DRAFT — pending attorney review
This Privacy Policy is a draft starting point and has not yet been reviewed by a California-licensed attorney. Bracketed placeholders such as the effective date and mailing address are not yet finalized. Do not rely on this document as final legal terms.
Privacy Policy
IXOME PRIVACY POLICY
Effective Date: [DRAFT — to be finalized] Last Updated: [DRAFT — to be finalized]
This Privacy Policy describes how IxomeAI (“we,” “us,” “our”) collects, uses, discloses, and protects your personal information when you use the IxomeAI platform.
1. INFORMATION WE COLLECT
1.1 Account Identifiers
What: A UUID (universally unique identifier) generated in your browser and stored in localStorage under the key ixome_user_id. This is your primary account identifier.
How collected: Generated automatically on first visit. You are not required to provide an email address or password to use the Service.
Personal data status: The UUID alone is not personal data under most definitions. However, if combined with a display name, hardware IP addresses, or Stripe customer data, the combination becomes personal data.
1.2 Profile Data
What: Your display name (optional), selected system type (Control4, Lutron, or Both), room names you configure during onboarding (stored as a JSON array), your onboarding completion status, and your experience level (numeric preference).
How collected: Provided by you during the onboarding wizard (Steps 0–4) and stored in the users table in our PostgreSQL database.
Personal data status: Display name is directly personal. Room names (“Master Bedroom,” “Home Office”) may indirectly identify you. Room configuration data reveals the layout of your home.
1.3 Hardware Configuration Data
What: Your smart-home system type, room names, and the IP addresses of your Control4 and Lutron systems.
How collected: Provided by you during onboarding and saved to your account.
Sensitivity: Home network IP addresses (e.g., 192.168.x.x) are sensitive because they enable direct communication with physical hardware in your home. These are stored in our database and used to route commands to your devices. They are not transmitted to OpenAI or Anthropic in their raw form — they are used server-side by IxomeAI’s backend to establish hardware connections.
1.4 Conversation and Command Data
What: Every message you send to the IxomeAI AI system, including natural-language commands (e.g., “Turn off the lights,” “What’s the status of my Control4 system”), and the AI-generated responses to those messages.
How collected: Captured by the LangGraph orchestration layer (backend/agents/chat_graph.py) as LangChain HumanMessage and AIMessage objects. Stored transiently in session state and persisted to file-based user memory at data/user_memory/{user_id}.json.
Transmitted to third parties: YES. Your messages are transmitted to:
- OpenAI (model: gpt-4o-mini and GPT-4, depending on the agent): for AI response generation and intent classification.
- Anthropic (model: claude-sonnet): for certain agent responses.
- Pinecone: certain messages trigger RAG (Retrieval Augmented Generation) queries. A vector representation (embedding) of your message is generated and used to search the Pinecone index.
What is NOT sent: Your hardware IP addresses, credentials, Stripe customer ID, or push subscription tokens are NOT included in messages sent to OpenAI or Anthropic.
1.5 User Memory Files
What: A per-user JSON file stored on the IxomeAI server at data/user_memory/{user_id}.json. Contents may include: your preferred hardware interaction patterns, topics you’ve asked about, hardware feedback observed during your sessions, and any preferences the AI has inferred from your interactions.
How collected: Written and updated by backend/agents/user_memory_service.py at the end of each AI session.
Sensitivity: Medium. The memory file does not contain your name or contact information. It contains behavioral data about your smart-home usage patterns.
1.6 Payment and Billing Data
What: Your Stripe customer ID (stored in the stripe_customer_id field of the users table), your subscription plan and status (user_subscriptions table), payment amounts, and timestamps of payment events.
What IxomeAI does NOT store: Your full credit card number, CVV, or bank account details. These are handled exclusively by Stripe and never transmitted to or stored by IxomeAI.
Stripe’s privacy policy: https://stripe.com/privacy
1.7 Push Notification Subscriptions
What: If you opt into web push notifications, we store your full Web Push subscription object (JSON) in the push_subscriptions table. This object contains: an endpoint URL (provided by your browser’s push service, e.g., Google FCM or Apple APNs), a public VAPID authentication key, and a P-256 ECDH key pair for message encryption.
Personal data status: The push endpoint URL identifies your specific browser installation and can be used to send you push notifications. It does not contain your name or email. Push subscription tokens are specific to your browser and device.
Retention: Deleted immediately upon account deletion request or when the push service returns a “410 Gone” error (indicating your subscription is no longer valid).
1.8 Dealer Data
What: If you are a dealer, we store: your name, email address, a unique access token (used in lieu of a password), your commission percentage, and the date your account was created. This is stored in the dealers table.
Dealer client referrals: We store the relationship between a dealer and referred clients via the referred_by_dealer_id field on the users table. We also store commission records in the dealer_commissions table, which include: the dealer ID, the referred user ID, the commission amount, the plan name, and the payment status.
1.9 Moderator Events
What: Each message processed by the AI system generates a ModeratorEvent record in the database, containing: a timestamp, a preview of the message content (first 200 characters), whether the message was blocked, the reason for blocking (if applicable), a session ID, and the channel and source of the message.
Purpose: Content safety monitoring and abuse prevention.
1.10 Scheduled Agent Run Logs
What: Each execution of IxomeAI’s automated background jobs (morning briefings, evening summaries, firmware checks, etc.) generates a ScheduledAgentRun record containing: the job ID, start time, finish time, status, and a result snippet.
Personal data: These logs may contain your user ID if the job ran on your behalf.
1.11 Marketplace Data
What: If you register as a marketplace developer, we store: your name, email, GitHub URL, agent idea description, approval status, and Stripe Connect account ID. If you purchase a marketplace agent, we store an AgentSession record containing: your user ID, the agent ID, the Stripe session ID and payment intent ID, the session status, and any session transcript.
1.12 Pinecone Vector Database
What: IxomeAI uses Pinecone to power its RAG (Retrieval Augmented Generation) feature. Pinecone stores vector embeddings — mathematical representations — of knowledge base documents about Control4, Lutron, smart-home protocols, and IxomeAI platform knowledge. The current index (ixome-support) contains approximately 6,959+ vectors.
Does Pinecone store your personal messages? Not by design. The RAG system uses your query to search Pinecone (by generating an embedding of your query and finding similar stored documents). The query text itself is processed by OpenAI’s embedding model to generate the vector, but only the query text is transmitted — not your user ID, hardware data, or subscription status.
User data isolation in Pinecone: Pinecone stores a shared knowledge base used to answer questions about smart-home systems. Your personal data, hardware details, account identifiers, and subscription status are not written to Pinecone. Pinecone is used only to retrieve relevant reference documents in response to your queries.
1.13 Usage Analytics and Server Logs
What: Standard server access logs including: IP address of the request, request path, HTTP status code, timestamp, and user agent. These are generated by Heroku’s infrastructure.
Retention: Heroku retains logs for a rolling period (typically 1,500 lines or 1 week), after which they are automatically discarded.
1.14 Cookies and Local Storage
What we set:
| Name | Type | Content | Purpose | Duration |
|---|---|---|---|---|
ixome_user_id |
localStorage | UUID | Account identification | Persistent (until cleared) |
ixome_is_subscriber |
Cookie | “true” or absent | Funnel routing (show/hide subscription banner) | Session or persistent |
ixome_playground_token |
localStorage | UUID | Playground rate limiting | Session |
ixome_dealer_token |
localStorage | Dealer access token | Dealer portal authentication | Persistent |
| Flask session cookie | Secure cookie | Encrypted session data | Server-side session management | Session |
Third-party cookies: IxomeAI does not currently embed third-party analytics, advertising, or tracking scripts. Stripe’s checkout page (which opens in a redirect) sets Stripe’s own cookies — see Stripe’s privacy policy.
2. HOW WE USE YOUR INFORMATION
| Data Category | Primary Purpose | Secondary Purpose |
|---|---|---|
| Account UUID | Identify you in the database; route your AI sessions | Link billing records |
| Display name | Personalize AI responses | None |
| Room names, system type | Route hardware commands correctly | Training better routing (de-identified) |
| AI conversation messages | Generate AI responses | Quality improvement (see Section 3) |
| User memory files | Personalize responses across sessions | None |
| Hardware IPs | Connect to your physical systems | None |
| Stripe customer ID | Process payments; manage subscription status | Tax reporting |
| Push tokens | Deliver morning briefings, alerts, push notifications | None |
| Dealer data | Administer dealer portal; calculate commissions | None |
| Moderator events | Content safety; abuse prevention | None |
| Server logs | Debugging; security monitoring | None |
3. AI MODEL DATA POLICIES
3.1 OpenAI
IxomeAI uses the OpenAI API. Under OpenAI’s API usage policies (effective March 2023), OpenAI does not use data submitted via the API to train its models by default for API customers with a zero-data-retention agreement. Standard API customers (without a zero-data-retention agreement) have their data retained by OpenAI for up to 30 days for safety monitoring, after which it is deleted.
Retention disclosure: Messages sent to OpenAI via the API may be retained by OpenAI for up to 30 days for safety monitoring before deletion, in accordance with OpenAI’s API data usage policies.
3.2 Anthropic
IxomeAI uses the Anthropic API. Anthropic’s API privacy policy states that Anthropic does not train on customer API data by default. Messages submitted via the API are processed to generate responses and are subject to Anthropic’s data retention policies, available at anthropic.com/privacy.
3.3 What We Do NOT Do
IxomeAI does not use your hardware command history, room layout data, or conversation transcripts to train AI models operated by IxomeAI or any third party without your explicit consent. Aggregated, de-identified usage statistics (e.g., “X% of commands are lighting control requests”) may be used to improve the Service.
4. HOW WE SHARE YOUR INFORMATION
We do not sell your personal information. We share information only as follows:
Service Providers (Processors):
| Processor | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|
| Heroku (Salesforce) | All data (hosting) | Platform hosting | salesforce.com/privacy |
| Stripe | Stripe customer ID, transaction metadata | Payment processing | stripe.com/privacy |
| OpenAI | AI conversation messages | AI response generation | openai.com/privacy |
| Anthropic | AI conversation messages | AI response generation | anthropic.com/privacy |
| Pinecone | Query embeddings | RAG knowledge retrieval | pinecone.io/privacy |
| Tavily | Search queries (for research agents) | Web search | tavily.com/privacy |
| LangChain/LangSmith | Conversation traces (if tracing enabled) | Observability | langchain.com/privacy |
| If Google API is used for specific agents | Research | policies.google.com/privacy |
Legal Requirements: We may disclose personal information if required by law, court order, or government authority, or if we believe disclosure is necessary to protect the safety of any person or the security of the Service.
Business Transfers: In connection with a merger, acquisition, or sale of IxomeAI’s assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections.
5. DATA SECURITY
We implement industry-standard security measures to protect your personal information:
- Encryption in transit: All communications between your browser and IxomeAI’s servers are encrypted using TLS 1.2 or higher. All communications between IxomeAI’s backend and hardware systems use TLS where supported.
- Database security: The PostgreSQL database is hosted on Heroku Postgres, which provides encryption at rest (AES-256) and encrypted connections.
- Secrets management: API keys and credentials are stored as Heroku environment variables (config vars), not hardcoded in source code.
- Access control: Administrative access to the database and production environment is restricted.
Despite these measures, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security.
If you discover a security issue, please report it responsibly to security@ixome.ai.
6. YOUR PRIVACY RIGHTS
6.1 California Residents (CCPA / CPRA)
California residents have the following rights under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.):
Right to Know: You may request that we disclose: (a) the categories and specific pieces of personal information we have collected about you; (b) the categories of sources from which we collected it; © our business purpose for collecting it; (d) the categories of third parties with whom we share it.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., information needed to complete a transaction, comply with legal obligations, or exercise free speech).
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. This right is therefore satisfied by our current practices.
Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information (such as home network credentials) for any purpose other than providing the Service.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
How to Submit a Request: Email privacy@ixome.ai with the subject line “California Privacy Request.” We will respond within 45 days, extendable by an additional 45 days with notice.
Verification: Because our accounts are UUID-based and not tied to email addresses, we will need to verify your identity by asking you to confirm your account UUID and at least one other piece of identifying information (e.g., your display name, hardware system type, or subscription plan).
6.2 European / UK Residents (GDPR / UK GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under the GDPR and/or UK GDPR. Your rights include:
- Right of Access (Article 15): Obtain a copy of your personal data.
- Right to Rectification (Article 16): Correct inaccurate data.
- Right to Erasure (Article 17): Request deletion (“right to be forgotten”).
- Right to Restriction (Article 18): Restrict processing.
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format.
- Right to Object (Article 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, withdraw at any time.
Legal basis for processing: IxomeAI processes your personal data on the following bases:
- Performance of contract: Processing necessary to provide the Service you have subscribed to.
- Legitimate interests: Security monitoring, fraud prevention, service improvement.
- Consent: Push notification subscriptions.
- Legal obligation: Retaining billing records for tax purposes.
Data Protection Officer: IxomeAI has not yet appointed a formal DPO. Until one is designated, direct GDPR inquiries to privacy@ixome.ai.
EU Representation: EU residents may direct any GDPR inquiries to privacy@ixome.ai.
International Data Transfers: Your personal data is processed in the United States. If you are located in the EEA, this constitutes a transfer of personal data to a third country. IxomeAI relies on Standard Contractual Clauses (SCCs) where applicable.
6.3 Other Rights
Residents of other U.S. states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, etc.) may have similar rights. Contact privacy@ixome.ai to exercise any applicable state privacy rights.
7. CHILDREN’S PRIVACY
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a dealer who has provisioned IxomeAI for a household with children, note that:
(a) Children under 13 should not be given access to the AI chat interface;
(b) HVAC, lock, and security camera control commands issued by or on behalf of minor household members are the responsibility of the adult account holder and/or the provisioning dealer;
© The Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) requires verifiable parental consent before collecting personal information from children under 13. IxomeAI does not have a mechanism for verifiable parental consent and therefore does not knowingly permit children under 13 to create accounts.
If a child under 13 has used the Service, contact privacy@ixome.ai and we will delete any associated data promptly.
8. DATA RETENTION
See Section 12 of the Terms of Service for the complete retention schedule. Summary:
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| User UUID, profile, room names | Until deletion request + 30 days | SQL DELETE cascade |
| User memory files | Until deletion request | File system delete |
| Push subscriptions | Immediately on deletion | SQL DELETE |
| Conversation transcripts (AgentSession) | 30 days + deletion request period | SQL DELETE |
| Moderator events | 90 days | SQL DELETE via cleanup job |
| Stripe billing records | 7 years (legal requirement) | Retained; customer ID only |
| Hardware command audit logs (future) | 3 years | SQL DELETE |
| Server access logs | 1 week (Heroku rolling) | Automatic |
| LangSmith traces | Per LangChain policy | LangChain dashboard |
9. CONTACT US
Privacy inquiries: privacy@ixome.ai
Security disclosures: security@ixome.ai (see responsible disclosure policy)
Mailing address: IxomeAI | San Diego, California | [mailing address — finalized at incorporation]