Privacy Policy
UsefulAI by Phenomenon Labs, Inc.
1. Overview
Phenomenon Labs, Inc. ("we," "our," or "us") operates UsefulAI, a platform that provides specialized AI tools ("AI Specialists") that integrate with existing AI assistants like Claude, ChatGPT, and Microsoft Copilot. This Privacy Policy explains how we collect, use, protect, and share information when you use our service.
- We only access data you explicitly authorize through secure OAuth connections
- We do not store your passwords or credentials from third-party services
- Your data is used solely to provide the AI specialist services you request
- You can revoke access permissions at any time
- This policy complies with CCPA, CPRA, GDPR, and PIPEDA requirements
By using UsefulAI, you consent to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our service.
2. Information We Collect
2.1 Categories of Personal Information (CCPA/CPRA Required Disclosure)
Category | Examples | Sources | Business Purpose |
---|---|---|---|
Identifiers | Name, email, IP address, account ID | You, automatic collection | Account management, service provision |
Commercial Information | Subscription details, billing history | You, payment processors | Billing, subscription management |
Internet Activity | Usage patterns, feature interactions | Automatic collection | Service improvement, analytics |
Professional Information | Company name, job title, business contacts | You, third-party integrations | B2B service provision |
Inferences | Usage preferences, service optimization | Our analysis of your data | Personalization, service improvement |
2.2 Account Information
When you create a UsefulAI account, we collect:
- Email address (required)
- Name (optional for individual accounts, required for business accounts)
- Company or organization name (business accounts)
- Password (encrypted using industry-standard methods)
- Account preferences and settings
- Profile information you choose to provide
2.3 Subscription and Billing Information
For paid subscriptions, we collect:
- Billing address and contact information
- Payment method information (processed securely by Stripe)
- Transaction history and invoicing details
- Tax identification information where legally required
- Business registration details for enterprise accounts
2.4 Service Usage Data
To provide and improve our services, we collect:
- AI specialist deployment configurations and settings
- Usage metrics, interaction counts, and session data
- Error logs and performance data for service reliability
- Feature usage analytics and user behavior patterns
- Support requests and communications history
- Feedback and survey responses
2.5 Third-Party Integration Data
When you connect third-party services (Google Workspace, Microsoft 365, Salesforce, etc.), we collect:
- OAuth access tokens (encrypted and securely stored)
- Integration configuration settings and permissions
- Data you explicitly authorize us to access during OAuth flow
- Metadata about connected accounts (account names, organization details)
- Refresh tokens for maintaining authorized connections
2.6 Technical Information (Automatically Collected)
We automatically collect:
- IP address and approximate geographic location (country/region level)
- Browser type, version, and user agent string
- Device information, operating system, and screen resolution
- Referring website and navigation patterns within our service
- Timestamps of service usage and session duration
- Cookies and similar tracking technologies (with your consent where required)
3. How We Use Your Information
3.1 Primary Service Delivery
- Deploy, manage, and operate AI specialists on your behalf
- Process data through AI specialists as requested and authorized
- Maintain secure connections to authorized third-party services
- Provide customer support and technical assistance
- Process payments and manage your subscription
- Authenticate users and prevent unauthorized access
3.2 Service Improvement and Development
- Analyze usage patterns to improve AI specialist performance
- Develop new features and capabilities based on user needs
- Optimize system performance, reliability, and user experience
- Conduct security monitoring and threat detection
- Perform internal research and analytics
3.3 Legal Basis for Processing (GDPR)
For users in the European Economic Area, United Kingdom, or Switzerland, we process your personal data based on:
- Contract Performance: Service delivery, account management, payment processing
- Legitimate Interest: Service improvement, security monitoring, fraud prevention
- Consent: Marketing communications, non-essential cookies, optional features
- Legal Obligation: Tax compliance, regulatory reporting, law enforcement requests
3.4 Communication
- Send service-related notifications and updates
- Provide customer support responses and technical assistance
- Share important security alerts or policy updates
- Send marketing communications (with your consent and opt-out options)
- Conduct user research and feedback surveys
3.5 Legal and Compliance
- Comply with applicable laws, regulations, and legal obligations
- Respond to legal requests, court orders, and government inquiries
- Protect our rights, property, and safety, and that of our users
- Prevent fraud, abuse, and violations of our Terms of Service
- Maintain records as required by law
4. Data Sharing and Third Parties
4.1 Service Providers and Processors
We share your information with trusted third-party service providers who assist in delivering our services. These relationships are governed by strict data processing agreements:
Category | Purpose | Examples | Data Types Shared |
---|---|---|---|
Cloud Infrastructure | Hosting and computing services | AWS, Google Cloud | Account data, usage data |
Payment Processing | Secure payment handling | Stripe | Billing information, transaction data |
Analytics | Service performance monitoring | Google Analytics (anonymized) | Usage patterns, technical data |
Customer Support | Help desk and communication | Zendesk, Intercom | Support requests, contact information |
Security | Threat detection and monitoring | Cloudflare, security vendors | IP addresses, access logs |
4.2 AI Platform Integration
UsefulAI integrates with AI platforms to deliver specialist services. We share necessary data including:
- MCP (Model Context Protocol) server configurations and tool definitions
- Data necessary for AI specialist functionality as authorized by you
- Anonymized usage patterns for service optimization
- Technical metadata required for platform integration
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the business transaction. We will:
- Provide notice of any change in ownership or control
- Ensure the acquiring party honors existing privacy commitments
- Offer you choices regarding your data if policies will change
4.4 Legal Requirements and Safety
We may disclose your information when required by law or when we believe disclosure is necessary to:
- Comply with legal obligations, court orders, or government requests
- Protect the safety and security of our users and the public
- Investigate and prevent fraud or other illegal activities
- Enforce our Terms of Service or other agreements
- Protect our rights, property, or safety
4.5 What We Do NOT Share
- We do not sell your personal information to advertisers or data brokers
- We do not share your data with unauthorized third parties
- We do not use connected service data for our own business purposes beyond providing requested services
- We do not share individual user data for marketing purposes without explicit consent
5. Data Security
5.1 Technical Security Measures
We implement comprehensive security measures to protect your information:
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication required
- OAuth Security: Industry-standard OAuth 2.0 with PKCE for third-party integrations
- Regular Audits: Ongoing security assessments and penetration testing
- Incident Response: 24/7 monitoring with dedicated security team
- Data Minimization: Collect and retain only necessary information
5.2 Infrastructure Security
- SOC 2 Type II compliant infrastructure providers
- Network isolation, firewalls, and intrusion detection
- Regular security updates and automated patch management
- Comprehensive backup and disaster recovery procedures
- Physical security controls at data center facilities
5.3 Organizational Security
- Background checks and confidentiality agreements for all employees
- Security training and awareness programs
- Principle of least privilege access
- Regular security policy updates and compliance reviews
5.4 Data Breach Response
In the event of a data security incident, we will:
- Contain and investigate the breach immediately
- Notify affected users without undue delay (within 72 hours for EU users under GDPR)
- Report to relevant authorities as required by applicable law
- Provide clear information about the incident and remedial actions
- Implement additional safeguards to prevent future incidents
6. Your Rights and Choices
6.1 Universal Rights (All Users)
- Access: Request copies of your personal information
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal data (subject to legal exceptions)
- Data Portability: Export your data in machine-readable formats
- Opt-out: Unsubscribe from marketing communications
6.2 California Residents (CCPA/CPRA Rights)
- Right to Know: Categories of personal information collected, sources, and purposes
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt-out of sale or sharing of personal information (we do not sell data)
- Right to Correct: Request correction of inaccurate information
- Right to Limit Use: Limit use and disclosure of sensitive personal information
- Right to Data Portability: Receive personal information in portable format
- Right to Non-Discrimination: Equal service regardless of whether you exercise your privacy rights
6.3 EU/UK Residents (GDPR Rights)
- Right of Access (Article 15): Obtain copy of personal data and processing information
- Right to Rectification (Article 16): Correct inaccurate personal data
- Right to Erasure (Article 17): "Right to be forgotten" in specific circumstances
- Right to Restrict Processing (Article 18): Limit processing in certain situations
- Right to Data Portability (Article 20): Receive data in structured, common format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Rights related to automated decision-making (Article 22): Not be subject to solely automated decisions
6.4 Canadian Residents (PIPEDA Rights)
- Right to Access: Request access to personal information
- Right to Correction: Correct inaccurate information
- Right to Withdraw Consent: Withdraw consent for non-essential processing
- Right to Complain: File complaints with the Privacy Commissioner of Canada
6.5 How to Exercise Your Rights
To exercise your privacy rights:
- Email us at privacy@usefulai.ai
- Use the privacy controls in your account dashboard
- Contact our Data Protection Officer (for EU residents)
- Submit requests through our privacy portal at usefulai.ai/privacy-request
We may need to verify your identity before processing requests. For GDPR requests, we respond within one month. For CCPA requests, we respond within 45 days.
7. Data Retention
7.1 Retention Periods by Data Type
Data Category | Retention Period | Legal Basis | Deletion Criteria |
---|---|---|---|
Account Information | Duration of account + 90 days | Service provision | Account closure confirmation |
Usage and Analytics Data | 24 months | Service improvement | Statistical value expires |
Billing Records | 7 years | Legal/tax obligations | Regulatory requirements met |
Support Communications | 3 years | Issue resolution | Support value expires |
OAuth Tokens | Until disconnected | Service functionality | Integration removed |
Marketing Data | Until consent withdrawn | Consent | Opt-out requested |
Security Logs | 12 months | Security monitoring | Security value expires |
7.2 Retention Principles
Our data retention practices follow these principles:
- Necessity: Data kept only as long as necessary for specified purposes
- Proportionality: Retention periods proportionate to data sensitivity
- Legal Compliance: Minimum retention as required by applicable laws
- Regular Review: Periodic assessment of retention necessity
- Secure Deletion: Irreversible deletion when retention period expires
7.3 Deletion Process
When you delete your account or request data deletion:
- Account information deleted within 30 days of verification
- All AI specialist deployments immediately terminated
- Third-party integration tokens revoked immediately
- Backups containing your data deleted within 90 days
- Some data may be retained longer for legal compliance (e.g., billing records)
- Anonymized or aggregated data may be retained for statistical purposes
7.4 Legal Holds
Data subject to legal holds (litigation, investigations, regulatory requests) will be preserved beyond normal retention periods until the hold is lifted.
8. International Data Transfers
8.1 Transfer Locations
UsefulAI is based in the United States. Your information may be transferred to and processed in:
- United States (primary processing location)
- Countries where our service providers are located
- Countries where you authorize third-party integrations
8.2 Safeguards for International Transfers
EU to US Transfers
- EU-US Data Privacy Framework participation (DPF-certified organizations)
- Standard Contractual Clauses (SCCs) with supplementary measures
- Adequacy decisions where applicable
- Additional safeguards including encryption and access controls
Canada to US Transfers
- Contractual commitments ensuring comparable level of protection
- User notification of cross-border data processing
- Right to know jurisdictions where data is processed
Other International Transfers
- Appropriate safeguards as required by applicable privacy laws
- Due diligence on destination country privacy protections
- Contractual commitments from receiving parties
8.3 Your Rights Regarding Transfers
You have the right to:
- Know the countries where your data is processed
- Receive information about safeguards protecting your data
- Object to transfers in certain circumstances (GDPR)
- Request information about adequacy decisions or appropriate safeguards
9. Regulatory Compliance
9.1 CCPA/CPRA Compliance
- Annual gross revenue exceeds $25 million threshold
- Full B2B and employee data protection (exemptions expired January 1, 2023)
- Comprehensive consumer rights implementation
- Regular privacy policy updates reflecting CPRA requirements
- Data minimization and purpose limitation practices
9.2 GDPR Compliance
- Lawful basis established for all processing activities
- Data Protection Impact Assessments (DPIA) for high-risk processing
- Privacy by design and by default implementation
- Data Protection Officer appointed for EU operations
- Records of processing activities maintained
9.3 PIPEDA Compliance
- 10 Fair Information Principles fully implemented
- Accountability measures with designated privacy officer
- Consent mechanisms appropriate to data sensitivity
- Cross-border transfer safeguards and notifications
- Breach notification procedures for significant harm
9.4 Sector-Specific Compliance
Financial Services (GLBA)
If providing financial advisory services:
- Privacy notices for nonpublic personal information
- Opt-out rights for information sharing
- Safeguards rule compliance for customer data
Healthcare (HIPAA)
If processing protected health information:
- Business Associate Agreements with covered entities
- Minimum necessary standard implementation
- Breach notification within 60 days
9.5 Data Protection Officer
Our Data Protection Officer can be reached at:
- Email: dpo@usefulai.ai
- Role: Independent oversight of data protection practices
- Responsibilities: Privacy compliance monitoring, user rights fulfillment, regulatory liaison
10. AI and Automated Processing
10.1 AI Processing Disclosure
10.2 Types of AI Processing
- Service Optimization: AI algorithms optimize performance and user experience
- Data Analysis: Automated analysis of usage patterns for service improvement
- Personalization: AI-driven customization of features and recommendations
- Security Monitoring: Automated threat detection and anomaly identification
- Content Processing: AI analysis of data you authorize us to access
10.3 Automated Decision-Making
We use automated processing for:
- Account security and fraud detection
- Service personalization and optimization
- Usage analytics and performance monitoring
- Content filtering and safety measures
10.4 Your Rights Regarding AI Processing
- Right to Explanation: Request information about AI decision-making logic
- Right to Human Review: Request human intervention in automated decisions affecting you
- Right to Challenge: Contest automated decisions and request reconsideration
- Right to Opt-Out: Opt-out of non-essential automated processing where technically feasible
10.5 AI Data Training
We do not use your personal data to train AI models unless:
- You provide explicit consent for such use
- Data is fully anonymized and cannot be linked back to you
- Processing is necessary for service functionality you requested
10.6 Third-Party AI Services
When integrating with third-party AI platforms:
- Data is processed only as necessary for authorized services
- We maintain contractual protections for your data
- You can control which AI services have access to your data
- Processing logs are maintained for transparency and accountability
11. Changes to This Policy
11.1 Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. When we make changes, we will:
For Material Changes:
- Notify you by email at least 30 days before changes take effect
- Post a prominent notice on our website
- Update the "Last Updated" date at the top of this policy
- Provide a summary of key changes
- For significant changes affecting your rights, obtain renewed consent where required
For Minor Changes:
- Update the policy with immediate effect
- Note changes in our policy changelog
- Update the "Last Updated" date
11.2 Your Options
When we update this policy:
- Continued use constitutes acceptance of the updated policy
- You may delete your account if you disagree with changes
- For material changes, we may require active consent
- You can always contact us with questions about changes
11.3 Policy Archive
Previous versions of this Privacy Policy are archived and available upon request for your reference and legal compliance purposes.
12. Contact Information
Privacy Questions and Requests
General Privacy Inquiries:
Email: privacy@usefulai.ai
Response Time: 5 business days
Data Protection Officer (EU/UK residents):
Email: dpo@usefulai.ai
Response Time: 3 business days
CCPA/CPRA Requests (California residents):
Email: ccpa@usefulai.ai
Online Portal: usefulai.ai/privacy-request
Response Time: 45 days (extendable to 90 days)
Company Information:
Phenomenon Labs, Inc.
1449 S Michigan Ave STE 13239
Chicago, IL 60605
United States
EU Representative (for GDPR compliance):
[To be appointed as needed]
Email: eu-representative@usefulai.ai
12.1 Regulatory Contacts
You have the right to file complaints with relevant privacy authorities:
California Residents:
California Privacy Protection Agency
Website: cppa.ca.gov
Phone: 1-833-322-2772
EU/UK Residents:
Your local Data Protection Authority
EU List: edpb.europa.eu/about-edpb/board/members_en
UK: ico.org.uk
Canadian Residents:
Office of the Privacy Commissioner of Canada
Website: priv.gc.ca
Phone: 1-800-282-1376
12.2 Emergency Contact
For urgent security or privacy incidents:
- Email: security@usefulai.ai
- 24/7 Response for critical security matters