Privacy Policy
This Privacy Policy explains how Highfox Pvt Ltd, operating as Juniors AI ("we", "us", or "our"), handles information across the Juniors AI workspace and its products: Concierge (AI customer support), Data Sensei (natural-language analytics), Recon (financial reconciliation), Search Sensei (AI-agent SEO and GEO), and Sentinel (autonomous DevOps). Given our bring-your-own-infrastructure (BYOI) architecture, the operational data each product handles stays on the database, storage, and LLM provider you own. This policy applies to account holders, team members, and visitors to our website.
1. The BYOI Principle and What It Means for Your Privacy
Juniors AI is built on a zero-data-residency model. The orchestration layer (API, dashboard, queues) is hosted by us; the data layer (database, cache, object storage) and the AI layer (Anthropic Claude or OpenAI) are connected from your own accounts. The single most important consequence is that the operational data each product handles never lives on our side:
- Concierge (AI customer support): conversations, tickets, attachments, agent activity, and the knowledge-base embeddings used for RAG-powered resolution are stored exclusively in the database, cache, and object storage you connect. End-user messages and your knowledge-base content never pass through or reside on Juniors AI's servers.
- Data Sensei (natural-language analytics): pipeline configurations and chat history are written to your own database. Query results stay in your warehouse (Metabase, SQL databases, Mixpanel, or Google Analytics). Only the answer rendered to the requesting user is returned through the platform.
- Recon (financial reconciliation): sources, comparisons, runs, bucket counts, and full row snapshots are persisted to your own database. The transactional rows you reconcile (from CSV / XLSX uploads or live HTTP_API fetches) never leave your infrastructure.
- Search Sensei (AI-agent SEO and GEO): domains, brand profiles, agent run deliverables, saved keywords, site-crawl results, and rank-tracking snapshots are persisted to your own database. Integration credentials for Search Console, Analytics, and optional data providers are encrypted at rest with AES-256-GCM.
- Sentinel (autonomous DevOps): monitoring data, incident diagnoses, automation runs, and reports are generated against your own cloud accounts using scoped credentials you supply. The control plane is VPN-locked, actions are recorded in an audit log within your infrastructure, and Juniors AI holds only the encrypted credentials and policy configuration.
- LLM inference (all products): AI requests are routed directly to your chosen LLM provider using credentials you supply. Juniors AI does not intercept, log, or store prompts, completions, or generated SQL on our side.
This architecture means the bulk of the operational data generated by Concierge, Data Sensei, Recon, Search Sensei, and Sentinel is governed by your own privacy obligations, not ours. This policy covers the narrower category of data Juniors AI does handle directly.
2. Information We Collect
2.1 Account and Registration Data
When you create a Juniors AI account or are invited to one, we collect:
- Full name and work email address of account holders and invited team members
- Organisation name and website
- Job title or role (where provided)
- Billing information (processed via our payment provider; we do not store raw card details)
- Workspace preferences and product configuration settings
2.2 Platform Usage and Metadata
As you use the Juniors AI workspace, we collect anonymised or aggregated platform metadata to understand how each product is used and to improve it:
- Feature interaction events (e.g., which Concierge inbox views are opened, which Data Sensei pipelines are queried, which Recon comparisons are run)
- Session duration and frequency, per product
- Error logs and performance diagnostics from the orchestration layer
- Counts and timings of runs, jobs, and background tasks (no payloads)
This metadata never includes the content of customer conversations, the answers Data Sensei produces, the rows Recon reconciles, or the prompts and completions exchanged with your LLM provider.
2.3 Technical and Device Information
When you access the Juniors AI dashboard or our marketing site, we automatically collect:
- IP address and general geographic region
- Browser type and version
- Operating system
- Referring URLs and page navigation within our site and the dashboard
2.4 Communications Data
If you contact us for support, submit an early-access request, or otherwise communicate with us directly, we retain:
- The content of your messages and enquiries
- Your contact details as provided
- Records of our responses
2.5 Integration Credentials
When you configure a product (e.g., your database connection for Concierge, your Metabase or Mixpanel keys for Data Sensei, your HTTP_API bearer tokens for Recon, your cloud credentials for Sentinel, or your LLM API keys for any product), you provide secrets to Juniors AI. All credentials, headers, query params, and POST bodies that contain secrets are encrypted at rest with AES-256-GCM and redacted from the API surface. They are used solely to facilitate the integration you configure.
3. How We Use Your Information
We use the information described in Section 2 for the following purposes:
- Service delivery: Provisioning and maintaining your Juniors AI workspace, routing you to the right product based on role, processing subscription payments, and enabling the features you configure across Concierge, Data Sensei, Recon, Search Sensei, and Sentinel.
- Platform improvement: Analysing anonymised, per-product usage metadata to identify friction points, improve UX, and prioritise new capabilities.
- Customer support: Responding to your support requests, bug reports, and account queries.
- Security and fraud prevention: Detecting and preventing unauthorised access, abuse, and security incidents at the orchestration layer.
- Legal compliance: Meeting our obligations under applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (DPDPA), and other applicable regulations.
- Communications: Sending transactional emails (e.g., one-time login codes, payment confirmations, account alerts) and, with your consent, product updates or early-access announcements. You may opt out of non-transactional communications at any time.
We do not use your data, your end-customers' data, your analytics queries, or your reconciliation rows to train AI models, build advertising profiles, or sell insights to third parties.
4. Legal Basis for Processing
Where applicable (including under the GDPR for users in the European Economic Area), we process personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Juniors AI workspace and the products you have subscribed to under your agreement.
- Legitimate interests: Security monitoring, product analytics, and fraud prevention - where these interests are not overridden by your rights.
- Legal obligation: Compliance with applicable laws and regulatory requirements.
- Consent: Marketing communications and other optional data uses, where we have obtained your explicit consent. You may withdraw consent at any time.
5. Information Sharing and Disclosure
We do not sell, rent, or broker your personal information. We share data only in the following limited circumstances:
5.1 Service Providers
We engage trusted third-party vendors to operate the Juniors AI orchestration layer, including cloud infrastructure providers (for the hosted API and dashboard), payment processors, email delivery services (e.g., SendGrid for one-time login codes), and analytics tools. These providers process data on our behalf under contractual obligations that require them to protect it and use it only for the purposes we specify.
5.2 Your Connected Providers
When you configure a product, data flows directly between your account and the providers you connect: your LLM provider (Anthropic or OpenAI) for any AI feature, your warehouse for Data Sensei, your HTTP_API endpoints for Recon, your Slack workspace for alerts, and any custom webhooks you set up. Juniors AI does not control these providers. You are responsible for reviewing their privacy policies and ensuring your use of those integrations complies with your obligations to your own end-users.
5.3 Legal Requirements
We may disclose information when required by law, court order, or regulatory authority, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Juniors AI, our customers, or the public.
5.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your account information may be transferred to the successor entity. We will notify you of any such transfer and the resulting privacy implications with reasonable advance notice.
5.5 With Your Consent
We may share information in other circumstances with your explicit prior consent.
6. Data We Do Not Collect
Given the BYOI architecture, the following data categories are explicitly not collected or stored by Juniors AI:
- Concierge: the content of customer support conversations or chat transcripts, support-ticket data, your knowledge-base documents and embeddings, agent activity logs beyond what is stored on your own infrastructure, and your end-customers' personal information of any kind.
- Data Sensei: the raw rows returned by your warehouse, the SQL we generate against your data sources, the natural-language questions your team asks, or the answers rendered back. Pipeline configurations and chat history live in your own database.
- Recon: the transactional rows you reconcile, the contents of CSV / XLSX uploads, the bodies of HTTP_API responses, or the full row snapshots persisted to your buckets. The platform DB only stores source and comparison metadata.
- All products: LLM prompts, completions, or any AI-generated responses produced by Anthropic or OpenAI on your behalf.
You are the data controller for all of the above. Juniors AI acts as a processor only for the limited account and platform-usage data described in Section 2.
7. Google User Data and Limited Use
Some Juniors AI features let you connect your own Google account so the product can act on data in that account on your behalf. Access is granted by you through Google's OAuth consent screen, can be revoked at any time from your Google Account settings, and the resulting access and refresh tokens are encrypted at rest with AES-256-GCM. We request the following Google API scopes and use them only to provide the corresponding user-facing feature:
- Gmail - Concierge email channel (
gmail.readonly,gmail.send,gmail.modify): when you connect a support mailbox, we read incoming messages so they can be ingested as support tickets, send the replies you or the AI compose back in the original thread, and mark ingested messages as read so they are not processed twice. We never permanently delete your mail and never access messages beyond what is needed to operate your support inbox. - Google Analytics - Data Sensei and Search Sensei (
analytics.readonly): when you connect a Google Analytics 4 property, we call the GA4 Admin and Data APIs read-only to list the properties you select and run the reports needed to answer your analytics questions and produce SEO/GEO insights. We never modify your Analytics configuration. - Google Search Console - Search Sensei (
webmasters.readonly): when you connect Search Console, we read your Search Analytics and Sites data to generate SEO reports for the sites you own.
Where this data lives. Consistent with our BYOI model, data retrieved from these Google APIs (for example, ingested email threads and attachments, or query results) is stored in the database and object storage you connect, not on Juniors AI's servers. We retain only the encrypted OAuth tokens and the minimal metadata needed to operate the connection. Tokens are deleted promptly when you disconnect the integration, remove the product, or close your account.
How we use and protect it. Google user data is used solely to provide and improve the user-facing features described above. We do not use it for advertising, do not sell or rent it, and do not use it to train generalised or non-personalised AI/ML models. Humans do not read your Google user data except where you give explicit consent (for example, your own agents working a support ticket), where necessary for security or to comply with applicable law, or where the data has been aggregated and anonymised for internal operations.
Limited Use. Juniors AI's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. This applies to the restricted Gmail scopes (gmail.readonly, gmail.modify) and the sensitive scopes (gmail.send, analytics.readonly) described above.
8. Cookies and Tracking Technologies
We use cookies and similar technologies on our marketing site and within the Juniors AI dashboard for the following purposes:
- Essential cookies: Required for the platform to function - session management, JWT access tokens, refresh-token cookies, and security features. These cannot be disabled without breaking core functionality.
- Analytics cookies: Anonymised tracking of page views, feature usage, and navigation flows to improve the product. We use privacy-respecting analytics tools that do not build individual advertising profiles.
- Preference cookies: Storing your UI preferences (e.g., theme, last-viewed product, dashboard layout) across sessions.
You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect your ability to use the platform.
9. Data Retention
We retain personal data only for as long as necessary for the purposes outlined in this policy:
- Account data: Retained for the duration of your subscription and for up to 2 years after account closure, unless a shorter period is requested or required by law.
- Billing records: Retained for 7 years in compliance with Indian tax and financial record-keeping requirements.
- Support communications: Retained for up to 3 years from the date of the last interaction.
- Platform usage metadata: Anonymised aggregated metrics may be retained indefinitely as they cannot be linked to individuals.
- Integration credentials: Deleted promptly upon disconnection of the relevant integration, removal of the product, or account closure.
10. Data Security
We implement industry-standard technical and organisational measures to protect the data we hold:
- Encryption in transit (TLS 1.2+) for all data exchanged with the Juniors AI platform
- Encryption at rest with AES-256-GCM for stored account data and all integration credentials (database connection strings, LLM API keys, bearer tokens, webhook secrets)
- Passwordless authentication via email OTP, short-lived JWT access tokens (15-minute TTL), and HTTP-only refresh-token cookies (7-day TTL)
- Role-based access enforced server-side on every API endpoint, not just hidden in the UI
- Per-product credential scoping: Concierge, Data Sensei, Recon, Search Sensei, and Sentinel each use isolated ClientService configurations so cross-product credential leakage is prevented by design
- Regular security assessments, vulnerability monitoring, and incident-response procedures
In the event of a data breach affecting your account information, we will notify you as required under applicable law, and in any case within 72 hours of becoming aware of the breach where feasible.
No method of transmission over the internet is completely secure. While we take reasonable precautions, we cannot guarantee absolute security.
11. Your Rights
Depending on your location, you may have the following rights with respect to your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal data, subject to legal retention obligations.
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request that we limit how we process your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent for any processing based on consent (e.g., marketing emails) at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at rahul@juniors.ai. We will respond within 30 days. We may need to verify your identity before processing your request.
If you are located in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
12. Your Obligations as a Customer (Data Controller)
Because Juniors AI's BYOI model means the operational data of each product resides on your infrastructure, you are the data controller for all such data processed through the platform. This includes:
- Concierge: end-customer messages, support tickets, agent notes, and knowledge-base content. You are responsible for providing your end-customers with a privacy notice that discloses the use of AI in support interactions and for obtaining any consents required by applicable law.
- Data Sensei: the warehouse data exposed to the AI through your pipelines, the prompts your team submits, and the queries generated. You are responsible for ensuring the team members granted access have the right to view the underlying data and that pipelines do not expose data beyond their authorised scope.
- Recon: the transactional rows you upload or fetch into Recon (payments, settlements, ledger entries, etc.) and any personal data those rows may contain. You are responsible for ensuring you have the legal basis to process that data and that your retention settings meet your obligations.
- All products: complying with data-subject rights requests in relation to data stored on your infrastructure, ensuring your infrastructure configuration meets applicable security and data-protection standards, and entering into appropriate data-processing agreements with any third-party LLM, warehouse, or integration providers you connect to Juniors AI.
13. International Data Transfers
Highfox Pvt Ltd is based in India. If you access Juniors AI from outside India, your account and platform-usage data may be transferred to and processed in India.
Where we engage service providers located in other jurisdictions, we ensure appropriate safeguards are in place, such as standard contractual clauses or equivalent mechanisms, to protect your data in accordance with applicable law.
Because the operational data of each product (Concierge conversations, Data Sensei pipeline activity, Recon reconciliation runs) resides on your own infrastructure, international-transfer rules for that data are governed by your own configuration and compliance obligations, not ours.
14. Children's Privacy
The Juniors AI platform is designed for business use and is not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us at rahul@juniors.ai and we will delete it promptly.
15. Third-Party Links
Our website and dashboard may contain links to third-party websites or services. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party services you access through links on our platform.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or product features. When we make material changes:
- We will update the "Last updated" date at the top of this page;
- We will notify you via email to your account's primary contact address and/or an in-platform notification at least 14 days before changes take effect;
- For significant changes that affect how we use your data in a materially different way, we will seek fresh consent where required.
Your continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy.
17. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please reach out to us:
We aim to respond to all privacy-related enquiries within 30 days.
