Last updated: March 29, 2026

Privacy Policy

1. Who We Are

Lori is a product of Smart Agentics, LLC, a limited liability company organized in the State of North Carolina, United States. Lori is an AI-powered scheduling coordination agent designed for the executive office — executives, chiefs of staff, and executive assistants — that operates within Microsoft 365.

For the purposes of data protection law, Smart Agentics, LLC is the data processor acting on behalf of your organization (the data controller) when Lori processes your Microsoft 365 data. When you interact directly with our website or waitlist, Smart Agentics acts as the data controller.

Email: info@smartagentics.ai

Website: loriagent.info

Mailing address: Available upon request at the email above.

2. What This Policy Covers

This Privacy Policy explains how Smart Agentics collects, uses, stores, and protects personal information when you:

• Visit our website at loriagent.info
• Sign up for our early access waitlist
• Use the Lori scheduling agent through your Microsoft 365 account
• Interact with Lori via email, calendar, or web-based confirmation links
• Provide feedback about the product

Lori is currently in early access. This policy covers both our current data practices (waitlist phase) and the data practices that apply when the product is actively used. We clearly distinguish between the two throughout this document.

3. Information We Collect

3.1 Waitlist Signup Information (Current)

When you sign up for early access through our website, we collect:

• First name
• Work email address (personal email addresses such as Gmail, Yahoo, and Hotmail are not accepted — a Microsoft 365 business or education email is required)
• Role (Executive, Chief of Staff, Executive Assistant, or Other)

This information is submitted to our API and stored in our database. We do not currently collect last name, company name, or company size through the signup form, though these fields may be added in the future.

3.2 Account and Profile Information (Active Product)

When you onboard as an active Lori user, we collect:

• First name, last name, and preferred name
• Company name and job title
• Phone number (optional, stored in E.164 international format)
• Time zone and scheduling preferences (working hours, meeting duration, buffer time)
• Terms of service acceptance timestamp

Some of this information is pre-populated from your Microsoft 365 profile with your permission during the OAuth authentication process.

3.3 Microsoft 365 Data (Active Product)

When you connect Lori to your Microsoft 365 account, Lori accesses certain data through the Microsoft Graph API. This access is governed by the permissions you explicitly grant during setup. The specific data accessed includes:

• Email content: Subject lines, sender and recipient addresses, and body text of email threads where Lori is invoked (via the #lori hashtag or forwarding).
• Calendar data: Your Outlook calendar events, including event titles, times, attendees, and availability windows.
• Contact information: Names and email addresses of participants in scheduling threads.
• User profile: Your display name, email address, company name, job title, and mobile phone number as stored in your Microsoft 365 profile.
• Mailbox settings: Your time zone and language preferences.
• Teams integration: Lori creates Microsoft Teams meeting links when booking meetings through Outlook.

What Lori does NOT access: Files, documents, or OneDrive content; email messages unrelated to scheduling requests; contacts outside of active scheduling threads; SharePoint, Planner, or other Microsoft 365 services not listed above.

3.4 Scheduling Coordination Data

During the course of coordinating meetings, Lori generates and stores suggested time slots, participant responses (confirmations, declines, and counter-proposals), coordination status, and nudge history (when and how follow-up messages were sent to non-responsive participants).

3.5 Behavioral and Analytics Data

To improve scheduling effectiveness, Lori tracks operational metrics including participant response patterns, coordination outcomes, and product usage analytics. This data is used to optimize Lori's scheduling algorithms and improve the product. It is not used for advertising or sold to third parties.

3.6 Feedback Information

If you submit feedback about Lori, we collect issue category and severity, your description of the issue, and diagnostic data related to the specific scheduling coordination (if applicable). Feedback may be submitted anonymously through signed links in Lori's emails.

3.7 Technical and Log Data

Our systems automatically collect error logs, API cost metrics, and instrumentation logs for debugging. We apply data minimization to logging. Email addresses in cost-tracking logs are hashed using SHA-256 with domain preservation to enable operational analysis without storing raw addresses.

4. How We Use Your Information

• Waitlist management: To process your early access signup and communicate about Lori's availability.
• Product delivery: To coordinate meetings on your behalf — reading scheduling requests, identifying available times, communicating with participants, and booking confirmed meetings.
• AI-powered scheduling decisions: To classify email intent, detect time confirmations, and generate appropriate follow-up messages.
• Product improvement: To analyze coordination outcomes and optimize scheduling strategies.
• Technical operations: To monitor system health, debug issues, and maintain service reliability.
• Communication: To send product updates, onboarding information, and service-related notices. We do not send marketing emails to addresses collected through the product.
• Security and fraud prevention: To detect unauthorized access and protect against abuse.

5. Legal Basis for Processing

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires a legal basis for processing, we rely on the following:

• Consent: When you submit the waitlist signup form or grant Microsoft 365 permissions during onboarding. You may withdraw consent at any time.
• Contractual necessity: When processing is required to deliver the Lori scheduling service you have signed up for.
• Legitimate interest: For product improvement, security monitoring, debugging, and operational analytics — where our interest does not override your rights.

6. Microsoft 365 Integration

6.1 Permissions We Request

When you connect Lori to Microsoft 365, you authorize the following Microsoft Graph API permissions:

These permissions are granted through Microsoft's standard OAuth 2.0 authorization flow. You can review and revoke Lori's access at any time through your Microsoft 365 account settings at myapps.microsoft.com.

6.2 How Data Flows

You add #lori to an email thread or forward a scheduling request. Lori receives a notification via Microsoft Graph webhook, reads the email content to understand the request, sends follow-up emails to participants from your mailbox, and when a time is confirmed, creates a calendar event in Outlook with a Teams link.

6.3 Real-Time Notifications

Lori uses Microsoft Graph webhook subscriptions to receive real-time notifications when new emails arrive. These notifications contain only a reference to the email (not the email content itself). Lori then fetches the full email content only when it's relevant to an active scheduling request.

6.4 Token Security

Your Microsoft 365 access and refresh tokens are stored in our database and used exclusively to perform scheduling operations on your behalf. Access tokens are short-lived (approximately 60 minutes) and are automatically refreshed. You can revoke Lori's access at any time.

7. Artificial Intelligence and Automated Processing

7.1 AI Provider

Lori uses OpenAI's GPT-4o-mini model for natural language processing. When Lori processes a scheduling-related email, the email subject line, body text, and participant names may be sent to OpenAI's API.

7.2 What AI Is Used For

Intent classification (determining whether an email is a scheduling request, confirmation, decline, or counter-proposal), time extraction, confirmation detection, and follow-up generation.

7.3 What We Do NOT Do with AI

• We do not train AI models on your data. Your emails and scheduling data are processed by OpenAI's API but are not used to train or fine-tune any AI models.
• We do not use AI for profiling, scoring, or automated decisions that produce legal or similarly significant effects on individuals.
• We do not store AI inputs or outputs indefinitely. AI decision logs are retained for a maximum of 14 days for debugging, then automatically deleted.

7.4 Participant Enrichment (Paid Tiers)

For users on paid subscription tiers using advanced scheduling strategies, Lori may use Hunter.io to look up publicly available professional information about meeting participants. This is used solely to optimize scheduling strategy and is not used for free-tier users. You can opt out by contacting info@smartagentics.ai.

8. Third-Party Service Providers

We use the following third-party service providers to operate Lori:

We do not sell, rent, or trade your personal information to any third party.

9. Data Storage, Security, and Retention

9.1 Where Your Data Is Stored

All data is stored on servers located in the United States. Our primary database is hosted by Supabase (cloud-hosted PostgreSQL). The Lori product application is hosted on Replit. Our marketing website is hosted on Vercel.

9.2 Security Measures

• Encryption in transit via HTTPS/TLS
• Industry-standard OAuth 2.0 for Microsoft 365 integration
• Secure session cookies (HttpOnly, SameSite, Secure attributes)
• Access controls and account lockout policies
• Short-lived access tokens with automatic refresh
• Rate limiting on confirmation endpoints
• Webhook validation via client-state tokens

We are continuously evaluating additional security certifications (such as SOC 2) as the company grows. We do not currently hold SOC 2, ISO 27001, or HIPAA certifications.

9.3 Data Retention

9.4 Account Deletion

You may request deletion of your account and all associated data by emailing info@smartagentics.ai. Upon receiving a verified deletion request, we will revoke Lori's Microsoft 365 access tokens, delete your user profile and all associated records, and confirm deletion in writing within 30 days.

10. Data Sharing

We do not sell your personal information. We have never sold personal information and have no plans to do so.

We share your data only with the service providers listed in Section 8, with meeting participants when Lori sends scheduling emails on your behalf, when required by law, in connection with business transfers (with prior notice), or with your explicit consent.

11. Your Rights Under GDPR

If you are located in the EEA or UK, you have the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), objection (Article 21), withdrawal of consent, and the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at info@smartagentics.ai. We will respond within 30 days.

12. Your Rights Under CCPA

If you are a California resident, you have the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising.

To submit a request, email info@smartagentics.ai. We will respond within 45 days.

13. Cookies and Tracking Technologies

Our marketing website (loriagent.info) uses only essential cookies required for basic website functionality. We do not currently use analytics cookies, advertising pixels, or third-party tracking technologies. The Lori product application uses session cookies configured with Secure, HttpOnly, and SameSite=Lax attributes. We may introduce analytics tools in the future and will update this policy accordingly.

14. International Data Transfers

Smart Agentics is based in Charlotte, North Carolina, United States. If you are accessing Lori from outside the United States, your data will be transferred to and processed in the United States. We rely on standard contractual clauses and your explicit consent to ensure adequate protection for international transfers.

15. Children's Privacy

Lori is a business-to-business product designed for professional use. Lori is not directed at children under the age of 16. We do not knowingly collect personal information from children.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify active users via email. Continued use of Lori after changes are posted constitutes acceptance of the updated policy.

17. How to Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your data is handled:

Email: info@smartagentics.ai

We aim to respond to all privacy inquiries within 30 days.

Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities in accordance with applicable law. For users in the EEA, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, as required by GDPR Article 33.