Privacy & Data Policy

Complete transparency about how your data is collected, stored, and protected

Last Updated: December 18, 2025 | Version 1.5

Effective Date: December 18, 2025

Jurisdiction: United States

Definitions

For purposes of this Privacy Policy:

  • "Input" means any text, prompts, data, files, or other materials you submit to the Service.
  • "Output" means any content, analysis, recommendations, or responses generated by the Service based on your Input.
  • "Service" means the 122ai website, applications, AI models, tools, and related services.
  • "Memories" means key contextual information extracted from your conversations to personalize future interactions.

Data Controller

122ai.io
United States

Contact: privacy@122ai.io

Legal Basis for Processing (GDPR)

  • Contractual Necessity: To provide our AI advisory services
  • Legitimate Interest: To improve and secure our platform
  • Consent: For optional features and communications
  • Legal Obligation: To comply with applicable laws

How 122ai Works

  1. You type a message: Your input is captured in your browser and authenticated via Clerk
  2. Securely stored in cloud database: Your conversation is saved to our Neon PostgreSQL database with SSL encryption, enabling multi-device access and sync
  3. Sent to Anthropic's API: Your message is securely transmitted to Anthropic's servers for AI processing
  4. AI generates response: Anthropic's Claude AI analyzes your message and creates strategic insights
  5. Response stored and returned: The response is saved to your database record and displayed in your browser. A local cache is maintained for offline access.

Boardroom Mode (Ephemeral Sessions)

For your most sensitive discussions, the Service offers "Boardroom Mode" — ephemeral sessions with enhanced privacy protections:

  • Zero Database Storage: Conversations in Boardroom Mode are processed in real-time but never written to our database.
  • No Long-Term Memory: These sessions are excluded from your account's memory and personalization systems.
  • Session-Only Context: All Input and Output is permanently discarded when the session ends.
  • Not Recoverable: Once a Boardroom Mode session ends, the conversation cannot be retrieved by you, 122ai, or any third party.

Note: AI processing still occurs via Anthropic's API, subject to their standard 7-day abuse monitoring logs. Boardroom Mode eliminates 122ai's retention, not Anthropic's temporary processing logs.

Data Storage & Security Architecture

Database Storage (Neon PostgreSQL)

Your conversations are stored in a secure, serverless PostgreSQL database:

  • Encryption in Transit: TLS 1.3 with SSL/TLS encryption for all database connections
  • Encryption at Rest: AES-256 encryption for all stored data (managed by Neon)
  • User-Scoped Queries: All database queries are filtered by your user ID - you can only access your own data
  • Connection Pooling: Efficient, secure connection management with automatic timeout
  • Data Isolation: Multi-tenant architecture with strict logical separation

Authentication & Access Control (Clerk)

User authentication and session management powered by Clerk:

  • OAuth 2.0: Industry-standard authentication protocols
  • Secure Sessions: JWT-based session tokens with automatic refresh
  • Multi-Device Support: Access your conversations from any authenticated device
  • Account Security: Password requirements, MFA support, and breach detection

API Security

All API endpoints implement security best practices:

  • Authentication Required: All database operations verify user identity via Clerk middleware
  • Parameterized Queries: SQL injection protection through prepared statements
  • HTTPS Only: All communications encrypted in transit with TLS 1.3
  • Security Headers: CORS policies, Content Security Policy (CSP), and X-Frame-Options
  • Input Validation: Server-side validation and sanitization of all user inputs
  • Rate Limiting: Protection against abuse and DoS attacks (planned)

Local Caching (Optional)

For improved performance and offline access, conversations are also cached in your browser's localStorage. This local cache is automatically synchronized with the cloud database.

What 122ai Does

Store conversations securely

Your sessions are encrypted and stored in a secure cloud database with strict access controls

Enable multi-device access

Access your conversation history from any device after authenticating

Protect your data with encryption

All data is encrypted in transit (HTTPS/SSL) and protected by authentication

Give you full control

Export, delete, or manage your conversations anytime through your account

Maintain transparency

Clear documentation of all data collection, storage, and processing practices

What 122ai Does NOT Do

Share or sell your data

We have no business model based on data monetization. Your data is never sold to third parties.

Train AI models on your conversations

Your conversations are used only to provide you with AI assistance, never for training purposes

Use tracking or advertising cookies

We use only essential cookies for authentication and functionality - no tracking or ad networks

Essential Cookies: Clerk session cookies (__session, __client_uat) for authentication and security. These are strictly necessary for the service to function.

Allow unauthorized access

Strict authentication and row-level security ensure only you can access your data

Third-Party Data Processors

122ai uses the following trusted third-party services to deliver our platform. Each has been selected for their strong security and privacy practices. Data Processing Agreements (DPAs) are in place with all sub-processors to ensure GDPR-compliant data handling:

Anthropic (AI Processing)

Your conversations are processed by Anthropic's Claude API to generate AI responses.

  • No training on your data: Anthropic does not use API conversations to train AI models - your strategic discussions stay private
  • Enterprise security: SOC 2 Type II certified, ISO 27001, ISO 42001 compliant
  • Data retention: API logs retained for 7 days (abuse monitoring only), then automatically deleted
  • Prompt caching: We use prompt caching for performance; only hashed metadata is temporarily stored (5 min TTL), not your actual content
  • Compliance: GDPR and CCPA compliant
View Anthropic's privacy policy →

Clerk (Authentication)

User authentication and session management powered by Clerk.

  • Secure authentication: Industry-standard OAuth 2.0 and JWT tokens
  • Data collected: Email address, authentication credentials, session data
  • Security features: MFA support, breach detection, secure password storage
  • Compliance: SOC 2 Type II, GDPR, CCPA compliant
View Clerk's privacy policy →

Neon (Database Hosting)

Conversation data, messages, and metadata are stored in a Neon-hosted PostgreSQL database.

  • Serverless PostgreSQL: Auto-scaling, high-availability database infrastructure
  • Data encryption: SSL/TLS in transit, AES-256 encryption at rest
  • Geographic location: US East (configurable)
  • Compliance: SOC 2 Type II certified
View Neon's privacy policy →

Vercel (Application & File Hosting)

The 122ai application is hosted on Vercel's edge network. Uploaded files are stored in Vercel Blob Storage.

  • Edge deployment: Global CDN for fast, secure delivery
  • HTTPS only: All connections encrypted with TLS 1.3
  • File storage: Uploaded attachments stored in Vercel Blob with private access (token-authenticated)
  • File deletion: Uploaded files are permanently deleted when you delete a conversation or your account
  • Logs: Request logs retained for 7 days for debugging and security
  • Compliance: SOC 2 Type II, GDPR compliant
View Vercel's privacy policy →

Data Retention & Your Rights

Data Retention

We retain your data only as long as necessary to provide our services and comply with legal obligations.

  • Conversations: Retained until you delete them or close your account. We store conversations to enable multi-device access and continuity of your advisory sessions.
  • Account data: Retained while your account is active. After deletion, database point-in-time restore capability maintains history for 6 hours (disaster recovery only), after which your data becomes permanently unrecoverable.
  • Logs: Request logs retained for 7 days for security and debugging
  • Anthropic processing: API logs retained by Anthropic for 7 days (abuse monitoring only), then automatically deleted. Your data is never used for AI training.
  • Memories (Cross-Conversation Context): Key facts extracted from your conversations (e.g., your role, industry, preferences) to personalize future interactions. Retained until you delete them individually via the memory management interface or close your account. You have full control to view, export, and delete all memories.

Your Data Rights (GDPR/CCPA)

We will respond to your data rights requests within 30 days.

  • Right to Access: View all your stored conversations through the app
  • Right to Delete: Delete individual conversations or your entire account
  • Right to Export: Download your data in standard formats (Markdown, Word, PDF, JSON)
  • Right to Rectification: Edit or update your conversations
  • Right to Object: Stop processing by deleting your account
  • Right to Opt-Out (CCPA): We do not sell or share your personal information for cross-context behavioral advertising

To exercise your rights, contact privacy@122ai.io

Account Deletion

You can permanently delete your account and all associated data:

  • Self-Service: Use the account deletion endpoint (requires confirmation)
  • Contact Support: Email support@122ai.io

Account deletion permanently removes your user profile, all conversations, messages, artifacts, attachments, and memories. This action cannot be undone.

Deletion Timeline: Your data is immediately removed from production systems. Database restore history (6 hours) exists solely for disaster recovery and cannot be accessed by users or staff. After 6 hours, your data becomes cryptographically unrecoverable.

Your Data Controls

You have complete control over your data:

Export Conversations

Download as Markdown, Word, PDF, or JSON formats

Delete Data

Remove individual conversations or your entire account

Manage Access

Control device access and session management

Recommendations for Sensitive Data

While 122ai implements strong security measures, any AI-powered tool requires sending data for processing. If you're working with highly sensitive or regulated information:

  • Avoid including specific names, account numbers, PII, or confidential identifiers
  • Use general terms instead of specific details (e.g., "our Q3 revenue" instead of "$4.2M")
  • Review Anthropic's data retention policies if handling regulated data (HIPAA, SOX, GDPR)
  • For HIPAA compliance, contact us about Business Associate Agreements (BAA)
  • Regularly review and delete old conversations to minimize data retention

Security & Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

  • Notify affected users within 72 hours of discovery (GDPR requirement)
  • Provide detailed information about the nature and scope of the breach
  • Explain steps taken to mitigate harm and prevent future incidents
  • Notify relevant regulatory authorities as required by law

Report security concerns to security@122ai.io

Children's Privacy

122ai is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at privacy@122ai.io and we will delete the information.

International Data Transfers

Our services are hosted in the United States. If you access 122ai from outside the US:

  • Your data will be transferred to and processed in the United States
  • We implement appropriate safeguards for international data transfers
  • Standard Contractual Clauses (SCCs) are in place with third-party processors
  • GDPR adequacy mechanisms ensure European data protection standards

Privacy Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. Material changes will be communicated via email or prominent notice in the app. Continued use of 122ai after updates constitutes acceptance of the revised policy.

Questions or Concerns?

For questions about privacy, data handling, or to exercise your data rights:

Privacy inquiries: privacy@122ai.io

Security concerns: security@122ai.io

General support: support@122ai.io
