Privacy Policy
Last updated: December 27, 2024
1. Introduction
Outermind Inc. ("Outermind," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use Outermind and our related services.
2. Information We Collect
We collect information in the following ways:
- Account Information: Email address, name, and organization details when you sign up.
- Microsoft 365 Data: With your permission, we access emails, calendar events, contacts, and organizational directory data through the Microsoft Graph API to provide our services.
- Usage Data: How you interact with Outermind, including agent configurations, tool usage, and activity logs.
- Technical Data: Browser type, IP address, and device information for security and analytics.
- Third-Party Integration Data: When you connect external services (GitHub, LinkedIn, databases, APIs), we process data necessary to execute those integrations.
3. How We Use Your Information
We use your information to:
- Provide and improve Outermind services
- Process AI agent requests and generate responses
- Send important service notifications
- Ensure security and prevent fraud
- Comply with legal obligations
4. BYOK and Your AI Data
Outermind uses a Bring Your Own Key (BYOK) model. When you provide your own LLM API key (OpenAI, Claude, Gemini, etc.), your data is processed directly by your chosen AI provider under their terms. We do not store or have access to the content of AI-generated responses beyond what is necessary to display them to you and log agent activities for audit purposes.
5. Email Indexing and Knowledge Base
Outermind offers optional email indexing to build a searchable knowledge base from your organization's emails. This feature requires consent as follows:
- Shared Mailboxes: Tenant administrator consent is sufficient to index shared mailbox contents.
- Personal Mailboxes: Individual mailbox owner consent is required before their emails are indexed.
Indexed emails are stored in Azure AI Search with encryption at rest. We apply AI-powered value assessment to identify emails worth indexing and may redact personally identifiable information (PII) from indexed content. Original emails remain in Microsoft 365 and are not modified.
6. Safety Gateway and PII Scanning
Outermind includes a Safety Gateway feature that scans outbound AI-generated communications before they are sent. This scanning includes:
- Detection of personally identifiable information (credit cards, social security numbers, bank accounts, etc.)
- AI-powered content analysis for sensitive business information
- Classification of recipients as internal or external to your organization
The Safety Gateway logs all scanning decisions for audit purposes. When PII is detected, it may be automatically masked before sending. Suspicious messages may be held for human review before delivery.
7. Third-Party Integrations
When you connect Outermind to third-party services, data is shared as follows:
- GitHub: Repository data, issues, pull requests, and workflow information as configured.
- LinkedIn: Profile information, posts, and engagement data for configured actions.
- SQL Databases: Query results from databases you connect.
- HTTP APIs: Data sent to and received from external APIs you configure.
Each third-party service has its own privacy policy. We encourage you to review the privacy policies of any services you connect to Outermind.
8. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Specific retention periods include:
- Audit Logs: 7 days (Basic), 30 days (Professional), 1 year (Pro Plus)
- Indexed Knowledge: Configurable per source, default 2 years
- After Termination: All customer data permanently deleted within 30 days
You may request immediate deletion or export of your data at any time by contacting us.
9. Data Security
We implement industry-standard security measures including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, and regular security audits. We are currently pursuing SOC 2 Type II certification.
10. International Data Transfers
Outermind is hosted on Microsoft Azure infrastructure. Depending on your organization's requirements, we offer data residency options:
- United States: Primary data center region (default)
- European Union: Available upon request for EU-based customers
When data is transferred internationally, we use appropriate safeguards including Standard Contractual Clauses approved by the European Commission. Contact us to discuss data residency requirements for your organization.
11. Service Providers
We use the following categories of service providers to deliver Outermind:
- Cloud Infrastructure: Hosting, storage, and computing services
- AI/ML Providers: Large language model processing (as configured through BYOK)
- Search Services: Knowledge base indexing and retrieval
- Authentication: Identity verification and access management
- Payment Processing: Subscription billing and payments
- Analytics: Usage analytics and service improvement
All service providers are bound by data processing agreements that require them to protect your data and use it only as instructed by Outermind Inc.
12. Automated Decision-Making
Outermind uses AI to make certain automated decisions, including:
- Routing emails to appropriate AI agents
- Assessing the value of emails for knowledge base indexing
- Evaluating risk levels of outbound communications
These automated processes are designed with human oversight. You may request human review of significant automated decisions by contacting us. The Safety Gateway and approval queue features provide built-in human review for high-risk automated decisions.
13. Your Rights
Depending on your location, you may have rights to:
- Access your personal data
- Correct inaccurate data
- Delete your data
- Export your data in a portable format
- Opt out of certain processing, including AI training
- Object to automated decision-making
- Withdraw consent for email indexing
14. Contact Us
For privacy-related questions or to exercise your rights, contact us at legal@outermind.ai.
15. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes by email or through the Outermind dashboard at least 30 days before they take effect.