Skip to content

Privacy & Data Handling

What data CMMD collects, how it's used, how to delete it. Customer-shareable. Data residency, retention, rights, AI/model boundary, change log.

What data CMMD collects, how it’s used, how to delete it. Customer-shareable.

You own your data. CMMD stores it to make the product work. We don’t sell it. We don’t train AI on it. You can export or delete it at any time. We host in the US today (EU residency Q4 2026).

CategoryExamplesRequired?
IdentityName, email, password (hashed)Required for account
ProfileAvatar, timezone, roleOptional
Workspace contentChats, threads, tasks, projects, Brain documents, calendar events, contacts, dealsCreated by use
Sidekick interactionsChat history, tool calls, attached context tagsCreated by use
IntegrationsOAuth tokens for connected accounts (Slack, Google, GitHub, etc.)Optional, per integration
Payment informationCard last-4, billing addressRequired for paid plans (handled by Stripe — full card number never touches CMMD systems)
CategoryExamples
Product analytics eventsPages visited, features used, button clicks — no raw content, no PII in event properties
LogsRequest paths, response codes, error stack traces, latency timings
Device infoUser agent string, IP address (kept 30 days), browser version
UseApproval needed?
Operate the product (display your tasks, run your chats, etc.)Implicit — required for service
Run our AI on your workspace content (Sidekick reads Brain, etc.)Implicit — required for service
Send transactional emails (password reset, invoice receipts)Implicit
Send product updates / marketing emails✅ Opt-in via Settings — Notifications
Customer support — when you contact us, we can see your data✅ Implicit; we minimize access
Aggregate analytics (“how many orgs used Brain this month”)Implicit — never per-user-identifiable externally
Training AI models🚫 NEVER. Hard architectural rule.
Sell to third parties🚫 NEVER
Share with sub-processors✅ Necessary for service — see Security Posture → Vendor list
RegionStatus
US (us-east)✅ Active — current default
EU (eu-west)🟡 Planned Q4 2026 for European customers requiring residency
Other regionsNot committed

Until EU residency ships, EU customers have a Data Processing Agreement (DPA) available on request that covers the cross-border transfer mechanism under GDPR (current basis: SCCs).

Data typeDefault retentionConfigurable
Active workspace contentIndefinite — until you deletePer item
Chat historyIndefinite — until you deletePer chat / archive flag
Ghost Mode chatsNot retained — discarded post-response(always off-the-record)
Logs30 daysNo
IP addresses (in logs)30 daysNo
Analytics events13 monthsNo
Backups30 days point-in-time + monthly snapshots 1 yearNo
Deleted account dataPurged within 30 days of deletion request(account-level GDPR right)
RightHow to exercise
Access — see all your dataSettings → Export workspace (JSON / CSV)
Portability — take it elsewhereSame export, in machine-readable format
Correction — fix wrong dataEdit in the app, or contact support@cmmd.ai
Deletion — delete specific itemsStandard delete in the app (30-day soft delete, then purge)
Account deletionSettings → Delete account — initiates 30-day purge
Opt out of marketingSettings → Notifications, OR unsubscribe link in any marketing email
Object to processingprivacy@cmmd.ai
Lodge a complaintYour local DPA (EU) or relevant authority

We respond to data subject requests within 30 days (GDPR), faster in practice.

This is the question every prospect asks. The honest answer:

  1. Inside the Sidekick: the Sidekick CAN read your Brain, chats, tasks, projects, calendar, contacts — to answer questions and take actions. This is the product.
  2. Across users: the Sidekick CANNOT read other users’ data. Org-scoping is architecturally enforced.
  3. For training: customer data is NEVER used to train Apex models or any AI. The model serving infrastructure is isolated from the training data pipeline.
  4. For the proxy (current state): today, Sidekick interactions are sent to Anthropic’s API. Per Anthropic’s terms, they do not train on API data. This dependency goes away as we transition to Apex (see ADR-0005).
  5. Ghost Mode: off-the-record chats — not stored, not extracted into memory, not used for analytics.

See the full list in Security Posture → Vendor / sub-processor list. All sub-processors have DPAs in place.

We use structured logging (log.error) with required stack: fields, but raw PII is filtered before it hits the log. Email addresses appear in logs (necessary for debugging); passwords, tokens, and bank details never do.

If you find PII in a log we shouldn’t have, treat it as a P0 incident via security@cmmd.ai.

  • Material changes to data practices get 30 days notice via email to workspace admins
  • Non-material changes (clarifications, vendor list updates) get a change-log entry but no email
  • Change log is maintained on this page (bottom)
DateChange
2026-05-19Migrated to internal-docs from Confluence
2026-05-16Initial publication