Privacy Policy

Last updated: April 2026

Introduction

Rincon AI (“we,” “our,” or “us”) builds AI-powered operating systems for small and medium businesses. This Privacy Policy explains how we collect, use, store, and protect information when you visit rinconai.com, use our client portal at portal.rinconai.com, or connect third-party services (such as Google, Instagram, TrainingPeaks, or Klaviyo) to our platform.

We believe in the minimum data principle: we only request access to the data we actually need to deliver the agreed-upon service, and we do not resell, rent, or otherwise commercialize your data.

Information We Collect

Information you provide directly

  • Contact form submissions: name, email, phone number, business name, message content.
  • Portal account details: name, email, and any organization or role information you add.
  • Content you upload or configure inside the portal, including campaign copy, workout comments, promotion settings, and notes you record about contacts or athletes.

Information from connected third-party services (with your consent)

When you authorize Rincon AI to connect to a third-party service on your behalf, we receive and process only the data covered by the scopes you approve:

  • Google / Gmail API. If you connect a Gmail mailbox, we request the gmail.readonly and gmail.modify scopes to list, read, and mark-as-read messages from specific senders (for example, TrainingPeaks coach-comment notifications). We do not read, index, or retain any messages outside the narrow filter you configure.
  • Instagram / Meta Graph API. If you connect an Instagram business account, we receive public profile information, comment events, and direct-message events for that account only, limited to the permissions you approve.
  • TrainingPeaks Partner API. If you connect a TrainingPeaks coach or athlete account, we receive athlete profile, workout, and metric data that your scopes cover. We post coach comments back to TrainingPeaks only when you explicitly approve a draft.
  • Klaviyo API. If you connect a Klaviyo account, we read list and profile data you designate and write new profiles, list memberships, and email campaigns on your behalf.

Information collected automatically

  • Standard web server logs: IP address, browser type, pages visited, timestamps.
  • Error and performance diagnostics used to maintain service reliability.

Google API Services User Data Policy (Limited Use)

Rincon AI’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data to provide or improve user-facing features that are prominent in the application’s user interface.
  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data for serving advertisements, and we never sell Google user data.
  • We do not allow humans to read Google user data except with your explicit consent, when necessary for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and anonymized.

How We Use Your Information

  • To respond to your inquiries and provide the services you request.
  • To authenticate you and keep your portal session secure.
  • To process the operational tasks you configure: ingesting comments and messages, drafting replies, routing leads, staging newsletters, and similar automation inside your own accounts.
  • To generate AI-assisted drafts and suggestions inside the portal. We send the minimum context required for each request to our AI model providers and never use your data to train foundation models.
  • To send transactional emails related to your use of the service.
  • To improve the reliability and security of our platform.
  • To comply with legal obligations.

Third-Party Processors

We rely on a small set of vetted service providers to operate the platform. Each receives only the data necessary to perform its function:

  • Amazon Web Services (AWS). Hosting, compute, and storage.
  • Supabase. Managed Postgres and authentication backend.
  • Anthropic. Large language model inference for drafts and analysis. No training on your data.
  • OpenAI. Embeddings and supporting language model inference. No training on your data.
  • Google (Gmail API, OAuth). Mailbox access for inbound ingestion, only under the scopes you authorize.
  • Meta (Instagram / Facebook Graph API). Social account access, only under the scopes you authorize.
  • TrainingPeaks. Athlete and workout data, only under the scopes you authorize.
  • Klaviyo. Email list and campaign management, only under the API keys you provide.
  • Resend. Outbound transactional email delivery.
  • GitHub. Source control for our platform code. No customer data stored in repositories.

Data Storage and Security

All data is transmitted over HTTPS and stored in managed databases with encryption at rest. Access tokens for connected third-party services are stored server-side and never exposed to the client browser. Portal access is gated by single sign-on and role-based authorization. We maintain audit logs of privileged actions.

No system is perfectly secure. If we become aware of a breach affecting your information, we will notify you without undue delay and cooperate with applicable regulatory authorities.

Data Retention and Deletion

We retain operational data (contacts, comments, drafts, logs) for as long as you maintain an active relationship with us, plus a reasonable archival period for backups and recovery.

You may request deletion of your account data at any time by emailing cav@leancycl.com. We will confirm deletion within 30 days. You may also revoke any third-party integration grant (Google, Meta, TrainingPeaks, etc.) directly from that provider’s account settings; doing so immediately ends our ability to access further data from that account.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Request access to the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion or export of your personal information.
  • Object to or restrict certain processing activities.
  • Withdraw consent for any connected third-party integration at any time.
  • Opt out of any marketing communications.

To exercise any of these rights, contact cav@leancycl.com.

Cookies and Tracking

Our marketing website does not use advertising cookies or third-party analytics tools. The portal uses only essential cookies required for authenticated sessions. We do not sell or share browsing data.

Children’s Privacy

Our services are not directed to individuals under the age of 13, and we do not knowingly collect personal information from children. If you believe we have inadvertently done so, contact us and we will delete the data.

International Users

Rincon AI operates from the United States. If you access our services from outside the United States, your information may be processed in the United States, where data protection laws may differ from those in your country.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be flagged on this page with an updated revision date, and where required by law we will notify you directly before the change takes effect.

Contact Us

Questions about this Privacy Policy, your personal data, or connected integrations can be directed to cav@leancycl.com.

Rincon AI · Tucson, Arizona