Privacy Policy

Effective Date: January 2, 2026

CAIO LLC ("CAIO", "we", "us") operates the CAIO Bridge platform ("Platform"). This policy explains how we collect, use, and protect your information when you use our Platform.

1. Information We Collect

1.1 Information You Provide

Account Information

Name, email address, password (stored in hashed form), organization name, profile photo (optional), and job title.

Billing Information

Payment method details (processed by Stripe; full card numbers are not stored), billing address, and transaction history.

Content You Create

Documents, notes, files, tasks, email templates, drafts, sent messages, social media posts, blog posts, proposals, AI prompts and inputs, and workspace strategy and configuration data.

Contact Data (CRM)

Names and contact information of business contacts, company and employment information, communication history and notes, deal and pipeline information, and engagement scores.

1.2 Information from Third-Party Connections

When you connect third-party services, we receive data from: LinkedIn, X (Twitter), Google OAuth, Google Calendar, Gmail Intel, Quo (call tracking), HeyReach, Apollo, Instantly, Slack, Cal.com, ZeroBounce, and Granola (meeting intelligence).

1.3 Call Recording and Transcript Data

When call tracking is enabled, we process call metadata, recordings, transcripts, and AI-extracted insights. You are responsible for compliance with applicable call recording laws and obtaining participant consent.

1.4 Advisory Session Recording Data

For advisory clients, we collect audio/video recordings, transcripts, AI-generated notes, and meeting metadata. CAIO provides notice at the beginning of each recorded session. Continued participation constitutes consent.

1.5 Information Collected Automatically

• Usage Data: Pages accessed, time spent, actions taken, feature usage patterns, and agent interaction data
• Device and Technical Data: IP address, browser type, operating system, device identifiers, and referring URLs
• Email Engagement Data: Open events, link clicks, reply detection, bounce and unsubscribe events

1.6 Information from Data Enrichment

Third-party providers supplement contact data with professional titles, employment history, company information, email addresses, and verification status.

1.7 Third-Party Credential Data

API keys and authentication tokens are encrypted at rest using AES-256. Credentials are accessed only as needed for Platform features and disconnected upon account termination.

2. How We Use Your Information

• Create and manage your account and Workspace
• Process transactions and subscriptions
• Deliver Platform features (CRM, outreach, content, AI agents)
• Sync meetings and calendar events
• Publish content to your connected social accounts
• Send emails through outreach features
• Generate AI-powered content, analysis, and suggestions
• Process call transcripts and extract insights
• Track email and multi-channel engagement
• Record and transcribe advisory sessions (with consent)
• Analyze usage patterns to improve features
• Detect and prevent fraud and abuse
• Communicate service updates and support

Aggregated Data and Derived Learnings

We collect and analyze anonymized, aggregated usage data to improve the Platform. We do not sell personal information or Contact Data. We do not use your Content or Contact Data to train third-party AI foundation models.

3. How We Share Your Information

We do not sell your personal information. We share data only:

• With your consent and at your direction (publishing content, sending emails, sharing proposals)
• With service providers (sub-processors) who are contractually obligated to protect your information — see our full Sub-processors list
• When required by law or to protect our rights and safety
• In business transfers (mergers, acquisitions) with advance notification

4. Data Retention

When you delete your account, we remove your information within 30 days, except where retention is required by law.

5. Data Security

We implement comprehensive security measures including:

• Encryption of data in transit (TLS 1.2+) and at rest
• AES-256 encryption for third-party credentials and sensitive data
• Secure password hashing (bcrypt)
• Role-based access controls
• Workspace-level data isolation at the database level
• Regular security assessments

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Your Rights and Choices

• Access and Portability: Access your data through account settings; request copies in CSV or JSON format
• Correction: Update your account information at any time
• Deletion: Delete your account through settings or by contacting us
• Disconnect: Remove third-party account connections at any time
• Opt Out: Unsubscribe from promotional emails
• Session Recordings: Request deletion of specific advisory session recordings

California Residents (CCPA/CPRA)

California residents have rights to know, delete, correct, and limit use of sensitive information. We do not sell or share personal information for cross-context behavioral advertising. Contact privacy@getcaio.com to exercise your rights.

European Users (GDPR)

EEA, UK, and Switzerland users have additional rights including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Our legal bases for processing include contract performance, legitimate interests, consent, and legal obligations.

The Platform uses AI to generate content, score prospects, and recommend actions. These outputs assist your decision-making and do not make binding decisions about individuals without human review.

For international transfers, we rely on Standard Contractual Clauses. Details are in our Data Processing Agreement.

7. AI-Specific Data Practices

Your Content and Contact Data are sent to AI service providers only as needed to generate specific outputs you request. Anthropic does not use API inputs to train models. Your Content and Contact Data are not used to train third-party AI foundation models.

When voice features are enabled, audio data is processed in real-time and is not retained by voice infrastructure providers beyond the processing session.

8. Cookies and Tracking

We do not use third-party advertising cookies or sell data to advertisers. Email tracking pixels measure engagement; disable images in your email client to prevent open tracking.

9. Children's Privacy

The Platform is not intended for users under 18. We do not knowingly collect personal information from children.

10. International Data Transfers

CAIO is based in the United States. Information from outside the US will be transferred to and processed in the US. For EEA, UK, and Switzerland users, we rely on Standard Contractual Clauses and user consent.

11. Data Controller and Processor Roles

As Data Controller: CAIO is the data controller for personal information of Platform account holders (account data, usage data, communications).

As Data Processor: When the Platform processes Contact Data about your prospects, leads, and customers, CAIO acts as data processor. Processing obligations are governed by our Data Processing Agreement.

12. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. Continued use after changes become effective constitutes acceptance.

Third-Party Services

Our Platform integrates with third-party services. Your use of these platforms is governed by their respective privacy policies:

• LinkedIn Privacy Policy
• X (Twitter) Privacy Policy
• Stripe Privacy Policy
• Anthropic Privacy Policy
• Granola Privacy Policy
• ElevenLabs Privacy Policy