Privacy Policy
Effective date: March 2, 2026
This Privacy Policy describes how Public Archive LLC, a New Mexico limited liability company doing business as Fatbird ("Fatbird," "we," "us," or "our"), collects, uses, protects, and handles information in connection with the Fatbird service ("Service").
This policy applies to:
- Clients — businesses and individuals who subscribe to the Service.
- Users — individuals who access the Fatbird dashboard or send instructions to a Fatbird-managed inbox.
- Contacts — vendors, subcontractors, suppliers, and other third parties who communicate with a client's AI Assistant through email.
If you are a Contact who has received an email from or sent an email to a Fatbird-managed inbox, Section 8 of this policy describes how we handle your information.
1. What Fatbird Does
Fatbird is an AI email coordination service. Each client receives a dedicated email inbox managed by an AI Assistant. The client sends instructions; the Assistant handles email-based coordination on the client's behalf — contacting people, collecting information, following up, organizing responses, and presenting summaries.
To perform this function, the Assistant processes the content of email communications. This policy explains what we do and do not do with that content.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Your name and email address.
- Your business name and address.
- Your timezone and communication preferences.
- Authentication credentials (managed through our authentication provider).
2.2 Email Content
The Service processes email communications on your behalf. This includes:
- Raw email message bodies (plain text and HTML).
- Email headers (sender, recipient, subject, timestamps, threading identifiers).
- Quoted thread history within email messages.
- Attachments (documents, images, and other files sent or received via email).
Email Content is stored in our email infrastructure provider (AgentMail) as the archive of record.
2.3 Operational Data
The Assistant extracts structured information from email communications to perform coordination. This includes:
- Project and task records (status, deadlines, pending actions).
- Contact profiles (names, email addresses, business names, categories).
- Event logs (what actions were taken, when, and why).
- Extracted fields from communications (quoted prices, dates, availability, document requests).
- Routing information (which email threads belong to which projects).
- The Assistant's classification outcomes and decision records.
Operational Data is stored in the client's isolated workspace on our servers.
2.4 Payment Information
If you subscribe to a paid plan, payment information is collected and processed by our third-party payment processor. We do not receive or store your full payment card numbers. We receive only the information necessary to manage your subscription (such as the last four digits of your card, expiration date, and billing address).
2.5 Usage and Technical Data
We collect technical data necessary to operate and maintain the Service, including:
- Dashboard login timestamps and session data.
- Error logs and diagnostic information.
- Service performance telemetry (processing times, delivery outcomes, system health).
- Browser and device information when you use the web dashboard.
3. How We Use Your Information
We use the information we collect for the following purposes and no others:
3.1 To Provide the Service
- Processing inbound and outbound email on your behalf.
- Running the AI Assistant's coordination workflows.
- Sending emails to your Contacts as directed by your instructions.
- Maintaining your workspace (projects, tasks, contacts, events).
- Providing the web dashboard and account management features.
3.2 To Support and Maintain the Service
- Diagnosing and resolving technical issues (using Operational Data and telemetry — see Section 7 on our approach to human access to Email Content).
- Monitoring service reliability and performance.
- Applying security measures, including email authentication verification.
3.3 To Communicate with You
- Sending service-related notices (account confirmations, billing, important updates).
- Providing daily digest summaries and coordination reports through the Assistant.
- Responding to your support requests.
3.4 To Comply with Law
- Responding to lawful requests from government authorities, courts, or regulators.
What We Do Not Do
- We do not sell your information to anyone.
- We do not use your information for advertising.
- We do not use your Email Content to train AI models.
- We do not use your information for marketing to your Contacts.
- We do not aggregate, anonymize, or repurpose your information for benchmarks, research, analytics, or any secondary purpose.
- We do not use your information for any purpose other than providing the Service to you.
4. AI Processing of Email Content
This section describes how the AI Assistant processes your email communications. We believe this is important for you to understand.
4.1 How the AI Processes Email
When an email arrives at your Fatbird inbox, the AI Assistant reads the full content of the message — including the body, headers, and any attachments — to understand the communication, classify it, and determine the appropriate action. This is how the Assistant performs its coordination function.
The AI processes email to:
- Determine who sent the message and what it means.
- Extract relevant information (prices, dates, availability, document references).
- Update your project and task state.
- Compose and send appropriate responses.
- Generate summaries and recommendations for your review.
4.2 Third-Party AI Model Providers
The AI Assistant's reasoning is powered by large language models provided by third-party companies. As of the effective date of this policy, we use AI models from:
- OpenAI
- Anthropic
When the Assistant processes an email, the content of that email is transmitted to one of these providers' systems for AI processing. This is necessary for the Assistant to understand and act on the communication.
What these providers commit to:
All providers we use are contractually bound by their commercial API terms to not use your data to train their AI models. Specifically:
- OpenAI's API Data Usage Policy states that data submitted through the API is not used to train models.
- Anthropic's Commercial Terms prohibit use of API inputs for model training.
- Google's Cloud terms include data processing commitments that restrict use of customer data.
Provider changes:
We may change AI model providers or add new providers as the technology evolves. We will only use providers that maintain equivalent commitments regarding your data — specifically, that your Email Content will not be used to train their models. We do not provide individual notice when we change providers, but this policy will be updated to reflect the current list of providers.
4.3 What We Do Not Do with AI Processing
- We do not train AI models on your Email Content.
- We do not use your Email Content to improve AI models for other clients or any general purpose.
- We do not retain AI processing inputs or outputs beyond what is necessary to operate the Service for you.
5. How We Share Information
We share your information only as necessary to provide the Service, and with as few parties as possible.
5.1 Service Providers
We use the following categories of service providers to operate the Service:
- Email infrastructure (AgentMail) — stores and delivers email on behalf of your Assistant.
- Authentication and database (Supabase) — manages user accounts, organization data, and operational records.
- AI model providers (OpenAI, Anthropic, Google) — powers the Assistant's language understanding and generation, as described in Section 4.
- Payment processor — processes subscription payments. We do not store your full payment card information.
- Hosting and infrastructure — provides the servers and network infrastructure on which the Service runs.
These providers receive only the information necessary to perform their function. We do not share your information with any service provider for their own independent use.
5.2 What We Do Not Share
- We do not share your information with advertisers or marketing platforms.
- We do not share your information with data brokers.
- We do not share your information with other Fatbird clients.
- We do not sell your information.
5.3 Legal Requirements
We may disclose your information if required to do so by law, subpoena, court order, or government request. If we receive such a request, we will notify you before disclosing your information unless we are legally prohibited from doing so.
5.4 Business Transfers
If Public Archive LLC is involved in a merger, acquisition, or sale of substantially all of its assets, your information may be transferred to the successor entity. We will provide notice of any such transfer and the successor will be bound by the commitments in this Privacy Policy.
6. How We Protect Your Information
We implement commercially reasonable administrative, technical, and physical safeguards to protect your information. These include:
- Encryption in transit. All data transmitted between your browser, our servers, and our service providers is encrypted using TLS.
- Tenant isolation. Each client's workspace is isolated. One client cannot access another client's data. Database-level row security policies enforce this separation.
- Access controls. Access to production systems is restricted to authorized personnel using key-based authentication. Internal access follows the principle of least privilege.
- Email authentication. Inbound email is verified using DMARC, SPF, and DKIM authentication. Messages that fail authentication from Owner email addresses are held and not acted upon, protecting against email spoofing.
- Infrastructure security. Our servers use firewalled configurations with minimal public exposure. Internal services are not directly accessible from the internet.
No method of electronic storage or transmission is perfectly secure. We cannot guarantee absolute security. We do not make security promises beyond commercially reasonable measures. If we become aware of a security breach that affects your data, we will notify you as required by applicable law.
7. Human Access to Email Content
This section describes our policy on when and how Fatbird staff may access the raw content of your emails. We consider this one of the most important commitments we make to you.
7.1 The Default: No Human Access
Fatbird is designed so that the Service operates without humans reading your email. Under normal operations:
- We do not read your email message bodies.
- We do not read your email attachments.
- We do not browse your inbox.
- We do not perform routine human review or quality monitoring of your email content.
The AI Assistant operates autonomously. The Service is evaluated through outcomes and telemetry, not by humans reading your mail.
7.2 How We Support You Without Reading Your Email
When you contact us for support or when we investigate a technical issue, we use non-content diagnostic information, including:
- Whether a message was received (timestamps, thread identifiers).
- Whether it was routed to the correct project.
- What actions the Assistant took (event logs).
- What was scheduled next (follow-up deadlines).
- Whether outbound messages were sent successfully (delivery status, bounce information).
- Whether attachments were received and their technical properties (file type, size).
- Whether a system component failed (error codes, processing logs).
- The Assistant's classification and decision records (what it decided to do and why).
This operational telemetry allows us to diagnose and resolve the vast majority of issues without ever seeing your email content.
7.3 Customer-Controlled Break-Glass Access
In rare circumstances, you may want us to look at a specific message or attachment to resolve an unusual issue — for example, a formatting problem, a corrupted document, or a specific misunderstanding you need us to investigate.
In those cases, we follow a strict break-glass policy:
- Access is customer-initiated. We do not access your Email Content unless you ask us to.
- Access is scope-limited. We access only the specific thread or message you identify, not your entire inbox.
- Access is time-limited. Access is granted for the duration needed to resolve the specific issue.
- Access is logged. We maintain an internal record of who accessed what, when, and why (including the associated support request).
- Access is revocable. You can revoke the access at any time.
- Records are available. You may request a copy of the access log for your account at any time.
If you do not initiate break-glass access, Fatbird staff will not access your raw Email Content.
7.4 Practical Expectations
Fatbird is designed so you can delegate coordination without concern that humans are reading your inbox. Our support model is driven by telemetry and operational data, not by reading your mail.
We want to be honest about what any software service can credibly promise: systems must be administered, infrastructure must be maintained, and absolute guarantees that no human could ever access any content under any conceivable circumstance exceed what any service can truthfully claim. What we provide is a stronger practical guarantee: no access by default, customer-controlled break-glass when you need our help, and logged records available to you.
8. Information About Contacts and Vendors
If you are a vendor, subcontractor, or other third party who has communicated with a Fatbird-managed email address, this section is for you.
8.1 What We Collect
When you send an email to or receive an email from a Fatbird-managed inbox, we process:
- Your name and email address.
- Your business name (if provided in the communication).
- The content of your email messages (including attachments).
- Information extracted from your communications (such as pricing, availability, and scheduling details).
8.2 Why We Process This Information
We process your information solely to provide our coordination service to our client — the business whose Fatbird inbox you communicated with. The AI Assistant reads your email to understand your response, extract relevant details, and take appropriate coordination actions on our client's behalf.
8.3 How Your Information Is Used
- Your information is used only to serve the specific client you communicated with.
- Your information is not shared with other Fatbird clients.
- Your information is not used for marketing, advertising, or any purpose unrelated to the coordination service.
- Your information is not sold.
8.4 Data Isolation
Your communications with one client's Assistant are completely isolated from all other clients. There is no cross-client access to Contact information, email content, or coordination data.
8.5 Your Rights
If you have questions about how your information is being handled, or if you wish to request access to or deletion of your information, please contact us at the address provided in Section 12. We will work with you and, where necessary, with our client to address your request. Note that deletion of your information from a client's workspace may affect the client's operational records.
9. Data Retention and Deletion
9.1 Active Accounts
While your account is active, we retain all data associated with your account as necessary to provide the Service.
- Email Content is retained in our email infrastructure (AgentMail) as the archive of record.
- Operational Data is retained in your workspace for as long as needed to maintain your coordination state.
- Inbound webhook audit logs are retained on a 90-day rolling basis and then deleted.
9.2 After Cancellation
When your account is terminated (whether by you or by us):
- Export window (30 days). You have 30 days from the effective date of termination to request an export of your data. We will provide a downloadable archive containing your workspace files, email threads in standard .eml format, and account data in JSON format.
- Active deletion (90 days). After 90 days from termination, all of your data is deleted from our active systems, including your workspace, email archive, and account records.
- Backup purge (120 days maximum). Any residual data remaining in backup systems is purged within 30 days after active deletion — no more than 120 days from the date of termination.
9.3 Deletion Requests
You may request deletion of your data at any time by contacting us. If your account is still active, we will discuss the implications with you (deletion of active data will affect the Service's operation). If your account is terminated, we will process the deletion according to the timeline above, or sooner upon request where technically feasible.
9.4 Contact Data
When a client account is terminated, all Contact data associated with that client — including contact profiles, communication records, and extracted information — is deleted as part of the client's data deletion on the same timeline.
10. Data Location
The Service is available to businesses located in the United States. Our infrastructure is located in the United States. Our service providers (AgentMail, Supabase, AI model providers) process data in their respective data centers, which are located in the United States.
We do not intentionally transfer your data outside the United States. If you are a client based in the United States whose Contacts include parties in other countries, you are responsible for compliance with any laws applicable to your communications with those Contacts.
11. Your Rights
11.1 All Clients
You have the right to:
- Access your data. You can view your coordination data through the dashboard and request a full export at any time.
- Export your data. We will provide your data in a portable format (workspace files, .eml email archives, and JSON account data) upon request.
- Delete your data. You can request deletion of your data as described in Section 9.
- Revoke break-glass access. If you have granted us break-glass access to your Email Content, you can revoke it at any time.
- Request access records. You can request a copy of any break-glass access logs for your account.
11.2 California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know. You have the right to know what personal information we collect, how we use it, and with whom we share it. This Privacy Policy provides that disclosure.
- Right to delete. You have the right to request deletion of your personal information, subject to certain exceptions under the CCPA.
- Right to opt out of sale. We do not sell personal information. No opt-out is necessary.
- Right to non-discrimination. We will not discriminate against you for exercising your CCPA rights.
To exercise your rights under the CCPA, contact us at the address provided in Section 12.
11.3 Other State Privacy Laws
If you are a resident of a state with applicable consumer privacy legislation (including Virginia, Colorado, Connecticut, and others as enacted), you may have additional rights under those laws. Contact us to exercise any applicable rights, and we will respond in accordance with the requirements of your state's law.
12. Cookies and Tracking
The Fatbird web dashboard uses essential cookies for session management and authentication. These cookies are necessary for the dashboard to function and cannot be disabled while using the dashboard.
We do not use third-party advertising cookies. We do not use tracking technologies for advertising or cross-site tracking purposes.
If we implement analytics tools in the future, we will update this policy to describe what data is collected and how to opt out.
13. Children's Privacy
The Service is designed for businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a person under 18, we will take steps to delete that information.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 30 days before the changes take effect. The effective date at the top of this policy indicates when it was last updated. Previous versions of this policy are available upon request.
Your continued use of the Service after a change takes effect constitutes your acceptance of the revised policy. If you do not agree to a change, you may terminate your account before the change takes effect.
15. Contact
If you have questions about this Privacy Policy, want to exercise any of your rights, or need to reach us for any privacy-related matter:
Public Archive LLC
1209 Mountain Road Pl NE, Ste N
Albuquerque, NM 87110
United States
Email: privacy@mrfatbird.com