Privacy Policy
Last Updated: April 27, 2026
Effective Date: April 27, 2026
AskMyu LLC
1. Introduction
Welcome to AskMyu ("we," "our," or "us"). AskMyu is a relationship intelligence and professional development platform that helps white-collar professionals develop and apply soft skills in their everyday work through AI-powered insights and analysis.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our software-as-a-service (SaaS) application, including our website, mobile applications, and related services (collectively, the "Service"). Please read this Privacy Policy carefully.
By accessing or using our Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Google API Services User Data Policy Compliance
IMPORTANT NOTICE: AskMyu's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
2.1 Google User Data We Access
When you connect your Google account to AskMyu, we request access to specific Google services with your explicit permission. The specific Google API scopes we use include:
Gmail API (gmail.readonly scope): To read email metadata (sender, recipient, subject, date/time, labels) and analyze communication patterns for relationship intelligence
Google Drive API (drive.readonly scope): To scan for and read any meeting transcripts and notes to analyze communication patterns for meeting participant relationships
Google Calendar API (calendar.readonly scope): To read calendar events for time management insights and meeting pattern analysis
2.2 How We Use Google User Data - Limited Use Disclosure
We use Google user data ONLY for the following specific purposes that you explicitly authorize:
Relationship Intelligence: Analyzing email communication patterns to provide insights about your professional relationships, including tone analysis, sentiment detection, and relationship dynamics
Communication Health: Detecting patterns such as response times, after-hours communication, and potential burnout indicators
Event Detection: Identifying important events, tasks, and goals mentioned in your communications
Calendar Integration: Analyzing meeting patterns and time allocation for professional development insights
Critical Limitation: We employ a metadata-only storage approach. We do NOT store the full text content of your Gmail messages. We only extract and retain:
Email metadata (sender, recipient, subject, timestamps, labels)
Extracted insights (sentiment scores, tone analysis, relationship metrics)
Detected entities (people, organizations, dates, events mentioned)
Aggregated statistics and patterns
The original email content is processed in real-time through our AI extraction pipeline and is not retained in our databases.
2.3 Google User Data - No Sale or Transfer
We do NOT and will NEVER:
Sell your Google user data to third parties
Transfer your Google user data to third parties for advertising purposes
Use your Google user data for serving advertisements
Allow humans to read your Gmail messages except: (a) with your explicit consent, (b) for security purposes (e.g., investigating abuse), (c) to comply with applicable law, or (d) when aggregated and anonymized for internal operations
2.4 Google User Data Sharing
We share your Google user data ONLY in the following limited circumstances:
With AI/ML Service Providers: We use third-party AI language model providers (Groq, Google AI Studio:, Fireworks AI, AWS Bedrock) to process email content for extraction and analysis. These providers process data on our behalf under strict contractual obligations and do not retain your data for their own purposes.
With Cloud Infrastructure Providers: We use cloud services (PostgreSQL, Redis, Milvus, Neo4j, OpenSearch) to store extracted metadata and insights. Full email content is never stored.
For Legal Compliance: When required by law, court order, or government regulation.
With Your Consent: When you explicitly authorize sharing for specific purposes.
All third-party service providers are contractually bound to comply with Google API Services User Data Policy and use data only to provide services to AskMyu.
2.5 Security of Google User Data
We implement comprehensive security measures to protect your Google user data:
Encryption in Transit: All data transmission uses TLS 1.2 or higher encryption
Encryption at Rest: All stored metadata and insights are encrypted using AES-256 encryption
Access Controls: Role-based access controls limit internal access to your data
Authentication: Secure OAuth 2.0 authentication for Google API access
Monitoring: Continuous security monitoring and logging of all data access
DDoS Protection: Multi-phase DDoS protection to prevent service disruptions
Regular Audits: Periodic security assessments and penetration testing
2.6 Retention of Google User Data
We retain Google user data according to the following policies:
Email Metadata: Retained while your account is active and for up to 30 days after account deletion
Extracted Insights: Retained while your account is active and for up to 30 days after account deletion
Anonymized Analytics: May be retained indefinitely after anonymization and aggregation (cannot be attributed to you or your Google account)
Calendar Data: Retained while your account is active and for up to 30 days after disconnection
You can request immediate deletion of all Google user data by disconnecting your Google account in your AskMyu settings or by contacting us at privacy@askmyu.com.
2.7 Revoking Google API Access
You can revoke AskMyu's access to your Google account at any time through:
Your AskMyu Account Settings: Disconnect your Google integration
Google Account Settings: Visit https://myaccount.google.com/permissions and remove AskMyu
Contact Us: Email support@askmyu.com to request immediate revocation
Upon revocation, we will immediately stop accessing your Google data and will delete all Google user data within 30 days, except for anonymized analytics data that cannot be attributed to you.
3. Information We Collect
3.1 Information You Provide Directly
We collect information that you provide directly to us, including:
Account Information: Name, email address, and account credentials for magic link authentication
Profile Information: Professional information, workplace details, job title, and skills assessments
Journal Entries: Personal reflections, goals, and professional development notes you create in the Service
Communication Preferences: Your preferences for how you interact with our Service
Payment Information: Billing details for paid subscription tiers (processed securely through third-party payment processors - we do not store complete payment card information)
Feedback and Support: Information you provide when contacting our support team or providing feedback
3.2 Information Collected Automatically
When you use our Service, we automatically collect certain information, including:
Usage Data: Information about how you interact with our Service, including features used, pages viewed, session duration, and interaction patterns
Device Information: Device type, operating system, browser type and version, IP address, and unique device identifiers
Log Data: Server logs, including access times, pages requested, error logs, and technical diagnostics
Cookies and Tracking: We use cookies and similar technologies to maintain sessions, remember preferences, and analyze usage (see Section 9)
3.3 Information from Third-Party Integrations
With your explicit permission, we collect information from third-party services you choose to connect to AskMyu:
Google Services (covered in detail in Section 2):
Gmail: Email metadata and extracted insights (no full email content stored)
Google Calendar: Calendar events, meeting patterns, and time allocation data
Google Drive: Extracted meeting insights from transcriptions and notes
Other Third-Party Services:
Messaging Platforms (Slack, Zulip, Microsoft Teams): Message metadata (sender, recipient, timestamp, channel) to analyze communication patterns - we do NOT store full message content
WhatsApp, SMS, Telegram: Message metadata for unified communications features
Microsoft 365 Calendar: Calendar events and meeting data
Zoho Calendar: Calendar events and meeting data
CalDAV Services: Calendar synchronization data
LinkedIn: Publicly available profile information to enhance professional insights (when you choose to connect)
Important: We employ a metadata-only storage approach across ALL integrations. We do NOT store the full text content of your emails, messages, or communications. We only retain extracted insights, sentiment analysis, relationship metrics, and metadata necessary to provide our Service.
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1 Service Provision and Core Features
Relationship Intelligence: Analyze communication patterns to deliver insights about your professional relationships, including multi-dimensional tone analysis, sentiment detection, and relationship dynamics
Communication Health Monitoring: Detect burnout risk, after-hours communication patterns, response time metrics, and communication velocity/acceleration
AI-Powered Assistant: Provide intelligent assistant features with hybrid routing, adaptive tone, context cards, and IO psychology integration
Board of Directors Feature: Enable multi-perspective AI deliberation with 16 advisor personas for professional decision-making
Goal Tracking: Track professional goals, detect goal-related communications, and provide progress insights
Career Development: Analyze career trajectory, provide development recommendations, and track skill progression
Journaling: Support multi-channel journaling via email, SMS, WhatsApp, Slack DM, Teams, and Telegram
Event and Task Detection: Automatically identify important events, tasks, and deadlines from your communications
Network Analysis: Map your professional network and analyze relationship patterns using graph database technology
Alignment Analysis: Provide multi-dimensional alignment analysis (semantic, values, worldview, narrative, definitional) with trajectory predictions
4.2 AI and Machine Learning
We use artificial intelligence and machine learning technologies to:
Extract Insights: Process communications through our extraction pipeline to identify relationships, sentiment, tone, events, tasks, and entity mentions
Generate Recommendations: Create personalized insights and recommendations based on your communication patterns and professional development goals
Detect Patterns: Identify patterns in relationship dynamics, communication health, and professional development
Semantic Search: Enable semantic similarity search for goals, memories, and journal entries using vector embeddings
Natural Language Processing: Understand and process your inputs to provide relevant responses and insights
Predictive Analytics: Forecast relationship trajectories and provide proactive insights
4.3 Model Training and Improvement
We may use anonymized and aggregated user data to train and improve our machine learning models. This process involves:
Pseudonymization: Removing personally identifiable information and replacing it with pseudonyms before any model training
Differential Privacy: Applying mathematical techniques to ensure individual users cannot be re-identified from model outputs
Aggregation: Combining data from multiple users to identify patterns and trends without exposing individual information
Consent-Based: We only use data from users who have provided explicit consent for analytics and model training in their account settings
You control model training consent: You can manage your consent for analytics and model training in your account settings at any time. Opting out will not affect your use of the Service.
Important: Even with consent enabled, we never use identifiable Google user data for model training. Only anonymized, aggregated data is used, in full compliance with Google API Services User Data Policy.
4.4 Communication and Support
Service Communications: Send you service-related notifications, including security alerts, account updates, and feature announcements
Customer Support: Respond to your inquiries, requests, and provide technical support
Marketing Communications: Send promotional communications if you have opted in (you may opt out at any time via unsubscribe links or account settings)
Feedback and Surveys: Conduct surveys and gather feedback to improve our Service
Transactional Emails: Send receipts, billing statements, and subscription-related communications
4.5 Security, Fraud Prevention, and Legal Compliance
Security Monitoring: Protect against, identify, and prevent fraud, unauthorized access, malicious activity, and security threats
Rate Limiting: Prevent abuse through IP-based rate limiting and DDoS protection
Compliance: Comply with applicable laws, regulations, legal processes, and governmental requests
Rights Protection: Protect the rights, property, and safety of AskMyu, our users, and the public
Terms Enforcement: Enforce our Terms of Service and other legal agreements
Dispute Resolution: Resolve disputes and troubleshoot problems
4.6 Analytics and Service Improvement
Usage Analytics: Understand how users interact with our Service to improve features and user experience
Performance Monitoring: Monitor Service performance, identify bugs, and optimize infrastructure
A/B Testing: Test new features and improvements with user consent
Feature Development: Identify which features are most valuable to users and prioritize development accordingly
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:
5.1 Service Providers and Subprocessors
We share information with third-party service providers who perform services on our behalf. These providers are contractually obligated to use your information only to provide services to us and to protect your information consistent with this Privacy Policy and applicable data protection laws.
AI and Machine Learning Providers:
Groq: LLM inference for fast extraction and analysis
Google AI Studio: LLM inference for processing tasks
Fireworks AI: LLM inference and batch processing
AWS Bedrock: Titan embeddings
Note: These AI providers process email content during extraction but do not store your data. We have data processing agreements ensuring compliance with privacy requirements.
Cloud Infrastructure and Database Providers:
PostgreSQL hosting: For relational data storage (accounts, relationships, goals)
TimescaleDB: For time-series metrics and analytics
Redis hosting: For session management and caching
Milvus/VertexAI: For vector embeddings and semantic search
Neo4j: For graph database and network analysis
OpenSearch: For full-text search indices
Message Queue and Communication Services:
AWS SNS/SQS: Cloud-based message queue
SendGrid: Email delivery for authentication and notifications
Other Service Providers:
Payment processors: For processing subscription payments (we do not store complete payment card details)
Analytics services: For usage analytics and service improvement
Customer support platforms: For providing user support
Monitoring services: For security and performance monitoring
5.2 Business Transfers
If AskMyu is involved in a merger, acquisition, financing, bankruptcy, dissolution, reorganization, asset sale, or similar transaction, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
5.3 Legal Requirements and Protection of Rights
We may disclose your information when we believe it is necessary to:
Comply with applicable law, regulation, legal process, or enforceable governmental request
Enforce our Terms of Service, including investigation of potential violations
Detect, prevent, or address fraud, security, or technical issues
Protect against harm to the rights, property, or safety of AskMyu, our users, or the public as required or permitted by law
Respond to court orders, subpoenas, or other legal processes
5.4 With Your Consent
We may share your information with your explicit consent for purposes not covered by this Privacy Policy.
5.5 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This data may be used for research, analytics, marketing, or other business purposes.
6. Data Storage and Security
6.1 Data Storage Architecture
We use a sophisticated multi-database architecture to store different types of information:
PostgreSQL: Primary relational data including accounts, relationships, journals, email metadata, goals, and career information (165+ tables with 13 versioned migrations)
TimescaleDB: Time-series metrics for privacy-preserving analytics and aggregated metrics
Redis: Session management, user state, profile caching (16 isolated databases)
Milvus/VertexAI: Vector embeddings for semantic similarity, goal deduplication, and memory retrieval
Neo4j: Graph relationships for network analysis and team detection (requires Graph Data Science plugin)
OpenSearch: Full-text search for journals, memories, and LinkedIn data (9 indices)
SQLite: Local lightweight storage for specific use cases
6.2 Data Location
Your data is currently stored on servers located in the United States. We plan to expand to Japan and will provide notice when data storage locations change.
If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located and where our service providers operate.
6.3 Security Measures
We implement comprehensive, industry-standard security measures to protect your information:
Encryption:
Data in Transit: TLS 1.2 or higher encryption for all data transmission
Data at Rest: AES-256 encryption for stored data
Database Encryption: Encrypted database storage for sensitive information
Device-Based Encryption: Account encryption with device-based key management (mDEK)
Authentication and Access Control:
Magic Link Authentication: Passwordless login system to eliminate password-related vulnerabilities
OAuth 2.0: Secure authentication for third-party integrations (Google, Slack, etc.)
Role-Based Access Control: Strict access controls limiting employee access to user data
Admin Authorization: Separate admin authorization checks for administrative functions
Session Management: Secure Redis-based session management with configurable TTL
Cross-Domain Security: Configurable cookie domain settings for multi-service authentication
DDoS Protection and Rate Limiting:
Multi-Phase DDoS Protection: Advanced attack pattern detection and mitigation
Global Rate Limiting: IP-based rate limiting per minute/hour with exponential backoff
Endpoint-Specific Limits: Category-based limits for auth, admin, and upload endpoints
Payload Size Limits: Configurable body size validation to prevent abuse
Slow Request Protection: Timeout protection with automatic IP blocking
Security Monitoring and Response:
Security Filter Chain: Multi-layer security filters (headers, rate limiting, payload validation)
Continuous Monitoring: 24/7 monitoring for security threats and anomalous activity
Logging and Auditing: Comprehensive logging of all access and security events
Incident Response: Established procedures for security incident detection and response
Regular Audits: Periodic security assessments, vulnerability scans, and penetration testing
Security Updates: Prompt application of security patches and updates
Infrastructure Security:
Secure Cloud Infrastructure: Hardened servers with firewalls and intrusion detection
Network Isolation: Isolated database environments and network segmentation
Disaster Recovery: Regular backups with disaster recovery procedures
Secure Development: Security-first development practices and code review processes
Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
7. Data Retention
We retain your information for as long as necessary to provide our Service and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
7.1 Retention Periods by Data Type
Account Information: Retained while your account is active and for up to 90 days after account deletion to allow for account recovery and comply with legal obligations
Google User Data (Gmail, Calendar, Contacts): Retained while your account is active and for up to 30 days after you disconnect your Google integration or delete your account
Other Integration Data (Slack, Teams, etc.): Retained while your account is active and for up to 30 days after disconnection
Journal Entries and Goals: Retained until you delete them or close your account, then deleted within 30 days
Usage and Analytics Data: Retained for 12-24 months for service improvement purposes
Anonymized and Aggregated Data: May be retained indefinitely for model training and service improvement (cannot be attributed to you)
Security Logs: Retained for 12 months for security and fraud prevention purposes
Financial Records: Retained for 7 years to comply with tax and accounting requirements
7.2 Account Deletion
When you delete your account:
We will delete or anonymize your personal information within 30 days
Some information may be retained in backups for up to 90 days, then permanently deleted
Certain data may be retained for legal, tax, audit, or regulatory purposes as required by law
Anonymized data used for model training will not be deleted, as it cannot be attributed to you
Financial transaction records will be retained as required by law
7.3 Data Retention Settings
You can manage retention preferences for certain types of data in your account settings, including:
Setting automatic deletion timeframes for journal entries
Configuring how long to retain integration metadata
Requesting immediate deletion of specific data types
8. Your Rights and Choices
8.1 Access and Data Portability
You have the right to:
Access your personal information and request a copy
Export your data in a portable, machine-readable format (JSON, CSV)
Request information about what data we have collected and how we use it
You can export your data through your account settings or by contacting us at privacy@askmyu.com.
8.2 Correction and Update
You have the right to:
Correct inaccurate personal information
Update your account information and profile at any time
Request correction of data we hold about you
You can update most information directly through your account settings.
8.3 Deletion and Account Closure
You have the right to:
Delete your account at any time through your account settings
Request deletion of specific data types
Request immediate deletion of all personal information (subject to legal retention requirements)
Upon account deletion, your personal information will be deleted within 30 days, except for:
Anonymized data that cannot be attributed to you
Data required for legal compliance, fraud prevention, or legitimate business purposes
Data in backup systems (deleted within 90 days)
8.4 Third-Party Integration Management
You can manage or revoke third-party integrations at any time:
Google Integrations:
Disconnect through your AskMyu account settings
Revoke access through Google Account settings at https://myaccount.google.com/permissions
Request immediate deletion of all Google user data by contacting privacy@askmyu.com
Other Integrations (Slack, Teams, etc.):
Disconnect through your AskMyu account settings
Revoke access through the respective platform's authorization settings
Request deletion of integration data
Revoking access will stop new data collection from that service. Previously collected metadata will be deleted within 30 days unless you request immediate deletion.
8.5 Marketing and Communications
You can control communications:
Opt out of marketing emails by clicking "unsubscribe" in any marketing email
Manage communication preferences in your account settings
Choose which types of notifications you receive
Note: You cannot opt out of service-related communications (e.g., account verification, security alerts, billing notifications) as these are necessary for the Service.
8.6 Analytics and Model Training Consent
You can manage your consent for:
Privacy-preserving analytics and usage data collection
Model training using anonymized and aggregated data
A/B testing and feature experiments
These settings are available in your account settings under "Privacy Preferences." Opting out will not affect your use of the Service.
8.7 Cookie Management
You can control cookies through:
Your browser settings (most browsers allow you to refuse or delete cookies)
Browser extensions for cookie management
Our cookie preference center (if applicable)
Note: Disabling essential cookies may prevent some features of the Service from functioning properly.
8.8 Do Not Track Signals
Some web browsers have a "Do Not Track" (DNT) feature. Our Service does not currently respond to DNT signals because there is no industry standard for how to interpret and implement DNT.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to provide, protect, and improve our Service.
9.1 What Are Cookies
Cookies are small text files stored on your device by your web browser. They allow us to recognize your device and remember information about your visit.
9.2 Types of Cookies We Use
Essential Cookies (Required):
Session Management: Maintain your logged-in state and session data
Authentication: Verify your identity and prevent unauthorized access
Security: Detect and prevent malicious activity
Load Balancing: Ensure proper distribution of traffic across servers
Functional Cookies (Optional):
Preferences: Remember your settings and preferences
Language: Store your language preference
Feature Toggles: Remember which features you have enabled
Analytics Cookies (Optional - with consent):
Usage Analytics: Understand how users interact with our Service
Performance Monitoring: Identify performance issues and optimize loading times
A/B Testing: Test new features and improvements
9.3 Other Tracking Technologies
We may also use:
Local Storage: Store data locally in your browser for faster access
Session Storage: Temporarily store data during your session
Web Beacons: Small graphic images to track page views and email opens
Device Fingerprinting: Collect device and browser characteristics for security purposes
9.4 Managing Cookies
You can manage cookies through your browser settings. Most browsers allow you to:
View cookies stored on your device
Delete specific cookies or all cookies
Block all cookies or only third-party cookies
Set cookies to expire when you close your browser
Please note that disabling essential cookies may affect the functionality of our Service.
10. International Data Transfers
10.1 Cross-Border Transfers
AskMyu operates in the United States and plans to expand to Japan. Your information may be transferred to, stored, and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.
10.2 Safeguards for International Transfers
When we transfer information internationally, we implement appropriate safeguards to protect your data:
Standard Contractual Clauses: We use European Commission-approved Standard Contractual Clauses (SCCs) for transfers from the EEA
Data Processing Agreements: All service providers sign data processing agreements that require adequate data protection
Privacy Shield Principles: Where applicable, we follow Privacy Shield principles (though Privacy Shield has been invalidated, these principles provide strong protections)
GDPR Compliance: Ensuring transfers comply with GDPR requirements for EEA data
APPI Compliance: Planning for compliance with Japan's Act on the Protection of Personal Information when we expand to Japan
10.3 Data Localization
When we expand to Japan, we will evaluate data localization requirements and may offer options for Japanese users to store data within Japan if required by law or user preference.
11. Children's Privacy
Our Service is intended exclusively for users who are at least 18 years of age. We do not knowingly collect, maintain, or use personal information from individuals under 18 years of age.
If we discover that we have collected personal information from a person under 18, or if a person under 18 has provided us with personal information, we will delete that information immediately.
If you are a parent or guardian and believe your child under 18 has provided us with personal information, please contact us immediately at privacy@askmyu.com so we can delete the information.
12. Regional Privacy Rights
12.1 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know:
Request information about the categories and specific pieces of personal information we have collected about you in the past 12 months
Request information about the categories of sources from which we collected your personal information
Request information about our business or commercial purposes for collecting or selling personal information
Request information about the categories of third parties with whom we share personal information
Right to Delete:
Request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, fraud prevention)
Right to Correct:
Request correction of inaccurate personal information
Right to Opt-Out:
Opt out of the "sale" or "sharing" of personal information (Note: We do not sell personal information)
Right to Limit Use:
Limit the use and disclosure of sensitive personal information
Right to Non-Discrimination:
Not be discriminated against for exercising your privacy rights
Exercising California Rights:
To exercise these rights, contact us at privacy@askmyu.com or through your account settings. We will verify your identity before processing your request. You may designate an authorized agent to make requests on your behalf.
California "Shine the Light" Law:
California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
12.2 European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):
Right of Access (Article 15):
Obtain confirmation of whether we process your personal data and access to that data
Right to Rectification (Article 16):
Request correction of inaccurate or incomplete personal data
Right to Erasure (Article 17):
Request deletion of your personal data under certain circumstances (e.g., data no longer necessary, withdrawal of consent)
Right to Restriction (Article 18):
Request restriction of processing under certain circumstances
Right to Data Portability (Article 20):
Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller
Right to Object (Article 21):
Object to processing based on legitimate interests, direct marketing, or for research/statistical purposes
Right to Withdraw Consent (Article 7):
Withdraw consent for processing at any time (does not affect lawfulness of processing before withdrawal)
Right to Lodge a Complaint (Article 77):
File a complaint with your local data protection authority (supervisory authority)
Right Not to Be Subject to Automated Decision-Making (Article 22):
Not be subject to decisions based solely on automated processing with legal or significant effects (we do not make such automated decisions)
Legal Basis for Processing:
We process your personal data based on the following legal grounds:
Consent: You have given explicit consent for specific processing purposes (Article 6(1)(a))
Contract Performance: Processing is necessary to perform our contract with you (Article 6(1)(b))
Legal Obligation: Processing is necessary to comply with legal obligations (Article 6(1)(c))
Legitimate Interests: Processing is necessary for our legitimate interests (service improvement, security, fraud prevention), except where overridden by your fundamental rights (Article 6(1)(f))
Exercising GDPR Rights:
To exercise these rights, contact us at privacy@askmyu.com. We will respond to your request within 30 days.
EU Representative:
For questions about our GDPR compliance or to exercise your rights, you may contact our EU representative (if appointed) at the contact information we provide.
12.3 United Kingdom Privacy Rights
UK residents have rights under the UK GDPR and Data Protection Act 2018, which are substantially similar to the GDPR rights described above. Contact us at privacy@askmyu.com to exercise these rights.
12.4 Japan Privacy Rights (APPI)
When we expand operations to Japan, we will comply with the Act on the Protection of Personal Information (APPI). Japanese users will have the following rights:
Right to Request Disclosure: Request disclosure of personal information and the purpose of use
Right to Request Correction: Request correction, addition, or deletion of personal information
Right to Request Suspension of Use: Request suspension of use or deletion of personal information
Right to Request Suspension of Third-Party Provision: Request suspension of provision to third parties
Right to Notification: Receive notification when we acquire or provide personal information to third parties
To exercise these rights, Japanese users can contact us at privacy@askmyu.com.
12.5 Other Jurisdictions
If you reside in a jurisdiction with specific privacy laws not mentioned above, you may have additional rights. Contact us at privacy@askmyu.com to inquire about your rights.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.1 How We Notify You of Changes
We will notify you of material changes by:
Posting the updated Privacy Policy on our website with a new "Last Updated" date
Sending you an email notification to your registered email address (for significant changes)
Displaying a prominent notice in the Service when you log in
For Google API-related changes: Providing clear notice and obtaining consent as required by Google's policies
13.2 Your Acceptance of Changes
Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated Privacy Policy, you must:
Stop using the Service
Disconnect all third-party integrations (especially Google integrations)
Delete your account
Contact us at privacy@askmyu.com to request data deletion
13.3 Review of Policy
We encourage you to periodically review this Privacy Policy to stay informed about how we protect your information and your privacy rights.
14. Contact Us and Data Protection Officer
14.1 General Inquiries
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
AskMyu LLC
Email: privacy@askmyu.com
Support: support@askmyu.com
Address: 345 Franklin Street, Suite 204, Cambridge, MA 02139
Website: www.askmyu.com
14.2 Privacy Rights Requests
To exercise your privacy rights (access, deletion, correction, etc.):
Email: privacy@askmyu.com with subject line "Privacy Rights Request"
Use your account settings for self-service data export and deletion
For Google-specific requests: Email privacy@askmyu.com with subject line "Google Data Request"
14.3 Data Protection Officer (if applicable)
If required by law (e.g., GDPR), we will appoint a Data Protection Officer (DPO). You can contact our DPO at dpo@askmyu.com.
14.4 Response Time
We will respond to your privacy inquiries and requests within:
General inquiries: 5 business days
Privacy rights requests: 30 days (may extend to 60 days for complex requests with notification)
GDPR/CCPA requests: As required by applicable law (typically 30-45 days)
15. Additional Information
15.1 Third-Party Links
Our Service may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.
15.2 Business to Business (B2B) Relationships
If you use our Service as part of a business or organization account, your employer or organization may have access to your usage data and may control certain settings. Please review your organization's privacy policies.
15.3 Accessibility
We are committed to making this Privacy Policy accessible to all users. If you need this Privacy Policy in an alternative format, please contact us at privacy@askmyu.com.
15.4 Translation
This Privacy Policy may be translated into other languages for your convenience. In the event of any conflict between the English version and a translated version, the English version shall prevail.
IMPORTANT REMINDER: AskMyu's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We are committed to protecting your privacy and using your data only to provide and improve our Service.
This Privacy Policy was last updated on April 27, 2026.
════════════════════════════════════════════════════════════════
ADDENDUM: MOBILE APP & AWS COMPLIANCE
════════════════════════════════════════════════════════════════
ADDENDUM A: Mobile App Privacy Disclosures
A.1 Apple App Store Privacy Labels
The following table shows how our data collection maps to Apple's App Privacy categories:
Data Category
Data Types Collected
Linked to You / Used for Tracking
Contact Info
Name, Email Address
Linked to You / NOT Used for Tracking
User Content
Emails (metadata only), Journals, Goals
Linked to You / NOT Used for Tracking
Identifiers
User ID, Device ID
Linked to You / NOT Used for Tracking
Usage Data
Product Interaction, App Launch
Linked to You / NOT Used for Tracking
Diagnostics
Crash Data, Performance Data
NOT Linked to You / NOT Used for Tracking
Financial Info
Purchase History (via App Store)
Linked to You / NOT Used for Tracking
Sensitive Info
NONE collected
N/A
Location
Coarse Location (IP-based only)
NOT Linked to You / NOT Used for Tracking
Health & Fitness
NONE collected
N/A
Browsing History
NONE collected
N/A
KEY POINTS:
We do NOT track you across apps and websites owned by other companies
We do NOT sell your data to data brokers or advertisers
We do NOT use your data for advertising purposes
Email and message content is processed for insights but NOT stored
A.2 Google Play Store Data Safety
The following information is disclosed in our Google Play Store Data Safety section:
Data Type
Collected?
Shared with Third Parties?
Purpose
Personal Info (Name, Email)
Yes
No
Account creation, authentication
App Activity
Yes
No
Analytics, functionality
App Performance Data
Yes
No
Diagnostics, crash prevention
Device/Other IDs
Yes
No
Analytics, fraud prevention
Messages (Metadata ONLY)
Yes
No
Relationship intelligence
Location (Approximate)
Yes
No
Analytics (IP-based)
Financial Info
Via Play Store
No
Google processes payments
Photos/Videos
No
No
Not collected
Security Practices (Google Play):
Data encrypted in transit (HTTPS/TLS 1.2+)
Data encrypted at rest (AES-256)
Users can request deletion
18+ age restriction (Google Play Families Policy)
Regular security audits
A.3 Mobile App Permissions
A.3.1 iOS Permissions
Our iOS app may request the following permissions:
Notifications: For alerts about insights and goals (Settings > AskMyu > Notifications)
Background App Refresh: To sync data (Settings > General > Background App Refresh)
Internet Access: Required for core functionality (cannot be disabled)
Contacts (Optional): Only if you import contacts (Settings > AskMyu > Contacts)
Face ID/Touch ID (Optional): For biometric security (Settings > Face ID & Passcode)
A.3.2 Android Permissions
Our Android app requests the following permissions:
INTERNET: Required for core functionality (auto-granted)
ACCESS_NETWORK_STATE: To detect connectivity (auto-granted)
RECEIVE_BOOT_COMPLETED: To restart sync after reboot (auto-granted)
POST_NOTIFICATIONS (Android 13+): For notifications (Settings > Apps > AskMyu)
GET_ACCOUNTS (Optional): For Google OAuth (granted when connecting)
READ_CONTACTS (Optional): If importing contacts (Settings > Apps > AskMyu > Permissions)
USE_BIOMETRIC (Optional): For fingerprint/face unlock (device security settings)
ADDENDUM B: AWS Infrastructure and Compliance
B.1 AWS Regions and Data Location
Your data is stored on Amazon Web Services (AWS) infrastructure in the following regions:
Primary Region: AWS US-West-2 (Oregon, USA)
Secondary Region: AWS US-East-1 (Northern Virginia, USA) - for disaster recovery
Future: AWS AP-Northeast-1 (Tokyo, Japan) for Japanese customers
B.2 AWS Compliance Certifications
Our AWS infrastructure complies with:
SOC 1, SOC 2, SOC 3: Security, availability, confidentiality audits
ISO 27001, 27017, 27018: Information security management
PCI DSS Level 1: Payment card industry standards
GDPR: Data Processing Addendum with AWS
HIPAA Eligible: For future health data features
FedRAMP: For government customers
B.3 AWS Security Features
We leverage AWS security services:
VPC Isolation: Databases in isolated Virtual Private Clouds
AWS WAF: Web Application Firewall for exploit protection
AWS Shield: DDoS protection
AWS GuardDuty: Threat detection monitoring
AWS CloudTrail: Complete audit logging
AWS IAM: Strict role-based access control
Multi-Factor Authentication: Required for all admin access
B.4 Backup and Disaster Recovery
AWS-powered backup strategy:
Automated Daily Backups to S3 (7-day retention)
Multi-Region Replication to US-West-2
Point-in-Time Recovery (7 days for databases)
AES-256 Encrypted Backups
RTO: 4 hours, RPO: 1 hour
Backups deleted within 90 days after account deletion
B.5 Data Processing Addendum
For enterprise customers and GDPR compliance:
We have executed Data Processing Addendums (DPAs) with AWS
DPAs ensure GDPR, CCPA, and international data protection compliance
Enterprise customers can request a copy of our AWS DPA
Contact: enterprise@askmyu.com for DPA requests
ADDENDUM C: App Store Compliance
C.1 App Tracking Transparency (iOS)
IMPORTANT: We do NOT track you across apps and websites owned by other companies.
This means:
We do NOT request the App Tracking Transparency (ATT) permission
We do NOT share your device advertising identifier with third parties
We do NOT use your data for targeted advertising
Our analytics are for service improvement only, not cross-app tracking
C.2 In-App Purchases and Subscriptions
When purchasing through Apple App Store or Google Play Store:
Purchases are charged to your Apple ID (App Store) or Google Play account
Subscription management: iOS Settings > [Your Name] > Subscriptions, or Play Store > Menu > Subscriptions
Subscriptions auto-renew unless cancelled 24 hours before renewal
No refunds for partial billing periods except as required by law
Family Sharing: Subscriptions may be eligible for Family Sharing (check app store)
We do NOT use third-party payment systems within the apps (App Store/Play Store only)
C.3 Third-Party SDKs and Libraries
Our mobile apps use the following third-party SDKs:
AWS SDK: For cloud infrastructure integration
SendGrid SDK: For email delivery
Google OAuth SDK: For Google account integration (optional)
Apple Sign In SDK: For Apple authentication (if implemented)
Analytics SDK: For app usage analytics (anonymized)
All SDKs are configured to comply with this Privacy Policy and app store requirements.
END OF PRIVACY POLICY
This comprehensive Privacy Policy includes all requirements for:
Google API Services User Data Policy compliance
Apple App Store privacy requirements
Google Play Store Data Safety requirements
AWS infrastructure and security compliance
GDPR, CCPA, and APPI regulatory compliance
