# Privacy Policy Last updated: March 20, 2026 ## 1. Overview Struere ("we", "us", "our") operates the Struere platform, a permission-aware AI agent platform for small businesses. This policy describes how we collect, use, and protect your information when you use our website at struere.dev and the Struere application at app.struere.dev. ## 2. Information We Collect ### Account Information When you create an account, we collect your name, email address, and organization details through our authentication provider, Clerk. We do not store passwords directly. ### Waitlist Information If you join our waitlist, we collect your email address. This is transmitted to our team via a Discord webhook for internal tracking. ### Platform Data When using the Struere platform, we store data you provide including agent configurations, entity records, conversation threads, messages, events, and job schedules. All data is scoped to your organization and environment (development or production). ### Usage Data We track execution metrics including token usage, request duration, and agent activity for billing and performance purposes. ### WhatsApp Data If you enable the WhatsApp integration, we process inbound and outbound messages, phone numbers, and connection state to facilitate communication between your AI agents and your customers. ### Google Calendar Data If you connect Google Calendar, we request access to the following OAuth scopes via Google's authorization flow: - **https://www.googleapis.com/auth/calendar.calendarlist.readonly** — Read-only access to the list of Google calendars you're subscribed to - **https://www.googleapis.com/auth/calendar.events** — Read and write access to calendar events This data is used exclusively to enable your AI agents to list, create, update, and delete calendar events and check free/busy availability on your behalf. We store a reference to your connected calendar (calendar ID and connection state) in our database, scoped to your organization and environment. OAuth tokens are managed by Clerk and are not stored directly by Struere. We do not access calendars beyond the specific account you authorize, and we do not use your calendar data for advertising, profiling, or any purpose unrelated to providing the Struere platform. You can revoke Struere's access to your Google Calendar at any time by disconnecting the integration in the Struere dashboard or by removing access in your [Google Account permissions](https://myaccount.google.com/permissions). Struere's use and transfer of information received from Google APIs adheres to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. ## 3. How We Use Your Information - Provide and operate the Struere platform - Process AI agent conversations via third-party LLM providers - Execute custom tools in sandboxed environments - Enforce role-based access control and permission policies - Send transactional communications (session reminders, follow-ups) - Process payments through our payment provider - Improve our services and debug issues ## 4. Third-Party Services We use the following third-party services that may process your data: - **Clerk** — Authentication and user management - **Convex** — Real-time database and backend infrastructure - **Anthropic** — AI language model processing for agent conversations - **Google** — Calendar integration via Google Calendar API (OAuth 2.0) - **Fly.io** — Custom tool execution in sandboxed environments - **Vercel** — Website and application hosting - **Flow** — Payment processing Each service operates under its own privacy policy. We only share the minimum data necessary for each service to function. ## 5. Data Security We implement multiple layers of security including organization-level data isolation, environment separation (development/production), row-level security via scope rules, column-level security via field masks, API key authentication with SHA-256 hashing, and a deny-overrides-allow permission model. Custom tool execution occurs in sandboxed environments on Fly.io with restricted network access. ## 6. Data Retention We retain your data for as long as your account is active. Entity deletions are soft-deletes, meaning records are marked as deleted but retained for audit purposes. You may request full data deletion by contacting us. ## 7. Your Rights - Access the personal data we hold about you - Request correction of inaccurate data - Request deletion of your data - Export your data in a machine-readable format - Object to processing of your data To exercise these rights, contact us at privacy@struere.dev. ## 8. Cookies We use essential cookies for authentication and session management through Clerk. We do not use tracking or advertising cookies. ## 9. Children's Privacy Struere is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it. ## 10. Changes to This Policy We may update this policy from time to time. We will notify you of significant changes by posting a notice on our website. Continued use of the platform after changes constitutes acceptance. ## 11. Contact For questions about this privacy policy, contact us at privacy@struere.dev.