Security and privacy

Family data, treated like family data.

Trust isn't a compliance checkbox to us. It's our brand. The principles below are what we will and won't do with your information, in plain language.

Foundational commitments

  • Encrypted in transit and at rest.

    TLS for every connection; database-level encryption at rest. Attachments and raw email bodies live in isolated object storage with their own access controls.

  • Zero-retention LLM processing.

    We process Smitty's reasoning and classification through enterprise APIs that contractually retain nothing. Vendor data is never used for AI training.

  • We do not sell your data. Ever.

    There's no advertising business here, no data brokers in the supply chain, and no plans to add one.

  • Per-household isolation, verified.

    Every database query is scoped to one household. We run a CI audit that fails the build if any query forgets it.
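The page does not say how the CI audit is built, so the following is an added example, not Smitty's own code: it assumes the application's queries are plain parameterized SQL strings registered under a name, and that the set of household-scoped tables is known. A query that reads or mutates one of those tables without binding `household_id` to a parameter is reported, and a non-empty report is what fails the build.

```python
import re

# Tables assumed (for this example) to hold per-household rows; any query that
# touches one of them must be scoped. Names are constructed for illustration.
HOUSEHOLD_SCOPED_TABLES = {"messages", "attachments", "calendar_feeds", "derived_items"}

# Tables named after FROM / JOIN / UPDATE (DELETE FROM is covered by FROM).
_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE)\s+([A-Za-z_]+)", re.IGNORECASE)

# Accepted scope: a household_id predicate bound to a parameter placeholder
# (?, :name, %(name)s or $1). A literal id is rejected on purpose: the value
# must come from the authenticated session, never be hard-coded.
_SCOPE_RE = re.compile(
    r"\bhousehold_id\s*=\s*(?:\?|:\w+|%\(\w+\)s|\$\d+)", re.IGNORECASE
)


def tables_touched(sql: str) -> set[str]:
    """Lower-cased table names referenced by the statement."""
    return {name.lower() for name in _TABLE_RE.findall(sql)}


def is_household_scoped(sql: str) -> bool:
    """True when the query touches no household table, or binds household_id."""
    if not (tables_touched(sql) & HOUSEHOLD_SCOPED_TABLES):
        return True
    return _SCOPE_RE.search(sql) is not None


def audit(queries: dict[str, str]) -> list[str]:
    """Names of queries that violate the rule; an empty list means the build passes."""
    return [name for name, sql in queries.items() if not is_household_scoped(sql)]


# Constructed sample registry: one query forgets the scope and one compares
# against a literal, both of which the audit must catch.
SAMPLE_QUERIES = {
    "list_messages": "SELECT id, subject FROM messages WHERE household_id = ? ORDER BY received_at DESC",
    "purge_expired": "DELETE FROM attachments WHERE received_at < ?",
    "count_vendors": "SELECT count(*) FROM vendors",
    "join_items": "SELECT i.id FROM derived_items i JOIN messages m ON m.id = i.message_id WHERE m.household_id = :hid",
    "read_literal": "SELECT body FROM messages WHERE household_id = 42",
}

if __name__ == "__main__":
    failures = audit(SAMPLE_QUERIES)
    for name in failures:
        print(f"UNSCOPED QUERY: {name}")
    raise SystemExit(1 if failures else 0)
```

This is a lint over query text, not a proof of isolation: a predicate that is present but defeated by an `OR` clause, or a scope applied in application code rather than SQL, needs a separate check.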

Data lifecycle

Your data lifecycle

Plain-language summary of what we keep, why, and how to delete it. The legal version lives on the privacy policy.

  • Email retention defaults to 90 days.

    Forwarded emails and attachments are kept for 90 days by default and then purged. You can shorten or extend this in settings.

  • One-command full delete.

    Text DELETE to Smitty and we permanently remove your household: messages, calendar feed, attachments, derived items, and account.

  • Visible Review surface.

    The Review tab on the web app shows every email Smitty processed and what it did with each — so you can see and correct AI actions in real time.

  • Logs that don't leak.

    Structured logs use strict allowlists. No message bodies, no chat content, no family profile data. Household IDs are hashed for aggregation.

Authentication

Magic links by default. PIN gates on the sensitive stuff.

Web sign-in is a one-time email link. Sessions persist 30 days and can be revoked from the account screen. Passkeys are on the roadmap for month six.

Custody-related and medical queries require a PIN before Smitty answers — even from your own phone — so a found device can’t be used to read sensitive context.

Compliance roadmap

What's in place, and what's coming.

  • Day one: GDPR/CCPA-compliant data handling
  • Day one: TCPA STOP/START handling, soft-pause, quiet hours by default
  • Pre-launch: 10DLC SMS registration with carriers
  • Pre-launch: Signed DPAs with every vendor before production data flows
  • 72 hours: Incident notification commitment
  • Month 6: SOC 2 Type 1 target
  • Month 12: SOC 2 Type 2 target

Questions, vulnerabilities, or just curious?

Email security@smittyhq.com. The full legal version lives on the privacy policy.