Privacy Policy

1. Introduction

Welcome to Caleo, a productivity and scheduling assistant developed and operated by Shadow Solutions LLC, an Illinois limited liability company ("Shadow Solutions," "we," "our," or "us").

This Privacy Policy describes how we collect, use, disclose, and safeguard personal information in connection with your use of Caleo ("the App") across Microsoft Teams, Microsoft 365, and other integrated platforms.

By installing or using Caleo, you acknowledge that you have read and understood this Privacy Policy and consent to our handling of your information as described below.

If you do not agree, you must uninstall or cease using the App.

2. Scope of This Policy

This Privacy Policy applies to:

• The Caleo Microsoft Teams app and related web services.
• The backend services hosted via Supabase and Azure that process user data.
• Any communication channels (such as support or email) through which users contact us.

This policy does not apply to third-party services that you independently connect to or use through Caleo, including Microsoft 365 or other software governed by their own privacy statements.

3. Information We Collect

We collect only the data necessary to operate Caleo securely and effectively.

3.1. Information Provided by Users

Account and Authentication Information:

When you sign in through Microsoft Teams or Microsoft 365, we collect your Microsoft account identifiers (user ID, display name, email, and tenant ID). Authentication occurs via Microsoft OAuth 2.0, and Caleo never receives your password.

Calendar and Scheduling Data:

When you request scheduling actions, we access data from the Microsoft Graph API such as event titles, start and end times, attendee lists, and optional descriptions.

Support or Contact Information:

When you email or contact us for support, we may collect your name, email address, and details of your inquiry.

3.2. Information Collected Automatically

Usage Logs:

Caleo automatically records basic usage metrics, including API request timestamps, feature usage counts, and response times.

System and Device Information:

We collect anonymized metadata (browser type, platform version, Teams organization ID) for performance optimization and debugging.

Diagnostic and Error Data:

When errors occur, anonymized stack traces and error logs are captured for troubleshooting.

3.3. Data From Third Parties

When authorized by you, we receive data from:

• Microsoft Graph API, used to access your calendar and Teams environment.
• OpenAI API, used for natural language processing and command interpretation.
• Supabase, used as a backend platform for secure data storage and role-based access.

4. How We Use Information

We process data solely to operate and improve Caleo. Specifically, we use your data to:

• Authenticate your Microsoft account and maintain secure sessions.
• Execute scheduling commands (e.g., "create a meeting," "list calendar events").
• Provide AI-powered assistance using OpenAI's models.
• Diagnose service interruptions, bugs, or integration failures.
• Communicate with you regarding updates, incidents, or security notifications.
• Comply with applicable laws, regulatory obligations, or enforcement requests.

We do not sell, rent, or trade your personal information for advertising or marketing purposes.

5. Lawful Basis for Processing (GDPR Compliance)

For users located in the European Economic Area (EEA) or United Kingdom, our legal bases for processing include:

• Performance of Contract: To deliver the Caleo service you requested.
• Legitimate Interests: To maintain system integrity, improve functionality, and ensure security.
• Legal Obligations: To comply with law enforcement or regulatory requirements.
• Consent: When you explicitly grant Caleo permission to access your Microsoft Graph data or contact you.

6. Data Storage and Security

All user data (including refresh and access tokens) is securely stored in Supabase, hosted in U.S. East (us-east-1).

We employ the following safeguards:

• Encryption: TLS 1.3 encryption for data in transit and AES-256 encryption at rest.
• Access Controls: Strict role-based access control (RLS) enforced via Supabase policies.
• Token Handling: Tokens are encrypted before storage and automatically invalidated when revoked or expired.
• Separation of Environments: Development, staging, and production environments are logically separated.

No Caleo engineer or third party has direct access to decrypted user tokens or personal calendar data.

7. Data Retention

We retain user data only for as long as necessary to provide the service:

• Tokens and user records are stored while your Caleo account remains active.
• When you uninstall or disconnect the app, all tokens and related records are deleted within 7 days.
• Diagnostic logs are retained for up to 30 days for operational purposes, after which they are automatically purged.

8. Data Sharing and Disclosure

We disclose information only under limited circumstances:

To Service Providers:

We share information with trusted vendors who perform essential functions, including:

• Supabase Inc. – data storage and access control
• OpenAI LLC – AI response generation
• Microsoft Corporation – authentication and calendar access

To Comply with Law:

We may disclose information if required to do so by law or in response to valid legal requests.

Business Transfers:

In the event of a merger, acquisition, or reorganization, data may be transferred under confidentiality obligations.

9. International Data Transfers

Caleo operates from the United States. If you access the service from outside the U.S., you consent to the transfer of your data to U.S.-based servers where privacy laws may differ.

We ensure all third-party vendors provide adequate protection consistent with applicable data protection laws.

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access and Portability: Request copies of your data.
• Correction: Request updates to inaccurate or incomplete data.
• Deletion: Request deletion of your stored data.
• Restriction: Request limits on how your data is processed.
• Withdrawal of Consent: Revoke Microsoft Graph or Teams permissions at any time.

Requests can be made by emailing rushi@shadowsolutions.tech.

11. Children's Privacy

Caleo is not directed to, and does not knowingly collect data from, individuals under the age of 16.

If we learn that we have inadvertently collected personal information from a child, we will delete it promptly.

12. Third-Party Services and Links

Caleo may contain links or integrations with third-party services (e.g., Microsoft Teams, OpenAI).

We are not responsible for the privacy practices or content of those external entities. Please review their policies individually.

13. Data Breach Procedures

In the unlikely event of a data breach:

• We will identify and isolate affected systems.
• We will notify impacted users and relevant authorities within 72 hours, consistent with GDPR Article 33.
• We will document remediation measures and update internal security controls.

14. Changes to This Policy

We may revise this Privacy Policy periodically to reflect new legal, technical, or business developments.

When updated, the new version will be posted at https://caleoai.com/privacy with a revised "Last Updated" date.

Continued use of Caleo constitutes acceptance of the updated policy.

15. Contact Us

If you have questions or concerns regarding this Privacy Policy, contact: