Privacy Policy

1. Who we are

This Privacy Policy describes how Shabe AI Corp ("Shabe," "we," "us") handles information when you use the Shabe application at app.shabe.ai (the "Service"). By using the Service, you agree to this policy.

2. Data we collect

Account data: Email address, name, and profile information from Clerk authentication.

Google data (with your OAuth consent): If you connect Google, we access data only through the scopes below. We request read-only access to Gmail and Google Calendar, plus basic profile scopes—we do not request Gmail send, Calendar write, or Google Drive content for this integration.

• https://www.googleapis.com/auth/gmail.readonly — email headers and message content needed for inbox-backed features (e.g., deal context).
• https://www.googleapis.com/auth/calendar.readonly — calendar events and related fields for scheduling context.
• https://www.googleapis.com/auth/userinfo.email — your Google account email address.
• https://www.googleapis.com/auth/userinfo.profile — basic profile information (e.g., name) for display in the product.

Usage data: Feature usage and session analytics (e.g., via PostHog), aggregated where possible.

Billing data: Processed by Stripe. We store customer and subscription identifiers, not full payment card numbers.

3. How we use your data

Service delivery: We process Google data only to provide features you enable—such as syncing context from email and calendar into Shabe, generating insights, and surfacing recommendations.

Read-only commitment: Shabe does not use these Google OAuth permissions to send email, create or edit Calendar events, or otherwise write to your Gmail or Google Calendar through the read-only scopes above.

AI analysis: Content may be processed by OpenAI (or similar) after sanitization steps designed to reduce personal data where feasible. OpenAI API usage is governed by OpenAI's terms and policies.

Limited Use: Our use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data; we do not use it for advertising; we do not use Google user data to train or improve generalized artificial intelligence or machine learning models; and we do not transfer it to third parties except as necessary to provide the Service (for example, secure infrastructure subprocessors) or as required by law. Human access to Google user content is limited to what is needed for support, security, legal compliance, or with your explicit consent.

4. Storage and retention

Application data is hosted on Convex. OAuth tokens are encrypted at rest (e.g., AES-256-GCM). Retention of synced content and derived records depends on your plan and settings. You may request export or deletion as described in your account and below.

When you disconnect Google or revoke access, we stop using Google credentials for your account and delete or invalidate stored tokens per our retention procedures; residual copies may persist briefly in backups before aging out.

5. Third-party services

We use subprocessors such as Clerk (authentication), Convex (database), OpenAI (AI processing), Stripe (billing), Resend (transactional email where applicable), Sentry (error monitoring), PostHog (analytics), and Upstash (rate limiting). Each receives only the data needed for its function.

6. Security

We use TLS for data in transit, encrypt sensitive secrets at rest, enforce Content Security Policy and rate limiting where applicable, and maintain audit logging for security-sensitive operations.

7. Your rights and choices

You may request access, correction, export, or deletion of your data where applicable. You can revoke Shabe's access to Google at any time in two ways: (1) disconnect the integration in Shabe settings (stops sync and removes our use of stored credentials for Google), and/or (2) revoke the app in your Google Account under Security → Third-party apps with account access. Contact privacy@shabe.ai for privacy requests.

8. Marketing site

Our public website (shabe.ai) has its own description of the product and may collect marketing or waitlist information separately. See the website Privacy Policy for that context.

9. Contact

Privacy questions: privacy@shabe.ai