Privacy Policy
Last updated July 2026 · Draft — see the note at the bottom before relying on this.
This policy explains what data Olmex collects, why, and how it's handled. It applies to every organization using Olmex.
1. What we collect
- Account data — name, email, and workspace membership, via Supabase Auth.
- Work content — updates, notes, and files your team posts directly, plus content pulled from connected sources you authorize (GitHub pull requests/issues/commits, Slack messages, Jira issues, CRM/metric sheets, and uploaded documents/spreadsheets/images).
- Derived data — AI-generated summaries, tags, goal mappings, and decision briefs produced from the above.
- Usage data — product analytics events (e.g. when a picture is opened or a correction is filed) used to operate and improve the service.
2. How we use it
We use your data solely to operate Olmex for your organization: ingesting and tagging work, compiling the weekly operating picture, answering questions, and detecting exceptions. We do not sell your data, and we do not share it with third parties except the named subprocessors below, who process it on our behalf under contract.
3. Subprocessors
- Anthropic— work content is sent to Anthropic's Claude models for summarization, tagging, and question-answering. See Anthropic's own data handling terms for how they process API inputs.
- Supabase — hosts our database, authentication, and file storage.
- Resend — delivers transactional email (e.g. team invites), when configured.
- Slack, GitHub, Jira — only if you explicitly connect these integrations; we read the scopes you authorize and nothing more.
These providers operate under their own terms and privacy policies, which we do not control. To the maximum extent permitted by law, Olmex is not responsible for the acts, omissions, or security incidents of these third-party providers; our responsibility is limited to choosing them with reasonable care and passing data to them only as described here.
4. Data isolation
Every organization's data is isolated at the database level (row-level security) — one workspace can never read another's data through the product. Within a workspace, room- and role-based permissions further scope who can see what (e.g. private notes are visible only to their author).
5. Data retention and deletion
We retain your organization's data for as long as your workspace is active. On request, we will delete or export your organization's data within a reasonable timeframe, subject to any legal retention obligations.
6. Security
Secrets (integration tokens) are encrypted at rest. Access to production data is limited to engineers who need it to operate the service, and cross-workspace administrative access is itself audited and logged.
7. Your rights
Depending on your jurisdiction, you may have rights to access, correct, or delete your personal data. Contact us to exercise these rights.
8. Changes to this policy
We may update this policy as the product evolves. Material changes will be communicated to workspace admins.
9. Contact
Questions about this policy: privacy@olmex.ai.
Note: this is a starting draft written to describe what Olmex actually does, adapted from standard SaaS privacy templates. It has not been reviewed by a lawyer and should not be relied on as a substitute for legal advice — have counsel (and, if applicable, a data-protection review) confirm this before it governs real customer data.