What Happens to My Data?
Last updated: 2026-05-27
Straight answers to the questions people actually ask before they sign up. Want the long version? See our Privacy Policy and Data Processing Addendum. Want to talk to a person? Email [email protected].
The short version
- The AI reads your email so it can draft and send replies for you. Achieve IT staff don't, unless you ask for support, and every support session is logged in your Support History.
- We don't sell your data. We don't share it with advertisers. We don't train Achieve's own AI on it.
- On standard plans, the third-party AI model that drafts your replies may use your email content as training data (see below). A no-training tier is available at a higher price on request.
- Your data lives in the US (Oregon and Virginia), encrypted. Canadian hosting available if you need it.
- You can pause, export, or delete your data anytime.
- If something goes wrong, you'll hear from us within 72 hours.
What data do you actually see?
When you connect a mailbox, we see:
- The content of emails in that mailbox, incoming and outgoing.
- Attachments.
- Metadata: sender, recipient, timestamp, subject.
- Documents you upload to the knowledge base.
- Your tone and style, extracted from sample emails you give us.
- Account details: your name, email, company, billing contact.
We do not see:
- Any email in mailboxes you haven't connected.
- Your email password. We use OAuth (Google/Microsoft sign-in) so your password never leaves your hands.
- Your other accounts (Slack, calendar, CRM) unless you explicitly connect them.
Will my emails be used to train AI?
It depends on which AI model tier you're on. Here's the honest breakdown.
On the standard plans (Starter, Growth, Scale)
Your emails are sent to a third-party AI model provider (currently MiniMax) so it can draft replies. That provider may use the content you send it as training data, per the provider's own terms of service. We don't control their training policy, and we link to their terms on our subprocessors page.
What Achieve IT itself does and doesn't do, on every plan
- We don't train our own general-purpose AI on customer emails.
- Achieve IT staff don't read your emails outside of logged, ticketed support sessions. Every such session appears in your Support History and you can't be locked out of seeing it.
- The "per-customer learning loop" that adapts the assistant to your voice and your business stays inside your own account. It never leaks into another customer's results.
The no-training tier
If a contractual no-training guarantee matters for your situation (regulated industries, competitive-intel concerns, customer data you don't want appearing in another vendor's training set), we can put you on a different AI model with a contractual no-training commitment. Pricing is custom because the underlying model costs more. Email [email protected] and we'll quote it.
Where is my data stored?
By default: United States, via Railway (our hosting provider).
Your data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Credentials get additional envelope encryption with per-user keys protected by AWS KMS.
If you're in a regulated industry (healthcare, finance) or you have specific data-residency requirements, ask us about Canadian-hosted options. Our architecture supports the move; we'll scope it as part of your onboarding.
Who at Achieve IT can see my data?
A very small number of people. Today, one: Josh. Every access is:
- Logged. You can see the full history in the "Support History" section of your portal.
- Ticketed. Every support session has a ticket ID and a written reason.
- Time-limited. Sessions expire automatically, usually after 60 minutes.
- Scoped. Staff can only do what their role allows. Support staff cannot export credentials, for example.
You'll always know when someone at Achieve IT has touched your account and why. It's built into the product. We can't turn it off.
Can the AI leak data between customers?
No. We designed the system specifically to stop this:
- Each customer is a separate tenant with strict database-level isolation.
- The AI has no tool to query other tenants' data. It physically can't reach across the boundary.
- Our tests include canary checks: we plant a fake secret in one tenant and verify it never shows up in another. Zero leaks, ever.
- Memory and knowledge-base retrieval stay scoped to your account. What the AI learns about your business doesn't show up in anyone else's results.
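A sketch of how a canary check like the one described above can work, added here as an illustration and not Achieve IT's own code. It plants a unique marker in one tenant, probes as a different tenant, and reports any query whose results contain the marker; a deliberately unscoped retriever is included so the check is seen to fail when isolation is missing. The in-memory store, tenant names, and canary format are assumptions.

```python
import secrets

# Constructed sample data: (tenant_id, document text). Not real customer content.
DOCS = [
    ("tenant-a", "Refund policy: refunds are issued within 14 days."),
    ("tenant-b", "Refund policy: store credit only, no cash refunds."),
]

def make_canary():
    """A unique marker that cannot occur in real content by accident."""
    return "CANARY-" + secrets.token_hex(8)

def retrieve_scoped(store, tenant_id, query):
    """Hypothetical retriever: the tenant filter is applied before any matching."""
    words = query.lower().split()
    return [text for owner, text in store
            if owner == tenant_id and any(w in text.lower() for w in words)]

def retrieve_unscoped(store, tenant_id, query):
    """Deliberately broken variant that ignores tenant_id, to show the check failing."""
    words = query.lower().split()
    return [text for owner, text in store if any(w in text.lower() for w in words)]

def canary_leaks(retriever, planted_in, probing_as, queries):
    """Plant a canary in one tenant, probe as another, return the queries that leaked it."""
    canary = make_canary()
    store = DOCS + [(planted_in, f"Internal refund override code: {canary}")]
    # Sanity check: the owning tenant must be able to retrieve its own canary,
    # otherwise a "no leak" result would be meaningless.
    assert any(canary in hit for hit in retriever(store, planted_in, "override code"))
    leaked = []
    for q in queries + [canary]:  # also probe with the canary string itself
        if any(canary in hit for hit in retriever(store, probing_as, q)):
            leaked.append(q)
    return leaked

PROBES = ["refund policy", "override code", "internal"]

if __name__ == "__main__":
    print("scoped leaks:", canary_leaks(retrieve_scoped, "tenant-a", "tenant-b", PROBES))
    print("unscoped leaks:", len(canary_leaks(retrieve_unscoped, "tenant-a", "tenant-b", PROBES)))
```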
What does Achieve IT do to stay secure?
In short: the usual things well-run SaaS does, plus a few extra because we handle email.
- Multi-factor authentication on all privileged accounts.
- Encrypted credentials (OAuth tokens protected by AWS KMS).
- Dependency scanning and fast CVE patching.
- Row-level database security and typed contracts at every boundary.
- Nightly backups with encrypted, cross-region storage.
- Documented incident response: we know what to do when something goes wrong.
- Regular security drills and eval tests against prompt-injection attacks.
Full detail for the curious is in our public architecture and security docs (linked on our security page).
What if my account gets hacked?
Tell us immediately at [email protected] or [email protected]. We will:
- Pause AI on your account so nothing more goes out.
- Revoke our OAuth access to your mailbox (or ask you to do so from your Google/Microsoft security settings).
- Investigate what happened using our audit logs.
- Help you assess the scope.
If we detect unauthorized access from our side, we'll notify you proactively.
What if Achieve IT gets hacked?
We hope we never have to send you that email. But if we do, here's what's in it:
- What happened, in plain language.
- What data (if any) was affected.
- When it happened and when we contained it.
- What we did about it.
- What, if anything, you should do.
You'll hear from us within 72 hours of us confirming the incident, with updates as we learn more. If the breach triggers PIPEDA's "real risk of significant harm" threshold, we'll notify regulators too.
What if I want my data out?
You have several options:
- Pause the AI: one click in the portal. New emails keep arriving in your inbox as normal; the AI just stops doing anything. You can resume later.
- Export your learned data: email [email protected]. We'll send you a machine-readable file with your knowledge base, style profile, and audit log.
- Disconnect mailboxes: from Settings → Mailboxes in your portal, or from your Google/Microsoft account security settings. Revoking access takes effect immediately.
- Delete your account: from Settings → Billing → Cancel account. Within 30 days we delete everything associated with your tenant from active systems. Backups containing your data roll off on our retention schedule (up to 12 months for cold archives; 35 days for daily backups). We do not restore those, but they decay naturally.
What if I want to see what data you have on me?
You have a right to see it. Email [email protected] and we'll send you a copy within 30 days. We'll verify your identity first (for your protection).
What if I want you to delete something specific?
Tell us what: email [email protected]. For individual records (one email, one memory entry, one KB document), you can do it yourself in the portal. For broader or more complex requests, we'll handle it manually.
Note: some things we can't delete. For example, audit logs of admin actions on your account are kept for 7 years for compliance reasons, and invoices are kept for 7 years for tax reasons. We'll be specific if we can't honour a deletion request.
Who else can see my data?
Our subprocessors (third-party services we use to run the platform). Full list at achieveit.ca/subprocessors with what each one can access. Highlights:
- Railway: hosts our application and database; sees encrypted-at-rest customer content.
- MiniMax (standard tier): the third-party AI model provider; sees email content sent for inference. May use that content as training data per its own terms; see subprocessors for the no-training tier option.
- Cloudflare: stores your knowledge base files (encrypted).
- AWS KMS: holds the encryption key; never sees the actual data.
- Clerk: handles logins and MFA.
- Stripe: processes payments (holds card details, we don't).
We update that page when we add or remove any subprocessor, with 30 days' notice.
What about Google's and Microsoft's policies?
When you connect Gmail or Microsoft 365, Google or Microsoft also handle your email content. That's how email works. Their privacy policies apply to their handling, not ours:
We have no control over what they retain; their terms govern. We access your mailbox only through the official APIs, with the permissions you grant at sign-in, which you can revoke anytime from their security settings.
Questions that aren't here?
- Privacy and data questions: [email protected]
- Commercial / contract questions: [email protected]
- General questions: [email protected] or book a call
We try to answer every privacy question in plain language. If our answer ever feels like we're hiding behind legalese, push back. That's a failure on our end.