Privacy Policy

Remy is an AI assistant operated by Hoot Ventures LLC ("Remy," "we," "us," or "our"). This Privacy Policy explains what information we collect when you use Remy's mobile application and website (together, the "Service"), how we use it, who we share it with, and the choices you have. We've tried to write this in plain English. Where legal terms are unavoidable, we've done our best to explain them.

The short version. You sign in with your Google account. Remy stores the OAuth tokens so it can read your mail and calendar on your behalf, plus the conversations and the compact knowledge graph Remy builds from them. Only you can see your data. We don't sell it, we don't share it with advertisers, and we don't train general-purpose AI models on it. You can delete everything at any time.

1. Information we collect

We collect the following categories of information:

(a) Account information. When you create an account by signing in with Google, we receive basic profile information from Google: your name, email address, and profile photo. We store this so we can identify you and display it back to you in the app.

(b) OAuth tokens. When you grant Remy permission to access your Google account, Google issues us access and refresh tokens. We store these tokens encrypted at rest using AES-256-GCM. They are the keys Remy uses to read your mail and calendar when you ask it to. They are never shared with third parties and never transmitted in plaintext.

(c) Mail and calendar data. Depending on which permissions you grant, Remy reads email messages, calendar events, and associated metadata (participants, times, subjects, bodies, and attachments when relevant) from your connected account. Remy uses this data to answer your questions, draft replies, and propose actions. Remy also maintains a bounded source index of relevant message and calendar metadata so it can find the right items without scanning your whole account on every request.

(d) Conversation history. We store the messages you send to Remy and Remy's responses so you can continue a conversation across sessions and devices.

(e) Working memory. From your conversations and the data you ask Remy to look at, Remy writes a compact knowledge graph of the people, organizations, projects, preferences, and decisions that matter to you. This lets Remy help you better over time. It is scoped to your account and visible only to you.

(f) Device and log data. When you use the Service, we automatically collect basic technical information: IP address, device model and OS version, app version, crash reports, approximate region derived from your IP, and timestamps of requests. We use this to operate, secure, and improve the Service.

(g) Support communications. If you contact us, we retain your messages and our replies so we can help you and improve the product.

2. How we use your information

We use your information only to:

• Provide the Service: answer your questions, draft messages, find times on your calendar, and take actions you explicitly approve.
• Maintain continuity: keep your conversations and working memory available across sessions and devices.
• Operate, secure, and debug the Service: prevent abuse, investigate incidents, fix crashes, and monitor performance.
• Communicate with you: respond to support requests and send service-related notices (we don't send marketing email unless you opt in).
• Comply with law: respond to valid legal process and enforce our Terms of Service.

We do not sell your personal information, rent it, or share it with advertisers. We do not use the contents of your mail, calendar, or conversations to train general-purpose AI models. Any model fine-tuning we do in the future on your data would be strictly opt-in, scoped to your own account, and disclosed before it happens.

3. Google API Services User Data Policy

Remy's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only request the Google OAuth scopes necessary to provide features you have asked for (for example, reading Gmail to triage your inbox, or reading and writing Calendar events to schedule on your behalf).
• We only use your Google user data to provide or improve user-facing features that are prominent in the Service.
• We do not transfer your Google user data to third parties except (i) as necessary to provide or improve user-facing features, (ii) for security purposes, (iii) to comply with applicable law, or (iv) as part of a merger, acquisition, or sale of assets with notice to you.
• We do not use your Google user data to serve advertisements.
• We do not allow humans to read your Google user data unless (i) we obtain your explicit consent for specific messages, (ii) it is necessary for security purposes such as investigating abuse, (iii) it is necessary to comply with applicable law, or (iv) the data is aggregated and used for internal operations in a way that cannot identify you.

4. Future connected services

Remy currently launches with Google account connection. If we add other account providers later, we will update this policy before asking you to connect those accounts.

5. Third-party model providers

To generate replies, Remy sends the portion of your conversation and the relevant context Remy needs to a large language model provider, currently Google's Gemini. The provider processes that data on our behalf under contractual commitments that prohibit them from using it to train their general-purpose models and require them to delete it after a short retention period. We use reputable providers with SOC 2 Type II controls and equivalent enterprise safeguards. A current list of subprocessors is available on request at privacy@hootventures.ai.

6. How we share information

We share information only in these limited circumstances:

• Service providers and subprocessors who host our infrastructure, process payments (if and when we introduce paid plans), send transactional email, and deliver AI inference. These providers are contractually bound to use your data only to provide services to us.
• At your direction, for example when you approve a draft and ask Remy to send it from your connected account, or when you connect an additional integration.
• Legal and safety: to comply with a subpoena, court order, or other valid legal process; to enforce our Terms; or to protect the rights, safety, or property of Remy, our users, or the public.
• Business transfers: if we are involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

7. Data isolation and security

We take security seriously. Our controls include:

• Encryption in transit: all traffic between your device and our servers uses TLS 1.2 or higher.
• Encryption at rest: databases and backups are encrypted. OAuth tokens are additionally encrypted at the application layer using AES-256-GCM with keys managed by a dedicated key management service.
• Row-level isolation: every table that holds user data uses Postgres row-level security, so the database itself refuses to return another account's rows — not just the application.
• Approval gating: Remy never sends an email, books a meeting, or takes any outward-facing action without your explicit in-app approval for that specific action.
• Access controls: production access is limited to a small number of engineers, scoped by role, logged, and subject to two-factor authentication. Humans do not read your mail, calendar, or conversations in the ordinary course of operating the Service.
• Vulnerability management: we monitor dependencies, patch on a regular cadence, and conduct security reviews before shipping new integrations.

No system is perfectly secure. If you discover a vulnerability, please email security@hootventures.ai and we will respond promptly.

8. Data retention

We retain your data for as long as your account is active, or as needed to provide the Service and comply with our legal obligations. When you delete your account, we delete the personal information we hold about you from our production systems within 30 days and from backups within 90 days. Aggregated or de-identified information that cannot reasonably be used to identify you may be retained for longer.

9. Your rights and choices

You can:

• Access, correct, or export the information we hold about you.
• Delete your account and all associated data from within the app, or by emailing us.
• Revoke Remy's access to your Google account at any time at myaccount.google.com/permissions.
• Opt out of any optional communications from us.

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the GDPR, including the right to object to or restrict certain processing, the right to data portability, and the right to lodge a complaint with a supervisory authority. Our lawful bases for processing are your consent (for connecting your Google account), the performance of a contract (operating the Service you signed up for), and our legitimate interests (securing and improving the Service).

If you are a California resident, you have rights under the California Consumer Privacy Act as amended by the CPRA, including the right to know the categories and specific pieces of personal information we have collected about you, the right to delete that information, the right to correct inaccurate information, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information as those terms are defined under California law. To exercise any of these rights, email us at the address below.

10. International data transfers

Remy is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States or other countries where our service providers operate. We rely on appropriate safeguards for these transfers, including the Standard Contractual Clauses approved by the European Commission where applicable.

11. Children's privacy

The Service is not directed to children under 13 (or under 16 in the European Economic Area), and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will post the updated policy here and update the effective date above. If the changes are material, we will provide a more prominent notice (for example, an in-app banner or an email). Continued use of the Service after the updated policy takes effect means you accept the changes.

13. Contact us

Questions, requests, or concerns: privacy@hootventures.ai. Security reports: security@hootventures.ai. General support: support@hootventures.ai.

Data controller: Hoot Ventures LLC, United States.