Privacy & Data Handling
What data CMMD collects, how it's used, how to delete it. Customer-shareable. Data residency, retention, rights, AI/model boundary, change log.
What data CMMD collects, how it’s used, how to delete it. Customer-shareable.
Plain-English summary
Section titled “Plain-English summary”You own your data. CMMD stores it to make the product work. We don’t sell it. We don’t train AI on it. You can export or delete it at any time. We host in the US today (EU residency Q4 2026).
What we collect
Section titled “What we collect”From the user (deliberately)
Section titled “From the user (deliberately)”| Category | Examples | Required? |
|---|---|---|
| Identity | Name, email, password (hashed) | Required for account |
| Profile | Avatar, timezone, role | Optional |
| Workspace content | Chats, threads, tasks, projects, Brain documents, calendar events, contacts, deals | Created by use |
| Sidekick interactions | Chat history, tool calls, attached context tags | Created by use |
| Integrations | OAuth tokens for connected accounts (Slack, Google, GitHub, etc.) | Optional, per integration |
| Payment information | Card last-4, billing address | Required for paid plans (handled by Stripe — full card number never touches CMMD systems) |
Automatically (operational)
Section titled “Automatically (operational)”| Category | Examples |
|---|---|
| Product analytics events | Pages visited, features used, button clicks — no raw content, no PII in event properties |
| Logs | Request paths, response codes, error stack traces, latency timings |
| Device info | User agent string, IP address (kept 30 days), browser version |
How we use it
Section titled “How we use it”| Use | Approval needed? |
|---|---|
| Operate the product (display your tasks, run your chats, etc.) | Implicit — required for service |
| Run our AI on your workspace content (Sidekick reads Brain, etc.) | Implicit — required for service |
| Send transactional emails (password reset, invoice receipts) | Implicit |
| Send product updates / marketing emails | ✅ Opt-in via Settings — Notifications |
| Customer support — when you contact us, we can see your data | ✅ Implicit; we minimize access |
| Aggregate analytics (“how many orgs used Brain this month”) | Implicit — never per-user-identifiable externally |
| Training AI models | 🚫 NEVER. Hard architectural rule. |
| Sell to third parties | 🚫 NEVER |
| Share with sub-processors | ✅ Necessary for service — see Security Posture → Vendor list |
Data residency
Section titled “Data residency”| Region | Status |
|---|---|
| US (us-east) | ✅ Active — current default |
| EU (eu-west) | 🟡 Planned Q4 2026 for European customers requiring residency |
| Other regions | Not committed |
Until EU residency ships, EU customers have a Data Processing Agreement (DPA) available on request that covers the cross-border transfer mechanism under GDPR (current basis: SCCs).
Retention
Section titled “Retention”| Data type | Default retention | Configurable |
|---|---|---|
| Active workspace content | Indefinite — until you delete | Per item |
| Chat history | Indefinite — until you delete | Per chat / archive flag |
| Ghost Mode chats | Not retained — discarded post-response | (always off-the-record) |
| Logs | 30 days | No |
| IP addresses (in logs) | 30 days | No |
| Analytics events | 13 months | No |
| Backups | 30 days point-in-time + monthly snapshots 1 year | No |
| Deleted account data | Purged within 30 days of deletion request | (account-level GDPR right) |
Your rights
Section titled “Your rights”| Right | How to exercise |
|---|---|
| Access — see all your data | Settings → Export workspace (JSON / CSV) |
| Portability — take it elsewhere | Same export, in machine-readable format |
| Correction — fix wrong data | Edit in the app, or contact support@cmmd.ai |
| Deletion — delete specific items | Standard delete in the app (30-day soft delete, then purge) |
| Account deletion | Settings → Delete account — initiates 30-day purge |
| Opt out of marketing | Settings → Notifications, OR unsubscribe link in any marketing email |
| Object to processing | privacy@cmmd.ai |
| Lodge a complaint | Your local DPA (EU) or relevant authority |
We respond to data subject requests within 30 days (GDPR), faster in practice.
How AI uses your data
Section titled “How AI uses your data”This is the question every prospect asks. The honest answer:
- Inside the Sidekick: the Sidekick CAN read your Brain, chats, tasks, projects, calendar, contacts — to answer questions and take actions. This is the product.
- Across users: the Sidekick CANNOT read other users’ data. Org-scoping is architecturally enforced.
- For training: customer data is NEVER used to train Apex models or any AI. The model serving infrastructure is isolated from the training data pipeline.
- For the proxy (current state): today, Sidekick interactions are sent to Anthropic’s API. Per Anthropic’s terms, they do not train on API data. This dependency goes away as we transition to Apex (see ADR-0005).
- Ghost Mode: off-the-record chats — not stored, not extracted into memory, not used for analytics.
Sub-processors
Section titled “Sub-processors”See the full list in Security Posture → Vendor / sub-processor list. All sub-processors have DPAs in place.
PII in error logs
Section titled “PII in error logs”We use structured logging (log.error) with required stack: fields, but raw PII is filtered before it hits the log. Email addresses appear in logs (necessary for debugging); passwords, tokens, and bank details never do.
If you find PII in a log we shouldn’t have, treat it as a P0 incident via security@cmmd.ai.
Changes to this page
Section titled “Changes to this page”- Material changes to data practices get 30 days notice via email to workspace admins
- Non-material changes (clarifications, vendor list updates) get a change-log entry but no email
- Change log is maintained on this page (bottom)
Contact
Section titled “Contact”- Privacy questions: privacy@cmmd.ai
- Data subject requests: privacy@cmmd.ai (subject line: “DSR”)
- Suspected privacy incident: security@cmmd.ai
Change log
Section titled “Change log”| Date | Change |
|---|---|
| 2026-05-19 | Migrated to internal-docs from Confluence |
| 2026-05-16 | Initial publication |