Privacy Policy
1. Who we are
Ahead AI ("we", "us") is operated by the team behind hello@aheadai.pro. The service consists of a mobile application distributed on the Apple App Store and Google Play, and an API at api.aheadai.pro. For GDPR we are the data controller for the information described below.
2. Data we collect
Account data
- Email, display name, password hash. Required to sign you in.
- Sign-in-with-Apple identifier or Google ID. If you choose social sign-in.
- Optional profile fields: organisation, industry, role, preferred meeting formats.
Content you create
- Meeting briefs: topic, audience type, duration, tone, and any notes you add.
- Generated scripts: openers, questions, closings, fun facts, and the tokens each generation used.
- Voice practice: recordings are sent to the server for analysis, transcribed, scored, and then the audio file is deleted. Only the transcript and scores remain.
- Favourites and folders: your saved lines.
Calendar data (optional)
- If you connect Google or Outlook, we store OAuth access and refresh tokens (AES-256-GCM encrypted at rest) and the event fields required to draft a briefing: title, description, location, start/end time, attendees' names and email addresses, organizer, meeting URL.
- You can disconnect at any time in Settings; tokens and calendar events are deleted within 24 hours.
Subscriptions
- Purchases are handled by Apple or Google; we receive only the transaction identifier, renewal date, plan, and status via RevenueCat. We never see your card.
Technical data
- Device type, OS version, app version, crash reports, and anonymised usage counts so we can fix what breaks and invest where people spend time.
- IP address is used transiently for rate limiting and audit logs. It is not used for advertising.
What we don't collect
- We don't read your other emails, contacts, photos, or microphone outside of voice practice while you're actively recording.
- We don't use third-party advertising SDKs.
- We don't sell data. Ever.
3. How we use it
Only for the purposes below, and only the minimum required:
- Deliver the product: draft openers, sync calendars, score voice takes, run subscriptions.
- Improve the product: aggregate anonymised usage to decide what to build next.
- Support you: answer your questions when you write in.
- Meet legal obligations: audit logs for security investigations, responding to lawful requests.
AI training: we do not train machine-learning models on your meeting content, voice recordings, or calendar data. OpenAI, our LLM provider, is configured via the API to exclude our traffic from training.
4. Who we share with
- OpenAI — to generate text. Your prompt (which includes meeting topic, audience, tone) is sent; the response comes back and is stored with your account. OpenAI's no-training agreement applies.
- RevenueCat — to handle subscription logic across Apple and Google.
- Amazon Web Services (us-east-1) — infrastructure hosting for the API and database.
- Sentry — crash and error monitoring. Stack traces may include IP and request paths, never your content.
- SendGrid or Amazon SES — transactional email (password reset).
Each processor is bound by a Data Processing Agreement. We do not share with advertisers, data brokers, or affiliates, because we have none.
5. How long we keep it
- Account + generated content: until you delete your account.
- Voice audio files: deleted immediately after analysis. The transcript and scores remain until you delete the take.
- Calendar tokens and events: until you disconnect or delete the account, then purged within 24 hours.
- Audit logs: 12 months for security, then deleted.
- Backups: encrypted snapshots retained for 7 days after a delete.
6. Your rights
Regardless of where you live, you can:
- Access and export all your data as JSON from Settings → Export, or by writing to us.
- Correct information by editing your profile.
- Delete your account in Settings → Delete Account. This is permanent and cascades to every row we hold.
- Port your data — the export is machine-readable JSON.
- Object / restrict processing — write to us and we will comply to the extent the law allows.
- Complain to your data protection authority (in the UK, the Information Commissioner's Office).
For CCPA residents: we do not "sell" or "share" personal information as those terms are defined under California law.
7. Security
- All traffic encrypted with TLS 1.2+.
- OAuth tokens encrypted at rest with AES-256-GCM.
- Passwords hashed with bcrypt (cost 12).
- JWT access tokens expire in 15 minutes; password reset revokes every previously-issued token.
- Least-privilege IAM, daily encrypted snapshots, locked-down networking.
No system is perfectly secure. If you suspect a breach, write to security@aheadai.pro.
8. Children
Ahead AI is not designed for users under 16 and we don't knowingly collect their data. If you believe a child has signed up, write to us and we will remove the account.
9. Changes
When we update this policy, we bump the version date above and notify active users by email. Continued use after that date constitutes acceptance.
10. Contact
Write to privacy@aheadai.pro for any privacy matter. We acknowledge within 48 hours.