Privacy Policy
Last updated: March 13, 2026
Table of Contents
- Introduction and Scope
- Definitions
- Information We Collect
- How We Use Your Information
- Emotional and Behavioral Data
- AI Memory System
- Third-Party AI Model Processing
- Third-Party Integrations
- Data Sharing and Disclosure
- Data Storage and Security
- Data Retention
- Your Rights and Choices
- California Residents -- CCPA/CPRA
- Other State Privacy Laws
- International Users
- Children's Privacy
- SMS Privacy
- Cookies and Tracking Technologies
- Do Not Track Signals
- Changes to This Privacy Policy
- Contact Information
1. Introduction and Scope
This Privacy Policy ("Policy") describes how Jorvek LLC ("Jorvek," "Company," "we," "us," or "our"), an Ohio limited liability company located in Canton, Stark County, Ohio, collects, uses, stores, shares, and protects information in connection with the Salty Panda application and all related services (the "Service").
This Policy applies to all users of the Service, including users who access the Service via web browser, progressive web app (PWA), SMS, Telegram, or any other access method.
By creating an account and using the Service, you consent to the collection, use, and processing of your information as described in this Policy. If you do not agree with this Policy, you must not use the Service.
This Policy should be read in conjunction with our Terms of Service, our Safety Protocol, and our AI Transparency Report.
Important Notice Regarding Emotional Data: Salty Panda uses algorithmic emotional analysis as described in Section 5. This analysis is purely computational and does NOT constitute clinical psychological assessment, medical evaluation, or professional mental health services. No licensed mental health professional or medical professional is involved in analyzing your emotional data. The collection and processing of Emotional Data does not create any therapist-patient, doctor-patient, counselor-client, or other professional relationship between you and Jorvek. Please read Section 5 carefully.
2. Definitions
- "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular individual or household.
- "Conversation Data" means all text messages, image uploads, and other inputs you submit through the chat interface, as well as all AI-generated responses.
- "Memory Data" means facts, preferences, behavioral patterns, entities, relationships, beliefs, and other information algorithmically extracted from your Conversation Data and stored persistently to personalize your experience.
- "Emotional Data" means algorithmic assessments of your emotional state derived from your Conversation Data using a proprietary computational model, including numerical emotional dimensions, emotion labels, and trend indicators.
- "Behavioral Data" means information about your interaction patterns, including active hours, messaging frequency, session duration, and time between messages.
- "Usage Data" means information about how you use the Service, including AI model token consumption, voice usage, SMS counts, and features accessed.
- "Device Data" means device fingerprints (cryptographic hashes of browser headers), browser type, operating system, user-agent strings, and trusted device status.
- "Integration Data" means information received from or sent to Third-Party Services you connect via integrations.
- "Entity Data" means named entities (people, places, organizations, things) mentioned in your conversations that are extracted and stored to improve personalization.
- "Belief Data" means inferred facts, preferences, goals, and behavioral patterns the AI system derives from your conversations.
3. Information We Collect
3.1 Information You Provide Directly
- Account Information: Email address, display name, and authentication credentials. If you sign up using Google or Apple OAuth (through Clerk), we receive your name, email, and profile photo URL.
- Profile Information: Display name, persona preference, location (city/region), and timezone.
- Conversation Content: All text messages and questions you type or speak into the chat interface.
- Uploaded Images: Images you upload for AI analysis, processed client-side (HEIC to JPEG conversion, resizing to max 2048px) before transmission and stored as base64 data within your Conversation Data.
- Phone Number: If you register for SMS features, your phone number in E.164 format.
- Apple CalDAV Credentials: If you connect Apple Calendar/Reminders, your Apple ID email and app-specific password (encrypted at rest).
- Telegram Bot Token: If you connect Telegram, your bot token (encrypted at rest).
- Notes: Text content you create using the native notes feature.
- Consent Records: Your affirmative consent to Terms and data processing, with timestamp, IP address, and browser user-agent.
- App Lock Passcode: If enabled, securely hashed (never stored in plaintext).
3.2 Information Collected Automatically
- Device Information: Device fingerprint (cryptographic hash of browser headers -- not raw headers), device name, browser type and version, operating system.
- IP Address: Collected when you provide consent and during certain security-sensitive actions. Recorded in audit logs.
- Interaction Patterns: Message timestamps, session times, message count per day, average gap between messages, typical active hours.
- Usage Metrics: AI model token consumption (input/output tokens, model, cost), voice usage (provider, characters), SMS usage (direction, length -- phone numbers masked in logs).
- Error Data: If Sentry is configured, anonymized error data (stack traces with PII stripped, anonymized user ID only). No message content or email addresses are sent to Sentry.
3.3 Information from Third-Party Integrations
When you connect a Third-Party Service, we receive information based on the permissions you authorize:
- Google: Calendar events, Gmail messages, Google Tasks, Google Contacts, Maps data, Nest thermostat data (if configured)
- Microsoft: Outlook calendar events, emails, Microsoft To-Do tasks, OneDrive file listings
- Spotify: Profile, playback state, playlists, saved library, listening history, available devices
- Notion: Workspace search results, page content, database entries
- Apple: Calendar lists, events, reminder lists, reminders
- Brave Search: Search results (titles, URLs, descriptions). No user-identifying data sent to Brave.
- OpenWeatherMap: Weather data for your stored location. No user-identifying data sent.
- Telegram: Inbound message content from your Telegram bot
3.4 AI-Inferred Information
- Emotional State: Numerical emotional dimensions inferred via our emotional analysis model (see Section 5)
- Beliefs and Preferences: Inferred behavioral patterns, preferences, goals, relationships, values, and constraints
- Named Entities: People, places, organizations, things, and events mentioned in conversations
- Life Events: Birthdays, anniversaries, milestones mentioned in conversations
- Relationship Depth: Algorithmic assessment of how established your interaction history is with the AI Companion
- Corrections: Detection of when you correct the AI, used to improve response accuracy
- Session Summaries: AI-generated summaries of conversation sessions
3.5 Payment Information
When you subscribe, you provide payment information directly to Stripe, Inc. We do not receive, process, or store your credit card number, debit card number, CVV, bank account number, or other payment instrument details. We receive from Stripe only: your Stripe customer ID, subscription ID, subscription status, and payment event outcomes.
4. How We Use Your Information
- Service Delivery: To provide, maintain, and operate the Service, including processing messages, generating AI responses, and managing your account
- AI Personalization and Memory: To extract, store, and retrieve Memory Data for conversational continuity and personalization
- Emotional Intelligence: To analyze messages using our emotional analysis model and adjust the AI Companion's tone and responsiveness (see Section 5)
- Integration Functionality: To read from and write to Third-Party Services you have connected
- Proactive Notifications: To generate and deliver AI-initiated notifications (briefings, reminders, check-ins)
- Billing: To process subscriptions via Stripe, manage tier access, and enforce usage limits
- Communication: To send verification codes, device trust challenges, security alerts, and service notifications
- Security: To detect and prevent unauthorized access, abuse, and fraud via device fingerprinting, rate limiting, and audit logging
- Service Improvement: To monitor aggregate usage patterns and system performance. Admin access is restricted to aggregate counts and metadata only -- admin endpoints cannot access message content, memory text, or emotional state details.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
5. Emotional and Behavioral Data
IMPORTANT: This section describes how Salty Panda processes emotional data. Please read it carefully.
5.1 Emotional Analysis Model
Salty Panda uses a proprietary computational model to algorithmically analyze patterns in your text messages and infer approximate emotional states. The model produces multiple numerical dimensions representing aspects of your emotional state, along with emotion labels (e.g., "happy," "frustrated," "curious," "neutral") and an emotional trend indicator ("improving," "stable," or "declining").
5.2 How Emotional Analysis Works
- After each message exchange, a portion of your message and the AI response are analyzed by a delegate language model for emotional assessment
- New readings are blended with your existing emotional state to ensure smooth, stable tracking
- Emotional state naturally decays toward neutral over time when you are not actively chatting
- The resulting state modulates the AI Companion's tone, warmth, directness, verbosity, pacing, and energy
5.3 What Emotional Analysis Is NOT
You acknowledge and agree that the Service's emotional analysis:
- Is purely algorithmic pattern recognition and is NOT a clinical psychological assessment, psychiatric evaluation, emotional diagnosis, or therapeutic intervention
- Has NO clinical validity or reliability and has NOT been validated by any medical, psychological, or regulatory body
- Does NOT involve any licensed mental health professional in the analysis of your data
- Does NOT constitute the practice of psychology, psychiatry, counseling, social work, or medicine
- Does NOT create any therapist-patient, doctor-patient, or other professional relationship
- May be inaccurate, misleading, or entirely wrong
- Should NEVER be relied upon for any health, mental health, medical, or clinical purpose
5.4 Emotional Data Storage and Retention
- Current emotional state is stored per user and channel (web, SMS), with a limited rolling history of recent readings
- Emotional context at memory formation time is stored alongside Memory Data
- Emotional state naturally decays toward neutral over time
- Removed from active app systems when account deletion is processed; encrypted backups age out on their normal schedule
5.5 Emotional Data Sharing
- Transmitted to our AI model provider as part of system prompt context for response calibration
- We do NOT sell, rent, or share Emotional Data with insurance companies, employers, advertisers, data brokers, or any third party for profiling, risk assessment, employment screening, insurance underwriting, or targeted advertising
- Not accessible to Jorvek's admin panel -- admin endpoints are architecturally restricted from accessing emotional state
- May be disclosed only as described in Section 9
5.6 Your Control Over Emotional Data
- View your current state via the Vibe Check visualizer in the chat interface
- Included in full data exports (Section 12)
- Removed from active app systems when account deletion is processed
- Revoke data processing consent to prevent future emotional analysis
5.7 Behavioral Data
The Service tracks interaction patterns (active hours, message frequency, session durations, correction patterns) to personalize the AI Companion's behavior, adjust notification timing, and calibrate verbosity. This data is removed from active app systems when account deletion is processed, and encrypted backups age out on their normal schedule.
6. AI Memory System
6.1 Overview
Salty Panda uses a persistent memory system that extracts and stores factual information from your conversations to enable the AI Companion to remember details about you across sessions.
6.2 Memory Categories
The system stores multiple categories of memories with different retention characteristics:
| Category | Examples | Retention |
|---|---|---|
| Long-term facts | Your name, job, family, preferences, routines | Kept until you remove them or delete your account |
| Short-term context | Recent events, plans, time-sensitive info | 7 to 90 days (varies by type) |
| Conversation summaries | AI-generated session recaps | 30 days |
6.3 What Is Stored Per Memory
- Content: Memory text, encrypted at rest using industry-standard encryption with a unique per-tenant key
- Metadata: Memory category, relevance tags, confidence and importance ratings, and source attribution
- Emotional context: Emotional state at time of memory formation
- Search index: Numerical representation generated locally on our servers (not sent externally) for semantic search
- Temporal data: Creation time, last access time, and expiration
- Taught-by-user flag: If you explicitly taught this fact, it is immune to automatic decay
6.4 How Memories Are Created
After each message exchange, AI delegates extract notable facts and store them encrypted. Memory extraction occurs only if you have consented to data processing ("Allow Contextual Memory" consent during onboarding).
6.5 Additional Personalization Data
- Entity relationships: Named entities and how they relate to each other and to you
- Inferred patterns: Beliefs, preferences, and behavioral patterns derived from your conversations
- Conversation segments: Your chat history is organized into segments with AI-generated summaries
6.6 Your Control Over Memories
- View: All memories on the Memories page (decrypted for display)
- Remove individual memories: Archive any memory from the Memories page
- Clear app-side memory data: Remove the memory store via product controls where that option is available
- Export: Download all memories (decrypted) as JSON
- Consent: Revoke data processing consent to prevent future extraction
- Account deletion: Memory data is removed from active app systems and backup copies age out on their normal schedule
7. Third-Party AI Model Processing
7.1 What Data Is Sent
Each AI model request includes: your system prompt (with memory context, emotional state, integration status, beliefs), conversation history (up to 20 turns), your current message (text and/or images), and tool definitions/results.
7.2 AI Model Providers
| Provider | Model | Use Case |
|---|---|---|
| OpenAI | GPT-5 Mini | Conversational AI, tool tasks, and fast delegate work |
| OpenAI | GPT-5.2 | Complex reasoning and image understanding |
| OpenAI | GPT-5 Nano | Background tasks only |
7.3 Voice Processing Providers
| Provider | Data Sent | Purpose |
|---|---|---|
| OpenAI | AI response text (up to 4,096 chars) | Text-to-speech |
| ElevenLabs | AI response text (up to 4,096 chars) | Text-to-speech (Pro/Max) |
| Browser vendor | Microphone audio (browser-controlled) | Speech-to-text |
Browser speech-to-text processing is controlled by your browser vendor, not Jorvek. In Chrome, audio may be sent to Google. In Safari, audio may be sent to Apple.
7.4 Local Processing
Vector embedding generation is processed entirely on Jorvek's own servers and is NOT sent to any external third party.
7.5 Provider Privacy Policies
8. Third-Party Integrations
8.1 Google
Connection: OAuth 2.0 with PKCE. Scopes: openid, email, profile, calendar, tasks. Elevated tiers add gmail.readonly, gmail.send, gmail.compose, gmail.modify, contacts.readonly.
Data sent: Calendar events, tasks, emails, drafts, search queries, geocoding requests. Data received: Calendar events, tasks, Gmail messages, contacts, Places results, directions.
8.2 Microsoft
Connection: OAuth 2.0 with PKCE. Scopes: offline_access, Calendars.ReadWrite, Mail.ReadWrite, Mail.Send, Tasks.ReadWrite, Files.Read, User.Read.
Data sent: Calendar events, emails, tasks. Data received: Outlook events, emails, To-Do tasks, OneDrive listings.
8.3 Spotify
Connection: OAuth 2.0 with PKCE. Scopes: streaming, user-read-private, user-read-email, playback state, playlists, library, top tracks, recently played.
Data sent: Playback commands, playlist modifications, search queries. Data received: Profile, playback state, playlists, library, listening history.
8.4 Notion
Connection: OAuth 2.0. Permissions: Read/write pages, databases, blocks, comments. Page content is indexed locally for semantic search. Notion tokens do not expire.
8.5 Apple (CalDAV)
Connection: CalDAV with app-specific password (not OAuth). Credentials encrypted at rest.
8.6 Brave Search, OpenWeatherMap
Server-side API keys only. No user-identifying information is sent to these services.
8.7 Telegram
User-provided bot token. Two-way messaging: AI responses sent, inbound messages processed through the AI cognitive pipeline.
8.8 Disconnecting Integrations
You may disconnect any integration at any time from the product settings. Disconnection revokes stored credentials and disables the integration's tools. Previously retrieved data stored as memories or conversation content is not retroactively deleted, and provider-side records remain governed by that provider until you delete them there.
9. Data Sharing and Disclosure
9.1 Categories of Recipients
- AI Model Providers (OpenAI API): Conversation Data, Memory Data context, Emotional Data context, and uploaded images for AI response generation
- Payment Processor (Stripe): Your email and tenant identifier for billing
- Authentication Provider (Clerk): Email, name, OAuth identity
- SMS Provider (Twilio): Phone number and sanitized message content
- Email/CRM Provider (Loops): Email address for transactional emails
- TTS Providers (OpenAI, ElevenLabs): AI response text for voice features
- Error Tracking (Sentry): Anonymized error data (PII stripped)
- Integration Providers: Data as described in Section 8
- Cache Provider: Rate limit counters (tenant IDs only)
- Infrastructure (Cloudflare): All data for hosting, CDN, and cloud database
9.2 We Do NOT Sell Your Personal Data
Jorvek does not sell, rent, or trade your Personal Data, Conversation Data, Memory Data, Emotional Data, or Behavioral Data to any third party. We do not share your data with data brokers, advertisers, or any entity for targeted advertising, behavioral profiling, or resale.
9.3 Legal and Protective Disclosures
We may disclose information to: comply with law or legal process; enforce our Terms; protect rights, property, or safety; detect fraud or security issues; or respond to emergencies involving danger of death or serious injury.
9.4 Business Transfers
In the event of a merger, acquisition, or sale, your information may be transferred. We will notify affected users via email and/or in-app notice.
10. Data Storage and Security
10.1 Infrastructure
- Primary database: Managed cloud database with encrypted storage
- Encryption at rest: Memory content and OAuth tokens encrypted using industry-standard encryption with unique per-tenant keys
- Cache: Distributed cache infrastructure (rate limiting, temporary OAuth state)
- Secrets management: Secure secrets management platform (no secrets in source code or container images)
10.2 Security Measures
- All traffic over HTTPS/TLS with industry-standard security headers
- Database-level access controls on all tables with strict isolation between tenants
- Device trust verification (email-based 6-digit code, 10-min expiry, max 5 attempts)
- Distributed sliding-window rate limiting (fails closed in production)
- App lock PINs and one-time passcodes securely hashed (never stored in plaintext)
- PII masking in all server logs (phone numbers, emails, API keys)
- SMS content sanitized to remove private IPs, file paths, connection strings, API keys
- Admin endpoints architecturally restricted from accessing personal content
- Webhook signature validation for Stripe and Twilio
- Application runs with least-privilege security principles
10.3 Breach Notification
In the event of a data breach, we will: notify affected users via email within 72 hours where feasible; describe the nature and types of data affected; and notify applicable regulatory authorities as required by law.
11. Data Retention
11.1 During Active Account
| Data Category | Retention |
|---|---|
| Account info, profile | Duration of account |
| Conversation Data | Kept while your account is active unless you remove it sooner |
| Long-term memories (facts, preferences) | Kept until you remove them or delete your account |
| Short-term memories (events, plans) | 7 to 90 days (varies by type) |
| Conversation summaries | 30 days |
| User-taught memories | Permanent (immune to decay) |
| Emotional state | Decays toward neutral over time |
| Inferred patterns and entities | Duration of account |
| Integration credentials | Until disconnected |
| Phone number | Until removed or account deletion |
| Corrections | Auto-resolved after 30 days |
| Admin audit logs | 2 years |
11.2 After Account Deletion
Removed from active app systems: Personal data in the product database, including conversations, memories, entities, emotional state, beliefs, credentials, phone records, and tenant record.
Anonymized but retained: Audit log entries (details redacted) for security compliance.
Third-party deletion: Stripe subscription is canceled, Clerk identity deletion is initiated, and provider-side data remains governed by each provider until their own deletion flow completes.
Backups: Routine encrypted backups may retain copies briefly until normal backup rotation removes them. These backups are used solely for disaster recovery.
12. Your Rights and Choices
- Access: View your memories, conversations, emotional state, settings, billing, integrations, and devices in-app
- Export: Download a complete copy of all data in JSON format via Settings
- Delete: Delete individual conversations, memories, phone number, integrations, devices, or your entire account
- Correct: Update display name, location, timezone, and persona. Delete inaccurate memories.
- Control Memory: Enable/disable contextual memory via consent management
- Control Notifications: Manage web push, Telegram, SMS proactive, and SMS reminder preferences
- Control Integrations: Connect or disconnect any integration at any time
- Contact Us: For requests not covered by self-service tools, email legal@saltypanda.com
13. California Residents -- CCPA/CPRA
This section applies to California residents as required by the CCPA/CPRA.
13.1 Categories Collected
| CCPA Category | Examples |
|---|---|
| Identifiers | Email, name, phone, user ID, device fingerprint, IP |
| Personal info (Cal. Civ. Code 1798.80) | Name, phone, email |
| Commercial information | Subscription tier, payment history via Stripe |
| Internet/network activity | Interaction patterns, session data, usage metrics |
| Geolocation | User-provided location, IP-derived approximate location |
| Audio/visual information | Uploaded images, voice transcripts |
| Inferences | Emotional state, beliefs, behavioral patterns, preferences |
| Sensitive personal information | Account credentials (Clerk), contents of communications |
13.2 Sale and Sharing
We do NOT sell your personal information. We do NOT share personal information for cross-context behavioral advertising.
13.3 Your CCPA Rights
You have the right to: know what data we collect and share; delete your data; correct inaccuracies; opt-out of sale/sharing (already honored by default); limit use of sensitive personal information; and non-discrimination. Exercise rights via Section 12 self-service tools or email legal@saltypanda.com. We respond within 45 days.
14. Other State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws have rights to access, correct, delete, and port their data, and to opt out of targeted advertising, sale, and profiling. We do not engage in targeted advertising, data sales, or profiling as defined by these laws.
Exercise rights via the self-service tools in Section 12 or contact legal@saltypanda.com.
15. International Users
Data Transfers. Salty Panda is operated from the United States. By using the Service from outside the US, you consent to the transfer of your information to the United States.
GDPR (EEA/UK). We process data on the bases of: consent (memory extraction, SMS), contract performance (core service delivery), and legitimate interest (security, improvement). EEA/UK residents have additional rights to withdraw consent, restrict processing, object to processing, and lodge complaints with supervisory authorities. International transfers use appropriate safeguards including the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.
16. Children's Privacy
The Service is for users aged 18 and older only. We do not knowingly collect personal information from anyone under 18. If we discover that we have collected information from a minor, we will promptly delete that information and terminate the account. Parents and guardians should contact legal@saltypanda.com if they believe their child has created an account.
17. SMS Privacy
- Collection: Phone number in E.164 format, voluntarily provided
- Verification: Via securely hashed one-time passcode (10-min expiry) sent through Twilio
- Processor: Twilio, Inc. (privacy policy)
- Storage: Full phone number in user_phones table; masked (last 3 digits removed) in SMS usage logs
- Content: Outbound messages sanitized (private IPs, file paths, API keys removed). Message content not stored in usage logs (only length).
- Opt-out: Reply STOP, UNSUBSCRIBE, CANCEL, or QUIT at any time. Opt back in with START or UNSTOP.
- Deletion: Remove phone number via Settings. Permanently deleted on account deletion.
18. Cookies and Tracking Technologies
18.1 Cookies Set by the Service
| Cookie | Purpose | Duration |
|---|---|---|
| __panda_device_id | Links browser to trusted device record (cryptographic hash) | Persistent, HttpOnly |
18.2 Authentication Cookies (Clerk)
Our authentication provider Clerk sets session cookies (__clerk_db_jwt, __session) managed entirely by Clerk's SDK. See Clerk's privacy policy.
18.3 Local Storage
UI preferences only: theme (light/dark/system/ocean) and sidebar collapsed state. No personal data.
18.4 No Third-Party Tracking
We do not use any third-party tracking cookies, pixels, beacons, fingerprinting scripts, or behavioral analytics services. No Google Analytics, Meta Pixel, Mixpanel, Amplitude, Heap, Hotjar, or similar technologies. Our Content Security Policy restricts unauthorized scripts.
19. Do Not Track Signals
We do not track users across third-party websites and therefore do not respond to DNT signals in a specific manner. We do not engage in cross-site tracking regardless of DNT status.
20. Changes to This Privacy Policy
We may update this Policy to reflect changes in our practices or legal requirements. Material changes will include an updated "Last Updated" date and at least 30 days' notice via email or in-app notification. Continued use after the effective date constitutes acceptance.
21. Contact Information
For questions, concerns, or data rights requests:
Jorvek LLC
6545 Market Ave. North, STE 100
Canton, OH 44721, USA
Email: legal@saltypanda.com
For self-service data access, export, and deletion, use the tools described in Section 12.
For urgent privacy concerns or to report a data breach, email legal@saltypanda.com with "URGENT: Privacy" in the subject line.