L1 ─ LEGAL · PRIVACY

Privacy Policy.

Effective May 10, 2026 Updated May 28, 2026 Version 1.0

1. Introduction

ChronaPilot ("ChronaPilot," "we," "us," or "our") operates the ChronaPilot voice-first calendar artificial intelligence service, including the Chrona AI assistant, accessed through our website at https://www.chronapilot.com, our mobile applications, desktop applications, watch applications, and related services (collectively, the "Service").

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our Service. We are committed to protecting your privacy and handling your data with transparency, integrity, and care.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

This Privacy Policy is designed to comply with applicable data protection laws including the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, the General Data Protection Regulation (GDPR) of the European Union and United Kingdom, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable global privacy regulations.

2. Scope of This Policy

This Privacy Policy applies to all users of the Service worldwide, including individuals using the free tier, Pilot subscribers, Studio team subscribers, and visitors to our website. It covers personal information collected through:

  • Our website at https://www.chronapilot.com
  • Our iOS, Android, macOS, Windows, and watchOS applications
  • Voice interactions with our Chrona AI assistant
  • Connected third-party calendar and productivity services
  • Customer support, sales, and marketing communications
  • Any other interaction you have with ChronaPilot

3. Information We Collect

We collect information that you provide directly, information generated through your use of the Service, and information from authorized third parties. We collect only what we need to deliver, secure, and improve the Service.

3.1 Information You Provide Directly

Account Information

  • Full name and display name
  • Email address
  • Phone number (optional, for SMS-based features)
  • Password (stored only in hashed form using industry-standard cryptographic functions)
  • Profile photograph (optional)
  • Time zone and language preferences
  • Working hours and availability preferences

Payment Information

Payment information for Pilot and Studio subscriptions is processed by our PCI DSS Level 1-compliant payment processors. We do not store full payment card numbers on our systems. We retain only the last four digits of your card, the card brand, expiration date, billing postal code, and a tokenized payment reference for subscription management and fraud prevention.

Communications and Support

  • Email correspondence with our support, sales, or operations teams
  • Survey responses, feedback, and beta program submissions
  • Information shared in chat or community channels

3.2 Voice and AI Interaction Data

Because Chrona AI is a voice-first assistant, voice data is central to the Service. We treat voice data with heightened care.

On-Device Speech Processing. By default, speech-to-text conversion happens on your device. Raw audio recordings are not transmitted to our servers when on-device processing is available on your platform. Only the resulting text transcript and the structured intent (for example, "move Maya to 3 PM") are transmitted to ChronaPilot for processing.

Wake Phrase and Activation. Chrona AI listens for the wake phrase you configure or activates only when you tap the orb interface. Audio captured before activation is processed locally, in a rolling buffer on your device, and is never transmitted to our servers. You can change or disable the wake phrase at any time in Settings > Privacy & Voice.

Cloud-Based Voice Processing (Optional). When on-device processing is unavailable (for example, on certain older devices or for specific advanced features), and only when you have explicitly opted in, we may transmit short audio clips to our cloud infrastructure for transcription. These audio clips are:

  • Encrypted in transit using TLS 1.3
  • Processed in our Canada Central data region on Microsoft Azure
  • Deleted within twenty-four (24) hours of processing unless you explicitly save them
  • Never used to train general AI models

Voice Transcripts and Intents. To provide continuity in conversation (so Chrona AI remembers what you discussed earlier in the day), we retain text transcripts and structured intents associated with your account. You can review, export, or delete these at any time from Settings > Privacy & Voice > Conversation History.

3.3 Calendar and Productivity Data

When you connect a calendar or productivity service (Google Calendar, Apple iCloud, Microsoft Outlook, Microsoft 365, Notion Calendar, Slack, Linear, or others we add over time), we access only the scopes you authorize. Depending on the service, this may include:

  • Event titles, descriptions, dates, times, durations, and time zones
  • Attendee names and email addresses
  • Event locations (physical and virtual conferencing links)
  • Recurrence patterns and reminders
  • Free/busy availability
  • Working hours and out-of-office settings
  • Limited task and project metadata from connected productivity tools

We access only the calendars you explicitly connect. You can revoke access to any connected service at any time, both from within the Service and from the third-party provider's settings.

3.4 Device, Location, and Usage Information

Device Information

  • Device model, operating system, and version
  • Application version and build number
  • Device identifiers (such as advertising identifiers, where permitted, and internal install IDs)
  • Network connection type (Wi-Fi, cellular, etc.)
  • Browser type and version (for web access)
  • Screen resolution and language settings

Location Information. Chrona AI uses location data to power leave-now alerts, transit-aware routing, and weather-aware suggestions. With your permission:

  • We may access your approximate or precise location while the app is in use
  • We may use background location for leave-now alerts (you can disable this at any time)
  • We may use significant location changes to estimate transit time

Location data is processed transiently to compute alerts and is not retained as a long-term location history unless you explicitly enable Travel Insights.

Usage Information

  • Features used and frequency of use
  • Interaction events (taps, voice commands issued, suggestions accepted or dismissed)
  • Performance metrics (app launch time, response latency, crash logs)
  • Error reports and diagnostic data

3.5 Information from Third Parties

  • Authentication providers (Apple, Google, Microsoft) when you sign in through Single Sign-On
  • Payment processors confirming subscription status
  • Identity verification services (for Studio team administrators using SCIM provisioning)
  • Analytics and crash-reporting providers operating under our instructions

4. How We Use Your Information

We use your information for the following purposes, each grounded in a lawful basis under applicable privacy law:

4.1 To Provide and Operate the Service

  • Authenticate your account and maintain your session
  • Synchronize and display your connected calendars in a unified timeline
  • Process voice commands and execute calendar operations on your behalf
  • Generate morning briefs, leave-now alerts, focus sessions, and weekly insights
  • Compute travel time, transit options, and weather-aware recommendations
  • Deliver notifications across your devices

4.2 To Improve the Service

  • Diagnose and resolve technical issues, crashes, and errors
  • Measure feature performance and reliability
  • Conduct product research, A/B testing, and usability studies (using only data you have agreed to share)
  • Develop new features and refine existing ones

4.3 AI Model Use — Important Statement

We do not use your calendar content, voice transcripts, contacts, or personal communications to train general-purpose foundation AI models. Your day is yours.

Anonymized usage telemetry (such as which features are used and aggregate latency) is used to improve the Service only when you have explicitly opted in. You can disable usage telemetry at any time in Settings > Privacy & Voice.

When Chrona AI uses third-party large language model providers to process intents, we operate under enterprise data-processing agreements that prohibit those providers from training their models on your data.

4.4 To Communicate With You

  • Respond to support requests, bug reports, and inquiries
  • Send transactional messages (subscription renewals, security alerts, important updates)
  • Send product announcements and marketing communications (only with your consent where required, and you may unsubscribe at any time)

4.5 To Maintain Security and Prevent Fraud

  • Detect, investigate, and prevent unauthorized access, abuse, and fraud
  • Enforce our Terms of Use and other policies
  • Protect the rights, property, and safety of ChronaPilot, our users, and others

4.6 To Comply With Legal Obligations

  • Comply with applicable laws, regulations, court orders, and lawful requests
  • Respond to claims, disputes, and legal processes
  • Maintain records required by tax, accounting, and corporate law

5. Legal Bases for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar law, we process your personal data on the following legal bases:

  • Contract: To deliver the Service you have signed up for, including processing voice commands, syncing calendars, and managing your subscription.
  • Legitimate Interests: To secure our infrastructure, prevent fraud, debug crashes, and improve the Service — balanced against your rights and freedoms.
  • Consent: For voluntary cloud-based voice processing, marketing communications, optional usage telemetry, and certain optional integrations.
  • Legal Obligation: To comply with applicable laws and respond to lawful regulatory or judicial requests.

6. Where Your Data Is Stored — Canada Central on Microsoft Azure

ChronaPilot is hosted on Microsoft Azure in the Canada Central region (Toronto, Ontario). We have selected this region intentionally to provide our users with strong data residency, regulatory clarity, and enterprise-grade infrastructure security.

6.1 Primary Data Region

All primary application databases, voice transcripts, calendar caches, and account information are stored at rest in Canada Central. Our redundant secondary region for disaster recovery is Canada East (Quebec City, Quebec), keeping your data within Canadian borders by default.

6.2 Microsoft Azure Security Posture

Microsoft Azure maintains a comprehensive set of security certifications and compliance attestations including, but not limited to:

  • ISO/IEC 27001, 27017, 27018, and 27701
  • SOC 1, SOC 2, and SOC 3 (Type II)
  • PCI DSS Level 1
  • HIPAA Business Associate Addendum capability
  • CSA STAR Certification
  • Canadian federal government cloud profile (Protected B-eligible)

6.3 Encryption

  • Data at rest: AES-256 encryption with Microsoft-managed and customer-managed key options
  • Data in transit: TLS 1.3 for all client-to-server and server-to-server communication
  • Voice transcripts: Encrypted at rest with per-tenant cryptographic isolation
  • Backups: Encrypted, geographically redundant within Canada

6.4 International Transfers

Some narrowly scoped processing may occur outside Canada — for example, push notification delivery via Apple and Google services, payment processing, or email delivery. When personal data is transferred outside Canada, we rely on appropriate safeguards such as Standard Contractual Clauses, the EU-U.S. Data Privacy Framework, or equivalent mechanisms recognized under applicable law.

7. How We Share Information

We do not sell your personal information. We do not rent your data. We share information only in the limited circumstances described below.

7.1 Service Providers and Sub-Processors

We engage carefully vetted service providers that process data on our behalf under written agreements requiring them to protect your information. Categories include:

  • Cloud infrastructure (Microsoft Azure — Canada Central / Canada East)
  • Speech-to-text and text-to-speech providers, where on-device processing is unavailable
  • Large language model providers under enterprise no-training agreements (see Section 7.1.1 below for our named LLM sub-processor)
  • Push notification delivery (Apple Push Notification service, Firebase Cloud Messaging)
  • Payment processing (Stripe and the Apple App Store / Google Play billing systems)
  • Customer support tools
  • Analytics and crash reporting (operating in privacy-preserving mode)
  • Email delivery for transactional and authenticated marketing messages

A current list of our sub-processors is available on request and is kept up to date in our Data Processing Addendum (DPA).

7.1.1 Microsoft Azure OpenAI Service

To deliver Chrona AI's voice-driven scheduling, we route portions of your interaction to Microsoft Azure OpenAI Service (Microsoft Corporation) operating under enterprise data-processing terms. This is our primary named third-party processor for large-language-model operations and the details are disclosed below for full transparency:

  • Processor: Microsoft Azure OpenAI Service, provided by Microsoft Corporation under a Microsoft Customer Agreement and the Azure OpenAI enterprise data-processing terms.
  • Region: US East — Azure regional deployment in the United States.
  • Data processed: the voice audio you record during a Chrona AI session, the resulting speech transcript, and the calendar context referenced to interpret your request (specifically, the titles and times of the events Chrona AI needs to read in order to answer you).
  • Purpose: interpreting your spoken commands and generating spoken or written responses that ChronaPilot then turns into actions on your calendar.
  • Retention: transient. Your audio, transcript, and calendar context are processed only during your active session. Microsoft does not retain this data after the request completes, and does not use it to train, improve, or fine-tune any AI model — ours or anyone else's.
  • Confidentiality: Microsoft is contractually prohibited from using your data for any purpose other than providing the Azure OpenAI service to ChronaPilot.

7.2 Studio Team Plans

If you use ChronaPilot under a Studio team plan, your team administrator may have access to:

  • Account creation and removal
  • Subscription billing and seat management
  • Audit logs of administrative actions
  • Aggregate, non-content usage statistics

Team administrators do not have access to the content of your voice conversations, your private calendar events that you have not shared with the team, or your personal calendar connections.

7.3 Legal Requirements

We may disclose information when we have a good-faith belief that disclosure is required by law, including in response to a valid subpoena, court order, government investigation, or other legal process. Where lawful and appropriate, we will notify affected users of such requests.

7.4 Corporate Transactions

If ChronaPilot is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or material change in how your information is handled.

7.5 With Your Consent

We may share your information for any other purpose when you have given us your specific consent.

8. Data Retention

We retain personal information only as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.

  • Account information: Retained while your account is active and for up to thirty (30) days after deletion to support recovery and prevent fraud.
  • Voice transcripts and conversation history: Retained until you delete them or close your account, then permanently removed within thirty (30) days.
  • Cloud-based audio clips (when used): Deleted within twenty-four (24) hours of processing.
  • Connected calendar data: Cached only as needed for the Service to function; removed within seventy-two (72) hours of disconnection.
  • Billing and tax records: Retained for the period required by applicable tax and accounting law (typically seven years in Canada).
  • Backups: Encrypted backups are retained on a rolling thirty-five (35) day cycle and overwritten in the ordinary course.

9. Your Privacy Rights

You have meaningful rights over your personal information. Depending on where you live, you may exercise the following:

9.1 Universal Rights

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Deletion: Request that we delete your personal information, subject to legal retention requirements.
  • Portability: Export your calendar data in iCalendar (.ics) format and your account data in a structured, machine-readable format at any time.
  • Withdraw Consent: Withdraw your consent for processing that relies on consent.
  • Object or Restrict: Object to or restrict certain processing, including direct marketing.
  • Complaint: Lodge a complaint with a supervisory authority such as the Office of the Privacy Commissioner of Canada, your provincial commissioner, the UK ICO, or your local EU Data Protection Authority.

9.2 California Residents (CCPA / CPRA)

California residents have additional rights to know, delete, correct, limit the use of sensitive personal information, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law. We do not knowingly collect personal information from minors under sixteen (16) without legally required consent.

9.3 How to Exercise Your Rights

Most rights can be exercised directly within the app under Settings > Privacy & Voice and Settings > Account. You may also contact us at privacy@chronapilot.com. We will respond within thirty (30) days, or sooner where required by law. We may need to verify your identity before fulfilling your request.

10. Security

We take security seriously and apply layered, defense-in-depth controls to protect your information.

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Cryptographic isolation of customer data
  • Multi-factor authentication for all internal access
  • Role-based access control with least-privilege defaults
  • Comprehensive audit logging of administrative actions
  • Continuous vulnerability scanning and regular third-party penetration testing
  • Independent security assessments and SOC 2 Type II controls in progress
  • A documented incident response and breach notification program

In the event of a data breach affecting your personal information, we will notify you and the relevant supervisory authorities without undue delay and in compliance with applicable law (including PIPEDA's mandatory breach notification requirements and GDPR Article 33 / 34).

Despite our safeguards, no method of transmission or storage is one hundred percent secure. We cannot guarantee absolute security, but we work continuously to reduce risk and respond effectively when issues arise.

11. Children's Privacy

ChronaPilot is not directed at children under the age of thirteen (13), or under sixteen (16) where required by local law. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@chronapilot.com and we will promptly delete it.

12. Cookies and Similar Technologies

Our website uses a minimal set of cookies and similar technologies, categorized as follows:

  • Strictly Necessary: Required for authentication, session management, and security. Cannot be disabled.
  • Functional: Remember preferences such as language and time zone.
  • Analytics: Help us understand how visitors interact with the website. Loaded only with your consent where required by law.

Our mobile and desktop applications do not use third-party advertising trackers. You can manage cookie preferences from our website cookie banner or your browser settings.

13. Third-Party Services and Links

The Service integrates with third-party providers that you choose to connect (such as Google Calendar, Apple iCloud, Microsoft Outlook, and Notion). Your use of those services is governed by their own privacy policies and terms. We encourage you to review them. We are not responsible for the privacy practices of third parties.

14. Automated Decision-Making

Chrona AI offers suggestions — not commands. While we use machine learning and large language models to generate recommendations (such as proposed reschedules, focus blocks, and leave-now alerts), these are presented for your review and approval. We do not engage in solely automated decision-making that produces legal or similarly significant effects on you without human involvement.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect product changes, legal developments, or operational improvements. When we make material changes, we will notify you in advance through the Service, by email, or by another reasonable means. The "Last Updated" date at the top of this policy reflects the most recent revision. We encourage you to review the Privacy Policy periodically.

16. Contact Us

If you have questions, concerns, or requests about this Privacy Policy or our data practices, please contact us:

ChronaPilot
Email: privacy@chronapilot.com
Mailing Address: 550 Burrard St, Suite 2900, Vancouver, BC V6C 0B3, Canada

For users in the European Economic Area or United Kingdom, our representative under GDPR / UK GDPR may be contacted at the same email addresses above.

If you are not satisfied with our response, you may contact your local data protection authority. In Canada: the Office of the Privacy Commissioner of Canada (priv.gc.ca).

ChronaPilot · Talk to your week.
© 2026 ChronaPilot. All rights reserved.