Privacy Policy
Introduction
Little Helpers LLC ("Company," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Little Helpers services, including Droid and Little Helpers (collectively, the "Services").
This policy applies to information we collect through our websites, applications, APIs, and related services. Please read this policy carefully. By using our Services, you consent to the practices described herein.
If you do not agree with this policy, please do not use our Services.
1. Information We Collect
1.1 Information You Provide
Account Information:
- Email address
- Name (optional)
- Organization name (for Team/Organization plans)
Authentication is handled through third-party OAuth providers (Google, Discord, Telegram). We do not store passwords.
Payment Information:
- Billing address
- Payment method details (processed and stored by Stripe; we do not store full card numbers)
API Keys (BYOK):
- Third-party API credentials you provide (e.g., Anthropic API keys)
- Stored encrypted; used solely to authenticate requests on your behalf
Content:
- Messages and prompts you send to your agents
- Files and code you upload or create
- Conversation history and session data
- Configuration files
Communications:
- Support requests and correspondence
- Feedback and survey responses
1.2 Information Collected Automatically
Usage Data:
- Features used and actions taken
- Session duration and frequency
- API calls and token usage
- Error logs and performance data
Device and Connection Information:
- IP address
- Browser type and version
- Operating system
- Referring URLs
Cookies and Similar Technologies:
- Session cookies (for authentication)
- Preference cookies (for settings)
- Analytics cookies (with consent where required)
See our Cookie Policy section for details.
1.3 Information from Third Parties
Platform Connections (Messaging):
- When you connect messaging platforms (Discord, Telegram, Slack), we receive your platform user ID and username
- Message content sent through these platforms to your agents
Third-Party Service Connections (Google, Microsoft, GitHub, etc.):
- When you connect external services to your agent (e.g., Gmail, Google Calendar, Google Drive, Microsoft Outlook, GitHub), the OAuth tokens and data retrieved through those services are stored exclusively on your dedicated virtual machine ("sprite"). These tokens and data never pass through our central servers.
- We receive no access to your email, calendar events, files, or other data from connected services
- See Section 8.4 — Connected Services for full details
Payment Processor:
- Transaction status and history from Stripe
- We do not receive or store full payment card numbers
2. How We Use Your Information
2.1 Providing the Services
- Creating and managing your Account
- Provisioning and operating your agents
- Processing messages and executing tasks
- Storing your Content and conversation history
- Processing payments and managing subscriptions
2.2 Improving the Services
- Analyzing usage patterns to improve features
- Debugging and fixing issues
- Developing new features and services
- Conducting research and analytics (using aggregated, anonymized data)
2.3 Communications
- Sending transactional emails (confirmations, receipts, security alerts)
- Providing customer support
- Sending product updates and announcements (with opt-out option)
- Marketing communications (with explicit consent)
2.4 Security and Compliance
- Detecting and preventing fraud, abuse, and security threats
- Enforcing our Terms of Service and Acceptable Use Policy
- Complying with legal obligations
- Responding to legal requests and protecting our rights
2.5 What We Do NOT Do
- We do not sell your personal data
- We do not use your Content to train AI models
- We do not share your Content with other users
- We do not serve targeted advertising based on your Content
3. How We Share Your Information
We share your information only in the following circumstances:
3.1 Service Providers
We use third-party vendors to help operate our Services:
| Provider | Purpose | Data Shared |
|---|---|---|
| Fly.io | Infrastructure hosting | Content, usage data |
| Stripe | Payment processing | Billing information |
| Anthropic | AI model provider | Messages/prompts (sent to generate AI responses) |
| Email Provider | Transactional email | Email address, name |
| Analytics | Usage analytics | Anonymized usage data |
Service providers are contractually bound to protect your data and use it only for specified purposes.
3.2 Platform Integrations
When you connect messaging platforms:
- Discord: Messages to/from your agent flow through Discord's servers
- Telegram: Messages to/from your agent flow through Telegram's servers
- Slack: Messages to/from your agent flow through Slack's servers
These platforms have their own privacy policies governing their handling of your data.
3.3 Connected Services (Google, Microsoft, GitHub, etc.)
When you connect external services to your agent, the connection uses the OAuth 2.0 Device Authorization Grant (RFC 8628). This means:
- We do not proxy, relay, or store your service tokens. Tokens travel directly from the service provider (e.g., Google) to your dedicated virtual machine.
- We do not have access to data retrieved through connected services. Your email, calendar events, files, and other service data are accessed only by your agent running on your dedicated infrastructure.
- We provide only the OAuth application registration (a public client ID) that enables your device to request authorization from the service provider.
This architecture means we are not a data processor for your connected service data. Your tokens and data remain under your control on your dedicated infrastructure.
3.4 Legal Requirements
We may disclose information if required to:
- Comply with applicable law, regulation, or legal process
- Respond to lawful requests from public authorities
- Protect the rights, property, or safety of the Company, our users, or others
- Enforce our Terms of Service
3.5 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal data.
3.6 With Your Consent
We may share your information for other purposes with your explicit consent.
4. Data Retention
4.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Content (messages, files) | Duration of account + 30 days after deletion |
| Conversation history | Duration of account + 30 days after deletion |
| API keys | Until you remove them or account deletion |
| Usage logs | 90 days |
| Payment records | 7 years (legal requirement) |
| Support communications | 3 years |
4.2 Backup Retention
Encrypted backups may persist for up to 90 days after deletion for disaster recovery purposes.
4.3 Anonymized Data
We may retain anonymized, aggregated data indefinitely for analytics and service improvement. This data cannot be used to identify you.
4.4 Deletion Requests
You may request deletion of your data at any time. See Your Privacy Rights.
5. Data Security
5.1 Security Measures
Encryption:
- Data in transit: TLS 1.2+ for all connections
- Data at rest: AES-256 encryption for stored data
- API keys: Encrypted using industry-standard methods
Infrastructure:
- Dedicated virtual machines (Firecracker) for each customer
- Network isolation between customer environments
- Regular security updates and patching
Access Controls:
- Role-based access for employees
- Multi-factor authentication required for administrative access
- Audit logging of administrative actions
Monitoring:
- Automated threat detection
- Security incident response procedures
- Regular security assessments
5.2 Your Security Responsibilities
- Keeping your API keys confidential
- Reporting suspected security incidents promptly
- Using secure networks when accessing the Services
5.3 Incident Response
In the event of a data breach affecting your personal data, we will:
- Notify affected users within 72 hours of discovery
- Notify relevant supervisory authorities as required by law
- Take immediate steps to contain and remediate the breach
- Provide information about the nature of the breach and recommended protective actions
6. Your Privacy Rights
6.1 Rights for All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Data Portability: Export your Content in a machine-readable format
- Opt-Out: Unsubscribe from marketing communications
6.2 European Economic Area (EEA) Rights — GDPR
Legal Basis:
- Contract performance (providing the Services)
- Legitimate interests (security, fraud prevention, service improvement)
- Consent (marketing communications)
- Legal obligations (tax, compliance)
Additional Rights:
- Right to restrict processing
- Right to object to processing based on legitimate interests
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
Data Protection Officer: dpo@mylittlehelpers.ai
6.3 California Rights — CCPA/CPRA
- Right to Know: Categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out of Sale: We do not sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
6.4 Exercising Your Rights
To exercise your rights, contact us at privacy@mylittlehelpers.ai with "Privacy Request" in the subject line. We will respond within 30 days (or sooner if required by law).
7. International Data Transfers
Our Services are hosted on infrastructure provided by Fly.io, with servers located in various regions. Your data may be processed in the United States and other countries.
When we transfer data outside your jurisdiction, we use appropriate safeguards including Standard Contractual Clauses (SCCs), Data Processing Agreements, and encryption in transit and at rest.
8. Third-Party Services and Connected Services
8.1 AI Providers
Your prompts and messages are sent to third-party AI providers (e.g., Anthropic) to generate AI responses. For the Droid product, this uses your own API key (BYOK). For Little Helpers, this uses our API access on your behalf (metered usage).
8.2 Messaging Platforms
- Discord: discord.com/privacy
- Telegram: telegram.org/privacy
- Slack: slack.com/privacy-policy
8.3 Payment Processing
Payments are processed by Stripe. We do not store full payment card numbers. See: Stripe Privacy Policy
8.4 Connected Services (Google, Microsoft, GitHub, etc.)
You may connect external services to your agent so it can act on your behalf (e.g., read email, manage calendar events, access files).
Services you can connect:
| Service | Data Accessed | Why |
|---|---|---|
| Google Gmail | Email messages (read-only) and sending on your behalf | So your agent can summarize emails, draft replies, and send messages you approve |
| Google Calendar | Calendar events (read and write) | So your agent can check your schedule, create events, and send reminders |
| Google Drive | Files (read and write to agent-created files only) | So your agent can reference your documents and create reports |
| Microsoft Outlook | Email messages (read-only) | So your agent can summarize emails and draft replies |
| Microsoft Calendar | Calendar events (read and write) | So your agent can manage your schedule |
| Microsoft OneDrive | Files (read-only) | So your agent can reference your documents |
| GitHub | Repositories and notifications | So your agent can monitor repos and manage issues |
How connection works:
Your agent uses the OAuth 2.0 Device Authorization Grant (RFC 8628). When you say "connect my Gmail," your agent presents a short code and a URL. You open the URL on any device, enter the code, and approve access on the service provider's consent screen. The service provider sends an OAuth token directly to your dedicated virtual machine.
Where your tokens and data are stored:
- OAuth access tokens and refresh tokens are stored encrypted on your dedicated virtual machine (using AES-256-GCM encryption)
- Data retrieved through connected services is accessed by your agent on your dedicated virtual machine
- Tokens and retrieved data never pass through our central servers. We have no ability to read your email, view your calendar, or access your files.
How to disconnect a service:
- Tell your agent "disconnect Gmail" (or any connected service)
- Revoke access in your service provider's account settings (e.g., Google Account → Security → Third-party apps)
- Delete your account, which destroys your virtual machine and all stored tokens
Token refresh:
Your agent automatically refreshes expiring tokens so you don't need to re-authorize. If a refresh token is revoked (e.g., you changed your Google password), your agent will ask you to re-connect.
9. Children's Privacy
Our Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will delete that information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and notify you via email or prominent notice at least 30 days before changes take effect.
11. Contact Us
Little Helpers LLC
- Privacy Inquiries: privacy@mylittlehelpers.ai
- General Support: support@mylittlehelpers.ai
- Security Issues: security@mylittlehelpers.ai
- Mailing Address: 629 Maple Valley Dr, Unit #1250, Farmington, MO 63640
12. Additional Disclosures
Cookie Policy
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security | Session |
| Functional | Preferences, settings | 1 year |
| Analytics | Usage statistics (anonymized) | 1 year |
You can disable cookies in your browser settings. Disabling essential cookies may prevent you from using the Services.
Do Not Track
We do not currently respond to "Do Not Track" browser signals, as there is no consistent industry standard for compliance.
Nevada Residents
We do not sell covered information as defined under Nevada law.
Data Processing Agreement
Business customers requiring a Data Processing Agreement (DPA) for GDPR compliance can request one at legal@mylittlehelpers.ai.