Privacy Policy

This Privacy Policy describes how Avery Intelligence, Inc. (doing business as "Momental") ("we", "us", or "our") collects, uses, and shares information about you when you use our website, platform, and services (collectively, the "Service").

The Service is an AI-powered platform that processes workplace conversations through large language models. This creates unique privacy considerations that we detail throughout this policy.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

Important: Please also review our Terms of Service, particularly Section 5.1 (Prohibited Data Types), which lists sensitive data that must NOT be input into the Service.

We collect several types of information to provide and improve our Service:

We use the information we collect for the following purposes:

• Provide and Maintain the Service: Enable AI Employees to function, process conversations, and maintain context through our semantic memory system
• Improve and Optimize: Analyze usage patterns to enhance AI Employee performance, fix bugs, and develop new features
• Personalization: Customize AI Employee responses based on your workspace context, preferences, and interaction history
• Communication: Send service updates, security alerts, billing notifications, and respond to support requests
• Security and Fraud Prevention: Detect and prevent unauthorized access, abuse, bot loops, and security incidents
• Compliance: Fulfill legal obligations and enforce our Terms of Service
• Analytics: Understand how our Service is used to make informed business decisions and product improvements
• Knowledge Graph Construction: Create structured knowledge representations from your workspace content to power the Knowledge Library, conflict detection, and strategic alignment features
• Automated Conflict Detection: Analyze workspace content to identify contradictions, duplicates, and conflicts between information shared by team members
• Cross-Team Analysis: For workspaces with multiple teams, compare information across teams to detect strategic misalignment, duplicate efforts, or conflicting initiatives
• Document Intelligence: Process uploaded documents to extract insights, detect alignment issues, and generate strategic alerts

Automated Decision-Making:

The Service uses automated processing to:

• Detect conflicts and contradictions in your workspace content
• Extract insights and knowledge atoms from documents
• Generate strategic alerts and recommendations
• Classify and organize information in the Knowledge Library

These automated processes assist human decision-making but do not make legally binding decisions without human review. You have the right to:

• Request human review of any automated analysis
• Contest automated classifications or conflict detections
• Opt out of specific automated features where technically feasible

Data Protection Standards:

We ensure all AI Providers we utilize:

• Adhere to strict enterprise data security standards
• Are bound by Data Processing Agreements (DPAs) that govern the handling of your data
• Are contractually prohibited from using your proprietary workspace data to train their general foundation models

Subprocessors:

For a current list of all third-party AI providers and subprocessors involved in the delivery of our Service, please visit our Subprocessor List.

Your Acknowledgment:

By using AI features, you acknowledge and accept that your data will be processed by our third-party AI Providers as described in this policy and on our Subprocessor List.

We implement industry-standard security measures to protect your information:

• Encryption:
  • Data in transit: TLS 1.3 encryption for all network communications
  • Data at rest: AES-256 encryption for all stored data
  • Database encryption: Google Cloud Firestore automatic encryption
• Multi-Tenant Isolation: Your data is strictly isolated from other customers using unique tenant identifiers, namespace separation, and access control lists
• Infrastructure Security:
  • Hosted on Google Cloud Platform (SOC 2 Type II, ISO 27001 certified)
  • Infrastructure-as-code with security best practices
  • Automated security updates and patch management
  • DDoS protection and rate limiting
• Access Controls:
  • Role-Based Access Control (RBAC) for all systems
  • Multi-Factor Authentication (MFA) required for employee access
  • Principle of least privilege - employees only access data necessary for their role
  • Comprehensive audit logs of all data access
  • Annual security awareness training for all employees with data access
  • Background checks for employees with production system access
• Security Testing:
  • Annual penetration testing by third-party security firms
  • Automated vulnerability scanning and remediation
  • Regular security audits and risk assessments
• Incident Response: We maintain an incident response plan to quickly detect, contain, and remediate security incidents

In the event of a data breach that affects your personal information, we will take the following actions:

Notification Timeline:

• EU/EEA Residents (GDPR): We will notify you via email within 72 hours of becoming aware of the breach, as required by the General Data Protection Regulation
• California Residents: We will notify you "without unreasonable delay" and in no event later than the timeframes required by California Civil Code § 1798.82
• Other Jurisdictions: We will comply with applicable data breach notification laws in your jurisdiction

Information Provided:

Our breach notification will include (to the extent known at the time):

• Description of the nature of the breach
• Categories of personal information affected
• Approximate number of affected users
• Date or estimated date of the breach
• Steps we are taking to address the breach and mitigate harm
• Recommendations for actions you can take to protect yourself
• Contact information for questions

Regulatory Notification:

• California: If the breach affects 500 or more California residents, we will notify the California Attorney General as required by law
• EU/EEA: We will notify the relevant supervisory authority (typically within 72 hours) as required by GDPR Article 33
• Other Jurisdictions: We will notify authorities as required by applicable breach notification laws

You may also report a data breach to authorities directly:

• EU residents: Contact your national data protection authority (list available at edpb.europa.eu)
• California residents: California Attorney General's Office at oag.ca.gov

We share your information with third parties only in the following circumstances:

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy. Here are our specific retention periods:

• Account Data:
  • Retained while your account is active
  • Retained for 30 days after account termination (for potential reactivation)
  • Permanently deleted 30 days after termination unless legal hold applies
• Workspace Content (Semantic Memory):
  • Stored indefinitely while your account is active (necessary for AI context)
  • Deleted within 30 days of account termination OR upon explicit deletion request
  • Important: Vector embeddings cannot be immediately removed from backup snapshots. Backups are retained for 90 days, after which vector embeddings are permanently deleted
  • You can request deletion of specific conversations or time periods by contacting support
• Usage Data & Logs:
  • Retained for 24 months for analytics and troubleshooting
  • Automatically deleted after 24 months
  • May be retained longer in aggregated, anonymized form (no personal identification)
• Billing Records:
  • Retained for 7 years for tax compliance and accounting purposes
  • Required by law in most jurisdictions
• Legal Hold: If we receive a valid legal process (subpoena, court order), relevant data may be retained beyond normal retention periods until the legal matter is resolved
• Knowledge Library Data:
  • Knowledge atoms, relationships, and derivation chains are stored indefinitely while your account is active
  • You can delete individual knowledge atoms at any time through the Knowledge Library interface
  • All knowledge data is deleted within 30 days of account termination
  • Conflict resolution history is retained for audit purposes while account is active

When data is deleted, we:

• Remove it from all active systems and databases
• Ensure it cannot be recovered through normal operations
• Overwrite storage locations where technically feasible
• Note: Backup copies are automatically deleted according to our backup retention schedule (90 days). We cannot manually remove data from backup snapshots without compromising backup integrity.

• Protected Health Information (PHI) as defined by HIPAA
• Payment Card Data including credit card numbers, CVV codes, or other PCI-DSS protected information
• Social Security Numbers, tax identification numbers, or national identity numbers
• Financial Account Credentials such as bank account numbers, routing numbers, or investment account access codes
• Biometric Data including fingerprints, retina scans, or facial recognition data
• Children's Personal Information (individuals under 13 years old) as protected by COPPA
• Authentication Credentials including passwords, API keys, access tokens, or cryptographic private keys

Why This Matters:

• The Service is NOT HIPAA-compliant, NOT PCI-DSS compliant, and NOT designed for regulated data
• All workspace content is transmitted to Anthropic's API (Section 3.1)
• AI Employees monitor all accessible channels (Section 2.4)
• We cannot guarantee protection of prohibited data types if they are input into the Service

If You Accidentally Share Prohibited Data:

• Delete the message immediately in your workspace platform
• Contact us immediately at legal@momentalos.com with details
• We will make commercially reasonable efforts to delete the data from our systems, but cannot guarantee complete removal from Anthropic's systems or backup snapshots

Violation of prohibited data restrictions will result in immediate account termination without refund, and you will be solely liable for any resulting regulatory violations, fines, or damages.

Depending on your location, you may have certain rights regarding your personal information:

Your information may be transferred to, stored, and processed in countries outside of your country of residence. These countries may have data protection laws that differ from your jurisdiction.

Primary Data Location:

• United States: All customer data is primarily stored in Google Cloud Platform's us-central1 region (Iowa, USA)
• We do NOT intentionally transfer or store customer data outside the United States

Subprocessor Locations:

• Anthropic: Data processing occurs in the United States only
• Google Cloud: While Google operates globally, your data is stored in US-based data centers
• Stripe: Payment processing occurs in the United States

International Transfer Mechanisms (EU/EEA):

When we transfer personal data from the EU/EEA to the United States, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses (2021 version) with all subprocessors that receive EU personal data
• UK International Data Transfer Agreement (IDTA): For UK data transfers, we use the UK IDTA or UK Addendum to SCCs
• Supplementary Measures: In accordance with the Schrems II decision (C-311/18), we implement technical and organizational measures including:
  • End-to-end encryption of data in transit and at rest
  • Strong access controls and authentication
  • Regular security assessments
  • Data minimization practices
• No Reliance on Privacy Shield: We do NOT rely on the invalidated EU-US Privacy Shield framework

High-Risk Jurisdiction Prohibition:

We do NOT transfer personal data to, or process data in, the following high-risk jurisdictions:

• People's Republic of China
• Russian Federation
• Countries subject to comprehensive U.S. trade embargoes (Iran, North Korea, Syria, Cuba, etc.)

Enterprise customers can request copies of our Standard Contractual Clauses and Data Processing Agreements by contacting legal@momentalos.com.

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18.

Consistent with our Terms of Service, you must be 18 years or older to create an account and use the Service.

If you are a parent or guardian and believe your child under 18 has provided us with personal information, please contact us immediately at privacy@momentalos.com. We will delete such information within 48 hours of verification.

COPPA Compliance:

We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect, use, or disclose personal information from children under 13 years of age.

We use cookies and similar tracking technologies to improve your experience:

• Essential Cookies: Required for the Service to function properly (authentication, session management, security)
• Analytics Cookies: Help us understand how users interact with the Service (page views, feature usage, error rates)
• Preference Cookies: Remember your settings and preferences (theme, language, layout preferences)

Cookie Management:

You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of the Service.

• Chrome: Settings → Privacy and Security → Cookies
• Firefox: Settings → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Cookies and Website Data

We do NOT use cookies for cross-site tracking or behavioral advertising. Our analytics are used solely to improve the Service.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email at least 30 days before the changes take effect
• Display a prominent notice in the Service
• Provide you with an opportunity to review the changes and, if you disagree, terminate your account before the changes take effect

Material changes include:

• New categories of personal information collected
• New purposes for data processing
• New third-party recipients of data
• Changes to data retention periods (shorter is non-material, longer is material)
• Reduced privacy rights or protections

Your continued use of the Service after changes to this Privacy Policy constitutes acceptance of the updated policy. If you do not agree with the changes, you must stop using the Service and may request account deletion.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Processing Agreement (DPA) Requests:

Enterprise customers requiring a Data Processing Agreement for GDPR compliance can request our standard DPA at legal@momentalos.com.