← Back to home
Legal · Privacy

Privacy Policy

Effective May 18, 2026 · Version 0.1 — Draft
This is a starter draft. Relay Oh is in private beta. The language below is a working template and has not yet been reviewed by privacy counsel — replace it with a finalized policy before general availability. The principles, though, are real: we collect what we need to run the product, we don't sell your data, and we don't use your customer data to train third-party foundation models.

01The short version

If you only read one section, read this one. The rest of this policy is the long-form version of these four promises.

We collect the minimum.What we need to run the Service and run the assistant — and not much more.
We don't sell your data.Not to advertisers, not to data brokers, not to anyone.
We don't train on your data.Your customer data and prompts are not used to train third-party foundation models. Ever.
You stay in control.Export it, delete it, or revoke any connected tool at any time.

02Who we are

Relay Oh, Inc. ("Relay Oh," "we," "us," "our") is the data controller for personal information described in this policy, except where we process information on behalf of a customer organization — in those cases, that organization is the controller and we act as processor under our customer agreement.

Contact: privacy@relayoh.com. Mailing address: 22 Swinton Gardens Dr., Delray Beach, FL 33444.

03Scope

This policy covers personal information we collect through:

  • Our website (relayoh.com) and any marketing properties.
  • The Relay Oh application at app.relayoh.com.
  • The Relay Oh AI assistant, including all conversations, tool calls, and actions taken on your behalf.
  • Connections to third-party tools made through MCP (Model Context Protocol) or other APIs you authorize.
  • Email, support, and other direct communications with us.

04Information we collect

A · Information you provide
CategoryExamples
Account infoName, work email, organization, role, password hash, profile photo (optional).
Customer / CRM dataContacts, companies, deals, pipelines, notes, files, tasks, calendar events, and message content you import or create inside Relay Oh.
AI conversationsPrompts you send the assistant, the assistant's responses, tool calls it makes, and the results those tools return.
Connected-tool dataTokens and metadata for MCP connections you authorize; data the assistant reads or writes in those tools at your direction.
BillingWhen paid plans exist: name, billing address, tax ID, and tokens issued by our payment processor. We don't store full card numbers.
Support & feedbackAnything you send us by email, in-app chat, or surveys — including the contents of those messages.
B · Information we collect automatically
CategoryExamples
Usage dataPages and features you access, actions you take, search queries, the assistant's audit trail, and timestamps.
Device & log dataIP address, approximate location (city-level, derived from IP), browser type and version, operating system, device identifiers, referring URL, and diagnostic data.
Cookies & similarSee Cookies & tracking below.
C · Information from third parties

When you connect a tool through MCP, OAuth, or another integration, we receive data that tool exposes to Relay Oh — for example, calendar events, email metadata, CRM records, message threads, or files. We only receive what's covered by the scopes you grant, and we process it strictly to fulfill the request you made of the assistant.

05How we use information

We use personal information to:

  • Operate, maintain, secure, and improve the Service.
  • Run the AI assistant on your behalf — including invoking model providers, executing tool calls, and recording the assistant's audit trail.
  • Authenticate you, your account, and your team.
  • Communicate with you about your account, security, billing, and product changes.
  • Send occasional product updates you can opt out of.
  • Detect, investigate, and prevent abuse, fraud, and security incidents.
  • Comply with legal obligations and enforce our Terms.
  • Aggregate and anonymize data for analytics and research — once anonymized, it's no longer personal data.

We rely on the following legal bases (for users covered by GDPR/UK GDPR): contract (to deliver the Service you signed up for), legitimate interests (to secure and improve the Service, fight abuse), consent (for optional cookies and marketing emails), and legal obligation (to meet tax, accounting, and law-enforcement requirements).

06The AI assistant

The assistant is the heart of Relay Oh, so it deserves its own section.

How prompts are processed

When you send a prompt, we transmit it — along with the context the assistant needs (recent conversation, relevant CRM records, the tools available, your organization's instructions) — to a third-party model provider. The provider returns a response, which the assistant may follow with tool calls to your CRM or connected services.

Model providers

We use enterprise-tier accounts with leading model providers. Examples of providers we use today:

Anthropic (Claude) OpenAI (GPT family) [Additional providers as added]

Each is bound by a written agreement that prohibits training their foundation models on your data, requires deletion within a defined window, and aligns with their respective enterprise/API privacy commitments.

Training

Your customer data and prompts are not used to train third-party foundation models. If we ever introduce an optional program where opted-in customers can contribute data to improve a Relay Oh-specific model, it will be off by default, clearly described, and revocable.

Limits & review

The assistant can take real actions — updating records, sending messages, drafting follow-ups. You can scope what data it sees, require human confirmation for destructive actions, and review every action it has ever taken via the audit log. AI output can be wrong; you remain responsible for verifying it before you rely on it.

07MCP & connected tools

MCP (Model Context Protocol) is how the assistant talks to your other tools. When you connect one:

  • You authorize a specific scope of access. The assistant cannot exceed that scope.
  • We store the connection credentials (encrypted) and metadata about the connection itself.
  • We do not bulk-copy data out of the connected tool. The assistant reads what it needs to answer a request, and writes what you ask it to.
  • Every read and write is recorded in an audit log visible to your admins.
  • You can revoke a connection at any time from your settings. Revocation immediately stops further access and triggers deletion of cached credentials.

Once data leaves Relay Oh and enters a third-party tool (for example, a message sent to a customer in Gmail), that data is governed by the third party's terms and privacy policy.

08Cookies & tracking

We use a small set of cookies and similar technologies:

TypePurposeRequired?
SessionKeep you signed in.Required.
SecurityDetect tampering, protect against CSRF, rate-limit abuse.Required.
PreferencesRemember UI choices you've made — theme, sidebar state, default views.Required.
Product analyticsMeasure feature usage so we can prioritize what to build.Optional.

We do not use third-party advertising or cross-site tracking cookies. You can disable optional cookies from the in-product settings, or by configuring your browser — note that this may degrade product analytics but the Service still works.

09How we share information

We share information only with the following categories of recipient, and only as needed:

  • Sub-processors / service providers — cloud hosting, AI model providers, email delivery, error monitoring, product analytics, payment processing. Each is under contract restricting their use to providing services to us.
  • Other users in your organization — collaborators on your team can see CRM records and conversations within their permission scope.
  • Authorities, when legally required — in response to a valid subpoena, court order, or similar lawful request. We review every request and push back on overreach.
  • A successor — in a merger, acquisition, financing, or sale of assets, with notice to you.
  • With your consent — anywhere else, we'll ask first.

We do not sell personal information. We do not share it for cross-context behavioral advertising. We do not share customer data with model providers for training their models.

10Sub-processors

The current list of sub-processors — including each one's purpose, location, and the categories of data they process — is maintained on a dedicated page and updated as the list changes. Until that page is published, the list is available on request from privacy@relayoh.com.

Enterprise customers receive 30 days' advance notice of material changes to the sub-processor list and can object before the change takes effect, subject to the terms of their agreement with us.

11Retention

WhatHow long
Account & CRM dataFor as long as your account is active. After closure: a 30-day recovery window, then deletion or anonymization.
Assistant conversationsRetained while your account is active, subject to any deletion you trigger in-product.
Audit logs (assistant & admin actions)12 months by default; configurable up to 7 years on enterprise plans.
Security & access logs12 months.
BackupsEncrypted, rotated, fully purged within 90 days.
Billing recordsAs long as required by tax and accounting law (typically 7 years).
Marketing contactsUntil you unsubscribe, then a short suppression-list retention to honor your opt-out.

12Security

We use commercially reasonable technical and organizational measures to protect personal information, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
  • Role-based access controls and least-privilege principles inside Relay Oh.
  • Single sign-on (SSO) and multi-factor authentication (MFA) options.
  • Audit logging of admin and assistant actions.
  • Vulnerability scanning, dependency monitoring, and regular security review of code changes.
  • Incident-response procedures and a security disclosure inbox at security@relayoh.com.

No system is perfectly secure. If we have a breach affecting your personal information, we'll notify you and applicable authorities within the timeframes required by law.

13Your rights

Depending on where you live, you may have some or all of the following rights regarding your personal information:

  • Access — a copy of the personal information we hold about you.
  • Correction — to fix data that's inaccurate or incomplete.
  • Deletion — to have personal information erased, subject to legal retention obligations.
  • Portability — to receive your data in a structured, machine-readable format.
  • Restriction & objection — to limit or object to certain processing, including processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent.
  • Non-discrimination — exercising any of these rights will not result in worse pricing or service.
  • Complaint — to lodge a complaint with your local data-protection authority. EU residents may contact their national DPA; UK residents may contact the ICO.

To exercise any of these, email privacy@relayoh.com. We'll verify your request and respond within the timeframes the law requires (typically 30 days). If we deny a request, we'll tell you why.

If you're a user of a Relay Oh customer organization, please direct rights requests to that organization first — we act as their processor and will support them in responding.

14California residents

If you're a California resident, the CCPA/CPRA gives you the rights listed in Your rights above, plus the right to know the categories of personal information we collect, use, disclose, and (if we did) sell. In the past 12 months, we have:

To submit a CCPA request, email privacy@relayoh.com with "California request" in the subject. We do not discriminate against users who exercise their rights.

15International transfers

We're based in the United States and process personal information here and in other countries where our sub-processors operate. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (and the UK addendum, where applicable) or another lawful safeguard. A copy of the relevant transfer mechanism for a specific data flow is available on request.

16Children

Relay Oh is a business product not directed to anyone under 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information to us, contact privacy@relayoh.com and we will delete it.

17Links to other sites

Relay Oh links to and integrates with third-party sites and services. Their handling of your personal information is governed by their own policies, which we encourage you to read. We're not responsible for their practices.

18Do Not Track

Our Service does not currently respond to "Do Not Track" browser signals because no industry consensus on how to interpret them exists. We treat Global Privacy Control (GPC) signals as a valid opt-out of any processing that would otherwise require a sale/share notice under U.S. state law.

19Changes to this policy

We may update this policy as the product evolves. When we make material changes, we'll:

  • Update the "Effective" date above and bump the version number.
  • Post a notice on this page.
  • Email you or display an in-product notice for material changes that affect your rights.

Older versions of this policy are kept on file and available on request.

20Contact us

Questions, requests, or anything else privacy-related:

— Relay Oh, Inc.