The short version
Jarvis is a multi-agent AI assistant. To do its job, it processes your messages, connected accounts (calendar, email, etc.), and the actions you ask it to take. Your conversations and personal context are encrypted with keys scoped to your account. Even Jarvis owners and operators have no read path to your content: no support backdoor, no "let me just take a look." We do not sell your data, we do not use your conversations to train third-party models, and you can delete everything from your dashboard whenever you like.
1. Who we are
This Privacy Policy describes the practices of Jarvis ("Jarvis", "we", "us", or "our") regarding the personal information we collect from users ("you") of our website at jarvis.wtf, our mobile applications, and any related services (collectively, the "Service").
Questions about this policy or your data: privacy@jarvis.wtf.
2. What we collect
2.1 Information you give us
- Account information: email address, phone number, name. Used to authenticate you and contact you about the Service.
- Conversations: the messages you send to Jarvis (text, voice, SMS, WhatsApp) and the responses generated by our agents.
- Connected accounts: when you authorize Jarvis to access services like Google Calendar, Gmail, or WhatsApp, we receive OAuth tokens and the data you ask Jarvis to act on. We do not receive your passwords.
- User-provided context: preferences, goals, profile information, and any other context you share to help Jarvis assist you.
- Payment information: if and when paid plans launch, we will use a third-party payment processor (e.g., Stripe). Card details are sent directly to the processor; we never see or store them.
2.2 Information collected automatically
- Device and connection metadata: IP address, device type, browser, operating system, and timestamps of requests. Used for security, abuse detection, and operational diagnostics.
- Usage metrics: counts of requests, agent invocations, and feature usage. Aggregated and not tied to message content.
- Diagnostic logs: error messages and stack traces. We make a deliberate effort to keep your message content out of logs; if message content reaches a log by accident, it is treated as a bug and removed.
2.3 Information from third parties
- Authentication providers: if you sign in with Google, we receive your name, email, and profile photo from Google.
- Connected services: calendar events, emails, WhatsApp messages, and similar data only when you connect those services and only to the extent needed to fulfill your request.
3. How we use your data
- To deliver and operate the Service: running agents, processing your requests, and returning answers.
- To send you account-related communications (e.g., security alerts, beta updates).
- To diagnose problems, prevent abuse, and improve reliability.
- To comply with legal obligations.
What we do not do: we do not sell your data, we do not show you advertising based on your data, and we do not feed your conversations into third-party AI training datasets.
4. Zero-access architecture
Jarvis is engineered so that the people who run the Service cannot read your content under normal operation:
- Your conversations and profile are encrypted at rest with AWS KMS customer-managed keys, scoped per user where technically possible.
- Internal access controls follow the principle of least privilege; production data stores are not human-browsable.
- If we ever need to debug a specific issue with your assistance, we will request your explicit, time-bound consent before any read access is granted, and the access window is logged.
- Operational metrics (counts, latencies, error rates) are visible to our team. The substance of your messages is not.
5. Third-party processors
We use a small set of vetted third parties to operate the Service. Each one receives only what is necessary for its function:
- Amazon Web Services (AWS): hosting, storage, encryption, and AI inference (Amazon Bedrock). AWS is our primary infrastructure provider.
- Google: sign-in (OAuth), Calendar, and Gmail integrations when you connect them.
- Meta Platforms (WhatsApp Business): when you choose to interact with Jarvis over WhatsApp, your messages are delivered through Meta's WhatsApp Business Platform. Meta receives the routing metadata necessary to deliver messages and is subject to its own privacy policy.
- Telecom providers: when you use voice or SMS, carriers route the calls and messages.
- Search providers: when an agent performs a web search on your behalf, the search query is sent to a search API. We do not send your identity along with these queries.
- Stripe (when paid plans launch): payment processing.
We do not share your conversations or profile with these processors beyond what is required for the specific feature you are using. Each integration can be disconnected from your dashboard, after which we revoke our credentials and delete cached data on a rolling basis.
6. Data retention
- Conversations and personal context: retained while your account is active so Jarvis can remember you across sessions. You can delete individual items, clear memory, or wipe everything from the dashboard at any time.
- Account information: retained while your account is active, plus a short reconciliation period after account deletion.
- Diagnostic logs: retained for up to 30 days.
- Aggregated, non-identifying metrics: retained indefinitely for capacity planning.
If you delete your account, we delete your personal data within 30 days, except where retention is required by law (for example, financial records).
7. Your rights
Wherever you are, you can:
- Access: request a copy of the personal data we hold about you.
- Correct: fix anything that's wrong.
- Delete: wipe your data from the Service.
- Export: receive a portable copy.
- Withdraw consent: disconnect any integration at any time.
- Object or restrict processing: where applicable under your local law.
Most of these are one-tap actions in the dashboard. For step-by-step instructions, see our Data Deletion Instructions. For anything else, email privacy@jarvis.wtf and we will respond within 30 days.
7.1 Residents of California (CCPA/CPRA)
California residents have additional rights including the right to know, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information as those terms are defined under California law.
7.2 Residents of the EEA, UK, and Switzerland (GDPR)
We process personal data on the following legal bases: contract (to provide the Service you signed up for), consent (for optional integrations), legitimate interests (security and abuse prevention), and legal obligation. You have the right to lodge a complaint with your local data protection authority.
8. International transfers
The Service is operated from AWS in the United States (us-east-1 region). If you access the Service from outside the United States, your data is transferred to and processed in the United States. Where required, we use AWS's standard contractual clauses and other appropriate safeguards.
9. Security
We use industry-standard security measures including encryption in transit (TLS 1.2+), encryption at rest (AWS KMS customer-managed keys), strict IAM least-privilege policies, dedicated VPCs, and audit logging. No system is perfectly secure, but we treat security as a primary product feature, not an afterthought.
If we ever discover a security incident affecting your data, we will notify you without undue delay and explain what happened in plain language.
10. Children
The Service is not directed to children under 13 (or under 16 in jurisdictions where that is the threshold). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@jarvis.wtf and we will delete it.
11. Cookies and similar technologies
The Service uses minimal cookies and local storage, primarily to keep you signed in and to remember your preferences. We do not use third-party advertising trackers. Where required by law, we will request your consent before setting any non-essential cookies.
12. AI processing
Jarvis uses large language models to interpret your requests and generate responses. We send the minimum context necessary to perform your task to model providers (primarily Amazon Bedrock; in some cases, third-party model providers when you opt in to a specific capability). Where we use third-party model providers, we configure those services to not use your inputs or outputs to train their models.
13. Changes to this policy
We may update this policy as the Service evolves. When we make material changes, we will notify you via email or in-app before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
14. Contact
For privacy questions, requests, or to exercise your rights:
- Email: privacy@jarvis.wtf
- General contact: hello@jarvis.wtf