Privacy Policy
1. Who we are
TheConsultant (https://theconsultant.chat) is an AI-powered personal assistant that helps users manage WhatsApp, email, calendar, and AI tools. This policy covers the TheConsultant web service (the AI WhatsApp secretary) and the TheConsultant — AI Browser Tools Chrome extension.
For any privacy question or data subject request (access, correction, deletion, portability), contact hello@theconsultant.chat. See Contact Us for response-time commitments.
2. What data we collect
2.1 Account information
When you sign in with Google, we receive your name, email address, profile picture, and Google account ID. This information is used solely to identify your account and is never sold.
2.2 WhatsApp messages — processed in isolated containers, not stored
To deliver the AI auto-reply service, your WhatsApp Web session runs inside a per-user isolated Docker container on our worker infrastructure. The container reads incoming chat messages from the open chat panel, sends them to a Large Language Model for an answer, and posts the reply back through your WhatsApp Web session.
We do not store the body of your WhatsApp messages in our primary database. Messages are processed in memory while the AI is generating a reply, then discarded. We do, however, keep:
- A short-term conversation context buffer (the most recent ~20 messages per chat) used for the next reply, retained for at most 30 days and then deleted automatically by our memory-cleanup cron.
- A usage log recording the contact name (or phone), the direction (in/out), the LLM provider used and a delivery status per message — the message body itself is not kept in this log.
- Optional chat history visible to you in the dashboard Chats tab for your own reference, retained for the same 30 days.
2.3 Third-party service credentials (extension only)
The Chrome extension operates on sites you are already signed into (Gmail, ChatGPT, Gemini, Claude, Google AI Studio, and LLM provider dashboards such as Groq, OpenRouter, Mistral, Hugging Face, Cohere, and Together AI). The extension reads session cookies and page content from these sites only when you explicitly trigger an action, and only in your own browser — these credentials are never transmitted to TheConsultant servers.
2.4 LLM API keys
When you opt in to automatic provisioning, the extension or dashboard stores API keys you have created on your own accounts at supported LLM providers (Groq, Gemini, OpenRouter, Mistral, etc.). Keys live in your browser (chrome.storage) and / or in our database so the assistant can call LLMs on your behalf. Keys are encrypted at rest when an encryption key is configured. Keys are never shared with third parties.
2.5 Email content (extension only)
When you ask the assistant to read, summarise, or reply to emails, the extension temporarily accesses that content to generate the requested response. Content is processed in memory and is not retained beyond the duration of the request, except for the short-term conversation context used by the AI.
2.6 Browser activity during tool execution (extension only)
While executing a tool call, the extension opens or interacts with specific tabs (e.g. opening Gmail to read a thread). It does not track your browsing history, and it does not run in the background on sites outside of its declared host permissions.
2.7 Diagnostic telemetry
Both the extension and the WhatsApp agent send health heartbeats (uptime, message counts, error counts) to the TheConsultant orchestrator so we can detect outages and auto-recover failed containers. Heartbeats do not contain personal data or message content.
2.8 Billing & payment data
Payment card numbers are never seen or stored by us — they go directly to the payment gateway you choose at checkout (currently Stripe, Razorpay, PayPal, Paddle or Lemon Squeezy depending on your region). We store only the gateway customer ID, subscription ID, plan, status and renewal date returned by that gateway, plus the country / currency used so the dashboard can show the right pricing.
3. How we use your data
- To authenticate your account and authorise tool execution.
- To execute the specific browser actions you (or the assistant acting on your behalf) request.
- To provide LLM responses using API keys that you have provisioned.
- To diagnose extension errors and improve reliability.
We do not use your data for advertising, profiling, creditworthiness scoring, or any purpose unrelated to the product's single purpose.
4. Data sharing and third parties
We do not sell, rent, or trade your personal data. Data is shared only with:
- LLM providers you choose — including Groq, Google Gemini, Mistral, OpenAI, Anthropic, OpenRouter, Cohere, Together AI, Hugging Face, or a local Ollama instance. Only the content of the message being replied to (and the relevant conversation context and KB snippets) is sent, using API keys you have provisioned. Each provider has its own privacy policy — review those before enabling them.
- Payment gateways you select at checkout (Stripe, Razorpay, PayPal, Paddle, Lemon Squeezy, etc.) for processing subscription payments. Card data is handled entirely by the gateway and never traverses our servers.
- Service providers that host TheConsultant's own infrastructure (database, error monitoring, VM hosting providers such as Hetzner, Contabo, DigitalOcean, Fly.io). These providers are bound by confidentiality obligations and do not use the data for their own purposes.
Neither the WhatsApp agent nor the extension contacts ad networks, analytics services, or unrelated third parties.
5. Data retention
- Account info: retained for the life of your account; deleted on account deletion request.
- LLM API keys: retained until you remove them or delete your account.
- Message / email content: not retained; processed only in memory during tool execution.
- Short-term conversation context: stored for up to 30 days to enable multi-turn assistance; deleted after that or on request.
- Diagnostic logs: retained for up to 14 days for debugging.
6. Your rights
You have the right to:
- Request a copy of the data we hold on you.
- Request correction or deletion of your data.
- Revoke LLM API keys and third-party access at any time from your TheConsultant dashboard.
- Uninstall the extension from your browser at any time, which removes all locally stored data immediately.
To exercise these rights, email hello@theconsultant.chat.
7. Chrome Web Store disclosures
In accordance with the Chrome Web Store Developer Program Policies, we confirm that:
- The single purpose of this extension is to execute browser-side automation and AI-tool actions on behalf of the TheConsultant assistant signed into the user's Google account.
- The extension does not execute remote code. All JavaScript is bundled in the extension package at build time. Network requests are used only to read or write data from APIs the user has explicitly authorised.
- Data collected through the extension is used solely to deliver the single purpose described above; it is never sold, transferred for advertising, or used to determine creditworthiness.
- The extension only accesses the host permissions declared in its manifest and only when the user triggers an action.
8. Security
Data in transit is encrypted using TLS. Locally stored data in the browser is protected by Chrome's extension sandbox. Backend storage uses standard industry encryption at rest. No system is perfectly secure — if you become aware of a security issue, please report it to hello@theconsultant.chat.
9. Children
TheConsultant is not directed to children under 13 (or the equivalent age in your jurisdiction) and we do not knowingly collect personal data from children.
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced via the TheConsultant dashboard or by email. Continued use of the service after an update constitutes acceptance of the revised policy.