Privacy Policy
Effective May 21, 2026
Legend OS is an executive operating system that acts on your behalf — sending emails, scheduling meetings, organizing relationships, and tracking commitments. Doing that job well requires access to your data. This policy explains what we collect, what we do with it, what we never do, and your rights.
The short version. We collect what we need to run your assistant. We don't sell data, we don't advertise, and we don't read your inbox — we only send. Your data is encrypted, isolated per tenant, and you can delete it on request.
1. Who we are
Legend OS Inc. (“Legend,” “we”) operates the Legend OS executive assistant platform at legendos.app. Privacy questions can be sent to privacy@legendos.app.
2. Data we collect
Account data
- Name, email address, and phone number (used for caller-ID authentication on the voice line)
- Passkey credentials (stored as public keys only — the private key never leaves your device)
- Recovery codes (hashed before storage)
- Your role within your tenant (executive, EA, admin)
Google account data (when you connect Gmail and Calendar)
When you connect Google, we request only two scopes:
- gmail.send — to send emails on your behalf. We do not request gmail.readonly or any other read scope. We cannot see your inbox.
- calendar.events — to read your calendar and create events.
OAuth tokens are encrypted at rest using AES-256-GCM with a master key held only on our infrastructure. You can disconnect Google at any time from your settings; that revokes our tokens and we lose all access.
Action data
- Emails Legend sends on your behalf (subject, body, recipient, timestamp)
- Calendar events Legend creates
- Chat messages between you and your assistant
- Tool calls Legend makes (lookup_contact, send_email, etc.)
- Trust-framework decisions: tier classifications, your approvals, rejections, edits, and reasons
Voice call data
- Inbound call transcripts (rendered by Deepgram)
- Call summaries
- Call duration, cost, and caller-ID metadata
Contact graph data
- Contacts you import or create within Legend (name, email, phone, role, tier, notes)
- Interaction history between you and those contacts
3. How we use your data
- To run your assistant. Sending the emails, booking the meetings, looking up the contacts — the literal job.
- To learn your preferences. When you edit a draft before sending, we capture the difference between what Legend proposed and what you actually sent. Over time, this teaches Legend your voice, tone, and judgment. This training data is used only to improve your tenant's assistant, never shared across tenants or sold.
- To prevent dropped balls. Open loops, follow-up tracking, and morning briefs are generated from your action history.
- To enforce the trust framework. Tier classification, reputation overrides, and approval gating use your contact graph and action history.
- To improve security. Audit logs track who did what within your tenant.
4. What we never do
- We do not sell your data to anyone.
- We do not show advertisements.
- We do not read your existing emails — we have no scope to.
- We do not train models on your data outside your own tenant.
- We do not share your data across tenants. Each tenant is fully isolated by row-level security at the database layer.
5. Third parties we share data with
Anthropic (Claude API)
Your chat messages and the system context for your assistant are processed by Anthropic's Claude API. We operate under Anthropic's Zero Data Retention (ZDR) agreement, which means Anthropic does not retain your inputs after the response is returned and does not train on them.
Vapi (voice infrastructure)
Inbound voice calls are routed through Vapi, which provides telephony and orchestration. Vapi processes the audio and transcript in transit. Call recordings and transcripts are retained in our database, not Vapi's.
Google (Gmail + Calendar APIs)
When you connect Google, the API calls we make on your behalf go directly to Google. Google's privacy practices govern the data they hold on you.
ElevenLabs + Deepgram (voice components)
Voice synthesis (your assistant's voice) is provided by ElevenLabs. Voice transcription is provided by Deepgram. Both process audio in transit; we retain the transcripts, not them.
Supabase (database hosting)
Your data is stored in a Supabase Postgres database hosted in AWS US-East-1. Supabase is our infrastructure provider; they do not access your data for any business purpose.
6. Where your data lives
- Region: United States (AWS US-East-1).
- Encryption at rest: storage-level encryption of the Postgres database, plus AES-256-GCM for OAuth tokens. Other sensitive fields use libsodium symmetric (authenticated) encryption.
- Encryption in transit: TLS 1.2+ for all API and web traffic.
- Tenant isolation: Postgres row-level security policies are enforced by the database itself, so one tenant's queries cannot return or modify another tenant's rows even if our application code omits a tenant filter. This is a stronger guarantee than application-level filtering alone; it applies to every database role that cannot bypass row-level security, which is how our application connects.
- Production data gate: Real customer data cannot flow through Claude until our ZDR contract is countersigned. Until then, only synthetic test tenants are active. Schema CHECK constraints + environment flags enforce this.
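As a concrete illustration of the row-level security approach described above (an added example, not Legend's schema or policy code): a contacts table keyed by tenant_id, a policy that limits every read and write to the tenant bound to the current transaction, and an application role that cannot bypass the policy. The table, its columns, the role name legend_app and the app.tenant_id setting are assumed names.

```sql
-- Added example (not Legend's schema): Postgres row-level security for per-tenant isolation.
-- Table, column, role and setting names are assumed for illustration.

CREATE TABLE contacts (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    name        text NOT NULL,
    email       text
);

-- Enable RLS, and FORCE it so the table owner is subject to the policies as well.
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- One policy covers SELECT, INSERT, UPDATE and DELETE: a row is visible (USING) or
-- writable (WITH CHECK) only when its tenant_id equals the tenant bound to the current
-- transaction. current_setting(..., true) returns NULL when the setting was never set;
-- NULLIF covers the case where a previous SET LOCAL left it as an empty string after
-- commit. Comparing against NULL is never true, so an unbound tenant context sees and
-- writes nothing instead of seeing everything.
CREATE POLICY tenant_isolation ON contacts
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a role that does not own the table and cannot bypass RLS.
-- A superuser, or any role created with BYPASSRLS, ignores these policies entirely.
CREATE ROLE legend_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO legend_app;
GRANT USAGE, SELECT ON SEQUENCE contacts_id_seq TO legend_app;

-- Per request, as legend_app: bind the tenant for exactly one transaction. SET LOCAL is
-- undone at COMMIT or ROLLBACK, so a pooled connection cannot carry a previous request's
-- tenant into the next one.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- Returns only rows whose tenant_id matches the bound tenant, with no WHERE clause needed.
SELECT id, name, email FROM contacts;

-- Accepted: tenant_id matches the bound tenant.
INSERT INTO contacts (tenant_id, name)
    VALUES ('11111111-1111-1111-1111-111111111111', 'alice');

-- Rejected by WITH CHECK with "new row violates row-level security policy", which aborts
-- the transaction. An application bug that passes the wrong tenant_id cannot write across
-- tenants.
INSERT INTO contacts (tenant_id, name)
    VALUES ('22222222-2222-2222-2222-222222222222', 'mallory');
COMMIT;
```

Two things the policy alone does not give you: the isolation holds only for connections that run as a non-bypassing role such as legend_app (a superuser or a role with BYPASSRLS sees every row), and it depends on the application binding the correct tenant before each request's queries, so the code path that sets app.tenant_id is itself security-critical. Supabase projects commonly derive the tenant from the authenticated user's JWT (for example via auth.uid()) rather than from a session setting; the policy shape is the same.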
7. Data retention
- Action history + decision logs: retained for the life of your account so Legend can learn your preferences. You can request deletion at any time.
- Chat history: retained for the life of your account, scoped to your thread.
- Voice call transcripts: retained for the life of your account.
- OAuth tokens: retained until you disconnect Google or delete your account.
- Audit logs: retained for 24 months for security and compliance.
8. Your rights
- Access: You can request a copy of all data we hold on you.
- Deletion: You can request deletion of your account and all associated data. Some audit-log entries may be retained for compliance purposes, scrubbed of personally identifying information.
- Export: You can request your data in a portable format (JSON / CSV).
- Disconnect Google: You can revoke our Google access from your Legend settings or directly from your Google Account security page.
- Correction: You can update any contact data, settings, or account information at any time.
To exercise any of these rights, email privacy@legendos.app. We respond within 30 days.
9. Security incidents
In the event of a breach affecting your personal data, we will notify affected users within 72 hours of discovery, along with the scope of the incident and the steps we are taking to address it.
10. Children's data
Legend OS is not designed for or directed at children. We do not knowingly collect data from anyone under 16. If we learn we have collected data from a child, we will delete it.
11. Changes to this policy
We will post any updates to this policy at this URL with a revised effective date. Material changes will be communicated to active users by email at least 14 days before they take effect.
12. Contact
Questions, deletion requests, or concerns: privacy@legendos.app.
Legend OS Inc.
Lithonia, Georgia, USA