Privacy Policy

Corvan ("Corvan", "we", "us") provides an AI chief-of-staff assistant for founders and operators. This policy explains what personal data we process when you use the service, why, and the rights you have over it. For any privacy question, contact us at peter@corvanai.com.

We process the account data you give us (name, email, password hash), the content you connect or import (email, calendar events, messenger threads, contacts, notes, documents and files you upload), and operational metadata (logins, device labels, usage and error telemetry). Corvan derives summaries, contact dossiers, and a private knowledge graph from this content to power the assistant. We do not sell your personal data.

We use your data to operate the assistant (triage inbox and messages, prepare for meetings, draft replies, maintain dossiers and the knowledge graph), authenticate you, bill your subscription, provide support, and keep the service secure and reliable. AI features send the minimum necessary content to the model providers listed below to generate a response.

We share data with vetted service providers strictly to deliver the service. Our current sub-processors are:

• OpenRouter — LLM API gateway that routes prompts to the model below.
• DeepSeek — large-language-model inference for assistant features.
• Anthropic — large-language-model inference (Claude) for assistant features.
• Stripe — subscription billing and payment processing.
• MinIO on Netcup — object storage hosting for uploaded files and exports, and our underlying server infrastructure.
• Sentry — application error monitoring and performance telemetry.

We send these providers only the data needed for their function and require them to protect it under contract. The model providers (OpenRouter, DeepSeek, Anthropic) receive prompt content only at the moment a request is made.

Some sub-processors (including OpenRouter, Anthropic, Stripe, and Sentry) process data in the United States. Where personal data is transferred out of the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) — and the UK International Data Transfer Addendum where applicable — together with the technical and organisational safeguards above as the lawful transfer mechanism.

We retain your account and content for as long as your account is active. When you delete content it is removed from active systems promptly, and from backups within the normal backup-rotation window. When you delete your account we erase your personal data and owned content (see "Your rights"), retaining only what we must keep for legal, tax, or fraud-prevention purposes. Aggregated or anonymised data that can no longer identify you may be retained.

You can access, correct, export, and erase your personal data. Corvan implements these directly in-product: you can export your data as a downloadable bundle and delete your account, which erases your personal data and the rows you own. Depending on your location you may also have rights to object to or restrict processing and to lodge a complaint with your data-protection authority. To exercise any right, use the in-app controls or email peter@corvanai.com.

We protect data in transit with TLS, store passwords only as salted hashes, scope every tenant's data so it is not visible to other tenants, and limit internal access on a need-to-know basis. No system is perfectly secure, but we work continuously to reduce risk and will notify affected users of a material breach as required by law.

We may update this policy as the product and our sub-processors evolve; we will revise the effective date above and, for material changes, notify you. Questions or requests: peter@corvanai.com. See also our Terms of Service.