Privacy Policy

SumGeniusAI LLC ("Company", "we", "our", or "us") values your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://sumgenius.ai (the "Site") or use any services or features we provide (collectively, the "Services").

By accessing or using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please do not access the Site.

1. Information We Collect

a. Personal Information You Provide to Us:

• Name, email address, phone number, company name
• Billing and payment information
• Project or service inquiry details
• Any other data you voluntarily submit through contact forms or service requests

b. Information We Automatically Collect:

• IP address and browser type - Collected for security monitoring, rate limiting, fraud prevention, and abuse protection
• Device type, operating system, and geographic location
• Pages visited, referring website, and usage patterns (via cookies and tracking tools like Google Analytics and Microsoft Clarity)
• Session recordings and interaction data - Mouse movements, clicks, scrolling behavior, and page interactions captured via Microsoft Clarity (with automatic masking of sensitive fields)

Security & Fraud Prevention Logging:

For security purposes, we log IP addresses in the following scenarios:

• Authentication & Access Control: IP addresses are logged during login attempts, failed authentication, and CSRF token validation failures
• Rate Limiting: IP addresses are temporarily tracked to prevent abuse, denial-of-service attacks, and excessive API requests (e.g., 200 requests per 60 seconds on webhook endpoints)
• Security Incidents: IP addresses are logged when suspicious activity is detected, including failed authorization attempts, invalid requests, or potential attacks
• Meta Webhook Security: IP addresses of incoming Meta Platform webhooks are logged for signature verification and abuse prevention

Legal Basis (GDPR): Article 6(1)(f) - Legitimate interests in maintaining system security, preventing fraud, and protecting our services from abuse.

IP Address Protection: IP addresses in security logs are automatically anonymized by masking the last two octets (e.g., 192.168.***.***) to minimize personal data exposure.

Retention & Rotation: Security log files are automatically rotated when they exceed 10MB to prevent indefinite growth. Older rotated logs may be archived or deleted as part of routine system maintenance.

c. Information from Third Parties:

We may receive information from third-party sources including partners, service providers, and publicly available databases.

2. How We Use Your Information

We use your information to:

• Provide and improve our Services
• Respond to inquiries or support requests
• Personalize user experience
• Send marketing and promotional materials (if you opt in)
• Process payments and manage subscriptions
• Comply with legal obligations or enforce our terms

3. Sharing Your Information

We do not sell your personal information. We may share your data with:

• Service providers (e.g., hosting, analytics, payment processors)
• Contractors or business partners under confidentiality obligations
• Legal or governmental authorities as required by law
• In case of a business transfer (e.g., merger or acquisition)

4. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience. We now provide a cookie consent banner that allows you to control which types of cookies you accept. You can also manage cookie settings through your browser.

Types of Cookies We Use:

Managing Your Cookie Preferences

You can manage your cookie preferences at any time by:

• Using our cookie consent banner that appears on your first visit
• Clicking the "Cookie Settings" button in the consent banner
• Clearing your browser's cookies and localStorage
• Adjusting your browser settings to block or delete cookies

Note: Disabling essential cookies may prevent you from using certain features of our website, such as the customer portal and chat widget.

Session Recording & Heatmap Analytics

We use Microsoft Clarity to understand how visitors interact with our website through session recordings and heatmap analytics. This helps us identify usability issues, improve user experience, and optimize our website design.

What Microsoft Clarity Collects:

• Session Recordings: Visual playback of user sessions showing mouse movements, clicks, scrolling, and page interactions. Sensitive form fields (passwords, credit cards, email addresses) are automatically masked and never visible in recordings.
• Heatmaps: Aggregated visual maps showing where users click and how far they scroll on each page.
• User Behavior Insights: Rage click detection (repeated clicking indicating frustration), dead clicks (clicks on non-interactive elements), JavaScript errors, and excessive scrolling.
• Technical Data: Mouse movements, clicks, touch gestures, scrolling behavior, page elements interacted with, browser type, device type, screen resolution, time spent on pages, and navigation paths.
• IP Address: Collected and automatically anonymized by Microsoft to comply with privacy regulations.

Microsoft Clarity Cookies:

• _clck - Persistent cookie that stores a unique user ID and session information (expires after 1 year)
• _clsk - Session cookie that groups multiple page views into a single session recording (expires after 1 day)

Third-Party Data Processing:

Microsoft Clarity processes session data in accordance with the Microsoft Privacy Statement. Microsoft does not sell personal data collected through Clarity or use it for advertising purposes. Session recordings are stored on Microsoft's secure servers and are accessible only to authorized SumGeniusAI personnel.

Privacy Protections for Session Recordings:

How to Opt-Out of Session Recordings:

You can disable Microsoft Clarity session recordings and heatmaps by:

• Rejecting or disabling "Analytics" cookies in our cookie consent banner
• Enabling Global Privacy Control (GPC) in your browser (automatically blocks all analytics)
• Using browser privacy extensions like Privacy Badger or uBlock Origin to block third-party analytics
• Adjusting your browser settings to block third-party cookies

Data Retention for Session Recordings:

• Session Recordings: Stored by Microsoft Clarity for up to 30 days, then automatically deleted
• Heatmap Data: Aggregated anonymized data retained indefinitely for performance analysis
• Analytics Reports: Summary statistics retained to track improvements over time

Legal Basis (GDPR): Article 6(1)(f) - Legitimate interests in improving website usability and user experience. You can object to this processing by disabling Analytics cookies.

5. Data Security

We implement industry-standard security measures to protect your data, including SSL encryption, firewalls, and regular vulnerability scanning. However, no method of transmission over the internet is 100% secure.

Security Monitoring & Audit Logging

To maintain the security and integrity of our services, we implement comprehensive security logging:

• Access Logging: All authentication attempts, including successful logins and failed attempts, are logged with timestamps and IP addresses
• CSRF Protection Logging: Failed CSRF token validations are logged to detect and prevent cross-site request forgery attacks
• Rate Limiting: Request patterns are monitored to identify and block abusive traffic or potential DDoS attacks
• Webhook Security: All webhook requests are verified using cryptographic signatures, with verification failures logged for security analysis
• Data Access Auditing: Sensitive data operations (conversations deletion, consent changes, etc.) are logged with full audit trails

Security logs are stored securely with restricted access. IP addresses in logs are automatically anonymized by masking the last two octets. Log files are automatically rotated when they exceed 10MB to prevent indefinite storage growth.

Data Protection Measures

• Encryption at Rest: OAuth tokens and sensitive credentials are encrypted using AES-256-CBC encryption before storage
• Encryption in Transit: All data transmission uses TLS/SSL encryption
• Access Controls: Role-based access control (RBAC) ensures only authorized personnel can access sensitive data
• Transaction Safety: Database operations use transactions with automatic rollback on errors to maintain data integrity
• Input Validation: All user inputs are validated and sanitized to prevent SQL injection, XSS, and other injection attacks

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access, correct, or delete your personal information
• Opt out of data processing or marketing communications
• Request data portability
• File a complaint with a data protection authority

For these requests, please contact us at info@sumgenius.ai.

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.

Your California Rights:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collect information, our business purposes for collecting information, and the categories of third parties with whom we share information.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out: You have the right to opt-out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information to purposes necessary to perform our services.
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights.

Global Privacy Control (GPC):

We honor Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will automatically opt you out of the "sale" or "sharing" of your personal information and limit the use of sensitive personal information.

Do Not Sell or Share My Personal Information:

We do not "sell" personal information as defined by the CCPA. We may share certain information with third-party service providers and analytics partners to provide and improve our services. You can opt-out of this sharing by:

• Enabling Global Privacy Control (GPC) in your browser
• Adjusting your cookie preferences in our cookie consent banner
• Contacting us at privacy@sumgenius.ai

Categories of Personal Information We Collect:

We collect the following categories of personal information as described in the CCPA:

• Identifiers (name, email, IP address)
• Commercial information (purchase history, service usage)
• Internet or network activity (browsing behavior, interactions with our services)
• Geolocation data (approximate location based on IP address)
• Professional or employment-related information (if voluntarily provided)
• Inferences drawn from the above to create user profiles

Business Purposes for Collection:

We collect personal information for the following business purposes:

• Providing and improving our AI services
• Customer support and communication
• Fraud prevention and security
• Analytics and service optimization
• Marketing communications (with consent)
• Legal compliance

Third Parties We Share With:

We may share personal information with:

• Service providers (hosting, analytics, AI processing)
• Payment processors (Stripe)
• Communication platforms (Twilio, Meta)
• Analytics providers (Google Analytics, Microsoft Clarity)

Exercising Your California Rights:

To exercise your California privacy rights, please contact us at:

• Email: privacy@sumgenius.ai
• Phone: +1 (833) 365-7318
• Mail: SumGeniusAI LLC, Las Vegas, NV

We will verify your identity before processing your request and respond within 45 days.

Authorized Agent:

You may designate an authorized agent to make requests on your behalf. We will require written proof of the agent's authority before processing the request.

8. Data Retention

We retain your information only as long as necessary for business purposes or legal compliance. Data may be anonymized for research or analytical purposes.

9. Children's Privacy

Our Services are not intended for individuals under 13 (or 16 in the EU). We do not knowingly collect data from children.

10. Third-Party Links

Our Site may contain links to third-party websites. We are not responsible for their privacy practices or content. Please review their policies individually.

11. VibeCheck AI Chrome Extension

If you use our VibeCheck AI Chrome Extension, the following additional terms apply:

a. Data Collection and Processing:

• Message Analysis: Text you analyze is sent to our servers for AI processing but is NEVER stored, logged, or saved. Analysis happens in real-time and data is immediately discarded after processing.
• AI Processing: We use OpenAI's API to analyze text tone and sentiment. OpenAI processes the text temporarily and does not store or use your data for training. The analysis is performed in real-time and results are not retained.
• Usage Tracking: We track the number of daily checks per user account to enforce free tier limits (10 checks/day for free users).
• Authentication: Your login credentials create a secure token stored locally in your browser. Passwords are hashed using industry-standard bcrypt encryption.
• Platform Detection: The extension detects which website you're on (Gmail, LinkedIn, Twitter, etc.) to provide context-appropriate analysis. URLs are not stored.
• Data Retention: Usage statistics are retained for 90 days. Account information is retained until you delete your account.

b. Extension Permissions:

• activeTab: To detect text input fields on the current tab
• storage: To save your authentication token and track daily usage locally
• scripting: To inject the VibeCheck analysis interface into web pages
• clipboardRead: To enable the Ctrl+Shift+V (Cmd+Shift+V on Mac) keyboard shortcut for analyzing copied text
• host_permissions: To communicate securely with sumgenius.ai servers for AI analysis

c. Data Security for VibeCheck:

• All communication uses HTTPS encryption
• No message content is ever stored in our databases
• Authentication tokens expire after 30 days of inactivity
• You can delete your account at any time, which removes all associated data

d. Premium Subscriptions:

If you upgrade to VibeCheck Pro, payment processing is handled by Stripe. We store only your subscription status and customer ID, never your payment details.

e. Your VibeCheck Rights:

• Request deletion of your VibeCheck account and all associated data immediately
• Export all your personal data in machine-readable JSON format
• Access your account information and usage statistics anytime
• Correct or update your personal information through the dashboard
• Cancel your subscription at any time via Stripe's customer portal
• Opt out of any future features that may collect additional data
• Disable the extension at any time through Chrome's extension manager
• Contact us at privacy@sumgenius.ai for any privacy concerns

VibeCheck Privacy Commitment: We built VibeCheck with privacy as a core principle. Your messages are your business - we just help you communicate better without compromising your privacy.

12. AI Voice Services & SMS Consent Collection

13. ChatGenius - Meta Messenger Integration

14. Law Enforcement & Legal Requests

If we receive legal requests for user data from public authorities, we follow strict procedures to protect user privacy:

Our Legal Request Handling Process:

• Legality Review: All legal requests are reviewed by our legal team to verify authenticity, proper authorization, and compliance with applicable law
• Right to Challenge: We reserve the right to challenge requests that appear unlawful, overly broad, or improperly issued through appropriate legal channels
• Data Minimization: We disclose only the minimum information legally required to comply with valid requests, not entire datasets
• Documentation & Transparency: All legal requests, our responses, legal reasoning, and involved parties are documented in secure audit logs

User Notification: Where legally permitted, we will notify affected users before disclosing their information, giving them an opportunity to seek legal protection. However, we may be prohibited from providing notice in certain cases (e.g., national security letters).

Transparency Reporting: We are committed to transparency about government requests for user data and may publish aggregate statistics about such requests when legally permitted.

15. Changes to This Policy

We reserve the right to update this Privacy Policy at any time. Any changes will be reflected on this page with a revised "Last Updated" date. Your continued use of the Site after changes indicates your acceptance.

16. Contact Us