Your data at Wren
Who we are & what Wren does
Wren is an AI concierge you reach on one phone number (WhatsApp or SMS). With your permission it acts on the accounts you connect — email, calendar, contacts, files — and on the custom projects you set up. It is a personal build by an independent developer in Chicago. Questions: yaakov@ytx.app.
What data we handle
- Account identity — your name, email, and a verified mobile number, used to identify your account and recognize your messages.
- Connected accounts — when you connect Google or Microsoft, you approve access on the provider’s own screen. We receive a revocable access token, never your password. Tokens are encrypted at rest (AES-256-GCM) and used only to carry out what you ask.
- Contacts you add — people you choose to store so the concierge has context and your messages are less likely to be flagged as spam.
- Messages & instructions — the conversations you have with your concierge and the instructions you give it, used to do the work you request.
How we protect it
- No passwords for connected accounts — sign-in happens on Google’s or Microsoft’s consent screen; we only hold a revocable token.
- Encryption at rest — connection tokens are encrypted before storage.
- Per-user scoping — your concierge is designed to act only on the accounts you connect. We are hardening strict per-user isolation as we move Wren out of early beta.
- Least privilege & revoke anytime — we request only the access a task needs, and you can revoke it from your Google or Microsoft account whenever you want.
Anonymized transcript review (opt-in, beta only)
To improve the assistant during the beta, we offer an optional setting that lets us review your conversation transcripts to debug logic errors — cases where the AI follows your instructions but still reaches the wrong outcome.
It’s off by default
This is opt-in. It is off unless you turn it on in your dashboard (Account → Privacy). We never enable it for you, and you can turn it off at any time.
Transcripts are de-identified before anyone sees them
If you opt in, transcripts are de-identified (pseudonymized) at capture, before any human review. Our redaction pipeline removes, on a best-effort basis:
- names (yours, your contacts’, and other people’s), email addresses, phone numbers, and postal addresses;
- message contents and other free-text that could identify someone;
- financial data (e.g. card numbers) and secrets (one-time codes, passwords, tokens) — always removed.
We say “de-identified,” not “anonymized,” on purpose: automated redaction of free-form conversation is best-effort and not a guarantee of irreversible anonymization. We pair it with strict access controls, short retention, and audit logging as the real safeguards.
Retention & deletion
Review copies are kept for a limited window — up to 30 days, or the end of the beta, whichever comes first — and then automatically deleted. Turning the setting off purges any existing review copies for your account, and deleting your account purges them too.
Who can access it
Review copies are stored separately from your live data, encrypted, and accessible only to our small beta team for this debugging purpose, under access controls and append-only audit logging (every access is recorded). They are not used for advertising, profiling, training general models, or any other purpose.
People you talk to
Conversations often involve other people who did not consent. Their information is de-identified as well, whether or not they use Wren — the review copy is de-identified for everyone in the transcript.
Your consent is versioned
When you opt in, we record your consent together with the version of this policy you agreed to. If we materially change this disclosure, we ask you to opt in again; until you do, the setting is treated as off.
For reviewers / legal: where EU/UK users are in scope, the lawful basis is explicit consent; we apply data minimization (structured decision-trace preferred over free text), purpose limitation (beta logic-error debugging only), and honor erasure requests via opt-out purge and account deletion.
Your choices & rights
- Disconnect a connected account any time, from your dashboard or from Google/Microsoft directly.
- Opt out of transcript review any time — which also purges existing review copies.
- Access & deletion — email yaakov@ytx.app to request a copy of your data or deletion of your account; account deletion cascades to review copies.
Changes to this policy
We’ll update the Version and Effective date above when this policy changes. Material changes to the transcript-review disclosure require your renewed consent before the feature stays on.
Contact
Questions about your privacy? Email yaakov@ytx.app.