Privacy Policy

This Privacy Policy describes how Dispatch Inc. (“Dispatch,” “we,” “us”) collects, uses, discloses, and protects personal information when you visit our website, create an account, or use the Dispatch application and related services (collectively, the “Services”). Dispatch is an AI chief of staff for executive assistants and executives that works inside your existing tools, including email and calendar.

This Privacy Policy applies to:

• visitors to our website; and
• users of the Services, including trial, paid, and enterprise/workspace users.

If you are using the Services on behalf of an organization (your “Customer”), your Customer may have its own policies and may control certain administrative settings. In that case, we may process certain data as a service provider to your Customer depending on your plan and configuration. The Services are offered to customers in Canada and the United States, and data may be processed across borders as described below.

If you do not agree with this Privacy Policy, please do not use the Services.

• “Personal information” (or “personal data”) means information about an identifiable individual, including information that can identify you directly or indirectly (for example, your name, email address, or account identifiers).
• “Customer Content” means information you or your Customer submits to the Services or makes available through integrations, including email and calendar content and related metadata.
• “Integrations” or “Third-Party Services” means services you connect to Dispatch (for example, Google sign-in and Google Workspace services). Dispatch also supports connecting additional third-party services via extensible integration protocols.
• “AI Features” means features that use machine learning models to generate drafts and suggestions, transcribe and summarize meetings, conduct autonomous agent sessions, and execute automated tasks (for example: inbox triage, reply drafting, scheduling suggestions, context memory, transcription, and automated workflows).

We collect information in three main ways: (a) information you provide, (b) information from connected integrations, and (c) information collected automatically through your use of the Services.

Google data minimization. When we access Google user data through Google APIs, we request only the minimum scopes necessary for the features you enable, and we are transparent about what we request and why.

We use personal information for the following purposes, subject to your settings and plan:

• Provide the Services and AI Features. For example: triaging messages, drafting responses, preparing scheduling suggestions, and maintaining context needed for those features.
• Operate, maintain, and secure the Services. Including authentication, abuse prevention, and debugging.
• Customer support and communications. Respond to questions and provide service notices.
• Improve the Services. We may use aggregated or de-identified information to improve reliability and product performance, such as diagnosing issues and preventing abuse. We do not use identifiable Customer Content to train or improve AI models unless you explicitly opt in.
• Legal and compliance. Meet legal obligations and enforce agreements, including these policies and our Terms.

Canada’s private-sector privacy laws are principle-based and emphasize identifying purposes, meaningful consent, limiting collection, safeguards, openness, access, and retention limits. Depending on context, we rely on the following grounds:

• With your consent. For example, when you connect an integration through OAuth and grant permissions, or when you provide preferences that Dispatch will apply.
• To provide the Services. We process account and service data to deliver the functionality you request. This aligns with the “identifying purposes” and “limiting collection” principles.
• For reasonable and appropriate purposes. BC PIPA includes a “reasonable person would consider appropriate” standard for collection, use, and disclosure purposes.
• Legal obligations and protection. For example, security incident handling and breach response obligations.

We do not sell personal information. We share personal information only as needed to provide the Services, in these scenarios:

• Service providers (“subprocessors”). Cloud hosting, monitoring/logging, customer support tools, communications tools, and billing providers. We require service providers to protect personal information and use it only to provide services to us. A subprocessor list is available on request.
• Integrations you connect. For example, you may choose to connect Google. Data flows between Dispatch and the connected provider as needed for the features you enable.
• Legal requirements and protection. We may disclose information to comply with law or protect users and the Services (e.g., fraud or security threats).
• Business transactions. If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to appropriate safeguards and notices.

If you connect Google services, Dispatch complies with Google’s Google API Services User Data Policy, including:

• publishing this privacy policy that thoroughly discloses how Google user data is accessed, used, stored, and shared;
• requesting only the minimum relevant permissions; and
• complying with “Limited Use” requirements for sensitive and restricted scopes, including restrictions on transfers and prohibitions on using Google user data for advertising or unrelated resale.

Dispatch uses Google user data only to provide and improve user-facing features that are prominent in the Dispatch user experience. We do not use Google user data for advertising or sale.

We keep personal information only as long as needed for the purposes described above, then delete, anonymize, or de-identify it, unless a longer retention period is required for legal or legitimate business reasons (e.g., fraud prevention, security, accounting).

• Account data: retained while your account is active; deleted or anonymized within 90 days after account deletion, subject to limited exceptions.
• OAuth tokens: retained until you disconnect the integration or delete your account; revoked and removed within 24 hours after disconnection.
• Email and calendar content: email threads, messages, and related data are retained while your account is active and deleted per the account deletion schedule described above.
• Logs and security events: retained for up to 365 days for security and reliability.
• Support communications: retained for up to 2 years to manage support history.

We maintain administrative, technical, and organizational safeguards appropriate to the sensitivity of the information. This includes access controls, encryption (TLS 1.3 in transit, AES-256 at rest), monitoring, and incident response processes.

For additional detail, see our Security page.

If we become aware of a breach of security safeguards involving personal information under our control, we will investigate, take steps to reduce the risk of harm, and provide notifications as required by applicable law. Where PIPEDA applies, we report breaches that create a real risk of significant harm to the Privacy Commissioner and notify affected individuals.

• We maintain an incident response plan and notify affected customers/users and regulators when required.
• We keep records of security incidents and privacy breaches as required by law.

Dispatch is based in Canada and uses service providers that may process or store information in Canada, the United States, or other jurisdictions. Third-party providers, including AI model providers and transcription services, may process data in additional jurisdictions. We remain accountable for protecting information and use contractual safeguards to provide a comparable level of protection while information is processed by a third party.

If you access the Services from outside Canada or the United States, you understand that your information may be transferred to and processed in other jurisdictions, which may have different laws.

You can request access to, correction of, or deletion of personal information we hold about you, subject to lawful exceptions. We respond to access requests within 30 business days.

Your core privacy choices include:

• Access and correction: request access to your personal information and request corrections.
• Withdrawal of consent: you may withdraw consent by disconnecting integrations or deleting your account, subject to legal/contractual limits.
• Deletion: request deletion of your account and associated data, subject to limited legal/operational retention needs.
• Portability/exports: where available, export data from the Services.
• Google permissions: you can revoke Google access in your Google account settings; Dispatch will stop accessing Google data after revocation.

The Services are not directed to children. You must be at least 16 years old to use the Services. If you believe a child has provided personal information to us, please contact us at privacy@dispatch.am.

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last updated” date and provide additional notice where appropriate, such as email notification or an in-app banner. Your continued use of the Services after changes become effective means you accept the updated Privacy Policy.

Dispatch Inc.
460 Doyle Ave, Kelowna, BC V1Y 0C2, Canada

• Privacy: privacy@dispatch.am
• Security: security@dispatch.am
• Support: support@dispatch.am