) select.

  • Each provider processes your data under its own terms and privacy policy.
  • We send only the data necessary to produce a response.
  • Document content you upload may also be sent to OpenAI for embedding and storage in OpenAI's Vector Store to enable semantic search across your documents.
  • Background processing of long-running jobs (such as document ingestion or workflow runs) is handled by Trigger.dev on our behalf.

If you do not want your data processed by a particular provider, do not use features that route to that provider, and do not upload data you do not wish to send to AI services.


5. How we share information

We share information only as described below.

  • With service providers ("subprocessors") that operate the Service on our behalf. Current subprocessors include, among others:

    • Supabase — database, authentication, and file storage
    • Stripe — payment processing
    • Resend — transactional email
    • Twilio — SMS / voice communications
    • Trigger.dev — background job execution
    • OpenAI, Anthropic, Google, Perplexity, xAI, Cerebras — AI inference and embeddings
    • Exa, SEMrush — web search and marketing intelligence
    • Browserless (and an optional residential proxy provider) — browser automation
    • MongoDB Atlas, AWS Athena, Snowflake — when you configure these as data sources

    These providers are bound by contractual obligations to handle your data only as instructed by us and to maintain appropriate security.

  • With third parties you authorize — when you connect an external service (Google, Outlook, Slack, LinkedIn, Attio, etc.), data flows between Assist AI and that service under your authorization. Their use of your data is governed by their own privacy policies.

  • With other members of your workspace. The Service is multi-tenant and workspace-based. Profiles, connections, documents, chats, and other resources may be visible to other members of the same workspace, according to the access controls and permissions configured for that workspace.

  • For legal reasons. We may disclose information when we believe in good faith it is necessary to comply with a law, regulation, legal process, or governmental request; to protect the safety, rights, or property of any person; or to detect, prevent, or address fraud, security, or technical issues.

  • In a business transfer. If we are involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections and to this Policy.


6. Data storage and security

  • Primary storage. Account data, workspace content, and OAuth tokens are stored in a managed Supabase Postgres database. Uploaded files are stored in Supabase Storage. Document embeddings are stored in OpenAI's Vector Store.
  • Encryption. Connection tokens and similar sensitive fields are encrypted at rest using application-managed encryption keys. Traffic to and from the Service is encrypted in transit using TLS.
  • Access control. Workspace data is isolated using Postgres row-level security policies and workspace-membership checks. Administrative access to production systems is restricted to authorized personnel.
  • No method of transmission or storage is 100% secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security.

7. Data retention

  • Active accounts. We retain your account information and workspace content for as long as your account is active.
  • Unverified signups. Accounts that never complete email verification are deleted automatically within a short period (currently 24 hours by default).
  • Account deletion. When you delete your account or your workspace, we delete or anonymize the associated content within a reasonable period, subject to backups and legal retention requirements.
  • Logs and operational data. Request logs, usage metrics, and audit records are retained for a limited period for security, debugging, and compliance.
  • Backups. Residual copies in encrypted backups may persist for a limited period after deletion before being overwritten.

8. Your rights and choices

Depending on where you live, you may have rights regarding your personal information, including the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your information
  • Object to or restrict certain processing
  • Receive a copy of your information in a portable format
  • Withdraw consent for processing that relies on consent
  • Disconnect a third-party integration at any time from the Connections settings in the Service

To exercise any of these rights, contact us at support@withassist.xyz. We may need to verify your identity before responding.

You can also manage many choices directly in the product:

  • Disconnect an integration to revoke our access to that third-party service
  • Delete individual chats, documents, to-dos, workflows, agents, sandcastles, and tool configurations
  • Delete your workspace or your account

9. International transfers

The Service is hosted in regions configured by us and our subprocessors, which may be outside your country of residence. By using the Service, you acknowledge that your information may be transferred to and processed in those regions. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.


10. Children

The Service is not directed to children under the age of 16 (or the higher minimum age required by your jurisdiction), and we do not knowingly collect personal information from such children. If you believe a child has provided us with personal information, contact us at support@withassist.xyz and we will take appropriate steps to delete it.


11. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you through the Service or by email before the changes take effect. The "Last updated" date at the top reflects the most recent revision.


12. Contact us

If you have questions or concerns about this Policy or our handling of your information, contact us at:

  • Email: support@withassist.xyz
  • Entity: Assist Technologies LLC
  • Governing law: the State of California, United States