Privacy Policy

Overview

ITPA (IT Personal Assistant) is an internal productivity tool built and operated by Takeshi Nakagawa. It is not a public service. Access is limited to invited members of the IT engineering team.

This policy explains what data the application accesses, how it is used, how it is stored, and what rights you have over your data.

Legal Basis for Processing

ITPA processes your data based on your explicit consent, which you provide when you first sign in and accept the data processing terms. You may withdraw consent at any time by deleting your account from the Settings page.

Processing is limited to what is necessary to provide the productivity features you have opted into (calendar sync, email triage, Slack status, etc.).

Data We Access

ITPA connects to the following services. All non-Google connections are optional and initiated by you from the Settings page.

Google Account

• Profile: Name, email address, and profile picture for account identification.
• Google Calendar: Read and create events. Used for schedule display, focus/lunch block scheduling, conflict detection, color coding, Slack status sync, PTO handoff coordination, and calendar analytics.
• Gmail (optional): Read, label, and send emails. Used for inbox triage, email analytics, thread summarization, reply/forward, label and filter management, and unsubscribe audits.
• Google Drive (optional): Read-only access to specific files you authorize. Used to ingest Google Meet meeting recordings/notes from your “Meet Recordings” folder for meeting-notes display, and to read shared vendor-contract documents for the Vendor Contracts feature.
• Google Contacts (optional): Read-only access. Used solely for email address autocomplete when composing replies or adding senders to preference lists.

Slack (optional)

• Status sync: Reads and updates your Slack profile status based on your calendar events.
• Auto-responder: Reads incoming DMs and sends automatic replies when you are OOO or after hours. No DM content is stored.
• Channel sync (opt-in per channel): Reads messages from channels you explicitly map to a Jira ticket (e.g. purchasing channels prefixed with purchasing-) and posts AI-summarized updates back to the linked Jira ticket. Only mapped channels are read.

Atlassian Jira (optional)

• Tickets and comments: Read assigned and watched issues; read ProForma intake form fields via Jira custom-field mirrors. Used for ticket overview, purchasing workflow, hardware request workflow, and assistant follow-ups.
• AI-generated comments: The purchasing and follow-up agents post comments back to Jira on your behalf. Every AI-authored comment is prefixed with an [AI] attribution tag.
• Watchers: Adds owners as watchers on vendor-contract tickets so contract renewal alerts route through Jira (no separate email channel).

Atlassian Confluence (optional)

• Page content: Read-only access to specific Confluence pages you reference. Used by the ITPA Academy to fetch linked training pages for AI summarization.

BambooHR (admin-configured)

• Org data: Employee directory, reporting structure, work email, job title, location, and time-off records. Used for the team roster, org chart, and PTO handoff workflows. Sensitive HR data (compensation, performance, personal contact) is never accessed.

Snipe-IT (admin-configured)

• Hardware inventory: Asset records (model, serial, status, assigned user, location) for the AMER Hardware laptop-inventory feature and the purchasing-workflow reorder formula.

Anthropic Claude API

• Short previews of calendar events, email snippets, Jira ticket descriptions, Slack messages from mapped channels, vendor-contract text, and Confluence page text are sent to the Claude API for analysis (triage, action-item extraction, thread summarization, purchasing-workflow planning, contract-field extraction, Academy summarization).
• All inputs are length-capped (email body 300 chars, calendar description 200, Jira description 600, Slack message 800) and untrusted text is wrapped in clearly-marked sections with a prompt-injection notice.
• Full email bodies are not sent unless thread summarization is explicitly triggered by the user.
• Anthropic does not retain data between requests per its API data policy. API requests are not used for model training.
• A global kill switch and per-feature toggles let administrators disable any AI feature instantly; per-feature hourly volume caps prevent runaway automation.

Privacy Boundaries

• Manager-facing features (team roster, org chart, handoffs, meeting notes) use only org-visible data sources (BambooHR, calendar, public/private channels the user is already in). They never read individual users’ personal Gmail inboxes or Slack DMs.
• Slack channel sync only reads channels you have explicitly mapped to a Jira ticket. No global channel listening.
• Google Drive access is scoped to specific files (Meet Recordings folder, designated contract docs) — not broad drive enumeration.
• Every AI-generated external write (Jira comment, Slack message, email) requires a per-target opt-in and is rate-capped.

Data We Store

The following data is stored in the application database:

Stored

• Account info: Google profile (name, email, picture), role, creation date, and consent timestamp.
• OAuth tokens: Google, Slack, Jira, and Confluence tokens, encrypted at rest using Fernet symmetric encryption (AES-128 + HMAC). Used to make API calls on your behalf.
• Calendar event cache: Event metadata (title, time, attendees, organizer) for up to 12 months. Used for analytics and scheduling without live API calls.
• Email metadata cache: Sender, recipient, date, read status, and label IDs for up to 12 months. Used for email analytics. No email subject, body, or attachment content is stored.
• Team data cache: Mirrored BambooHR roster (name, work email, title, manager, location, time-off windows) for the team roster, org chart, and PTO handoff features.
• Hardware inventory cache: Mirrored Snipe-IT asset records (model, serial, status, assigned user) used by the AMER Hardware feature and the purchasing reorder formula.
• Vendor contract records: Per-vendor primary-contract metadata extracted from contract documents (vendor name, renewal date, owner, Jira ticket key). The full contract text is not persisted after extraction.
• Channel-to-ticket mappings: Slack channel IDs you have explicitly mapped to Jira tickets for the channel-sync feature.
• Meeting notes references: Pointers to Google Drive Meet Recordings (file ID, title, date). Note bodies are fetched live, not cached.
• Purchasing & assistant workflow state: Plan turns, assignee handoff records, follow-up timers, and auto-execution flags for the purchasing and follow-up agents. AI-generated draft text is stored only until posted to Jira.
• User preferences: Working hours, lunch/focus settings, starred/muted senders, priority/ignored topics, Slack status mappings, color coding preferences.
• API usage logs: Claude token counts and external API call counts per user, for monitoring, cost tracking, and per-feature rate caps.
• Audit logs: Actions performed in the app (login, sync, settings changes, AI external writes) for security and debugging.

Not Stored

• Email body content, attachments, or full subjects
• Slack DM content (only event-driven auto-responder actions are tracked)
• Slack channel message history beyond what is needed to compose the next AI summary
• Google contact details (queried live for autocomplete, never cached)
• Calendar event descriptions or attachments
• Google Drive file contents beyond extracted metadata for contracts and meeting notes
• BambooHR compensation, performance, or personal contact information

Data Security

• The application runs on Google Cloud Run with HTTPS enforced and HSTS (Strict-Transport-Security) enabled.
• Database is hosted on Google Cloud SQL (PostgreSQL) in the us-central1 region, encrypted at rest.
• OAuth tokens are encrypted using Fernet symmetric encryption (AES-128 + HMAC-SHA256) before storage.
• Secrets (API keys, client secrets, signing keys) are managed via Google Cloud Secret Manager.
• CSRF protection, rate limiting, CORS restrictions, Content Security Policy, and Permissions-Policy headers are enforced.
• Session cookies are signed, HttpOnly, Secure, SameSite=Lax, and expire after 7 days.
• The application container runs as a non-root user following the principle of least privilege.
• All admin actions are logged in an immutable audit trail.

Data Retention

Data is retained only as long as necessary for its stated purpose. The following retention periods are enforced automatically:

• Calendar and email caches: Refreshed on each sync. Automatically purged for users inactive for more than 90 days.
• Gmail mark-as-read undo cache: Expires after 24 hours.
• API usage logs (Claude and external): Automatically deleted after 90 days.
• Audit logs: Automatically deleted after 1 year.
• Slack auto-reply deduplication logs: Automatically deleted after 30 days.
• Denied access requests: Retained until manually reviewed by an administrator.

A daily automated retention job enforces these periods. You may also request immediate deletion at any time (see Your Rights below).

Third-Party Services

The following third-party services process your data as described above:

• Google APIs: Calendar, Gmail, Drive, People, and OAuth. Subject to Google's Privacy Policy.
• Slack API: Profile, status, and messaging. Subject to Slack's Privacy Policy.
• Atlassian Jira & Confluence APIs: Ticket and page access. Subject to Atlassian's Privacy Policy.
• BambooHR API: Org and time-off data. Subject to BambooHR's Privacy Policy.
• Snipe-IT (self-hosted): Hardware inventory. Operated internally by DEPT.
• Anthropic Claude API: AI analysis. Subject to Anthropic's Privacy Policy. API requests are not used for model training.
• Google Cloud Platform: Infrastructure hosting (Cloud Run, Cloud SQL, Secret Manager, Cloud Scheduler). Subject to Google Cloud's Privacy Notice.

No data is sold to or shared with third parties for advertising, marketing, or any purpose beyond operating this application.

Your Rights

You have the following rights regarding your personal data:

• Right of access (Art. 15): You can view what data is stored about you in the Settings page.
• Right to data portability (Art. 20): You can download all your data as a JSON file from Settings > Your Data > Download My Data.
• Right to erasure (Art. 17): You can delete your account and all associated data from Settings > Your Data > Delete My Account. This action is immediate and irreversible.
• Right to withdraw consent: You can withdraw consent at any time by deleting your account. You can also disconnect individual services (Gmail, Drive, Slack, Jira, Confluence) from the Settings page.
• Right to rectification (Art. 16): Account data (name, email, picture) is synced from your Google account. Update it there to update it here.
• Admin users can also purge individual user data via the Data & Privacy admin panel.

All data subject requests are processed immediately through self-service. If you need additional assistance, contact the administrator.

Contact

For questions about this policy or your data, contact Takeshi Nakagawa.