Privacy Policy

Last updated: December 17, 2025

Key point: Ashley does not request email/mailbox permissions and does not store email bodies. Ashley also does not store a copy of your calendar or your contacts list.

1. What Ashley Accesses (and What It Does Not)

Ashley Calendar AI (“Ashley”, “we”, “us”) is a calendar management assistant. To help you schedule and manage time, Ashley may access data from the calendar provider(s) you connect.

Email / Mailbox: Ashley does not request Gmail/Outlook Mail scopes and does not read or store email bodies.
Calendar: Ashley accesses calendar data transiently (in-memory) to check availability and to create/update events when you instruct it to do so. Ashley does not store a full copy of your calendar or calendar event bodies.
Contacts: Ashley does not bulk-download or sync your contacts by default. If contacts permissions are requested, it is for limited, user-initiated scheduling flows (e.g., selecting invitees or supporting manually added contacts). Ashley does not maintain an external-address-book-backed contacts database.

2. Data We Store

Today, Ashley stores a minimal set of data necessary to operate the service:

Account identifiers: such as your email address and basic profile identifiers from your auth provider.
OAuth tokens: access tokens and refresh tokens required to access calendar APIs (“Connected Account Tokens”).
Request/response records: Ashley stores structured records of (a) requests you make to Ashley and (b) Ashley’s responses/outcomes (sometimes referred to internally as “human-in-the-loop” workflow records). These records may include scheduling metadata such as participants, proposed times, and action outcomes.
Operational logs: routine service logs (warnings/errors) needed to run the service. We aim to avoid logging secrets; tokens and other sensitive fields should not appear in logs.

3. OAuth Permissions We Request

Below is the current set of permissions (scopes) that Ashley may request, depending on which provider you connect.

3.1 Google

https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
openid
https://www.googleapis.com/auth/calendar.events
https://www.googleapis.com/auth/calendar.calendarlist.readonly
https://www.googleapis.com/auth/contacts.readonly
https://www.googleapis.com/auth/contacts.other.readonly

3.2 Microsoft

openid
profile
email
offline_access
User.Read
ProfilePhoto.Read.All
https://graph.microsoft.com/Calendars.ReadWrite
https://graph.microsoft.com/Calendars.Read
https://graph.microsoft.com/Contacts.Read
Calendars.Read
Calendars.ReadWrite
Contacts.Read

No mailbox/email scopes: We do not request Gmail, Outlook Mail, or Microsoft Graph Mail permissions.

4. How We Use Information

We use information to provide and operate Ashley’s features, including:

Scheduling assistance and calendar event creation/updates when instructed
Availability checking and conflict detection
Preference learning based on your scheduling actions (when applicable)
Service reliability, debugging, and improving product quality

5. AI Processing

Ashley uses AI models to interpret your scheduling requests and generate structured actions. For this, Ashley may send portions of your request (and minimal relevant scheduling context) to an AI model provider (currently OpenAI) as a subprocessor.

We aim to minimize the data sent to AI models to what is needed to complete the task.
We do not send email bodies because Ashley does not access email.

6. Third-Party Services and Subprocessors

Ashley integrates with and/or is hosted by third-party service providers to deliver the service:

Microsoft Azure: hosting (Azure App Service) and database (Azure Cosmos DB using MongoDB API).
Calendar providers: Google Calendar and Microsoft Graph (and other calendar providers as supported).
OpenAI: AI model API used to interpret and fulfill requests. OpenAI states that API data is not used to train models by default, and is retained for a limited time for abuse monitoring under their policies.

7. Data Security

We implement security measures appropriate for an early-stage service, including:

Encryption in transit using HTTPS/TLS
Environment separation (Production vs PPE vs Development)
MFA enforced for critical systems (e.g., GitHub)
Operational logging designed to avoid secrets/tokens
Platform-level encryption at rest provided by our cloud providers

Reality note: Connected Account Tokens (OAuth access + refresh tokens) are currently stored in the database to maintain calendar connectivity. At this time, we do not apply additional application-layer encryption to tokens beyond platform-level protections.

8. Data Retention

Current retention behavior:

Connected Account Tokens: retained while your account remains connected, or until you revoke access.
Request/response records: currently retained indefinitely unless deleted.
Backups: production backups are performed nightly with approximately two weeks of retention.

9. Your Choices

You can:

Revoke access at any time via your Google or Microsoft account settings.
Request deletion of Ashley-stored account data by contacting us (manual process).

Note: Data export and fully automated DSAR workflows are not currently available.

10. Cookies and Tracking

We use essential cookies and similar mechanisms for:

Authentication and session management
Security protections
Basic preference/session continuity

11. Children's Privacy

Ashley Calendar AI is not intended for use by children under 13. We do not knowingly collect personal information from children under 13.

12. Changes to This Policy

We may update this policy from time to time. We will post updates on this page and revise the “Last updated” date above.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Email: sid.mathur@gmail.com