Assistant Core

Privacy Policy

Last updated: June 17, 2026

1. Introduction

Welcome to Assistant Core ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI assistant platform, including web chat, voice interfaces, embedded widgets, and connected IoT devices. By using our Services, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Information You Provide

  • Account information: Name, email address, and authentication details when you register via email, Google, or GitHub OAuth
  • Profile information: Optional profile details, preferences, and avatar
  • Conversation content: Messages, prompts, and files you share with AI assistants on our platform
  • Knowledge base content: Documents, URLs, and data you upload for retrieval-augmented generation (RAG)
  • Support requests: Information provided when contacting customer support

Information Collected Automatically

  • Usage data: Features used, session duration, assistant interactions, and conversation metadata
  • Device information: IP address, browser type, operating system, and device identifiers
  • Log data: Server logs, error reports, and performance metrics
  • Cookies: Small data files stored on your device for authentication, session management, and language preferences

Voice & Audio Data

  • Voice recordings: Audio captured during voice interactions is processed in real time for speech-to-text (ASR) and is not stored permanently
  • Voice activity detection (VAD): We process audio signals to detect when you are speaking
  • Text-to-speech (TTS) output: Generated audio responses are streamed and not retained after delivery
  • Voice data is processed solely to provide the voice interaction service and is deleted after processing is complete

IoT Device Data

  • Device identifiers: Hardware IDs, firmware version, and device type for connected IoT devices
  • Network information: Wi-Fi connection data required for device communication
  • Audio input: Voice data captured by IoT devices is transmitted to our servers for processing and is not stored on the device
  • Device status: Connectivity status, session activity, and error logs

3. How We Use Your Information

  • Service provision: To operate, maintain, and improve the AI assistant platform across all channels (web, mobile, voice, IoT)
  • AI processing: To route your inputs to AI language models and return generated responses
  • Knowledge retrieval: To search your uploaded knowledge base documents and provide contextually relevant answers
  • Memory system: To maintain conversation context and remember user preferences across sessions (you can view and delete stored memories at any time)
  • Personalization: To customize your experience, including language, theme, and assistant behavior preferences
  • Security: To detect and prevent fraud, abuse, and security incidents
  • Communication: To send service updates, support responses, and important notifications
  • Analytics: To understand usage patterns and improve service quality
  • Legal compliance: To comply with applicable laws and regulations

4. AI-Specific Data Practices

Assistant Core uses third-party AI providers to process your requests. Here is how your data is handled in AI-related processing:

  • We do NOT use your conversations, inputs, or outputs to train, fine-tune, or improve any AI models. Your data is used solely to provide the service.
  • Your conversation inputs are sent to third-party AI providers (such as OpenAI, Anthropic, Google, xAI, and DeepSeek) for real-time processing. Each provider's own data policies apply to their processing of your data.
  • Our Memory System automatically extracts key facts from your conversations (such as preferences and context) to improve future responses. You can view, edit, and delete all stored memories through your account settings.
  • Knowledge Base documents you upload are chunked, embedded as vectors, and stored in our database for semantic search. These documents are only accessible within your assistant's scope.
  • Conversation logs are retained for 30 days after account deletion, after which they are permanently deleted.
  • AI-generated outputs may not be unique — other users asking similar questions may receive similar responses.

5. Third-Party Service Providers

We use the following categories of third-party service providers to operate our platform. Your data may be processed by these providers in accordance with their respective privacy policies:

  • AI Language Model Providers: OpenAI, Anthropic, Google (Gemini), xAI (Grok), DeepSeek, Xiaomi — for processing conversation inputs and generating responses
  • Speech & Voice Providers: OpenAI (Whisper), Google, Soniox, ElevenLabs, xAI — for speech-to-text, text-to-speech, and voice activity detection
  • Cloud Infrastructure: AWS (S3 storage), PostgreSQL database hosting, Redis caching — for data storage and service delivery
  • Authentication: Google OAuth, GitHub OAuth — for account sign-in
  • Monitoring: Langfuse — for AI interaction tracing and quality monitoring (anonymized)

6. Information Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following limited circumstances:

  • AI processing: With third-party AI providers as listed above, solely to process your requests and generate responses
  • Service providers: With trusted infrastructure and service providers who help us operate the platform, under strict data processing agreements
  • Legal requirements: When required by law, court order, or government request under Vietnamese law or applicable international law
  • Safety and security: To protect the rights, safety, and security of our users, the public, or our platform
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users
  • With your consent: When you explicitly agree to the sharing of your information

7. Data Security

  • TLS 1.3 encryption for all data in transit across HTTP, WebSocket, and MQTT connections
  • Encryption at rest for stored data using PostgreSQL and S3 server-side encryption
  • JWT-based authentication with access and refresh token rotation
  • Role-based access control (RBAC) with scoped permissions per assistant
  • Multi-tenant data isolation — each assistant's data is strictly separated at the database level
  • Rate limiting per user and per IP to prevent abuse
  • Regular security audits and vulnerability assessments
  • Incident response procedures for handling security breaches with user notification

8. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

  • Account data: Retained while your account is active. Deleted within 30 days after an account deletion request.
  • Conversation history: Retained while your account is active. Deleted within 30 days after account deletion.
  • Memory data: Retained while your account is active. You can delete individual memories at any time. All memories are deleted within 30 days after account deletion.
  • Knowledge base documents: Retained while your account is active. You can delete documents at any time. All documents are deleted within 30 days after account deletion.
  • Voice and audio data: Processed in real time and not stored permanently. Audio is discarded immediately after processing.
  • Server logs and analytics: Retained for up to 90 days for security and debugging purposes, then automatically deleted.
  • Payment records: Retained as required by applicable tax and financial regulations.

9. International Data Transfers

Our servers are located in various regions. Your data may be transferred to and processed in countries other than your country of residence, including the United States, where our AI providers operate. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for transfers from the EU/EEA, and compliance with applicable data protection laws. By using our Services, you consent to the transfer of your information to these countries.

10. Your Rights — GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete personal data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Request transfer of your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint: File a complaint with your local data protection supervisory authority

We process your personal data based on the following legal bases: (a) contract performance — to provide the Services you requested; (b) legitimate interests — to improve and secure our platform; (c) consent — for optional features such as the Memory System; (d) legal obligation — to comply with applicable laws.

11. Your Rights — CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA/CPRA):

  • Right to know: Request information about the categories and specific pieces of personal information we have collected
  • Right to delete: Request deletion of your personal information
  • Right to opt-out: We do not sell or share your personal information for cross-context behavioral advertising
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to correct: Request correction of inaccurate personal information

12. Children's Privacy

Our Services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child, please contact us immediately.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the updated policy on our website at least 30 days before the changes take effect, and by sending an email notification to the address associated with your account. Your continued use of our Services after the effective date of the updated policy constitutes acceptance of the changes.

15. Contact Information

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us at:
Email: assistantcore.com@gmail.com
Address: 162B Trường Chinh, Phường 12, Quận Tân Bình, TP. Hồ Chí Minh, Vietnam

For GDPR-related inquiries, you may also contact our Data Protection contact at the same email address.