Privacy Policy

1. What Information Do We Collect?

2. How Do We Process Your Information?

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To facilitate account creation and authentication and otherwise manage user accounts
• To deliver and facilitate delivery of services to you, including AI-powered assistant functionality
• To respond to user inquiries and offer support
• To send administrative information, such as changes to our terms and policies
• To fulfill and manage your orders, payments, and credits
• To request feedback and contact you about your use of our Services
• To send you marketing and promotional communications (with your consent)
• To evaluate and improve our Services, products, marketing, and your experience — using aggregated or anonymized operational data only, and never using data obtained from connected Google or Microsoft accounts for improvement or model training
• To comply with our legal obligations and enforce our terms

3. What Legal Bases Do We Rely On?

We only process your personal information when we believe it is necessary and we have a valid legal reason to do so under applicable law. Depending on your location, we may rely on your consent, the performance of a contract with you, our legitimate business interests, or compliance with legal obligations as the legal basis for processing your personal information. You may withdraw your consent at any time by contacting us.

4. When and With Whom Do We Share Your Information?

We do not sell your personal information. We share information only with the categories of third parties described below, and only as needed to deliver the Services:

• Sub-processors: We rely on a small number of trusted vendors to operate parts of the Services. Our primary sub-processors are OpenAI (AI inference, embeddings, and vector storage for knowledge bases), Twilio (telephony and SMS), Bunny CDN (file hosting and media delivery), Stripe (payment processing), Mailgun (transactional email delivery), and Google Analytics (aggregated website analytics). Each sub-processor receives only the data required to perform its function and is contractually prohibited from using that data for its own purposes, including training AI models.
• Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business. We will provide notice to users before any such transfer takes effect.
• Legal Requirements: We may disclose your information where required to comply with applicable laws, governmental requests, judicial proceedings, court orders, or legal process.

5. Do We Use Cookies and Other Tracking Technologies?

We use cookies and similar tracking technologies (such as web beacons and pixels) to maintain the security of the Services and your account, remember your preferences, keep you signed in, and collect analytics that help us understand how our Services are used. For website analytics we use Google Analytics, which sets cookies to measure aggregated usage patterns; Google Analytics data is never combined with or used in connection with data obtained through connected Google or Microsoft accounts. We do not use cookies or similar technologies to serve advertising, and we do not use data obtained through connected Google or Microsoft accounts for any form of advertising. You can control cookies through your browser settings; disabling some cookies may affect certain features of the Services.

6. How We Use Artificial Intelligence

Our Services are powered by artificial intelligence, including large language models that generate assistant responses, embedding models that index your knowledge base content, and transcription models that convert voice input to text. We use OpenAI as our primary AI provider.

7. Connected Accounts (Google and Microsoft)

You can sign in with, or connect, a Google or Microsoft account to enable specific features in our Services. Connecting an account is always optional, and you can disconnect at any time.

8. Google API Services User Data Policy

Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. A copy of that policy is available at https://developers.google.com/terms/api-services-user-data-policy. In particular:

• We only use Google user data to provide or improve the user-facing feature you have connected your Google account to.
• We do not use Google user data for serving advertisements of any kind, including retargeting, personalized, or interest-based advertising.
• We do not sell Google user data to any third party, and we do not transfer it to any third party except (a) as necessary to provide or improve the user-facing feature, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets, with prior notice to affected users.
• We do not allow humans to read Google user data, except (a) with the user's affirmative agreement for specific messages, (b) when strictly necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymized.
• We do not use Google user data to develop, improve, or train any generalized or personalized artificial intelligence or machine learning model. Data from Google APIs is only sent to OpenAI at inference time to generate a response to a specific user request, and OpenAI does not use API data to train its models by default. We have not opted in to any program that would change that behaviour.

9. Microsoft 365 and Microsoft Graph Data Use

When you connect a Microsoft 365 account or a personal Microsoft account, our use of data accessed through the Microsoft Graph API follows the same principles as our handling of Google user data:

• We access only the scopes required for the feature you have enabled, and only at the moment that feature is in use.
• We do not use Microsoft user data for advertising of any kind.
• We do not sell Microsoft user data, and we do not transfer it to third parties except as required to operate the feature, to comply with applicable law, or in connection with a change in corporate ownership with prior notice to affected users.
• We do not use Microsoft user data to train, fine-tune, or improve any artificial intelligence or machine learning model.
• Access tokens are encrypted at rest and deleted when you disconnect your account or close your 5Minder account. Our use remains subject to Microsoft's applicable developer policies and your agreement with Microsoft.

10. How Long Do We Keep Your Information?

We keep your personal information only for as long as it is necessary to provide the Services or to satisfy legal, tax, or accounting requirements. When we no longer have a legitimate reason to process your data, we delete or anonymize it, or, where this is not immediately possible, securely isolate it until deletion is possible. Specific retention windows include:

• Account data: retained while your account is active and for up to 90 days after account deletion, after which it is permanently removed or anonymized, except where longer retention is required by law.
• Connected-account tokens (Google, Microsoft): deleted immediately when you disconnect the account or close your 5Minder account.
• Knowledge base content: retained for the life of the associated assistant and deleted when the assistant or account is deleted.
• Conversation transcripts and call recordings: retained according to the settings on your 5Minder account, which you can change at any time.
• Data sent to OpenAI for AI processing: OpenAI retains API inputs and outputs for up to 30 days for abuse-monitoring purposes, after which they are deleted by OpenAI.

11. How Do We Keep Your Information Safe?

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. This includes encryption of data in transit, encryption of connected-account tokens at rest, secure hosting infrastructure, access controls, and regular security assessments. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security.

12. Do We Collect Information From Minors?

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 years of age or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records.

13. What Are Your Privacy Rights?

Depending on where you are located, applicable privacy law may give you certain rights regarding your personal information. These may include the right to request access and obtain a copy of your personal information, to request correction or erasure, to restrict processing, and, where applicable, to data portability. You may review, change, or terminate your account at any time. To exercise any of these rights, please contact us using the details provided below.

• Access: You may request access to the personal information we hold about you
• Correction: You may request that we correct any inaccurate personal information
• Deletion: You may request that we delete your personal information, subject to certain exceptions
• Opt-out: You may opt out of marketing communications at any time by clicking the unsubscribe link in our emails
• Disconnect Connected Accounts: You may revoke our access to a connected Google or Microsoft account at any time through your 5Minder settings or directly with the provider, which will delete the stored access and refresh tokens
• Account Termination: You may close your account through your account settings or by contacting us

14. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals.

15. Do Specific Regions Have Additional Rights?

If you are a resident of Canada, the European Economic Area, the United Kingdom, Australia, or another region with data protection laws, you may have additional rights under applicable law. We collect and process your personal information under the obligations and conditions set by applicable privacy legislation. Please contact us if you have questions about exercising your regional privacy rights.

16. Do We Make Updates to This Policy?

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date at the top of this Privacy Policy. If we make material changes, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.

17. How Can You Contact Us About This Policy?

If you have questions or comments about this Privacy Policy, you may email us at [email protected] or contact us by mail at: FiveMinder, 6750 Esplanade Ave, Suite 330, Montreal, Quebec H2V 4M1, Canada.