CleverLife.ai Security

1. Encryption

• • All data stored by CleverLife.ai — including account information, child profiles, and processed summaries — is encrypted at rest in our managed database (Supabase).
• • Google OAuth tokens receive an additional layer of application-level encryption (AES-256-GCM) on top of the at-rest database encryption.
• • All data in transit, between your browser, our servers, and our processors, is protected by TLS/SSL.

2. Access Control

• • We follow the principle of least privilege: access to production systems and customer data is limited to a small number of authorized engineers.
• • Employee access to user data is restricted to legitimate operational needs (e.g., resolving a support ticket or investigating an incident).
• • Debugging access in production is gated and time-limited.

3. Audit Logging

Sensitive operations — authentication events, access to user records, and administrative actions — are logged so that we can review activity and investigate issues if needed.

4. Infrastructure

CleverLife.ai runs primarily on managed cloud infrastructure (Vercel, DigitalOcean, and Supabase) with vendor-provided security controls, network isolation, and routine patching, which lets us inherit an independently-audited security posture. Our one self-hosted component is the n8n workflow runner used for AI classification; it runs on the same managed cloud infrastructure and is access-controlled and patched as part of our routine operations.

5. Gmail Data Handling

We only access Gmail messages from senders you have explicitly whitelisted. Mail from anyone else is never retrieved, scanned, or stored.

Raw Gmail content (email body, subject, and sender) is retained for up to 30 days to generate summaries and structured events, then automatically deleted. Attachments and the AI-generated summaries are kept until you delete your account.

6. Sub-processors & Vendors

To operate the service, we share data with a small set of trusted infrastructure providers:

• • Google (Gmail API + OAuth) — source of the school emails you authorize us to read, and your sign-in identity.
• • Supabase (Postgres) — primary database for account data and AI-generated summaries.
• • Supabase Storage — stores email attachments until you delete your account.
• • n8n (self-hosted) — our self-hosted workflow tool that forwards email body and subject to OpenAI for classification.
• • OpenAI (API, called via n8n) — classification and summarization of email content via the OpenAI API.
• • Vercel — hosting for this website and the app frontend, which never receives raw Gmail content.
• • DigitalOcean — hosting for our backend service, which processes Gmail content in memory.

These processors only handle data on our behalf and cannot use it for their own purposes.

7. Google API Limited Use

CleverLife.ai's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

8. OpenAI and AI Model Training

OpenAI does not use customer data submitted through our API for model training. CleverLife.ai also does not train any AI models on your data.