Privacy Policy
Effective Date: January 2, 2026
CAIO LLC ("CAIO," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the CAIO Bridge platform and all related services, features, and functionality (collectively, the "Platform").
By accessing or using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.
1. Information We Collect
1.1 Information You Provide
Account Information:
- Name and email address
- Password (stored in hashed form)
- Organization name and details
- Profile photo (optional)
- Job title and role
Billing Information:
- Payment method details (processed and stored by Stripe; we do not store full card numbers)
- Billing address
- Transaction history
Content You Create:
- Documents, notes, and files
- Tasks and project information
- Email templates, drafts, and sent messages
- Social media posts and drafts
- Blog posts and SEO content
- Proposals and their content
- AI prompts and inputs
- Workspace strategy and configuration data (ICP descriptions, messaging, goals)
Contact Data (CRM):
- Names and contact information of your business contacts, prospects, and customers
- Company and employment information
- Communication history and notes
- Deal, pipeline, and revenue information
- Engagement scores and interaction data
Communications:
- Support requests and correspondence
- Feedback and survey responses
1.2 Information from Third-Party Connections
When you connect third-party accounts via OAuth or API, we access:
| Service | Information Accessed |
|---|---|
| | Public profile (name, photo, headline), ability to post on your behalf, basic account identifiers |
| X (Twitter) | Public profile, ability to post on your behalf, basic account identifiers |
| Google (OAuth) | Name, email address, profile photo for authentication |
| Google Calendar | Calendar events, ability to create events and Google Meet links on your behalf |
| Gmail (Intel) | Read-only access (gmail.readonly scope) to monitor newsletters and market updates from sender addresses you explicitly configure. We read email content (headers and body) only for configured senders. We do not access your full inbox, and we cannot send, modify, or delete emails. See Section 1.2.1 for details. |
| Quo | Call metadata (duration, direction, phone numbers), call recordings, transcripts, AI-extracted call summaries |
| HeyReach | LinkedIn automation activity, connection status, message delivery |
| Apollo | Contact enrichment data (professional information about contacts you add) |
| Instantly | Email campaign data, sending account status, delivery and engagement events |
| Slack | Ability to send notifications and alerts to your connected workspace channels |
| Cal.com | Booking page configuration, scheduled meeting data |
| ZeroBounce | Email verification results (validity status for email addresses you submit) |
| Granola | Meeting notes, transcripts, and summaries from advisory sessions (used with your consent for session documentation) |
We request only the minimum permissions necessary to provide Platform features. We do not access private messages, personal connections lists, or data beyond what is required for the specific features you use.
1.2.1 Gmail Data (Market Intelligence Feature)
Our Market Intelligence feature allows workspace administrators to connect a Gmail account to monitor industry newsletters and market updates. When you connect Gmail, we request the gmail.readonly OAuth scope. We do not request permission to send, modify, or delete your emails.
What we access and why:
| API Method | Purpose |
|---|---|
| users.getProfile | Retrieve your email address to identify the connected account |
| users.watch | Subscribe to push notifications for new inbox messages via Google Cloud Pub/Sub |
| users.history.list | Detect new messages added to your inbox since the last sync |
| users.messages.get | Read the full content (headers and body) of messages from your configured sender filters only |
Why we need gmail.readonly: The narrower gmail.metadata scope does not permit reading message bodies. Our feature requires reading newsletter HTML and text content to extract market intelligence insights. gmail.readonly is the minimum scope that supports this.
What we do NOT do with Gmail data:
- We do not read, store, or process emails from senders you have not configured
- We do not use Gmail data for advertising or user profiling
- We do not share raw email content with third parties
- We do not send, modify, draft, or delete any emails
Revoking access: You can disconnect Gmail from Settings > Intelligence > Email Sources, or revoke access from your Google Account permissions page. Upon disconnection, we delete stored OAuth tokens and stop all access to your Gmail data.
1.3 Call Recording and Transcript Data
If you enable call tracking integrations (such as Quo), we may receive and process:
- Call metadata (phone numbers, duration, timestamps, call direction)
- Call recordings (audio files)
- Call transcripts (text transcriptions of recordings)
- AI-extracted insights (summaries, sentiment analysis, action items, pain points mentioned)
Important: You are responsible for complying with all applicable call recording laws, including obtaining consent from call participants where required. We process call data only as directed by you and on your behalf.
1.4 Advisory Session Recording Data
If you are a CAIO advisory client, we may collect and process recordings from advisory sessions, consulting calls, and onboarding meetings. This includes:
- Audio and/or video recordings of advisory sessions
- Transcripts generated from session recordings (via tools such as Granola, Zoom, or other recording services)
- AI-generated session notes, summaries, and action items
- Meeting metadata (date, time, duration, participants)
Consent: CAIO will provide notice at the beginning of each recorded session. Your continued participation constitutes consent to recording. You are responsible for informing your personnel who attend sessions. See our Terms of Service Section 8 for additional details on session recording practices and your rights.
1.5 Information Collected Automatically
Usage Data:
- Pages and features accessed
- Time spent on the Platform
- Actions taken (clicks, form submissions, searches)
- Feature usage patterns and agent interaction data
Device and Technical Data:
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Referring URLs
Email Engagement Data:
- Email open events (via tracking pixels)
- Link click events
- Reply detection
- Bounce and unsubscribe events
1.6 Information from Data Enrichment
When you add contacts to the Platform, we may supplement that data with information from third-party providers (such as Apollo or ZeroBounce), including:
- Professional title and employment history
- Company information (size, industry, location, revenue, tech stack)
- Professional email addresses and verification status
- Social profile URLs
1.7 Third-Party Credential Data
If you provide API keys or credentials for third-party services ("BYO Credentials"), or if CAIO manages third-party accounts on your behalf ("Managed Services"), we store:
- API keys and authentication tokens (encrypted at rest using AES-256)
- OAuth refresh tokens for connected services (encrypted at rest)
- Integration configuration settings
- Integration validation status and metadata
We access credentials only as necessary to provide Platform features. BYO Credentials are disconnected upon account termination.
2. How We Use Your Information
2.1 To Provide and Operate the Platform
- Create and manage your account and Workspace
- Process transactions and subscriptions
- Deliver Platform features and functionality, including CRM, outreach, content, and AI agent capabilities
- Sync meetings and calendar events
- Send scheduled posts to connected social accounts
- Send emails through outreach features
- Generate AI-powered content, analysis, research, and suggestions
- Process call transcripts and extract insights
- Track email and multi-channel engagement for your campaigns
- Execute configured AI agent workflows and automations
2.2 To Provide Advisory Services
- Record and transcribe advisory sessions (with consent)
- Generate session notes, summaries, and action items
- Track advisory engagement progress and deliverables
- Manage onboarding workflows
2.3 To Communicate With You
- Send transactional emails (confirmations, receipts, alerts)
- Provide customer support
- Send service announcements and updates
- Deliver Slack notifications and alerts
- Respond to your inquiries
2.4 To Improve and Develop
- Analyze usage patterns to improve features
- Identify and fix technical issues
- Develop new features, modules, and services
- Conduct research and analytics using aggregated data
- Extract generalized, de-identified learnings from advisory engagements to improve our platform and methodologies (see Section 2.6)
2.5 To Protect and Secure
- Detect and prevent fraud and abuse
- Enforce our Terms of Service and Acceptable Use Policy
- Protect the rights and safety of users
- Comply with legal obligations
2.6 Aggregated Data, Cross-Tenant Intelligence, and Derived Learnings
We use data from Platform usage to improve our products and services for all customers. This includes:
- Aggregated Analytics: We collect and analyze anonymized, aggregated usage data (such as feature adoption rates, campaign performance benchmarks, and operational patterns) to improve the Platform. This data does not identify you, your Workspace, or any individual.
- Cross-Tenant Intelligence: Patterns observed across multiple workspaces (such as effective outreach sequences, high-performing content formats, or common workflow optimizations) may inform platform improvements and default configurations for all users. This intelligence is derived from aggregated patterns, not individual client data.
- Derived Learnings from Advisory Services: General knowledge, techniques, and operational insights gained during advisory engagements may be used to develop platform features, modules, and methodologies. Derived Learnings do not identify specific clients or reveal proprietary business information. See our Terms of Service Section 8.4 and MSA Section 3.3 for additional details.
- We do not sell your personal information or Contact Data
- We do not use your Content or Contact Data to train third-party AI foundation models
- We do not share identifiable client data between workspaces
- We do not use Session Recordings for marketing purposes without your consent
3. How We Share Your Information
3.1 With Your Consent and Direction
- Publishing content to your connected LinkedIn or X accounts
- Sending emails through your configured email accounts or Managed Service accounts
- Sending LinkedIn connection requests and messages via automation tools
- Sharing proposals with recipients you specify
- Inviting team members to your Workspace
3.2 With Service Providers (Sub-Processors)
We share information with third-party vendors who assist in operating the Platform. A complete list of sub-processors is maintained at getcaio.com/legal/subprocessors. Key categories include:
| Provider Category | Purpose | Examples |
|---|---|---|
| Cloud Infrastructure | Hosting, data storage, deployment | Vercel, Supabase |
| Payment Processing | Subscription billing, invoicing | Stripe |
| Email Delivery | Transactional and outreach emails | Resend, Instantly |
| AI Services | Content generation, analysis, agent capabilities | Anthropic (Claude) |
| Voice Infrastructure | Voice synthesis, transcription | ElevenLabs, OpenAI Whisper |
| Meeting Intelligence | Session recording, notes, transcription | Granola |
| LinkedIn Automation | Automated LinkedIn actions | HeyReach |
| Data Enrichment | Contact and company information | Apollo |
| Email Verification | Email address validation | ZeroBounce |
| Call Tracking | Call recording, transcription, SMS | Quo |
| Scheduling | Meeting booking | Cal.com |
| Notifications | Workspace alerts and reminders | Slack |
| Analytics | Usage analytics | Vercel Analytics |
Service providers are contractually obligated to protect your information and use it only for the purposes we specify. See our Data Processing Agreement for details on sub-processor obligations.
3.3 For Legal Reasons
We may disclose information when we believe it is necessary to:
- Comply with applicable law, regulation, or legal process
- Respond to lawful requests from public authorities
- Protect our rights, privacy, safety, or property
- Enforce our agreements and policies
- Investigate potential violations
3.4 Business Transfers
In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide the opportunity to delete your data before transfer.
3.5 Aggregated and Anonymized Data
We may share aggregated or anonymized information that cannot reasonably be used to identify you for analytics, benchmarking, research, or other purposes.
4. Data Retention
4.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 30 days after deletion request |
| Content (documents, tasks, posts) | Duration of account + 30 days |
| Contact Data (CRM) | Duration of account + 30 days |
| Call Recordings & Transcripts | Duration of account + 30 days (or as configured in Workspace settings) |
| Advisory Session Recordings | 12 months from recording date, or engagement period + 6 months (whichever is longer) |
| Email Engagement Data | 24 months from event date |
| Usage Analytics | 24 months |
| Billing Records | 7 years (legal requirement) |
| Support Communications | 3 years from last contact |
| Third-Party Credentials (BYO) | Duration of account; deleted within 5 business days of termination |
4.2 Deletion
When you delete your account or request data deletion, we will remove your information within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance, billing records). Derived Learnings that have been extracted and de-identified prior to a deletion request are not subject to deletion, as they do not identify you.
5. Data Security
5.1 Security Measures
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- AES-256 encryption for third-party credentials and sensitive configuration data
- Secure password hashing (bcrypt)
- OAuth token encryption and secure storage
- Role-based access controls and authentication requirements
- Workspace-level data isolation
- Regular security assessments
- Employee access limitations and training
5.2 Workspace Isolation
Data is isolated between workspaces at the database level. Every query is scoped to your Workspace. Users in one workspace cannot access another workspace's data unless explicitly granted cross-workspace access (super admin only).
5.3 Limitations
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and BYO API keys.
6. Your Rights and Choices
6.1 Access and Portability
You may access your personal information through your account settings. You may request a copy of your data in a portable format (CSV, JSON) by contacting us. Upon account termination, you have 30 days to request a data export.
6.2 Correction
You may update your account information at any time through your settings. Contact us if you need assistance correcting other information.
6.3 Deletion
You may delete your account through settings or by contacting us. Upon deletion, your data will be removed as described in Section 4.
6.4 Session Recording Rights
You may request deletion of specific advisory session recordings at any time by contacting us. CAIO will delete recordings within 30 days of a valid request. You may also decline recording at the start of any session.
6.5 Disconnect Third-Party Accounts
You may disconnect LinkedIn, X, Gmail, or other connected accounts at any time through Platform settings or through the third party's settings.
6.6 Email Communications
You may opt out of promotional emails by clicking "unsubscribe" in any email or updating your preferences. You cannot opt out of transactional emails related to your account.
6.7 Email Tracking
If you receive emails from Platform users, those emails may contain tracking pixels. You can disable image loading in your email client to prevent tracking.
7. Cookies and Tracking Technologies
7.1 Cookies We Use
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication (session token), workspace selection, security (CSRF protection) | Session / 30 days |
| Functional | Preferences, theme settings, active workspace memory | 1 year |
| Analytics | Usage patterns, performance monitoring | 1 year |
7.2 No Advertising Cookies
We do not use third-party advertising cookies or sell data to advertisers.
7.3 Cookie Choices
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Platform.
8. International Data Transfers
We are based in the United States. If you access the Platform from outside the US, your information will be transferred to and processed in the US, where data protection laws may differ from your jurisdiction.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Your consent where applicable
- Necessity for contract performance
Details of transfer mechanisms are set forth in our Data Processing Agreement.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose
- Delete: Request deletion of your personal information
- Correct: Request correction of inaccurate personal information
- Non-Discrimination: Exercise your rights without discriminatory treatment
- Limit Use of Sensitive Information: Direct us to limit use of sensitive personal information to what is necessary for services
To exercise these rights, contact us at privacy@getcaio.com. We will verify your identity before processing requests.
Do Not Sell or Share: We do not sell or share (for cross-context behavioral advertising) personal information as defined under California law.
10. European Privacy Rights (GDPR)
If you are in the EEA, UK, or Switzerland, you have additional rights:
- Access: Obtain a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion under certain circumstances
- Restriction: Request limitation of processing
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Where processing is based on consent
- Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or significant effects (see Section 10.1)
10.1 Automated Decision-Making
The Platform uses AI to generate content, score prospects, prioritize tasks, and recommend actions. These outputs are tools to assist your decision-making; they do not make binding decisions about individuals without human review. You control agent autonomy levels and approval workflows through your Workspace settings.
Our legal bases for processing include: contract performance, legitimate interests (improving services, preventing fraud, developing products), consent, and legal obligations.
You may lodge a complaint with your local data protection authority.
11. AI-Specific Data Practices
11.1 How AI Processes Your Data
The Platform uses AI models (primarily Anthropic Claude) to analyze your data and generate outputs. When AI processes your data:
- Your Content and Contact Data are sent to AI service providers only as needed to generate the specific output you or your configured agents request
- AI providers process data according to their data processing terms (Anthropic does not use API inputs to train models)
- AI outputs are stored in your Workspace and subject to the same data protection as your other Content
11.2 AI Training
Your Content and Contact Data are not used to train third-party AI foundation models. We may use aggregated, anonymized data to improve our proprietary agent capabilities, prompt templates, and platform features.
11.3 Voice Data
If voice features are enabled in your Workspace, audio data is processed by voice infrastructure providers (ElevenLabs for synthesis, Whisper for transcription). Voice data is processed in real-time and is not retained by these providers beyond the processing session, except as required for service delivery.
12. Children's Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it promptly.
13. Third-Party Links and Services
The Platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those services. We encourage you to review their privacy policies:
- LinkedIn Privacy Policy
- X (Twitter) Privacy Policy
- Stripe Privacy Policy
- Anthropic Privacy Policy
- Granola Privacy Policy
- ElevenLabs Privacy Policy
- Google Privacy Policy
14. Changes to This Policy
We may update this Privacy Policy periodically. The "Effective Date" at the top indicates the last revision. Material changes will be communicated via email or in-app notification at least thirty (30) days before taking effect.
Your continued use of the Platform after changes become effective constitutes acceptance of the revised policy.
15. Data Controller and Processor Roles
As Data Controller: CAIO LLC is the data controller for personal information of Platform account holders (your account data, usage data, and communications with us).
As Data Processor: When you use the Platform to process Contact Data about your prospects, leads, and customers, CAIO acts as a data processor on your behalf. Our processing obligations are governed by our Data Processing Agreement.