Last updated April 6, 2026

Privacy Statement

AiR By Lexvor Inc. (“Lexvor,” “we,” “us”) operates AiR by Lexvor (“AiR” or the “Service”), an AI assistant available over SMS, voice, email, and the web. This statement explains what personal information we collect, how we use it, and the choices and rights you have over your data.

Section 01

Overview

AiR helps you manage messages, calendars, files, and everyday tasks through a conversational interface. To do this, AiR processes the messages you send to it, the connected accounts you authorize, and metadata from the channels you use to reach the assistant.

Section 02

Information We Collect

Information you provide

  • Account details: name, email address, phone number, password hash, and any profile information you add.
  • Messages and content: the SMS, voice transcripts, chat messages, drafts, attachments, and other content you send to or receive through AiR.
  • Tasks, calendar, and notes: items you create or ask the assistant to manage on your behalf.
  • Memory facts: long-lived facts you ask AiR to remember (preferences, contacts, project context). You can list and delete these at any time.
  • Connected account credentials: OAuth refresh tokens for Google and Microsoft accounts you connect. These are stored encrypted at rest and used only to access the data you granted.
  • Billing information: handled by Stripe. We store customer and subscription identifiers; we never see or store full card numbers.

Information collected automatically

  • Channel metadata: phone numbers, email addresses, and message identifiers required to deliver replies through your chosen channel.
  • Usage data: feature usage, model routing decisions, request counts, and timestamps used for billing, rate-limiting, and abuse prevention.
  • Device and session data: browser type, operating system, IP address, and session cookies when you sign in to the web dashboard.
  • Diagnostic logs: application logs and error traces, retained for a limited period to debug and improve reliability.

Section 03

How We Use Information

We use the information we collect to:

  • Operate, maintain, and secure the Service.
  • Process the messages and commands you send to the assistant and return relevant replies.
  • Take actions on your behalf when you instruct AiR to do so, for example, sending an email, creating a calendar event, or uploading a file to your connected drive.
  • Personalize the assistant using the memory and preferences you explicitly save.
  • Process payments and manage subscriptions.
  • Detect, investigate, and prevent fraud, abuse, or violations of our terms.
  • Comply with legal obligations and respond to lawful requests.

We do not use your messages, your connected account data, or any personal information to train AI models or for advertising of any kind.

Section 04

Google User Data

When you connect a Google account, AiR requests OAuth permissions (“scopes”) so it can perform the tasks you ask of it. Each scope is requested for a specific, user-facing reason:

userinfo.email
Identify the Google account you connected.
userinfo.profile
Show your name and avatar in the dashboard.
gmail.send
Send email messages on your behalf when you explicitly ask the assistant to. AiR cannot read your Gmail inbox; inbound email reaches AiR only through the email-forwarding gateway you configure in the dashboard.
calendar.events.owned
Create, update, and delete calendar events you ask the assistant to manage.
calendar.events.owned.readonly
Read events on calendars you own to answer scheduling questions and detect conflicts.
calendar.app.created
Manage calendars created by the assistant separately from your personal calendars.
calendar.freebusy
Check free/busy availability when scheduling meetings.
drive.file
Upload, read, and manage files that you create through AiR or that you explicitly open with AiR. This scope does not grant access to your existing Drive files.
contacts.readonly
Look up contact names, email addresses, and phone numbers when you ask AiR to email or message someone.

You can revoke AiR's access to your Google account at any time from the AiR dashboard, or directly via myaccount.google.com/permissions. When you revoke access, the corresponding refresh token is deleted from our database within 24 hours.

Section 05

Microsoft 365 Data

When you connect a Microsoft account (Outlook.com or Microsoft 365), AiR requests Microsoft Graph permissions for specific assistant features:

User.Read
Identify the Microsoft account you connected and read your basic profile.
Mail.ReadWrite
Read your inbox to surface relevant messages and update message state (read/unread, folders) when you ask.
Mail.Send
Draft and send email on your behalf when you instruct the assistant.
Calendars.ReadWrite
Read your calendar and create, update, or delete events that you ask the assistant to manage.
Files.ReadWrite
Upload, read, and manage files in your OneDrive that you create through AiR or that you explicitly share with AiR.
offline_access
Maintain a refresh token so AiR can keep performing the actions you authorized without prompting you to sign in repeatedly.

Microsoft user data is handled with the same restrictions described above for Google data: it is used only to power user-facing features, is not used to train AI models, is not used for advertising, and is not shared with third parties beyond the subprocessors listed below. You can revoke AiR's access from the AiR dashboard or from myaccount.microsoft.com.

Section 06

AI Processing

AiR routes your messages to one or more large-language-model providers to understand intent, draft replies, and call tools. Depending on context, model availability, and your plan, AiR may use any of:

  • Google Cloud (Vertex AI Gemini): primary assistant model. Workspace data sourced from Google APIs is processed exclusively here, inside Google's own perimeter.
  • Anthropic (Claude family models): fallback when Vertex AI is unavailable.
  • OpenAI: used for specific narrow tasks such as speech-to-text (Whisper) on incoming voice/MMS audio and text-embedding generation for similarity search. Not used for assistant chat.

Each provider operates under its own data-processing terms. AiR sends providers only the content needed to answer your request and the minimum context required for coherent multi-turn conversations. None of these providers are permitted to use your inputs or outputs to train their models.

AI/ML Model Training Disclosure for Google Workspace APIs

Per Google's API Services User Data Policy and the Limited Use requirement, content obtained from any Google Workspace API, meaning Gmail (sent messages and contact suggestions via the gmail.send scope, plus inbound emails received through AiR's forwarding gateway), Google Calendar, Google Drive, and Google Contacts, is processed by Google Cloud Vertex AI as the primary processor, with Anthropic as fallback if Vertex AI is unavailable. Both providers contractually prohibit training on customer inputs: Vertex AI under Google Cloud's terms, Anthropic under their Commercial Terms of Service. Every call carries an internal LlmDataPolicy tag and is recorded in our llm_usage.data_policy column for audit. We do not integrate with any third-party AI provider whose terms reserve a right to train on submitted content.

Data sourceSole AI provider(s)Training prohibited?
Gmail (sent emails, contact suggestions, forwarded inbound)Google Vertex AI (primary), Anthropic (fallback)Yes, by contract
Google Calendar (event titles, descriptions, attendees, locations)Google Vertex AI (primary), Anthropic (fallback)Yes, by contract
Google Drive (files you share with AiR)Google Vertex AI (primary), Anthropic (fallback); OpenAI for transcription onlyYes, by contract
Google Contacts (names, emails, phones)Google Vertex AI (primary), Anthropic (fallback)Yes, by contract
Voice transcription (Whisper)OpenAIYes, by contract
General SMS / RCS routing (no Google data)Google Vertex AI (primary); Anthropic as fallbackYes, by contract

We do not use Google User Data, or any data derived from it, to train, refine, or improve generalized AI/ML models. Aggregated, de-identified metrics (e.g. total request counts, latency percentiles) used solely for internal performance monitoring are not considered training data and contain no message contents.

Section 07

Third-Party Subprocessors

AiR relies on the following third parties to deliver the Service. Each is bound by contract to handle your data only on AiR's instructions and to protect it appropriately.

Google Cloud (Vertex AI)
Primary AI model inference for the assistant (Gemini family). Workspace data sourced from connected Google APIs is processed exclusively here.
Anthropic
Fallback AI model inference (Claude family) when Vertex AI is unavailable.
OpenAI
Narrow AI tasks: speech-to-text on incoming voice/MMS audio (Whisper) and text-embedding generation for similarity search. Not used for assistant chat.
Twilio
SMS/MMS and voice call delivery on phone-number channels.
Deepgram
Real-time speech-to-text for voice calls.
ElevenLabs
Text-to-speech voice synthesis for voice calls.
Resend
Outbound transactional and notification email from AiR itself.
Stripe
Payment processing for paid plans.
Tavily
Web search for assistant queries that require live information.
CoinGecko, CoinMarketCap, Twelve Data
Market data for finance and crypto questions. No personal data is sent, only the symbols you ask about.
Google
Gmail, Calendar, Drive, and Contacts APIs for accounts you choose to connect.
Microsoft
Microsoft Graph (Outlook, Calendar, OneDrive) for accounts you choose to connect.
Hetzner Online GmbH
Cloud infrastructure provider hosting AiR's application servers, databases (PostgreSQL, Redis), message queue, and object storage.

Section 08

SMS, Voice & Email Channels

When you reach AiR over SMS or by phone call, your carrier and our telephony provider Twilio see your phone number, the time of the message or call, and the body or audio of the message. Voice calls are transcribed in real time so the assistant can respond. Audio recordings are not stored beyond what is necessary to produce the transcript and complete the call.

AiR receives inbound email in two ways. (1) Through a dedicated email-forwarding gateway: you set up automatic forwarding from any mailbox (Gmail, Outlook, iCloud, custom domain, etc.) to your unique AiR forwarding address. Forwarded messages, including their subject, body, headers, and attachments, are delivered to AiR's gateway and processed like any other inbound message. AiR does not read your Gmail inbox directly; for Gmail accounts, forwarding is the only path. (2) For connected Microsoft 365 / Outlook accounts, AiR reads inbound mail directly via Microsoft Graph using the permissions you authorize at the OAuth consent screen.

Standard message and data rates from your carrier may apply. Reply STOP to any AiR SMS to opt out of further messages on that number, or HELP for support.

Section 09

Data Security

  • All traffic to AiR is encrypted in transit using TLS 1.2+.
  • OAuth refresh tokens and other credentials are encrypted at rest in our database.
  • Access to production systems is restricted to a small number of authorized engineers and protected by multi-factor authentication.
  • We monitor for unauthorized access, anomalous activity, and known vulnerabilities, and apply security updates promptly.
  • We follow the principle of least privilege for both internal access and the OAuth scopes we request from third parties.

No system can be guaranteed 100% secure. If you believe your account has been compromised, contact us immediately at security@airbylexvor.com.

Section 10

Data Retention

  • Account data is kept for as long as your account is active.
  • Conversation history is retained to provide context for the assistant. You can delete individual conversations or your entire history from the dashboard.
  • Memory facts persist until you delete them, or until you delete your account.
  • Diagnostic logs are retained for up to 30 days.
  • Billing records are retained for as long as required by applicable tax and accounting law.

When you delete your account, we delete your personal data within 30 days, except where retention is required by law. Backups are purged on a rolling basis within 60 days.

Section 11

Your Rights & Controls

Depending on where you live, you may have the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • delete your data;
  • object to or restrict certain processing;
  • port your data to another service;
  • withdraw consent you previously gave;
  • lodge a complaint with your local data-protection authority.

Most controls are available directly in the AiR dashboard under Settings. To exercise any other right, email privacy@airbylexvor.com and we will respond within 30 days.

Section 12

International Transfers

AiR is operated by AiR By Lexvor Inc., a Wyoming corporation. Your personal information may be processed in the United States and in other countries where our subprocessors operate, which may have data protection laws different from those in your country. Where required by law, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses, to protect cross-border transfers of personal data.

Section 13

Children's Privacy

AiR is not intended for individuals under 18, and we do not knowingly collect personal information from children. If you believe a child has provided information to us, contact us and we will delete it.

Section 14

Company Relationship

Air By Lexvor Inc. operates independently but in partnership with Lexvor Inc., which provides telecommunications infrastructure, billing, and network support.

Lexvor Inc. may process limited user data (such as carrier or transactional identifiers) strictly for service delivery, compliance, and fraud prevention. Both companies adhere to this unified Privacy Policy.

Section 15

Rewards & Financial Data

When you participate in Air Rewards or purchase credits:

  • Payment data (credit/debit cards, billing addresses) is processed by verified third-party payment providers under PCI-DSS standards.
  • Reward activity (points, tiers, redemptions) is recorded securely but never includes full financial account information.
  • Gift or promotional credits are treated as discounts and are not taxable income.

Air does not store your full payment information.

Section 17

Changes to This Statement

We may update this statement from time to time. When we make material changes, we will revise the “Last updated” date at the top of this page and, where appropriate, notify you in the dashboard or by email before the changes take effect.

Section 18

Contact Us

For privacy questions, requests, or complaints, contact our privacy team:

Get in touch

Email: privacy@airbylexvor.com

↑ Back to top