Intelligent Assistant

Privacy Policy

1. Introduction

CREAM AI, Inc. ("we," "us," or "our") operates Intelligent Assistant, a cloud-based business application for commercial real estate and related workflows. This Privacy Policy explains how we collect, use, store, and protect information when you use our web application at https://iadashboard.app and related services.

2. Information We Collect

2.1 Account Information

  • Name, email address, and profile details you provide at registration
  • Application login credentials are managed by Firebase Authentication (email and password). Microsoft and Google are used only for optional integrations after you are logged in — they do not replace your application login.
  • Subscription and billing identifiers processed through Stripe (we do not store full payment card numbers)

2.2 Intelligent Assistant and Workspace Data

Data you create or sync into your workspace is stored in Google Cloud Firestore, scoped to your account, including:

  • Contacts, properties, transactions, tasks, goals, and notes
  • Calendar events when you enable calendar sync
  • Contact notes derived from email matching when auto-scan or linking features are enabled
  • App-sharing invitations and permissions when you share modules with other users

2.3 Email and Mailbox Data

2.4 Integration Tokens

When you connect Microsoft or Google, OAuth refresh tokens are stored in a server-side vault (Firestore private subcollections accessible only by our backend). Access tokens are kept in memory or short-lived session storage — not in long-term browser local storage.

2.5 Technical and Security Data

  • Security audit logs (email access events, permission changes) stored in Firestore per user
  • Firebase App Check attestation via Google reCAPTCHA v3 to protect backend APIs from abuse
  • Standard web server and platform logs from Firebase Hosting and Cloud Functions

3. How We Use Your Information

  • Provide, operate, and maintain the application and your workspace
  • Authenticate you and enforce subscription access
  • Sync data with Microsoft 365 and Google Workspace when you connect those services
  • Process payments and manage subscriptions through Stripe
  • Facilitate app sharing between users you authorize
  • Protect against fraud, abuse, and security incidents
  • Respond to support requests and legal obligations

We do not sell your personal information. We do not use your email content for advertising or train third-party AI models on your mailbox data.

4. Third-Party Integrations

4.1 Microsoft 365 (Microsoft Graph)

Connected only after Firebase login and your explicit consent. Permissions we request include:

  • User.Read — identify your Microsoft account
  • Mail.ReadWrite — display, organize, and update messages (read/unread, folders, trash)
  • Mail.Send — send email from Message Center
  • Contacts.ReadWrite — sync contacts with your Intelligent Assistant workspace
  • Calendars.ReadWrite — sync calendar events

You may disconnect Microsoft at any time in Settings → Integrations. Microsoft's terms and privacy policy also apply to data in your Microsoft 365 tenant.

4.2 Google Workspace (Gmail, Calendar, Contacts)

Connected only after Firebase login and your explicit consent. Our use of Google user data adheres to the Google API Services User Data Policy, including Limited Use requirements. Permissions include Gmail (read and send), Calendar, and Contacts as shown on the Google consent screen at connection time.

5. App Sharing

You may invite other registered users to access specific modules in your workspace (for example, contacts or calendar) with read or write permission. Shared access is governed by invitation records in Firestore; recipients cannot self-grant access. You are responsible for reviewing who you invite and what permission level you grant.

6. Data Security

  • HTTPS/TLS for all communications; HSTS and strict Content Security Policy on hosting
  • Firebase App Check with reCAPTCHA v3 on sensitive Cloud Functions
  • Firestore and Storage security rules with per-user data isolation
  • Session timeout after inactivity; step-up password confirmation for billing and integration changes
  • HTML sanitization (DOMPurify) for untrusted email content displayed in the application
  • OAuth refresh tokens vaulted server-side; client cannot read private vault documents

7. Cookies and Similar Technologies

We use cookies and browser storage for essential operation and security. You can manage optional preferences in Settings → Data → Cookie Preferences.

  • Essential: Firebase authentication session, MSAL/Google OAuth session data in sessionStorage, cookie-consent preferences, and App Check/reCAPTCHA signals required to protect the service
  • Analytics: Firebase Analytics is disabled in our production build. We do not currently deploy third-party behavioral analytics cookies even if you opt in — the preference is recorded for future policy changes only
  • Marketing: We do not currently deploy marketing or advertising tracking cookies on the application

8. Data Processors and Sub-Processors

  • Google Firebase / Google Cloud: hosting, database, authentication, Cloud Functions, Storage
  • Microsoft Corporation: email, calendar, and contacts APIs when you connect Microsoft 365
  • Google LLC: Gmail, Calendar, and Contacts APIs when you connect Google; reCAPTCHA for App Check
  • Stripe, Inc.: subscription billing and customer portal (payment cards are handled by Stripe)

9. Your Rights and Choices

  • Access / export: Settings → Data → Export All Data
  • Delete account: Settings → Data → Delete Account
  • Disconnect integrations: Settings → Integrations
  • Cookie preferences: Settings → Data → Cookie Preferences
  • GDPR/CCPA rights: contact support@creamai.tech — we respond within 30 days

10. Data Sharing and Disclosure

We do not sell personal information. We may disclose information only: with your consent; to service processors listed above; to comply with law; or in connection with a merger or acquisition (with notice where required).

11. Data Retention

  • Workspace data: retained until you delete your account or specific records
  • Local email cache: cleared on logout
  • OAuth vault tokens: deleted when you disconnect an integration or delete your account
  • Account data after deletion: removed within 30 days except where law requires retention

12. Children's Privacy

The service is not intended for users under 18. We do not knowingly collect information from children under 13.

13. Data Breach Notification

If a breach affecting your personal information is discovered, we will notify affected users and regulators as required by applicable law. Report suspected issues immediately to support@creamai.tech.

14. International Transfers

Data may be processed in the United States and other countries where our processors operate. We use appropriate safeguards such as Standard Contractual Clauses where required for cross-border transfers.

15. Compliance and Security Program

We maintain security controls aligned with industry practice and document them in an internal SOC 2 Type I design assessment (June 2026). This is an internal readiness review — not an independent CPA attestation. A formal SOC 2 Type II report from a licensed auditor is not yet published.

We design our practices to support GDPR, CCPA, and provider policies (Microsoft API Services, Google API Limited Use).

16. Changes to This Policy

We may update this policy and will revise the "Last Updated" date. Material changes may be communicated by email or in-app notice.

17. Contact Us