Privacy Policy — Celes Labs

This Privacy Policy explains how Celes Labs, Inc. ("Celes Labs", "we", "us", "our") collects, uses, discloses, retains, and protects personal information when you use CelesChat, our websites (including https://www.celeslabs.com), and related services (together, the "Service").

Celes Labs does not sell personal information, does not share personal information for cross-context behavioral advertising, and does not use the content of your chats, files, or any AI interactions to train its own artificial-intelligence models. CelesChat's AI Features are powered by OpenAI, L.L.C. ("OpenAI"), a third-party AI service provider whose published API terms prohibit training OpenAI's foundation models on content submitted via the API. Section 3.1 describes precisely what data is sent to OpenAI, when it is sent, and how you authorize that transmission.

1. Scope

This Policy applies to all users of the Service. Sections 12 and 13 set out additional rights and information applicable, respectively, to residents of the European Economic Area ("EEA"), the United Kingdom, and Switzerland, and to residents of U.S. states with comprehensive consumer privacy laws.

Celes Labs, Inc. is the "data controller" for your personal data for purposes of the EU General Data Protection Regulation ("GDPR") and the UK GDPR, and the "business" for purposes of the California Consumer Privacy Act, as amended ("CCPA").

2. Information we collect

We collect information you provide to us, information we collect automatically when you use the Service, and information we receive from third parties.

2.1 Information you provide

Account information — phone number, display name, and, optionally, profile photo and status message. CelesChat uses phone-based sign-in with a one-time SMS verification code; we do not collect a password.
Your content — the text, images, files, voice notes, reactions, and other content you send or receive on the Service ("Your Content").
AI prompts and outputs — when you use an AI Feature, the prompts you submit and the responses generated in reply.
Support and feedback — information you provide when you contact our support team, respond to a survey, or send us other correspondence. If you contact us by email, we receive your email address and the contents of your message.

2.2 Information we collect automatically

Delivery metadata — sender, recipient, timestamp, message size, and delivery status, used to route and deliver messages.
Device and connection data — device model, operating system and version, app version, language, time zone, IP address, and network type.
Diagnostics — crash reports, performance traces, and error logs, de-identified where feasible.
Usage signals — feature-engagement events (e.g., which features are used and how often), excluding the content of Your Content.
Cookies and similar technologies on our websites — see Section 14 and our Cookie Policy.

2.3 Information from third parties

Contacts — if you enable contact matching, phone numbers from your address book are transmitted as one-way hashes so we can identify which of your contacts already use CelesChat. Contact matching can be disabled at any time in Settings.
Invitations — if another user invites you to the Service, we may receive that user's identifier and the fact of the invitation.

2.4 Information we do not collect

Celes Labs does not operate third-party advertising-tracking software development kits that retarget you or build cross-application advertising profiles, does not use device fingerprinting for advertising or cross-application tracking, and does not deliberately collect special categories of personal data (including health, biometric, racial, religious, or political data). If such information is included in Your Content, it is because you chose to include it.

3. How we use information

We use the information described in Section 2 for the following purposes:

To provide the Service — deliver messages, operate AI Features, and synchronize your account across devices. This processing is necessary to perform our contract with you.
To secure the Service — detect and prevent fraud, abuse, spam, and child sexual abuse material; enforce our Acceptable Use Policy; and maintain the integrity of the Service. This processing is based on our legitimate interest in operating a safe service and, where applicable, on legal obligations.
To maintain reliability — diagnose crashes, fix defects, and monitor performance using non-content signals. This processing is based on our legitimate interest in running a reliable service.
To communicate with you — send service messages, respond to support inquiries, and, where permitted, provide product updates. Service messages are necessary to perform our contract with you; marketing or product-update messages are sent only where you have opted in or where otherwise permitted by law.
To comply with law — respond to valid legal process, cooperate with law enforcement where required, and enforce our Terms of Service.

3.1 AI Features and OpenAI

CelesChat includes AI-powered features that allow you to interact with an AI assistant ("AI Features"). The AI Features are operated by OpenAI, L.L.C., a third-party AI service provider with its principal place of business at 3180 18th Street, San Francisco, CA 94110, USA. OpenAI is engaged by Celes Labs as a sub-processor under written terms that comply with the GDPR, the UK GDPR, and applicable U.S. state privacy laws. OpenAI's privacy policy is available at https://openai.com/policies/privacy-policy, and its API data-usage terms are available at https://openai.com/policies/api-data-usage-policies.

3.1.1 When data is sent to OpenAI

Data is transmitted to OpenAI only when you actively invoke an AI Feature — for example, by tapping the AI assistant button, replying to the AI assistant in a conversation, or including the AI-trigger word "@celes" in a message. When you do not invoke an AI Feature, no chat content, message metadata, or other personal information is transmitted to OpenAI. Celes Labs does not send your messages to OpenAI in the background, on a schedule, or for any purpose other than generating the response you have requested.

3.1.2 Your permission and the in-app consent flow

Before any data is transmitted to OpenAI for the first time, CelesChat presents an in-app consent screen that:

identifies OpenAI, L.L.C. by name as the third-party AI service provider;
explains the categories of data that will be sent (set out in Section 3.1.3);
links to OpenAI's privacy policy and to this Policy; and
requires you to tap "Allow and continue" to proceed, or "Cancel" to decline.

If you tap "Cancel," no data is transmitted to OpenAI and the AI Features remain disabled for your account. You may withdraw your permission at any time from Profile → Disable AI Features, which deactivates all AI Features and stops further transmission to OpenAI immediately. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. CelesChat will request your permission again, through the same in-app consent screen, before resuming any transmission to OpenAI.

3.1.3 What data is sent to OpenAI

When you invoke an AI Feature, only the text content of chat messages is transmitted to OpenAI, for the sole purpose of generating the response you have requested. Specifically:

The prompt you submit — the text you type into the AI assistant or the instruction you select (for example, "Summarize this conversation," "Translate to Spanish," or "Suggest a reply").
The text of the messages you explicitly authorize — only the text content of the specific messages you select for the AI action. For example, if you ask the AI to summarize a conversation, the text of those messages is included; messages from other conversations are not.
A non-identifying session token — a randomly generated identifier that allows OpenAI to maintain the context of a single AI conversation. The token is not linked to your phone number, name, email address, device identifier, or IP address.

The following data is never transmitted to OpenAI: images, photos, videos, voice notes, audio recordings, files, attachments, or any other media of any kind; your phone number; your name, profile photo, or status message; your contacts or address book; your device identifier, advertising identifier, or IP address (CelesChat proxies all OpenAI requests through its own servers, so OpenAI does not see your IP address); your message-delivery metadata; your account history; or any messages you have not specifically selected for the AI action.

3.1.4 How OpenAI uses the data

Under Celes Labs's API agreement with OpenAI, OpenAI is contractually prohibited from:

using data submitted through the API to train, retrain, or fine-tune any OpenAI model, including foundation models;
retaining data beyond a short operational window (currently up to 30 days) used solely for abuse monitoring and service delivery, after which the data is deleted;
using data for OpenAI's own commercial purposes, sharing it with other OpenAI customers, or disclosing it to third parties except as required by law.

These restrictions are documented in OpenAI's API data-usage policies and the data-processing addendum executed between Celes Labs and OpenAI. Celes Labs has determined that OpenAI provides protections for personal data that are equal to or greater than those Celes Labs provides under this Policy, as required by Apple App Store Review Guideline 5.1.2(i). Celes Labs monitors OpenAI's terms for changes and will notify you in-app if a material change to OpenAI's data-handling practices affects your rights under this Policy.

3.1.5 No model training on Your Content

Celes Labs does not use Your Content, AI prompts, or AI outputs to train any artificial-intelligence model, whether operated by Celes Labs, OpenAI, or any other party. AI prompts and the AI assistant's responses are retained on Celes Labs's servers as part of your AI history, and may be cleared at any time as described in Section 8.

3.2 Automated decision-making

Celes Labs does not use automated decision-making that produces legal or similarly significant effects concerning you. Celes Labs uses automated systems to detect spam, abuse, and child sexual abuse material; decisions made by those systems are reviewable on request to [email protected].

4. How we share information

Celes Labs does not sell personal information. We disclose personal information only in the circumstances described below:

With other users, at your direction — content you transmit is delivered to the recipients you designate.
With service providers — cloud hosting, push-notification delivery, SMS/OTP verification, crash reporting, customer support, and AI model providers. Each service provider acts as a processor on our behalf under written agreements or vendor terms that restrict use of personal information to providing the Service to Celes Labs. The third-party AI service provider used by CelesChat is OpenAI, L.L.C. The data sent to OpenAI, the conditions under which it is sent, and the restrictions OpenAI is subject to are described in detail in Section 3.1.
For legal, safety, and security reasons — as described in Section 9.
In a business transaction — in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to confidentiality protections and any notice required by law.
With your consent or at your direction — any other disclosure will be made only with your express consent.

5. How long we keep information

We retain personal information only as long as necessary for the purposes described in this Policy. Standard retention periods are:

Account information — retained for the duration of your account. On account deletion, deleted or disassociated from active production systems within 30 days, except for copies retained in encrypted backups, audit logs, and anonymized or aggregated data as permitted by applicable law. Backups are overwritten on our normal rotation.
Your Content on our servers — retained until you delete it, your conversation partner deletes it on their side, or your account is deleted.
Content already delivered to other users — when you delete your account, messages you previously sent remain in the accounts of the recipients who received them. Celes Labs does not have the ability to delete content that has been delivered to and is stored by another user. Your display name and profile are removed from those conversations, and you will appear to recipients as "Deleted user."
Delivery metadata — retained in identifiable form for up to 30 days for reliability and abuse prevention, then de-identified or deleted.
AI prompts and outputs — retained in your AI history until you clear it, and fully deleted within 30 days after deletion or account deletion.
Diagnostics and crash logs — retained in identifiable form for up to 180 days; de-identified data may be retained longer for analytics.
Legal-hold records — retained for as long as necessary to establish, exercise, or defend legal claims, or to comply with an applicable legal obligation.

6. International data transfers

Celes Labs is headquartered in the United States, and personal information we collect is processed in the United States and in other jurisdictions where our service providers operate. When personal information is transferred from the EEA, United Kingdom, or Switzerland to a jurisdiction that has not received an adequacy decision, the transfer is protected by appropriate safeguards, which may include: the European Commission's Standard Contractual Clauses (2021 module), the UK International Data Transfer Agreement or International Data Transfer Addendum to the SCCs, and, where applicable, certification under the EU-U.S. Data Privacy Framework. A copy of the applicable safeguards is available on request at [email protected].

7. Security

Celes Labs maintains administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Current measures include:

encryption in transit using TLS 1.2 or higher (TLS 1.3 where supported by the client);
encryption at rest using AES-256 with cloud-provider key management;
role-based access controls, multi-factor authentication for employee access, and least-privilege engineering practices;
logging, monitoring, and alerting on administrative access;
incident-response procedures, including notification to affected users and supervisory authorities where required by applicable law.

No system can be guaranteed secure, and Celes Labs does not represent that any specific level of security will be maintained at all times.

8. Your rights and choices

The following controls are available through the Service:

Correction — update your display name, profile photo, and status message in Settings → Profile.
Message deletion — delete individual messages you have sent, subject to the limitation in Section 5 regarding content already delivered to other users.
AI history — clear your AI prompt-and-response history at any time from the AI Feature itself.
Disable AI Features — withdraw your permission for transmission of data to OpenAI from Settings → AI Assistant → Disable AI Features (see Section 3.1.2).
Account deletion — delete your account from Settings → Account → Delete Account. Account deletion removes your account information and Your Content from our servers as described in Section 5.
Permissions — enable or disable contact matching, notifications, microphone, camera, and photo-library access in your device settings.
Optional communications — manage product-update notifications from Settings → Notifications.

Celes Labs does not currently offer a self-service data-export tool. You may submit a written request for a copy of the personal information associated with your account (including access, portability, or correction requests) by emailing [email protected]. Celes Labs will provide the information in a structured, commonly used format within the time required by applicable law.

To protect your privacy, Celes Labs verifies requests by confirming control of the account associated with the request, typically by sending a verification code to the phone number on file. Authorized agents may submit requests on your behalf with signed authorization and proof of identity. Celes Labs does not discriminate against users, charge additional fees, or reduce the quality of the Service in response to the exercise of any right described in this Policy.

Region-specific rights are set out in Section 12 (EEA, UK, and Switzerland) and Section 13 (U.S. states).

9. Law enforcement and legal requests

Celes Labs may disclose personal information in response to valid legal process, including subpoenas, court orders, and search warrants, to comply with applicable law, to enforce our Terms of Service, and to protect the rights, property, and safety of our users, Celes Labs, or the public. The standards Celes Labs applies to law-enforcement requests are set out in the Law Enforcement Guidelines.

Our policy is to notify the affected user of a request for their information before disclosure, so that the user has an opportunity to seek to narrow or challenge the request, unless notice is prohibited by law (for example, by a non-disclosure order accompanying the request) or would create a risk of imminent harm to an identifiable individual. Emergency disclosure requests are evaluated under the standards permitted by applicable law.

10. Children's privacy

CelesChat is not directed to children under the age of 13, or under the applicable minimum age in your jurisdiction where that age is higher, and Celes Labs does not knowingly collect personal information from children under the applicable minimum age. If Celes Labs becomes aware that personal information has been collected from a user under the applicable minimum age, such information will be deleted promptly.

Additional protections apply to users under the age of 18: no targeted advertising (Celes Labs does not show targeted third-party advertising inside the Service), no behavioral profiling of minors, and privacy-preserving default settings. The Children's Privacy Notice provides the complete description, including the process by which parents and guardians may exercise rights on behalf of a minor.

11. Changes to this Policy

Celes Labs may update this Policy from time to time. Where a material change is made — including, for example, when a new category of personal data is collected (such as precise geolocation for an AI Feature), when paid subscriptions are introduced, or when new processing activities are added — Celes Labs will notify users in-app at least 30 days before the change takes effect, unless a shorter notice period is required by applicable law. The "Effective" date at the top of this Policy reflects the current version, and an archive of prior versions is maintained on our website.

12. Additional information for EEA, UK, and Swiss residents

If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights under the GDPR and the UK GDPR with respect to your personal data:

Access — the right to obtain confirmation of whether your personal data is being processed and to receive a copy.
Rectification — the right to have inaccurate or incomplete personal data corrected.
Erasure — the right to have your personal data deleted in the circumstances allowed by law, also referred to as the "right to be forgotten."
Restriction — the right to have processing of your personal data restricted in the circumstances allowed by law.
Objection — the right to object to processing based on our legitimate interests.
Portability — the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Withdrawal of consent — the right to withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Complaint — the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.

Requests may be submitted to [email protected]. Celes Labs will respond within one month and may extend the response period by up to two additional months for complex or numerous requests, in which case it will inform you of the extension within one month of receipt.

12.1 Legitimate-interests balancing test

Where Celes Labs relies on legitimate interests as a legal basis — for example, to operate abuse and fraud detection, analyze pseudonymized performance data, and maintain reliability — Celes Labs has considered the balance between its interests and the rights and freedoms of data subjects, and has concluded that its interests are not overridden, on the basis that: (a) processing is limited to the data necessary for the stated purpose; (b) data is pseudonymized or de-identified where feasible; (c) the impact on data subjects is limited and proportionate; and (d) data subjects may object at any time by contacting [email protected]. Additional information about this assessment is available on request.

12.2 EU and UK representative

Where required by law, Celes Labs will appoint an EU representative and a UK representative before the Service is offered in the EEA or the United Kingdom. The representatives' names and contact details will be published in this Section 12.2 on our website at that time. In the interim, data-protection questions may be directed to [email protected].

13. Additional information for U.S. state residents

13.1 California

Under the CCPA, California residents have the right to:

Know the categories and specific pieces of personal information collected, the sources, the purposes of collection, and the categories of third parties with whom information has been shared.
Delete personal information collected from you, subject to statutory exceptions.
Correct inaccurate personal information.
Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising.
Limit the use and disclosure of sensitive personal information to the purposes permitted under the CCPA.
Non-discrimination for exercising any right under the CCPA.

Celes Labs does not sell personal information for monetary or other valuable consideration, and does not share personal information for cross-context behavioral advertising. No opt-out is therefore required; other rights remain available and may be exercised by contacting [email protected] or using the in-app controls described in Section 8.

Categories of personal information collected. In the preceding 12 months Celes Labs has collected the following categories of personal information: identifiers (such as your phone number and account ID); customer records; internet and other electronic network activity (such as device, app, and usage signals); audio, electronic, visual, or similar information where you transmit voice notes, images, or files; and inferences drawn from the foregoing. Each category is described further in Section 2.

13.2 Other U.S. states

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, or another state with a comprehensive consumer privacy law in effect, you may have rights to access, correct, delete, obtain a portable copy of, and opt out of "targeted advertising," "sale," or certain profiling of your personal data. Celes Labs does not show targeted third-party advertising inside the Service and does not sell personal data.

Rights requests may be submitted to [email protected]. Celes Labs will respond within the timeframe required by applicable law, typically 45 days, with a permitted extension where provided by statute. If Celes Labs declines a request in whole or in part, you have the right to appeal by replying to the response with the subject line "Privacy Appeal," or by writing to [email protected] with that subject line. Appeals will be reviewed and a written decision provided within the timeframe required by the applicable state law, typically 60 days. If the appeal is declined, you have the right to contact the Attorney General of your state.

14. Cookies and similar technologies

The CelesChat mobile applications do not use browser cookies. They use limited on-device storage for session tokens, preferences, and similar functional data. Our websites use a limited set of cookies and similar technologies for essential operation, analytics, and, where applicable, to record cookie preferences. The Cookie Policy describes the categories, purposes, and controls in detail.

15. Contact

Questions, complaints, or requests relating to this Privacy Policy may be directed to:

Email: [email protected]
Postal: Celes Labs, Inc., Attn: Privacy, 938 W Concord Pl, Unit 1, Chicago, IL 60614, USA

Celes Labs will acknowledge receipt within a reasonable time and respond within the timeframe required by applicable law — for example, within 30 days under the GDPR and UK GDPR, and within 45 days (extendable once for another 45 days where permitted) under the CCPA and similar U.S. state laws.