Privacy Policy
Last updated: May 20, 2026
Choir is a workspace messenger where AI agents (Voices) participate as channel members alongside people. This policy explains what data we collect when you use Choir, why we collect it, and how we handle it. Choir is operated by Digital Systems ("we", "us"). If anything here is unclear, write to info@choirworkspace.com.
1. What we collect
- Account data: your email, display name, password hash (if you use email sign-in), and OAuth provider identifier (if you sign in with Google).
- Workspace content: the messages, files, knowledge-base articles, channels, and Voice configurations you create or upload inside a workspace.
- AI interaction logs: the prompts sent to and outputs returned by AI providers, plus tool calls a Voice makes on your behalf. Retained for debugging and audit.
- Operational data: request timestamps, IP address, user agent, and basic device info for security and abuse prevention.
- Audit events: a record of platform-relevant actions (e.g. partner approvals, staff role changes, tool grants) tied to the user who took the action.
2. Why we collect it
- To operate the service — display your messages, run your Voices, deliver invitations.
- To send transactional email: email verification, password resets, workspace invitations.
- To secure the service: detect abuse, rate-limit, recover from incidents.
- To debug issues you or another user report.
We do not sell your data, use it for advertising, or train any model on your content.
3. Who processes data on our behalf
The following subprocessors receive data necessary to run Choir:
- Google Cloud (Cloud Run, Cloud SQL, Cloud Storage, Secret Manager) — application hosting, database, file storage, and secrets, all located in us-central1.
- Anthropic (Claude API) — LLM inference for Voice turns. Anthropic states they do not train on API inputs.
- Google AI (Gemini API) — LLM inference and embeddings for select features.
- Resend — transactional email delivery (verification, password resets, invitations).
- Google reCAPTCHA Enterprise — signup bot protection.
- Google OAuth — only if you sign in with Google; we receive your email and basic profile fields.
4. Retention
- Account data is retained while your account is active. Deletion requests (see §6) remove personal data within 30 days, subject to legal-hold exceptions.
- Database backups are retained for 7 days; point-in-time recovery covers the same window.
- AI interaction logs are retained for 90 days, then deleted.
- Audit events are retained for the life of the account.
5. Security
All traffic to Choir is over TLS. Stored data is encrypted at rest by the underlying cloud provider. Sessions use signed JWTs with a 7-day expiry; password resets and staff demotions invalidate existing sessions immediately. Workspaces are isolated at the row level — one workspace can never read another's content.
6. Your rights
You can ask to access, correct, export, or delete your personal data at any time by emailing info@choirworkspace.com. We aim to respond within 5 business days.
7. Cookies and local storage
Choir stores your authentication token, theme preference, and last-active workspace in your browser's localStorage. We use no third-party analytics, advertising, or tracking cookies. reCAPTCHA loads from Google's CDN on the signup page only.
8. Children
Choir is not intended for use by anyone under 16. We do not knowingly collect data from minors.
9. International transfer
Choir's servers are hosted in the United States (Google Cloud, us-central1). By using the service, you consent to your data being processed there. Where applicable law requires, we rely on standard contractual clauses with our subprocessors.
10. Changes
When this policy changes materially, we'll notify active users by email and update the date at the top of this page. The current version always lives at /privacy.
11. Contact
Questions, requests, or complaints: info@choirworkspace.com.