Privacy Policy

Docsly is a software product operated by MetaCTO LLC, a Delaware limited-liability company. References to “Docsly,” “we,” “us,” or “our” in this policy mean MetaCTO LLC.

Docsly is an account-intelligence assistant. With your explicit authorization, it reads work signals from connected sources (email, calendar, chat, meeting transcripts) for a single client account at a time and produces briefings, drafts, and stakeholder summaries for the principal who connected them. It does not send messages, emails, or meeting invites on your behalf.

We collect three categories of data:

1. Account & identity. Name, work email, organization name, profile photo, and authentication state, supplied by you or by Clerk (our authentication provider) when you sign in.
2. Connector content. When you authorize a connector (Google Workspace, Microsoft 365, Slack, Zoom, etc.), Docsly fetches messages, calendar events, transcripts, and metadata visible to the authorizing account, scoped to filters you set. We never request write/send scopes from any provider.
3. Operational telemetry. API call logs, agent run records, error reports, and inferred features (stakeholder names, topics, importance scores) used to power your briefings.

• To produce daily and ad-hoc briefings, response drafts, and stakeholder profiles for the principal user of each workspace.
• To detect signals that need attention (escalations, drift, decisions awaiting input) and surface them in the inbox view.
• To learn from your feedback (approve, edit, dismiss) and improve the relevance of future suggestions. Feedback labels are kept in a per workspace feedback ledger.
• To diagnose issues, monitor system health, and satisfy legal and security obligations.

We do not train large foundation models on your content. We do not sell your data. We do not use your content for advertising.

Each connector you enable goes through the provider’s standard OAuth consent screen. Docsly requests only the scopes required to read the signals you authorize. You can revoke access at any time from the provider’s security settings (Google Account, Microsoft account, Slack workspace, Zoom) and from Docsly itself (Connections → Remove). When you revoke, we stop pulling new data on the next sync cycle and you can request deletion of stored content (see Your rights).

Use of information received from Google APIs adheres to Google’s API Services User Data Policy, including the Limited Use requirements.

We rely on a small set of vendors to run the product:

• Amazon Web Services — primary infrastructure (US-East-1). All workspace data is stored in an encrypted Postgres database (RDS) and an encrypted object store (S3).
• Clerk — user authentication, session management, organization invites.
• Anthropic — large-language-model inference for briefing generation and draft writing. Per Anthropic’s API terms, your content is not used to train their models.
• Stripe — billing (only if you become a paying customer). Stripe sees billing identifiers, not workspace content.

We do not transfer workspace content to any other third party. New subprocessors will be disclosed here before they are enabled.

We keep connector content as long as your workspace is active and for up to 30 days after the workspace is deleted, so that you can restore in error. Audit logs are retained for 12 months. You can request earlier deletion at any time.

Connector tokens are stored encrypted at rest. Network traffic is TLS-only. Access to production systems is limited to MetaCTO LLC personnel with a need-to-know, behind individual SSO and 2FA. We log administrative actions on the database and review them periodically.

No system is perfectly secure. If you believe you have found a vulnerability, please email security@docsly.ai; we will acknowledge within two business days.

You can, at any time:

• See what is connected and what we’ve stored, via the in-app Connections and Signals views.
• Disconnect any individual connector and stop further ingestion.
• Delete your workspace, which removes all content and tokens associated with it within 30 days.
• Export your stored content (signals, briefings, stakeholder profiles) on request. Email privacy@docsly.ai.
• If you are a resident of California, the EEA, or the UK, you may additionally have rights of access, rectification, restriction, and portability under applicable law. Email the same address.

Docsly is a business product for adults. We do not knowingly collect data from anyone under 16. If you believe a minor has used Docsly, contact us and we will delete their data.

We will update this policy when we materially change how we handle data. Material changes will be announced to workspace admins by email at least 7 days before they take effect. The current version is always at docsly.ai/privacy.

MetaCTO LLC
chris@metacto.com
For privacy requests: privacy@docsly.ai