🔒 PAJR Privacy Policy

Your Privacy is Our Priority

Last Updated: January 2025

🔒 Our Core Privacy Commitment: PAJR uses end-to-end encryption for all messages and sensitive data. Your messages are encrypted on your device and remain encrypted in transit and at rest. We decrypt messages only momentarily to deliver them via Gmail API - we do not store, log, or access message content. Your encryption keys are device-specific and never shared. All customer data is explicitly guaranteed to never be used for AI model training.

Table of Contents

1. Overview

PAJR ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Personal AI Journal & Response System ("Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. We are committed to transparency about our data practices and providing you with control over your personal information.

Key Principle: We follow a "zero-knowledge" architecture where possible. This means we minimize the data we can access, encrypt everything we can, and never use your data for AI model training.

2. What Data We Collect

2.1 Account Information

When you register for PAJR, we collect:

  • Email Address: Required for account creation, authentication, and communication
  • Password: Stored as a cryptographically hashed value (bcrypt with salt) - we never store plain text passwords
  • First Name and Last Name: Optional, used for personalization and account management
  • PAJR Username: Automatically generated or chosen by you, used for messaging within the PAJR network
  • Account Settings: Your preferences for notifications, privacy, and service configuration

2.2 Communication Data

When you use PAJR to send and receive messages:

  • Message Content: Email content (subject, body) - encrypted end-to-end, decrypted only momentarily for delivery via Gmail API
  • Voice Recordings: Audio files you record - encrypted on device before transmission, encrypted in transit and at rest
  • Transcriptions: Text transcriptions of voice recordings - encrypted in transit and at rest
  • Message Metadata: Timestamps, message sizes, delivery status (no content or identifying information)

2.3 Device Information

When you connect a device to PAJR:

  • Device ID: Unique identifier for your device
  • Device Credentials: Encrypted authentication tokens for device communication
  • Device Activity: Connection status, last seen timestamps (no content access)

2.4 OAuth Integration Data

When you connect external services:

  • OAuth Tokens: Encrypted tokens for Google Gmail, Microsoft Outlook, Slack, and other integrated services
  • Service Account Information: Basic account details (email address, service type) - stored encrypted

2.5 Usage and Technical Data

We collect minimal metadata for service operation:

  • System Logs: Timestamps, data sizes, processing status, error flags (no message content or identifying information)
  • Performance Metrics: System performance data, API response times, service availability
  • Activity Logs: User actions (account creation, device registration, settings changes) - metadata only

What We Do NOT Collect: We do not collect or store message content in plain text. We do not log email addresses, names, or other identifying information in our system logs. We do not track your browsing behavior outside of our Service. We do not sell your data to third parties. We do not use your data for advertising purposes.

3. How We Use Your Data

3.1 Service Provision

We use your data to:

  • Provide, maintain, and improve the PAJR Service
  • Authenticate your identity and secure your account
  • Process and deliver messages through integrated email services
  • Enable voice recording transcription and AI-powered responses
  • Manage device connections and communication
  • Send you service-related notifications (account confirmations, security alerts)

3.2 AI Processing

When you use AI features:

  • Your messages are processed by AWS Bedrock with Anthropic Claude for generating responses
  • Data is encrypted before being sent to AI services
  • Plaintext exists only in memory during processing
  • Results are encrypted before storage
  • Your data is NEVER used for AI model training - this is contractually guaranteed by our AI provider

3.3 Security and Compliance

We use your data to:

  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations and respond to legal requests
  • Enforce our Terms of Service
  • Maintain audit logs for security and compliance purposes

3.4 Service Improvement

We use aggregated, anonymized data to:

  • Analyze service performance and reliability
  • Identify and fix technical issues
  • Improve system architecture and efficiency
  • Develop new features (without using your personal content)
  • Conduct security research and threat analysis (using anonymized metadata only)

Anonymization Standards: When we use aggregated data for service improvement, we ensure that all personal identifiers are removed and the data cannot be re-identified. We use industry-standard anonymization techniques and do not attempt to re-identify anonymized data.

Data Minimization: We only collect and use data that is necessary for providing the Service. We do not use your personal content for any purpose other than delivering the Service to you.

4. Google User Data Handling

PAJR integrates with Google services, including Gmail, to provide email functionality. This section specifically addresses how we access, use, store, and share Google user data in compliance with Google's API Services User Data Policy and OAuth verification requirements.

4.1 Google OAuth Scopes and Permissions

PAJR requests the following Google OAuth scopes to provide email functionality:

  • https://www.googleapis.com/auth/gmail.send - To send emails on your behalf through Gmail
  • https://www.googleapis.com/auth/gmail.readonly - To read Gmail messages for processing and delivery

These scopes are requested only when you choose to connect your Google account to PAJR. You can revoke these permissions at any time through your Google account settings or by disconnecting your Google account from PAJR.

4.2 What Google User Data We Collect

When you connect your Google account to PAJR, we access the following Google user data:

  • Gmail Messages: Email content (subject, body, sender, recipient) - accessed only to deliver messages through the PAJR service
  • Gmail Account Information: Your Gmail email address - used to identify and route messages
  • OAuth Tokens: Encrypted access and refresh tokens - stored securely to maintain your connection to Gmail

Limited Access: We only access Gmail data that is necessary to provide the PAJR service. We do not access your Google Drive, Google Calendar, Google Contacts (beyond what's in Gmail), or any other Google services beyond Gmail.

4.3 How We Use Google User Data

We use Google user data solely for the following purposes:

  • Email Delivery: To send emails on your behalf through the Gmail API when you use PAJR to compose and send messages
  • Message Processing: To read incoming Gmail messages that you choose to process through PAJR, enabling features such as AI-powered responses and message routing
  • Service Functionality: To provide core PAJR features, including neural message routing, cross-platform communication, and device-to-device message relay

Restricted Use: We use Google user data ONLY to provide or improve the functionality of the PAJR application. We do NOT use Google user data for any other purpose, including but not limited to:

  • Advertising or marketing purposes
  • Data mining or analytics unrelated to service functionality
  • Training AI models (we use enterprise AI services with privacy guarantees)
  • Sharing with third parties for their own purposes
  • Any purpose other than providing or improving PAJR's core functionality

4.4 How We Store Google User Data

Google user data is stored with the following security measures:

  • Encryption: All Google user data is encrypted using AES-256-GCM encryption both in transit and at rest
  • OAuth Tokens: Stored encrypted in Google Cloud Firestore with automatic encryption at rest
  • Message Content: Gmail message content is encrypted end-to-end and stored only temporarily for processing. Messages are decrypted only momentarily in memory for delivery via Gmail API
  • Access Controls: Google user data is isolated per user account and accessible only to the account owner
  • Secure Infrastructure: All data stored on Google Cloud Platform with SOC 2 Type II certified infrastructure

4.5 How We Share Google User Data

We share Google user data only as follows:

  • Google Gmail API: We share message content with Google's Gmail API solely for the purpose of sending emails on your behalf. This is necessary for the core functionality of PAJR
  • Google Cloud Platform: We use Google Cloud Platform for infrastructure hosting. Google user data stored on GCP is subject to Google's data processing agreements and is encrypted at rest
  • AI Processing Services: Message content may be processed by AWS Bedrock (Anthropic Claude) for AI-powered features. All data is encrypted before transmission, and our AI provider has contractual guarantees that data is never used for model training

We Do NOT Sell Google User Data: PAJR does not and will never sell Google user data to third parties. We do not share Google user data with advertisers, data brokers, or any third parties for their own commercial purposes.

4.6 Data Protection Mechanisms for Google User Data

We implement comprehensive security measures to protect Google user data:

  • End-to-End Encryption: All Google user data is encrypted using AES-256-GCM before storage
  • Encrypted Transmission: All data transmitted to and from Google APIs uses HTTPS/TLS 1.2+
  • Access Controls: User-based data isolation ensures your Google data is only accessible to you
  • Token Security: OAuth tokens are encrypted at rest and never exposed in logs or error messages
  • Audit Logging: All access to Google user data is logged (metadata only, no content) for security monitoring
  • Regular Security Audits: We conduct regular security assessments and penetration testing
  • Compliance: Our infrastructure is SOC 2 Type II certified and HIPAA eligible

4.7 Data Retention and Deletion of Google User Data

Google user data is retained and deleted as follows:

  • OAuth Tokens: Retained while your Google account is connected to PAJR. Deleted immediately when you disconnect your Google account or delete your PAJR account
  • Gmail Message Content:
    • Messages are automatically deleted immediately after successful delivery to your device
    • Failed messages are retained for up to 60 minutes for retry purposes, then permanently deleted
    • We do not store Gmail message content long-term
  • Account Deletion: Upon deletion of your PAJR account, all Google user data is permanently deleted within 30 days, except where required by law
  • Disconnection: You can disconnect your Google account at any time through your PAJR account settings, which immediately deletes associated OAuth tokens

You can also revoke PAJR's access to your Google account at any time through your Google Account permissions page, which will immediately revoke our access to your Google data.

4.8 Transfer of Google User Data

We transfer Google user data to third parties ONLY for the following purposes, which are necessary to provide or improve the PAJR application's functionality:

  • Google Gmail API: Transfer of message content to Google's Gmail API for email delivery (core functionality)
  • Google Cloud Platform: Storage of encrypted data on GCP infrastructure (necessary for service operation)
  • AWS Bedrock (Anthropic Claude): Processing of message content for AI-powered features (service functionality improvement). All transfers are encrypted, and the AI provider has contractual guarantees that data is never used for model training

We do NOT transfer Google user data to third parties for any purpose other than providing or improving PAJR's functionality. We do NOT transfer Google user data to advertisers, data brokers, or analytics services.

4.9 Your Rights Regarding Google User Data

You have the following rights regarding your Google user data:

  • Access: You can view what Google data is connected to your PAJR account through your account settings
  • Disconnect: You can disconnect your Google account from PAJR at any time, which immediately revokes our access
  • Revoke Permissions: You can revoke PAJR's access through your Google Account permissions page at any time
  • Delete: You can request deletion of all Google user data associated with your PAJR account
  • Export: You can export your data, including Google user data, in a machine-readable format

4.10 Changes to Google User Data Handling

If we change how we access, use, store, or share Google user data, we will notify you by:

  • Updating this Privacy Policy with a new "Last Updated" date
  • Sending you an email notification (if you have provided an email address)
  • Displaying a prominent notice in the PAJR application

Your continued use of PAJR after such changes constitutes your acceptance of the updated practices.

Google API Services User Data Policy Compliance: PAJR's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide or improve the functionality of the PAJR application and do not use it for any other purpose.

5. How We Protect Your Data

5.1 End-to-End Encryption

PAJR implements end-to-end encryption for all sensitive data:

  • Encryption Algorithm: AES-256-GCM (Galois/Counter Mode) with 256-bit keys
  • Key Derivation: HKDF (HMAC-based Key Derivation Function) for key derivation, PBKDF2 with 100,000 iterations for password-based keys
  • Key Management: Encryption keys are generated client-side and stored securely on your device. Device-specific mutual encryption keys between device and backend ensure secure communication
  • In Transit: All data is encrypted using HTTPS/TLS 1.2+ for API communications and MQTT over TLS (port 8883) for device communication
  • At Rest: All sensitive data stored in our database is encrypted using Google Cloud Firestore's automatic encryption at rest
  • Processing: Messages are decrypted only momentarily in memory for delivery via Gmail API - we do not store decrypted content
  • Additional Encryption: Fernet encryption for service-level data encryption, Google Cloud Secret Manager for service credentials

5.2 Infrastructure Security

Our infrastructure is built on enterprise-grade platforms:

  • Cloud Platform: Google Cloud Run with automatic security updates and DDoS protection
  • Database: Google Cloud Firestore with automatic encryption at rest and access control via IAM
  • AI Services: AWS Bedrock (SOC 2 Type II certified, HIPAA eligible) with contractual privacy guarantees
  • Secret Management: Google Cloud Secret Manager for service credentials

5.3 Access Controls

We implement strict access controls:

  • User-based data isolation - your data is only accessible to you
  • JWT-based authentication with configurable token expiry (default: 30 days)
  • Device authentication required for all device communications (MQTT over TLS)
  • Role-based access control (RBAC) for internal systems
  • Multi-factor authentication (MFA) support for enhanced account security
  • Comprehensive audit logging for all data access, modifications, and administrative actions
  • Regular access reviews and privilege audits
  • Principle of least privilege - users and systems only have access to data necessary for their function

5.4 Security Testing and Assessments

We regularly test and assess our security measures:

  • Penetration Testing: Annual third-party penetration testing
  • Vulnerability Assessments: Regular vulnerability scans and assessments
  • Code Reviews: Security-focused code reviews for all changes
  • Dependency Scanning: Regular scanning of dependencies for known vulnerabilities
  • Security Audits: Internal and external security audits
  • Incident Response Testing: Regular testing of incident response procedures

5.5 Audit Trails and Monitoring

We maintain comprehensive audit trails for security and compliance:

  • Access Logs: All data access events are logged with timestamps, user IDs, and action types
  • Authentication Logs: Login attempts, successful authentications, and failed login attempts are logged
  • Data Modification Logs: All data creation, modification, and deletion events are logged
  • System Logs: System events, errors, and security alerts are logged (metadata only, no content)
  • Retention: Security audit logs retained for 1 year, general system logs retained for 90 days
  • Monitoring: Real-time security monitoring and alerting for suspicious activities
  • Regular Reviews: Audit logs are regularly reviewed for security incidents and compliance

5.6 Compliance Certifications

Our infrastructure and processes comply with:

  • SOC 2 Type II: Certified security controls and processes
  • HIPAA Eligible: Ready for healthcare data compliance
  • GDPR Compliant: Meets EU data protection standards
  • ISO 27001: Information security management standards

For more details on our security measures, please see our Security Overview.

6. Data Sharing and Third Parties

6.1 Service Providers

We work with trusted third-party service providers who help us operate the Service. All service providers are subject to Data Processing Agreements (DPAs) that require them to:

  • Process data only for specified purposes
  • Implement appropriate security measures
  • Comply with applicable data protection laws
  • Notify us of any data breaches
  • Delete or return data upon termination of services
Service Provider Purpose Data Shared Privacy Guarantees DPA Status
Google Cloud Platform Infrastructure hosting, database storage, Secret Manager Encrypted user data, metadata, service credentials SOC 2 Type II, GDPR compliant, ISO 27001 ✓ DPA in place
AWS Bedrock (Anthropic Claude) AI processing for message responses Encrypted message content (temporarily decrypted in memory only) SOC 2 Type II, HIPAA eligible, no training data use (contractual guarantee) ✓ DPA in place
Google Gmail API Email delivery Message content (decrypted momentarily for delivery only) Google's privacy policy applies, OAuth 2.0 scopes limited to email sending ✓ Terms of Service
Microsoft Outlook API Email delivery (if used) Message content (decrypted momentarily for delivery only) Microsoft's privacy policy applies, OAuth 2.0 scopes limited to email sending ✓ Terms of Service
Slack API Slack integration (if used) Encrypted OAuth tokens, message metadata Slack's privacy policy applies, OAuth scopes limited to necessary permissions ✓ Terms of Service

Vendor Management: We regularly assess our service providers for security and compliance. All vendors handling personal data are required to maintain appropriate security certifications and comply with applicable data protection laws. We conduct annual vendor security assessments and review DPAs to ensure continued compliance.

6.2 Legal Requirements

We may disclose your data if required by law or in response to valid legal requests:

  • To comply with legal obligations, court orders, or government requests
  • To protect our rights, property, or safety, or that of our users
  • To investigate potential violations of our Terms of Service
  • In connection with a merger, acquisition, or sale of assets (with notice to users)

6.3 What We Do NOT Share

We do NOT: Sell your data to third parties. Share your data with advertisers. Use your data for marketing purposes without your explicit consent. Allow third parties to use your data for their own purposes. Share your encryption keys with anyone.

7. Data Retention and Deletion

7.1 Retention Periods

We retain your data for as long as necessary to provide the Service and comply with legal obligations:

  • Account Data: Retained while your account is active. After account deletion, retained for 30 days to allow account recovery, then permanently deleted except where required by law (e.g., transaction records for tax purposes - typically 7 years)
  • Message Data: Default policy: Messages are automatically deleted immediately after successful delivery to your device. Failed messages retained for up to 60 minutes for retry purposes, then permanently deleted. Configurable retention periods available per account settings
  • Voice Recordings: Retained according to your account settings. Default: Deleted immediately after transcription and delivery. Encrypted backups (if enabled) retained per your configured retention period
  • System Logs: Retained for 90 days for security and troubleshooting purposes (metadata only, no content or identifying information). Security audit logs retained for 1 year for compliance purposes
  • OAuth Tokens: Retained while your account is active and deleted immediately when you disconnect the service. Token refresh logs retained for 30 days
  • Backup Data: Encrypted backups deleted within 30 days of account deletion or immediately upon request

7.2 Your Right to Deletion

You have the right to request deletion of your data:

  • Account Deletion: You can delete your account at any time through your account settings
  • Data Deletion: Upon account deletion, we will delete your personal data within 30 days, except where we are required to retain it by law
  • Service Disconnection: You can disconnect integrated services (Gmail, Outlook, Slack) at any time, which will delete associated OAuth tokens
  • Message Deletion: You can configure automatic message deletion or manually delete messages

7.3 Deletion Process

When you request account deletion:

  1. We immediately disable your account and prevent new logins
  2. We begin the deletion process for your personal data
  3. Encrypted data is securely deleted from our systems
  4. Backup data is deleted according to our backup retention policies
  5. We retain only data required by law (e.g., transaction records for tax purposes) for the minimum required period

8. Your Rights and Choices

8.1 Access and Portability

You have the right to:

  • Access Your Data: Request a copy of your personal data in a machine-readable format
  • Data Portability: Export your data in a standard format
  • Account Information: View and update your account information at any time

8.2 Correction and Updates

You can:

  • Update your email address, name, and other account information
  • Change your password at any time
  • Modify your privacy and notification settings
  • Update your PAJR username (subject to availability)

8.3 Deletion Rights

You have the right to:

  • Delete your account and all associated data
  • Delete specific messages or voice recordings
  • Disconnect integrated services and delete associated data
  • Request deletion of data that is no longer necessary for the Service

8.4 Privacy Controls

You can control:

  • Profile Visibility: Set your profile to private or public
  • Message Retention: Configure how long messages are retained
  • Notifications: Choose which notifications you receive
  • Data Sharing: Control which services are connected to your account

8.5 GDPR Rights (EU Users)

If you are located in the European Union, you have additional rights under GDPR:

  • Right to Access: Obtain confirmation of whether we process your data and access to that data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing of your data for certain purposes
  • Right to Withdraw Consent: Withdraw consent for data processing where consent is the legal basis

8.6 Exercising Your Rights

To exercise any of these rights, please contact us using the information provided in the "Contact Us" section below. We will respond to your request within 30 days.

9. Children's Privacy

PAJR is not intended for users under the age of 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

10. International Data Transfers

PAJR is operated from the United States. If you are located outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

We ensure that appropriate safeguards are in place for international data transfers:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256-GCM)
  • We use service providers that comply with international data protection standards (SOC 2 Type II, GDPR, ISO 27001, HIPAA eligible)
  • We implement Standard Contractual Clauses (SCCs) for data transfers to ensure GDPR compliance
  • We comply with applicable data protection laws, including GDPR for EU users and CCPA for California residents
  • Data Processing Agreements (DPAs) are in place with all third-party processors
  • Regular vendor assessments and compliance audits are conducted

By using our Service, you consent to the transfer of your information to the United States and other countries where our service providers operate, subject to the safeguards described in this Privacy Policy.

EU Users: For transfers from the European Economic Area (EEA) to the United States, we rely on Standard Contractual Clauses approved by the European Commission and additional technical and organizational measures to ensure your data receives an adequate level of protection.

11. California Consumer Privacy Act (CCPA) Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

11.1 Your CCPA Rights

  • Right to Know: You have the right to request information about the categories and specific pieces of personal information we collect, use, disclose, and sell (we do not sell personal information)
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out: You have the right to opt-out of the sale of personal information (we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
  • Right to Correct: You have the right to request correction of inaccurate personal information
  • Right to Limit Use of Sensitive Personal Information: You can limit our use of sensitive personal information to what is necessary for service provision

11.2 Categories of Personal Information We Collect

Under CCPA, we collect the following categories of personal information:

  • Identifiers: Email address, PAJR username, device IDs
  • Personal Information: First name, last name (optional)
  • Commercial Information: Account settings, service preferences
  • Internet Activity: System logs (metadata only), connection status
  • Geolocation Data: Not collected
  • Sensitive Personal Information: Encrypted message content, encrypted voice recordings, encrypted OAuth tokens

11.3 How to Exercise Your CCPA Rights

To exercise your CCPA rights, please contact us using the information provided in the "Contact Us" section. We will verify your identity before processing your request and respond within 45 days (with a possible 45-day extension if needed).

We Do Not Sell Personal Information: PAJR does not and will not sell your personal information to third parties. We do not share your personal information for commercial purposes without your explicit consent.

12. Data Breach Notification

12.1 Our Commitment

PAJR is committed to protecting your data and maintaining transparency in the event of a security incident. We have implemented comprehensive security measures to prevent data breaches, including end-to-end encryption, access controls, and regular security audits.

12.2 Incident Response Plan

In the event of a suspected or confirmed data breach, we will:

  1. Immediate Containment: Immediately contain the breach to prevent further unauthorized access
  2. Assessment: Assess the scope and impact of the breach within 24 hours
  3. Investigation: Conduct a thorough investigation to determine the cause and extent of the breach
  4. Notification: Notify affected users and relevant authorities as required by law
  5. Remediation: Take steps to remediate the breach and prevent future occurrences
  6. Documentation: Document the incident and our response for compliance and improvement purposes

12.3 Notification Timelines

We will notify affected users and authorities in accordance with applicable laws:

  • GDPR (EU Users): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and notify affected users without undue delay if the breach poses a high risk to their rights and freedoms
  • CCPA (California Residents): Notify affected California residents in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement
  • HIPAA (If Applicable): Notify affected individuals within 60 days, and notify the Department of Health and Human Services within 60 days for breaches affecting 500+ individuals, or within 60 days of the end of the calendar year for smaller breaches
  • General: We will notify affected users as soon as practicable, typically within 72 hours of confirming a breach

12.4 Notification Content

Our breach notifications will include:

  • Description of the nature of the breach
  • Categories and approximate number of affected individuals
  • Categories and approximate number of affected records
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for our privacy team
  • Recommendations for affected users to protect themselves

12.5 Security Measures to Prevent Breaches

We implement multiple layers of security to prevent data breaches:

  • End-to-end encryption for all sensitive data
  • Regular security audits and penetration testing
  • Access controls and authentication requirements
  • Network security and monitoring
  • Employee training on data protection
  • Incident response procedures and regular testing
  • Vendor security assessments

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated Privacy Policy on this page with a new "Last Updated" date
  • Sending you an email notification (if you have provided an email address)
  • Displaying a prominent notice on our Service

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Inquiries

Email: nolan@thepajr.com

Subject Line: "Privacy Inquiry" or "Data Rights Request"

For general privacy questions, data access requests, deletion requests, or to exercise your privacy rights (GDPR, CCPA, etc.), please contact our privacy team.

Security Issues

Email: nolan@thepajr.com

Subject Line: "Security Issue" or "Vulnerability Report"

For security-related concerns, suspected data breaches, or to report security vulnerabilities, please contact our security team immediately.

Data Protection Officer (GDPR)

Email: nolan@thepajr.com

For EU users, you can contact our Data Protection Officer for any GDPR-related inquiries or concerns.

Mailing Address

PAJR Privacy Team
[Your Business Address]
[City, State ZIP Code]
United States

Response Times

We are committed to addressing your concerns promptly and transparently:

  • General Inquiries: We will respond within 30 days
  • Data Rights Requests (GDPR/CCPA): We will respond within 30 days (with possible 30-day extension if needed, with notification)
  • Security Issues: We will acknowledge receipt within 24 hours and provide updates as we investigate
  • Data Breach Notifications: As required by law (typically within 72 hours for GDPR, as soon as practicable for CCPA)

Verification Requirements

To protect your privacy and security, we may need to verify your identity before processing certain requests, especially data access or deletion requests. We will request minimal information necessary for verification.

Your Privacy Matters
We are committed to protecting your privacy and being transparent about our data practices. If you have any questions or concerns, please don't hesitate to contact us.

PAJR Privacy Policy
Personal AI Journal & Response System
Last Updated: January 2025
Version: 2.0

This Privacy Policy is effective as of the "Last Updated" date above. By using PAJR, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.