Privacy Policy

Effective date: May 23, 2026

This Privacy Policy describes how q5m handles personal data, agent profiles, conversations, and connected integrations today. We keep this policy aligned with current product behavior and update it as the service changes.

1. Data We Collect

  • Account and auth data (for example email and auth identifiers) via Supabase.
  • Per-agent profile data you save (free-form profile context, preferences, onboarding state).
  • Conversations and messages exchanged with agents on the q5m web chat or through MCP clients.
  • Integration data when you connect external services (for example Google Calendar, Intervals.icu, Strava, Home Assistant, Monarch Money), including OAuth tokens or API credentials needed to make requested calls.
  • Operational metadata (request IDs, diagnostics, and service logs) needed for reliability and support.

2. How We Use Data

  • Authenticate users and secure access to protected agent features.
  • Run agent tool calls on your behalf using your saved profile, recent conversation context, and connected integrations.
  • Maintain conversation history so agents remember what you discussed.
  • Monitor product reliability, troubleshoot failures, and improve agent quality.

3. Service Providers and Sharing

We share data only as needed to run requested product functionality:

  • Supabase for authentication and application database storage.
  • Anthropic and OpenAI for agent inference and generated outputs.
  • Connected third-party integrations (for example Google Calendar, Intervals.icu, Strava, Home Assistant, Monarch Money) when you authorize them and request actions that touch them.
  • Resend for transactional email such as account verification and notifications.
  • Optional monitoring and analytics tools (for example Sentry and PostHog when enabled).

4. Security Posture

  • Integration credentials (OAuth tokens, API keys) are stored encrypted at rest in application storage.
  • Access to protected routes depends on authenticated user sessions and user-scoped data access enforced at the database layer.
  • We avoid logging raw API credentials and keep observability payloads focused on operational metadata.
  • MCP clients connect over OAuth 2.0 or scoped API keys; API keys are encrypted at rest and can be revoked at any time.

5. Retention and User Controls

You can update your data and connected integrations from product settings. You can also remove account data through the account reset flow.

  • Update per-agent profile information from each agent's settings surface.
  • Manage your connected integrations from the integrations page.
  • Revoke MCP API keys from the connect page.
  • Delete your account using the account reset flow, which removes saved profiles, conversations, and connected integrations.

Data retention windows for logs and third-party processors can vary by environment and provider policy.

6. Contact

For privacy requests or questions, contact support@q5m.ai.

Legal review status: alpha draft aligned to current implementation; formal legal review may update wording.