1. Who we are
AskNell is operated by otageLabs, a sole-trader consultancy based in Melbourne, Australia. When this policy says "we" or "us," it means otageLabs.
2. Data we collect
Account data
When you create an account we collect your email address, display name, and a hashed password. If you sign in via Google, Microsoft, or Apple, we receive the email and name your provider shares — nothing more.
Email and calendar data
When you connect a Google or Microsoft account, we sync your email and calendar data into a private, per-user markdown vault so the assistant can read and act on it. We access only the scopes you grant during OAuth. Synced content stays within your vault and is never shared with other users.
Voice audio
Voice conversations use ElevenLabs for speech-to-text and text-to-speech. Audio is streamed to ElevenLabs in real time using your own API key (BYOK). We do not store voice recordings.
Usage data
We record which LLM models are called, token counts, and costs per request for metering and billing. We also collect standard web-server logs (IP address, user agent, timestamps).
3. How we use your data
- To operate the assistant — reading your email, calendar, and vault to answer questions and draft responses on your behalf.
- To process billing and enforce plan limits.
- To send transactional email (verification, password reset, billing receipts). You can opt out of lifecycle emails via an unsubscribe link.
- To improve the service — aggregate, anonymised usage statistics only.
4. Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| OpenRouter + upstream LLM providers | AI inference | Conversation text, vault excerpts provided as tool context |
| ElevenLabs | Voice (STT/TTS) | Audio stream (your own API key) |
| Stripe | Billing | Payment method and subscription state (Stripe holds card details; we never see full card numbers) |
| Resend | Transactional email | Recipient address and email content |
| Google / Microsoft | OAuth, email sync, calendar sync | OAuth tokens (encrypted at rest); synced content stays in your vault |
5. Data storage and security
- Database: PostgreSQL. OAuth tokens and API keys are encrypted at rest using Fernet symmetric encryption.
- Vault: Each user has an isolated markdown vault on the server filesystem. Path-traversal out of your vault is a hard error.
- Passwords: Hashed with Werkzeug's PBKDF2 (never stored in plain text).
- Transport: All traffic is served over HTTPS (TLS).
6. Cookies and sessions
We use Flask session cookies to keep you signed in and to protect against CSRF. We track device sessions so you can review and revoke them in Settings → Security. We do not use third-party tracking cookies. If you have enabled Google Analytics via the admin panel, a first-party GA4 cookie may be set.
7. Your rights
Data export
You can request a full export of your data (vault, conversations, usage, settings) from Settings → Privacy. The export is delivered as a ZIP file with a 24-hour download link.
Account deletion
You can delete your account from Settings → Privacy. Deletion has a 30-day grace period — signing back in during that window reactivates your account. After 30 days, your data is permanently purged.
Correction and access
You can update your email and display name in Settings at any time. To request access to data we hold about you, email privacy at asknell dot io.
8. Data retention
We retain your data for as long as your account is active. Synced email and calendar content follows your provider's retention. When you delete your account, all data is purged after the 30-day grace period. Aggregate, anonymised usage statistics may be retained indefinitely.
9. Children
AskNell is not intended for anyone under the age of 16. We do not knowingly collect data from children.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.
11. Contact
Questions about this policy? Email privacy at asknell dot io.