ALIGNED
PRIVACY POLICY
Last updated: March 16, 2026
1. Data Controller Information
Aligned Tools is operated by:
White Elk LLC
7736 Winter Snow Ct
Newcastle, CA 95658
United States
For privacy-related inquiries, please contact us at:
- Email: [email protected]
- General support: [email protected]
- Security issues: [email protected]
2. Scope and Acceptance
By accessing or using our Services, you acknowledge that you have read and understand this Privacy Policy and agree to the collection and use of your personal information in accordance with this Privacy Policy. If you don't agree, please do not use our Services.
3. Information We Collect
We may collect personal information about you when you:
- Register an Account: Such as your name, email address, and any other details you choose to provide.
- Upload Content: Any videos, meeting recordings, files, or data ("User Content") you upload to or import into our Services.
- Communicate with Us: Information you provide when you contact us by email or through other communication methods.
We may also collect certain non-personal information automatically through cookies, logs, or other tracking technologies, such as your IP address, browser type, and usage information.
4. How We Use Your Information
We use the information we collect in the following ways:
- To Provide and Improve Our Services: We use your personal information to operate our platform, store your videos or other content, and personalize your experience.
- To Communicate with You: We may send you updates, transaction confirmations, or any other relevant administrative messages regarding your account and the Services.
- Customer Support: We use your information to respond to inquiries, diagnose issues, and provide support.
- Security and Fraud Prevention: We may use your data to detect, prevent, or investigate security breaches, fraudulent activities, or violations of our Terms of Service.
- AI-Powered Features: We process your data using AI services (OpenAI, Anthropic, AssemblyAI, Fireworks AI, and optionally Mem0) to provide intelligent features such as meeting transcription, chat assistance, workflow intelligence, content generation, voice agent interactions, and personalized learning. This processing is based on your consent and our legitimate interest in providing advanced functionality.
Data Not Used for Training: Your data is never used to train AI models. We have agreements with our AI providers (OpenAI, Anthropic, AssemblyAI, Fireworks AI, and Mem0) that explicitly prohibit them from using your data for model training purposes. For more details, see their privacy policies: OpenAI Privacy Policy, Anthropic Privacy Policy, AssemblyAI Privacy Policy, Fireworks AI Privacy Policy, and Mem0 Privacy Policy.
Lawful Basis (GDPR): We process your personal data based on: (1) Your consent when you use AI-powered features, (2) Contractual necessity to provide the Services you requested, (3) Compliance with legal obligations, and (4) Our legitimate interests in improving and securing our Services.
5. Where and How Your Data Is Stored
We use the following trusted subprocessors to store and process your data:
- Amazon AWS S3: We store video files and other User Content using Amazon Web Services (AWS) Simple Storage Service (S3). AWS has its own robust security measures and complies with industry standards.
- Supabase (PostgreSQL): We utilize Supabase services for database management, storing user profiles, meeting data, chat messages, and application data. All sensitive data such as OAuth tokens are encrypted at rest using AES-256-GCM encryption with Supabase Vault for defense-in-depth security.
- Clerk: We use Clerk for secure authentication and user identity management.
- OpenAI: We process data through OpenAI's API for AI-powered features (chat, transcription, intelligence). OpenAI does not use your data for training.
- Anthropic (Claude): We process data through Anthropic's API for AI-powered features. Anthropic does not use your data for training.
- AssemblyAI: We process audio data through AssemblyAI's API for meeting transcription features. AssemblyAI does not use your data for training.
- Fireworks AI: We process data through Fireworks AI's API for AI-powered features. Fireworks AI does not use your data for training.
- Mem0 (optional): If enabled, we process data through Mem0's API for personalized learning and feedback features. Mem0 does not use your data for training.
- LiveKit: We use LiveKit's real-time communication infrastructure to provide voice agent features. Audio data is processed in real time and is not stored by LiveKit after the session ends.
- LemonSlice: We use LemonSlice's API to provide avatar-based visual representations during voice agent sessions. LemonSlice receives real-time audio and session data only for the duration of the session.
- Google: We integrate with Google Calendar API and Gmail API to sync your calendar events and email data. Google processes data in accordance with their Privacy Policy.
- Yahoo: We integrate with Yahoo Mail API to sync email data for email intelligence features.
- Atlassian (JIRA): We integrate with JIRA's API to sync project management data including issues, sprints, and team information. See Atlassian Privacy Policy.
- Slack: We integrate with Slack's API to sync messages, channel metadata, and conversation data for workflow intelligence features. See Slack Privacy Policy.
- Microsoft Teams: We integrate with Microsoft Teams API to sync meeting and communication data. See Microsoft Privacy Statement.
- Zoom: We integrate with Zoom's API to import meeting recordings and associated metadata for transcription and analysis. See Zoom Privacy Policy.
- GitHub: We integrate with GitHub's API to sync repository data and development activity for workflow intelligence features.
- Linear: We integrate with Linear's API for project management data synchronization.
- Asana: We integrate with Asana's API for project management data synchronization.
- Monday.com: We integrate with Monday.com's API for project management data synchronization.
- Notion: We integrate with Notion's API for workspace and document data synchronization.
- X (formerly Twitter): We integrate with X's API for social media publishing and analytics features.
- TikTok: We integrate with TikTok's API for social media publishing and analytics features.
- Instagram: We integrate with Instagram's API for social media publishing and analytics features.
- Stripe: We use Stripe for payment processing. Stripe handles payment information according to PCI DSS standards. See Stripe Privacy Policy.
By using our Services, you agree to your data being transferred to, stored in, and processed by these third-party providers. We take commercially reasonable measures to ensure that any transfer of your data is performed securely and in accordance with applicable laws, including GDPR requirements for international data transfers.
Data Encryption: We implement industry-standard encryption measures including AES-256-GCM encryption for OAuth tokens, TLS for data in transit, and Supabase Vault encryption for defense-in-depth protection of sensitive credentials.
6. Disclosure of Your Information
We do not rent, sell, or share personal information about you with third parties except as described in this Privacy Policy or with your consent. We may share information in the following contexts:
- Service Providers: We may share your information with third-party service providers who perform services on our behalf, such as payment processing, analytics, or technical support.
- Legal Requirements: We may disclose your information if required by law, subpoena, or court order, or if we believe it is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to appropriate confidentiality arrangements.
7. Cookies and Tracking Technologies
We use cookies, web beacons, and similar technologies to collect information about your use of the Services. When you first visit our site, you will see a cookie consent banner allowing you to manage your preferences.
Types of Cookies We Use:
- Essential Cookies: Required for authentication, security, and core functionality. These cannot be disabled.
- Functional Cookies: Remember your preferences such as theme settings and language choices.
- Analytics Cookies: PostHog and Google Analytics, used to understand how visitors interact with our Services. Loaded only after you consent (in required regions), or loaded by default until you opt out (in non-required regions).
- Marketing Cookies (Future): If implemented, these may be used for targeted advertising. You can opt out of these cookies.
Region-Aware Consent: To respect regional privacy laws without burdening users in jurisdictions that do not require a cookie banner, we determine your coarse location from country and state/province codes provided by our CDN (Cloudflare). No precise location or personal data is used. The resulting code (for example, US-CA or DE) is stored in a short-lived, non-sensitive cookie named aligned-geo so the consent banner can decide which flow to apply.
- Explicit opt-in regions (banner shown, analytics off by default): European Union / EEA, United Kingdom, Switzerland, Brazil, Turkey, South Korea, Quebec (Canada), and all US states with comprehensive privacy laws (California, Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island).
- Silent opt-in regions (no banner, analytics on by default): All other locations. You may withdraw consent at any time via the "Your Privacy Choices" link in the footer of every page, which re-opens the consent controls (CCPA §1798.135 compliance).
Managing Cookie Preferences: Use the "Your Privacy Choices" footer link at any time to review and change your analytics consent, regardless of your region. Signed-in users can also manage consent from Settings → Privacy. Disabling essential cookies through your browser may impact authentication and core functionality.
You can set your browser to refuse cookies or alert you when cookies are being sent. However, some parts of the Services may not function properly if you disable essential cookies.
8. Data Security
We maintain commercially reasonable administrative, technical, and physical safeguards designed to protect your personal information against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. Our security measures include:
- Encryption at Rest: AES-256-GCM encryption for OAuth tokens and sensitive credentials, with Supabase Vault providing defense-in-depth encryption.
- Encryption in Transit: TLS/SSL encryption for all data transmitted between your device and our servers.
- Access Controls: Role-based access controls (RBAC) and Row-Level Security (RLS) policies ensure users can only access their own data.
- Audit Logging: Comprehensive audit logs track all access to sensitive data and administrative actions (retained for 90 days).
- Rate Limiting: Distributed rate limiting protects against brute-force attacks and abuse, and ensures fair access to our Services. Rate limit violations are logged for security monitoring (retained for 30 days) and do not include personal information.
- System Monitoring: We monitor system health, performance metrics, and security events to ensure service availability and detect potential security issues. Monitoring data is retained for 90 days and does not include personal information.
- Security Headers: Implementation of security headers (CSP, HSTS, X-Frame-Options) to protect against common web vulnerabilities.
While we strive to protect your personal data using industry best practices, no security system is impenetrable, and we cannot guarantee absolute security.
Data Breach Notification: In the event of a data breach that affects your personal information, we will notify you and relevant authorities within 72 hours as required by GDPR. Notifications will be sent to your registered email address and may include information about the breach, affected data, and steps you should take to protect yourself.
9. Retention of Your Information
We retain your personal information only for as long as necessary to provide the Services and comply with legal obligations. Our specific retention periods are:
- User Account Data: Retained while your account is active, plus 30 days after an account deletion request to allow for recovery or dispute resolution.
- Audit Logs: Retained for 90 days and then automatically deleted. Audit logs track security events, access to sensitive data, and administrative actions.
- Meeting Transcriptions: Retained for the lifetime of your active account or until you manually delete them.
- Chat Messages: Retained for the lifetime of your active account or until you manually delete them.
- JIRA Workflow Data: Retained for the lifetime of your active account or until you disconnect the integration.
- Email Intelligence Data: Retained for the lifetime of your active account or until you disconnect the Gmail or Yahoo Mail integration.
- Google Calendar Data: Synced calendar events are retained for the lifetime of your active account or until you disconnect the Google Calendar integration.
- Microsoft Teams Data: Synced meeting and communication data are retained for the lifetime of your active account or until you disconnect the Microsoft Teams integration.
- Zoom Recordings: Imported Zoom recordings and their transcriptions are retained for the lifetime of your active account or until you manually delete them.
- Slack Data: Synced Slack messages, channel metadata, and conversation data are retained for the lifetime of your active account or until you disconnect the Slack integration.
- Voice Agent Sessions: Voice interactions with our AI voice agent are processed in real time and are not stored after the session ends. Meeting recordings generated from voice sessions follow the Meeting Transcriptions retention policy above.
- OAuth Tokens: Retained until you disconnect the integration or the token is revoked/refreshed. Tokens are automatically deleted when you disconnect an integration.
- Marketing Campaigns: Retained for the lifetime of your active account or until you manually delete them.
- Marketing Analytics: Retained for 365 days for performance analysis and optimization, then automatically deleted.
- Marketing Posting Preferences: Retained while your account is active or until you modify your preferences.
- Rate Limit Violations: Retained for 30 days for security monitoring and abuse prevention, then automatically deleted.
- Job Execution Logs: Retained for 90 days to facilitate debugging and monitoring, then automatically deleted.
After the applicable retention period, we securely delete or anonymize your personal information. In some cases, we may retain certain information for longer periods if required by law, such as for tax, accounting, or legal compliance purposes.
Data Deletion: You can request deletion of your account and all associated data at any time through your Privacy Settings. Upon deletion, your data will be permanently removed from our production systems within 30 days, except where retention is required by law.
10. Children's Privacy
Our Services are not directed to anyone under the age of 13 (or the applicable age of digital consent in your jurisdiction), and we do not knowingly collect personal information from children. If you believe we may have inadvertently collected information from a child, please contact us so we can promptly delete it.
11. Your Privacy Rights and Choices
We provide you with comprehensive privacy controls and respect your data subject rights under GDPR and other privacy laws. You have the following rights:
Data Subject Rights (GDPR)
- Right to Access: You can access and download all your personal data in JSON format through your Privacy Settings. The export includes your profile, meetings, chat history, JIRA data, and all other personal information we store.
- Right to Rectification: You can update your account information, profile details, and preferences at any time through your Account Settings.
- Right to Erasure ("Right to be Forgotten"): You can request permanent deletion of your account and all associated data through your Privacy Settings. Your data will be deleted within 30 days.
- Right to Data Portability: You can export your data in a structured, machine-readable JSON format for transfer to another service.
- Right to Object: You can object to certain data processing activities, including marketing communications and analytics (when implemented).
- Right to Restrict Processing: You can request that we limit the processing of your personal data in certain circumstances.
- Right to Withdraw Consent: Where we process your data based on consent, you can withdraw consent at any time by disconnecting integrations or deleting specific data.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
Privacy Controls
- Account Information: Review and update your profile information through your Account Settings.
- Integration Management: Connect or disconnect third-party integrations (JIRA, Gmail, Yahoo Mail, Google Calendar, Slack, Microsoft Teams, Zoom, GitHub, Linear, Asana, Monday.com, Notion, X, TikTok, Instagram) at any time. Disconnecting an integration immediately revokes access and deletes associated tokens.
- Marketing Communications: If you wish to stop receiving marketing or promotional emails, follow the unsubscribe instructions in the email or contact us at [email protected].
- Cookies: Manage cookie preferences through our cookie consent banner or your browser settings.
- Data Export: Export all your data in JSON format through Privacy Settings.
- Account Deletion: Permanently delete your account and all data through Privacy Settings.
To exercise any of these rights or if you have questions about your privacy, please visit your Privacy Settings or contact us at [email protected]. We will respond to your request within 30 days as required by GDPR.
12. Automated Decision-Making and AI Processing (GDPR Article 22)
We use artificial intelligence and machine-learning systems to help you work more effectively. In accordance with GDPR Article 22, we disclose the following about automated processing that may significantly affect you.
AI-Powered Features That Involve Automated Processing
- Email Classification and Routing: Emails synced from your connected Gmail or Yahoo Mail account are automatically classified (e.g., urgent, action-required, informational) and may be routed to your work queue. The logic is based on email subject, sender, content patterns, and your historical preferences.
- Assignee Suggestions for JIRA Issues: When you create or triage JIRA issues, AI analyzes issue content, team member skill profiles, and historical assignment patterns to suggest the most suitable assignee. Suggestions are presented for your review — no assignment is made automatically without your approval.
- Sprint Planning Recommendations: AI systems analyze your team's historical velocity, issue complexity estimates, and workload distribution to recommend sprint compositions. These are advisory recommendations only.
- Workflow Intelligence and Pattern Analysis: Patterns in your JIRA workflow data, meeting notes, and Slack conversations are analyzed to surface insights (e.g., bottlenecks, recurring topics, risk signals). No decisions are made automatically on your behalf based on these patterns.
- Meeting Analysis: Meeting transcriptions and summaries are generated automatically using AI speech-to-text and large language models. Action items and key decisions may be extracted from transcripts. This includes recordings imported from Zoom.
- Slack Channel Intelligence: When you connect Slack, messages and conversations may be analyzed to surface workflow insights, recurring topics, and action items relevant to your projects.
- Voice Agent Interactions: Our AI voice agent processes your speech in real time using speech-to-text and large language models to provide conversational assistance. Audio is processed in real time and is not retained after the session.
Human Oversight and Your Rights
We have designed all significant automated decision-making features with mandatory human oversight:
- Human-in-the-Loop (HITL): Actions that affect external systems (e.g., creating JIRA issues, sending emails, making assignments) require your explicit approval before execution. Our HITL system presents AI suggestions for your review in the work queue.
- Right to Request Human Review: You can request human review of any AI-generated recommendation by contacting us at [email protected].
- Right to Object: You can disable AI processing of your data at any time by navigating to Settings → Privacy & Security and toggling off "AI Processing Consent". Disabling AI processing will limit intelligent features but will not affect core functionality.
- No Solely Automated Decisions with Legal Effects: None of the automated processing described above produces decisions with legal or similarly significant effects on you without human oversight.
All AI processing is subject to your consent. If you have not consented to AI processing or withdraw your consent, the AI-powered features described above will be disabled for your account.
13. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:
Your CCPA Rights
- Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you. You can access this information through your Privacy Settings where you can download a comprehensive export of your data.
- Right to Delete: You have the right to request deletion of your personal information. You can permanently delete your account and all associated data through your Privacy Settings.
- Right to Opt-Out of Sale: We do not sell your personal information to third parties, and we never will. Therefore, there is no need to opt out of such sales.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive a different level of service or be charged different prices for exercising your privacy rights.
How to Exercise Your Rights
California residents can exercise their CCPA rights through the following methods:
- Self-Service: Visit your Privacy Settings to export or delete your data immediately.
- Email: Contact us at [email protected] with the subject line "CCPA Request".
Verification: To protect your privacy and security, we may need to verify your identity before fulfilling your request. This may include confirming your email address or other account information.
Response Time: We will respond to verifiable requests within 45 days of receipt as required by CCPA. If we need more time (up to 90 days), we will inform you of the reason and extension period.
Authorized Agents: California residents may designate an authorized agent to make CCPA requests on their behalf. The authorized agent must provide written authorization from you, and we may require you to verify your identity directly with us.
14. International Users and Data Transfers
If you access the Services from outside the country in which our servers are located, your data may be transferred internationally. By using the Services, you consent to the collection, transfer, storage, and processing of your information in and to the United States and other countries in accordance with this Privacy Policy.
GDPR Compliance for European Users: If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we comply with GDPR requirements for international data transfers. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) with our subprocessors
- Data Processing Agreements (DPAs) where required
- Adequacy decisions where available
- Encryption of data in transit and at rest
Our subprocessors (AWS, Supabase, Clerk, OpenAI, Anthropic, AssemblyAI, Fireworks AI, Mem0, LiveKit, LemonSlice, Google, Yahoo, Atlassian, Slack, Microsoft, Zoom, GitHub, Linear, Asana, Monday.com, Notion, X, TikTok, Instagram, Stripe) maintain GDPR-compliant data processing practices and provide appropriate safeguards for international data transfers.
15. Changes to This Privacy Policy
We reserve the right to modify or update this Privacy Policy at any time. If we make material changes, we will notify you by posting the updated policy on our website or by other appropriate means. Your continued use of the Services after any such update indicates your acceptance of the new terms.
16. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
White Elk LLC
7736 Winter Snow Ct
Newcastle, CA 95658
United States
- General Privacy Inquiries: [email protected]
- Security Issues: [email protected]
- General Support: [email protected]
For data subject rights requests (access, deletion, portability), please use the self-service tools in your Privacy Settings for the fastest response.
We will respond to all privacy inquiries within 30 days as required by GDPR.
Disclaimer: This Privacy Policy is provided for informational purposes only and does not constitute legal advice. Please consult an attorney to ensure your privacy practices comply with all applicable laws and regulations in the jurisdictions where you operate.