Chambiar Privacy Policy
Effective Date: March 13, 2026
Last Updated: March 13, 2026
1. Who We Are
Chambiar ("Chambiar," "we," "our," or "us") provides an AI coordination platform that connects to your existing business tools — email, calendar, CRM, Slack, accounting software, and more — and operates an AI voice and chat agent ("Maria") on your behalf. This policy explains exactly what data we collect, process, store, and share.
2. Information We Collect
2.1 Account Information
When you create a Chambiar account you provide:
- Full name
- Email address
- Company name
We assign a unique company ID and link your account to a Firebase UID. If you sign in with Google, your Google profile name and email are received from Google but your Google profile photo is not stored by Chambiar beyond what Firebase Auth retains.
2.2 Integration Data
When you connect a third-party service, you grant Chambiar OAuth access. Here is exactly what is read and written for each integration:
Google Gmail
Read: Message headers, full message body (including attachments metadata), thread content, labels, drafts, mailbox settings (IMAP, POP, vacation responder, language).
Write: Send messages, delete messages, modify labels, create/update/delete drafts.
AI processing: The full decoded content of your emails (up to 300 emails from the past 150 days) is sent to OpenAI for summarization. The AI-generated summary (not the raw email body) is stored on our servers. Raw email content is not stored.
Google Calendar
Read: Calendar events, attendee lists, event details, recurring event data.
Write: Create, update, and delete calendar events including adding attendees and reminders.
Storage: Full calendar event objects are stored on our servers.
Google Docs
Read: Document list, document content (full text).
Write: Create documents, update documents, reply to document comments.
AI processing: Full document text is sent to OpenAI for summarization. AI-generated summaries are stored.
Google Sheets
Read: Spreadsheet list, cell data from specific ranges.
Write: Update cell ranges, reply to sheet comments.
Storage: Spreadsheet data is stored on our servers.
Slack
Read: Public and private channel list, direct message list, channel message history, thread replies, workspace user list (names and user IDs), bookmarks.
Write: Send and delete messages (channels and DMs), update messages, schedule messages, add/remove emoji reactions, add bookmarks.
Storage: Slack message objects are stored on our servers.
HubSpot
Read: Contacts (names, emails, properties), deals (pipeline stage, amount, history), companies (name, domain, industry), associations between records, engagements (notes, emails, calls, meetings, tasks), analytics data.
Write: None at this time (read-only integration).
Storage: HubSpot CRM objects are stored on our servers.
Notion
Read: Pages, databases, database records, page comments.
Write: Create pages, update pages.
Storage: Notion objects are stored on our servers.
Zoom
Read: Meeting list, meeting details, meeting invitations.
Write: Create, update, and delete meetings; end live meetings; create invite links.
Storage: Zoom meeting objects are stored on our servers.
Xero
Read: Tenant list, contacts (name, email, tax number, addresses, phone numbers), invoice list and details.
Write: Create draft invoices (contact, line items, amounts, due date).
Storage: Xero invoice and contact objects are stored on our servers.
2.3 Voice and Audio Data
When you use Maria's voice feature:
- Your microphone audio is streamed in real time from your browser through LiveKit Cloud to OpenAI's Realtime API for speech recognition and response generation.
- Audio is processed in real time and not recorded or stored by Chambiar as audio files.
- Noise cancellation is applied to your audio stream by the LiveKit BVC plugin before it reaches OpenAI.
- Your LiveKit participant metadata (your Firebase access token, company ID, and session context) is embedded in the room connection token so the AI agent can authenticate tool calls on your behalf.
- Every tool action Maria executes during a voice session (e.g., "sent email to X," "created calendar event Y") is logged to our database, including the inputs provided and the result returned by the tool.
2.4 Chat Data
Text messages sent to Maria via the chat interface are transmitted through the LiveKit data channel to the AI agent and processed by OpenAI. Chat messages are not independently stored beyond the tool action logs described above.
2.5 Usage and Activity Logs
We maintain application-level logs that record:
- Integration data ingestion events (when and what was synced from each connected service)
- AI report generation events
- Every tool action executed by Maria: tool name, inputs, result, and timestamp
- Standard application errors and warnings
These logs are stored in our PostgreSQL database linked to your user ID and company ID.
3. How We Use Your Data
| Purpose | Data Used |
| --- | --- |
| Operating Maria AI agent | Integration data, voice/chat input, tool results |
| Generating AI summaries and reports | Email content, document content, calendar events, CRM data, Slack messages |
| Executing actions on your behalf | Calendar, Gmail, Slack, Notion, Zoom, Xero integration data |
| Authentication and security | Firebase ID tokens, company ID |
| Audit logging | Tool action inputs/outputs, session metadata |
We do not use your data for advertising, profiling, or sale to third parties.
4. AI and Third-Party Processing
We send your data to the following AI providers as part of operating the service:
OpenAI
The following data is sent to OpenAI's API:
- Full email content (for summarization)
- Full Google Doc content (for summarization)
- Calendar events, HubSpot CRM data, Notion content, Slack messages (for generating analytics reports)
- Real-time voice audio (via OpenAI Realtime API for the voice agent)
- Full conversation history during chat and voice sessions
- Tool results returned during AI agent sessions
OpenAI processes this data under its API data usage policy. OpenAI does not use API data to train its models by default.
Google Cloud (Vertex AI / Gemini)
Document content (up to 10,000 characters) may be sent to Google's Vertex AI Gemini model for document analysis tasks.
5. Third-Party Services We Use
| Service | Role | Data Involved |
| --- | --- | --- |
| Firebase (Google) | Authentication, user identity | Email, name, sign-in events |
| Google Cloud Datastore | Primary data store | All integration data, OAuth tokens, user records |
| PostgreSQL | Secondary data store | Notifications, action logs, AI reports, chat history |
| LiveKit Cloud | Real-time audio/video transport | Voice audio, participant metadata, chat messages |
| OpenAI | AI language model and voice processing | As detailed in Section 4 |
| Google Cloud Vertex AI | Document AI analysis | Document content |
| BitHuman | AI avatar rendering for Maria | Real-time session data for avatar display |
| Slack | Integration | As detailed in Section 2.2 |
| HubSpot | Integration | As detailed in Section 2.2 |
| Notion | Integration | As detailed in Section 2.2 |
| Zoom | Integration | As detailed in Section 2.2 |
| Xero | Integration | As detailed in Section 2.2 |
| Google (Gmail/Calendar/Docs/Sheets) | Integration | As detailed in Section 2.2 |
6. OAuth Tokens
When you connect an integration, we store an OAuth access token and refresh token in Google Cloud Datastore. These tokens allow Chambiar to act on your behalf without requiring you to re-authenticate. Tokens are:
- Stored encrypted at rest in Google Cloud Datastore
- Used only to make API calls on your behalf
- Deleted when you disconnect an integration
- Automatically refreshed when expired; stale tokens are removed on persistent authentication failures
7. Data Storage and Security
Primary data store: Google Cloud Datastore (NoSQL), hosted in Google Cloud infrastructure
Secondary data store: PostgreSQL, for notifications, action logs, AI reports, and chat history
In transit: All data is transmitted over HTTPS/TLS
Authentication: All API endpoints require a valid Firebase ID token
Access control: Data is scoped to your company ID; cross-company data access is not possible by design
8. Data Retention
We do not currently enforce automatic deletion or time-limited retention on your integration data. Specifically:
- Email summaries, calendar events, CRM data, and other integration objects remain stored until you disconnect the integration or delete your account.
- The Gmail ingestion pipeline fetches emails from the past 150 days during initial setup; historical emails outside this window are not fetched.
- Action logs and AI-generated reports are retained indefinitely.
- OAuth tokens are retained until you disconnect an integration or delete your account.
We are working to implement configurable retention periods and will update this policy when those controls are available.
9. Your Rights
You may at any time:
- Access your stored data by contacting us
- Delete your account and associated data by contacting us — this will revoke all OAuth tokens and delete your integration data and account records
- Disconnect individual integrations from within the app, which revokes the relevant OAuth token and stops further data syncing for that service
- Correct your account information (name, company name) from within the app
To exercise any of these rights, contact us at info@chambiar.ai.
10. Cookies and Local Storage
Local storage: We store a single flag (has_logged_in: true) in your browser's local storage to route returning users to the correct screen. No sensitive or personally identifiable data is written to local storage by our application code.
IndexedDB: Firebase Auth uses browser IndexedDB to persist your authentication session. This is managed by the Firebase SDK and is necessary to keep you logged in.
Cookies: We do not use tracking or advertising cookies. The backend uses cookie parsing capabilities for session handling but does not set any persistent cookies in active production flows.
11. Children's Privacy
Chambiar is a business productivity tool not directed at children under 13. We do not knowingly collect data from children under 13.
12. Changes to This Policy
We will post any changes to this policy at this URL and update the "Last Updated" date. For material changes we will notify you by email.
13. Contact
Chambiar
Email: info@chambiar.
Website: www.chambiar.ai