This Privacy Policy describes how TRYFIREFLY.AI, INC. ("TRYFIREFLY," "we", "us" or "our") processes personal information that we collect through our digital or online properties or services that link to this Privacy Policy (including as applicable, our website, social media pages, marketing activities, live events and other activities described in this Privacy Policy (collectively, the "Service")).

TRYFIREFLY provides AI-powered educational support and services to students and educational institutions. This Privacy Policy does not apply to information that we process on behalf of our business customers (such as educational institutions) while providing the TRYFIREFLY platform and services to them. Our use of information that we process on behalf of our business customers is governed by our agreements with such customers. If you have concerns regarding your personal information that we process on behalf of a business customer, please direct your concerns to that customer.

Our websites, products, and services are designed for our business customers, their representatives, and students. Accordingly, we treat all personal information we collect as pertaining to individuals in their capacities as representatives of the relevant enterprise or as students, and not their individual capacities.

Information you provide to us.

Personal information you may provide to us through the Service or otherwise includes:

• Contact data, such as your first and last name, email address, billing and mailing addresses, professional title and company name, year in college, college status and phone number.
• Demographic data, such as your city, state, country of residence, postal code, and age.
• Profile data, such as the username and password that you may set to establish an online account on the Service, date of birth, educational information, interests, preferences, and any other information that you add to your account profile.
• Educational data, such as your school affiliations, courses, grades, and academic performance.
• Communications data based on our exchanges with you, including when you contact us through the Service, social media, or otherwise.
• Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.
• Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Third-party sources.

We may combine personal information we receive from you with personal information we obtain from other sources, such as:

• Public sources, such as government agencies, public records, social media platforms, and other publicly available sources.
• Educational institutions, such as schools and universities that use our services.
• Marketing partners, such as joint marketing partners and event co-sponsors.

Automatic data collection.

We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and your interaction over time with the Service, our communications and other online services, such as:

• Device data, such as your computer or mobile device's operating system type and version, manufacturer and model, browser type, screen resolution, IP address, unique identifiers, language settings, and general location information such as city, state or geographic area.
• Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.

Cookies and similar technologies.

Some of the automatic collection described above is facilitated by the following technologies:

• Cookies, which are small text files that websites store on user devices and that allow web servers to record users' web browsing activities and remember their submissions, preferences, and login status as they navigate a site.
• Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data on your device outside of your browser in connection with specific applications.
• Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.

Data about others.

We may offer features that help users invite their contacts to use the Service, and we may collect contact details about these invitees so we can deliver their invitations. Please do not refer someone to us or share their contact details with us unless you have their permission to do so.

Google Workspace Integration.

As part of our service offering, we utilize Google Workspace APIs to access general information about meetings and calendar events that are not stored within our systems. This data is used solely to create and manage events on users' calendars with the consent of all involved parties. The data accessed through Google Workspace APIs is not used to train or improve any AI models or agents. The only data we store from Google Workspace is users' encrypted refresh tokens and their profile pictures. These tokens are encrypted at rest, in transit, and within our database.

Knowledge Base and RAG System Usage

Our Retrieval-Augmented Generation (RAG) system is designed with privacy and data sovereignty in mind. When users upload information to their knowledge base:

• Information is only used as context for AI responses and is never used to train our models
• Data remains private and accessible only to the user who owns it - Firefly employees cannot access or view uploaded knowledge base content
• When content is deleted from a user's knowledge base, it is permanently removed from our systems
• Information is only retrieved during active chat sessions when relevant to user queries
• All knowledge base data is encrypted and stored securely following our comprehensive data protection protocols

Sharing and Disclosure of Google User Data

We do not share, transfer, or disclose Google user data to any third parties, except as required by law or with explicit user consent. All Google user data is treated with the utmost confidentiality and is only used for the purposes stated in this privacy policy.

Data Protection for Sensitive Information

We implement strict data protection mechanisms for all sensitive data, including Google user data. Our comprehensive approach to data protection includes:

• End-to-end encryption for data in transit and at rest:
  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest
  • Regular rotation of encryption keys
• Regular security audits and penetration testing:
  • Quarterly internal security audits
  • Annual third-party penetration testing
  • Continuous vulnerability scanning
• Access controls and authentication measures:
  • Multi-factor authentication for all employee accounts
  • Role-based access control (RBAC) for system access
  • Regular access reviews and prompt removal of unnecessary privileges
• Employee training on data protection and privacy:
  • Mandatory annual privacy and security training for all employees
  • Ongoing awareness programs and updates on best practices
  • Strict confidentiality agreements for all staff
• Network security measures:
  • Next-generation firewalls and intrusion detection systems
  • Regular network segmentation and security reviews
  • Virtual Private Network (VPN) for remote access
• Data backup and disaster recovery:
  • Daily encrypted backups stored in geographically separate locations
  • Regular testing of backup restoration processes
  • Comprehensive disaster recovery plan with annual drills
• Secure software development lifecycle:
  • Security review at each stage of development
  • Regular code reviews and static code analysis
  • Dependency scanning for known vulnerabilities

Data Retention and Deletion

We retain Google user data only for as long as necessary to provide our services. Upon request or account deletion, we will remove all Google user data from our systems within 30 days. To request deletion of your data, please email kris@tryfirefly.ai. Please note that some information may be retained as required by law or for legitimate business purposes.

Revoking Access to Google Data

In addition to contacting us for data deletion, users can revoke our access to their Google data at any time through their Google Account security settings. To do this:

1. Go to your Google Account (https://myaccount.google.com/)
2. Click on "Security" in the left-hand menu
3. Scroll down to "Third-party apps with account access"
4. Click on "Manage third-party access"
5. Find TRYFIREFLY.AI in the list and click on it
6. Click "Remove Access"

Please note that revoking access will prevent TRYFIREFLY.AI from providing services that rely on your Google data. If you wish to continue using our services after revoking access, you may need to re-authorize our application.

We use your personal information for the following purposes:

• To provide, maintain, and improve our services
• To communicate with you about our services
• To protect against fraud and unauthorized access
• To comply with legal obligations
• To personalize your experience
• To analyze and improve our services

Depending on your location, you may have certain rights regarding your personal information:

• Right to access your personal information
• Right to correct inaccurate information
• Right to request deletion of your information
• Right to restrict processing
• Right to data portability
• Right to object to processing

To exercise these rights, please contact us at kris@tryfirefly.ai

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We ensure appropriate safeguards are in place for international transfers, including:

• Standard contractual clauses
• Data processing agreements
• Adequacy decisions where applicable

Our services are not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of our services after such modifications constitutes your acceptance of the updated Privacy Policy.

If you have any questions, concerns, or requests related to this Privacy Policy or our privacy practices, please contact us at:

TRYFIREFLY.AI, INC.
Email: kris@tryfirefly.ai