How we handle your data.

Management OS is operated by Management OS, Inc., a Delaware C-corporation. If you have any privacy question, email privacy@managementos.ai. A real person reads it.

From you, when you sign up: name, email, company, role, and the credential you authenticate with (Google, email + password). Standard.

From your connected tools: when you connect HubSpot, Salesforce, Gmail, Google Calendar, or Slack via Unified.to, we read pipeline records, contact records, deal records, calendar events, and email metadata. We need this to do our job. We do not read the full body of every email — we read enough to identify whether a customer was contacted, by whom, when, and at what stage.

From your usage: what you ask the AMA, which briefs you open, which alerts you act on. We use this to make the system smarter for you and to improve the product for the cohort. Aggregate, not surveillance.

We don't scrape your inbox. We don't read messages from contacts who are not on a deal in your CRM. We don't share your CRM data with third parties for advertising. We don't sell anything about you. Ever.

Your data is stored in Supabase (US-East), encrypted at rest. AI inference runs through Anthropic and OpenAI. We do not train any external model on your data. AI providers under our contract are bound to delete prompts after processing.

You. Members of your workspace you've invited. Engineers at Management OS, Inc. when responding to support tickets you've opened or investigating a security incident. Nobody else.

You can export everything we have about you. You can delete your account and all data tied to it. You can disconnect any integration at any time. Email privacy@managementos.ai with the request and we will action it within 7 business days. GDPR and CCPA rights respected; California and EU residents have explicit rights to access, correction, deletion, portability, and to object to processing.

While your subscription is active: we retain everything needed to run the product. After cancellation: your data is retained for 30 days (in case you reactivate), then permanently deleted. Backups roll off after 90 days. Aggregate / de-identified analytics may persist longer.

TLS in transit. AES-256 at rest. Service-role keys for server-only paths. Row-level security policies on every table that touches customer data. SOC 2 Type II planned for late 2026; we'll publish the report when it's done.

If we ever experience a breach affecting your data, you will be notified within 72 hours of confirmation, with details of what happened and what we're doing.

We use cookies for authentication (you stay signed in) and basic analytics (PostHog, anonymized). No advertising cookies. No third-party tracking.

If we make material changes to this policy, we will email active users 30 days before they take effect. Minor changes (typos, clarifications) we post here without notice.