[privacy]

Privacy Policy

Effective 2026-06-20

Draft v1 — pending legal review. Subject to change before general availability.

1. Who we are

Levio is a product of Joeybuilt LLC(“Joeybuilt”, “we”, “us”), a Utah, USA limited-liability company. We are the data controller for personal data processed through mylevio.com and the Levio mobile application.

For privacy questions, data-subject requests, or to reach our Data Protection point of contact, write to hello@joeybuilt.com.

2. What we collect

We deliberately collect the minimum needed to make Levio work. Specifically:

  • Account data: your email address, hashed password (if you sign up with email), and authentication session tokens.
  • Google account metadata: when you connect Google, we store your Gmail and Google Calendar OAuth tokens, your Google email address, and the list of message and event identifiers needed to render your inbox and calendar.
  • Email metadata + AI summaries: subject lines, sender, recipients, timestamps, thread identifiers, and the short AI-generated summary / category we produce for each thread. We do not persist the full body of your emails on Levio servers. Bodies are fetched transiently to produce the summary, then discarded. This matches the promise on our marketing page.
  • Calendar event data: titles, times, attendees, and location for the rolling window we display.
  • Tasks you create: title, notes, due date, status, tags, and (if you accept an AI proposal) the source email or event identifier.
  • Billing data: if you subscribe, Stripe processes your payment. We store only the Stripe customer / subscription identifiers and the plan tier — never your card details.
  • Operational logs: IP address, user agent, request paths, and timestamps. Logs are redacted of credentials and tokens.

3. How we use your data

  • Render the Today, Inbox, and Calendar surfaces.
  • Generate AI summaries, classifications, and proposed tasks via our orchestration backbone (see Sub-processors).
  • Send transactional emails (sign-in, security alerts, billing).
  • Detect abuse and operate the service reliably.

We do not sell your data. We do not use your email contents to train any third-party general-purpose model.

4. Sub-processors

We rely on the following processors. Each is bound by a data-processing addendum or equivalent contractual safeguard:

  • Google LLC — OAuth, Gmail API, Calendar API.
  • Plexo Core (operated by Joeybuilt LLC) — AI orchestration backbone for summaries and classifications. Runs in our own infrastructure.
  • Stripe, Inc. — payment processing.
  • Inngest, Inc. — background-job scheduling.
  • Codemagic Ltd — mobile-app build and distribution pipeline.
  • OVHcloud US, Inc. — hosting infrastructure.

5. Retention

  • Ephemeral data (email bodies fetched for AI processing, raw operational logs): retained no longer than 90 days.
  • Stored data (your account, tasks, AI summaries, calendar cache): retained until you delete your account.
  • Billing records as required by tax and accounting law (typically 7 years in the USA).

6. Your rights (GDPR + CCPA)

If you are in the EEA, UK, or California, you have the right to:

  • Access a copy of the personal data we hold.
  • Export your data in a portable format (JSON).
  • Rectify incorrect information.
  • Erase your account and all associated data.
  • Object to or restrict processing.
  • Lodge a complaint with your local supervisory authority.

To exercise any of the above, email hello@joeybuilt.com from the address on file. We respond within 30 days.

7. Security

Data is encrypted in transit (TLS 1.2+) and at rest. Production access is limited to named operators on need-to-know basis. Tokens and secrets are scrubbed from application logs. Source code is publicly auditable under AGPL-3.0.

8. International transfers

Levio is operated from the United States. If you access the service from outside the USA, your data will be transferred to and processed there. We rely on Standard Contractual Clauses for transfers from the EEA.

9. Children

Levio is not directed to anyone under 16. We do not knowingly collect data from minors.

10. Changes

We will post material changes to this policy at this URL and notify registered users by email. Continued use after a change constitutes acceptance of the updated policy.