Privacy Policy
1Who we are & what this covers
This Privacy Policy is published by Iceberg AI, Inc., a Delaware corporation (“Iceberg,” “we,” “us”). It applies to:
- our website and waitlist at www.tryiceberg.ai;
- the Iceberg customer-experience intelligence platform, including hosted applications we provide to our customers (together, the “Services”).
Our Services are built for businesses. Most of the people who use them do so on behalf of an organization that is our customer. For data we process on behalf of a customer — such as its customer-feedback data and the messages its team sends — we act as a service provider (processor), and the customer's agreement with us governs that processing. For data about our own users, website visitors, and waitlist members, we act as the business (controller), and this policy applies directly.
If you have any questions about this policy, contact us at contact@tryiceberg.ai.
2Information we collect
Information you provide to us
- Account information. When you sign in with Google, we receive your Google account email address and basic profile information (your name and profile picture, where available).
- Waitlist information. If you join our waitlist, we collect the email address you submit.
- Content you create. Content you compose, edit, or configure in the product, and the settings you choose.
- Communications. If you email us or contact support, we keep the correspondence.
Information we receive from Google with your permission
If you choose to connect your Google account, we request narrowly scoped permissions to sign you in and to send email on your behalf. This is described in detail in Section 4 (Google user data & Limited Use).
Information collected automatically
- Usage data. We use product analytics (PostHog) to understand how the Services are used — pages viewed, features used, and events such as button clicks, along with device and browser information and approximate location derived from IP address.
- Log and session data. Standard server logs and a session cookie that keeps you signed in.
Business and professional contact information
To deliver the Services to our customers, we process professional contact details of their staff — such as a person's name, role, and work email address. This information comes from our customers, from publicly available sources, or from third-party business-data providers, and is used only to operate the Services (for example, delivering information to the right person at a customer organization).
Publicly available content
The Services aggregate customer-feedback content that is already publicly available — such as public reviews of a business — including the content itself, ratings, posting dates, author display names, and the business's public responses. We collect this content to give businesses a unified view of their own customer feedback; we do not combine it with other data to build profiles of the individuals who posted it.
3How we use information
- Provide the Services — authenticate you, aggregate and analyze your organization's customer-feedback data, generate insights and suggested content, and deliver communications you choose to send.
- Send communications on your behalf, at your direction. When you choose to send a message through an account you have connected (such as Gmail), we transmit it so that it comes from you.
- Improve the product — analytics on feature usage, debugging, and performance.
- Communicate with you — service updates, security notices, waitlist and onboarding emails, and responses to your requests.
- Protect the Services — detect abuse, enforce our terms, and comply with law.
We do not sell personal information, and we do not use personal information for third-party advertising.
4Google user data & Limited Use
If you sign in with Google or connect a Google account to the Services, we want to be precise about what we access and what we never do.
What we request and why
| Permission (OAuth scope) | What it allows | Why we need it |
|---|---|---|
openid, email |
See your Google account email address and basic profile | To sign you in and identify your account — no separate password to manage |
gmail.send |
Send email from your Gmail address — send only | So messages you choose to send are delivered from your own address, not a third-party sender |
What we never do with your Google data
- We cannot and do not read, browse, or search your inbox. The send-only permission does not grant access to the contents of your mailbox.
- We only send email when you explicitly take an action in the product that says an email will be sent. Every message is visible to you before it goes out.
- We store the credential that lets us send on your behalf (an OAuth refresh token) encrypted at rest, alongside a record of the messages you have sent.
- We do not use Google user data for advertising, do not sell it, and do not transfer it to third parties except as necessary to provide the feature you asked for, for security purposes, or to comply with law.
- No humans at Iceberg read your Google user data unless you ask us to (for support), it is required for security or legal reasons, or it has been aggregated and anonymized.
- We do not use Google user data to develop, improve, or train generalized artificial intelligence or machine-learning models, and we do not transfer it to any AI/ML provider.
Iceberg's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Revoking access
You can disconnect Iceberg from your Google account at any time from your Google Account security settings. Revoking access immediately prevents us from sending further email on your behalf, and we delete the stored credential.
5AI features
Iceberg uses artificial intelligence, including large language models, to power analysis and drafting features in the Services. The content processed by these features is customer-feedback content and related business context — not your Google user data. We do not use customer content to train AI models. We use enterprise API offerings from established AI providers; under our agreements with them, content submitted through their APIs is not used to train their models either. AI-generated content is presented to you in the product for your review.
6How we share information
We share personal information only with service providers who process it on our behalf under contract, and in the limited circumstances below. We do not sell personal information and have not done so.
| Category | Providers | Purpose |
|---|---|---|
| Cloud hosting & infrastructure | e.g., Amazon Web Services, Supabase, Vercel | Hosting the Services and storing data (United States) |
| Sign-in & connected accounts | Google LLC | Authentication and sending messages at your direction (see Section 4) |
| Artificial intelligence | Enterprise AI providers (e.g., Anthropic, OpenAI) | Processing customer-feedback content for analysis and drafting (see Section 5) |
| Product analytics | e.g., PostHog | Usage analytics to improve the product |
| Data collection & verification | Specialized service providers | Collecting publicly available content; verifying business contact details |
We may also disclose information:
- Within your organization — activity in the product is visible to other authorized users of the same organization.
- For legal reasons — if required by law, subpoena, or to protect the rights, safety, or property of Iceberg, our users, or others.
- In a business transfer — if Iceberg is involved in a merger, acquisition, or asset sale, personal information may be transferred, subject to this policy's commitments.
7Data retention
- Account information is kept while your account is active and deleted upon verified request.
- Gmail credentials (encrypted refresh tokens) are kept until you disconnect Google, revoke access, or delete your account — whichever comes first.
- Activity records (such as messages sent through the Services) are kept while the customer's account is active.
- Waitlist emails are kept until you ask to be removed or the waitlist is retired.
- Aggregated customer-feedback content is retained to provide historical analysis for active customers.
We may retain certain information for longer where required by law (for example, tax, accounting, or legal compliance records) or where reasonably necessary to resolve disputes and enforce our agreements.
8Security
We protect personal information with industry-standard measures: encryption in transit (TLS), encryption at rest for stored data, application-level encryption for Gmail credentials, role-restricted access to production systems, and OAuth-based authentication (we never see or store your Google password). No method of transmission or storage is 100% secure, but we work to protect your information and will notify you and the relevant authorities of a breach where the law requires it.
9Your rights & choices
You can access, correct, export, or delete your personal information by emailing contact@tryiceberg.ai. We respond to all verified requests consistent with applicable law, and we do not discriminate against you for exercising your rights.
California residents. The CCPA/CPRA gives you rights to know, correct, and delete personal information, and to opt out of “sales” or “sharing.” We do not sell personal information or share it for cross-context behavioral advertising, and we do not use sensitive personal information for purposes requiring a right to limit. We honor Global Privacy Control signals where the law requires. Where we process personal information on behalf of a customer, we do so as a “service provider” and do not use or disclose it for any purpose other than performing the Services.
Visitors from the EEA/UK. Where GDPR applies, we process personal data on four legal bases: to perform our contract with you; for our legitimate interests in operating, securing, and improving the Services; to comply with legal obligations; or with your consent (which you may withdraw at any time — e.g., disconnecting Google). You may also lodge a complaint with your local supervisory authority.
Individuals whose public content appears in our Services. If content you posted publicly (for example, a review of a business) appears in our Services and you want it removed from our systems, contact us — though note the original post lives on the platform where you published it, and removing it there is governed by that platform.
10Cookies & analytics
We use a small number of cookies and similar technologies:
- Essential — a signed session cookie that keeps you logged in to the platform.
- Analytics — PostHog cookies/identifiers that help us understand product usage.
We do not use advertising cookies or trackers. Most browsers let you block or delete cookies; blocking the essential cookie will prevent sign-in from working.
11Children's privacy
The Services are business tools and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
12International visitors
We are a U.S. company and the Services are hosted in the United States. If you access the Services from outside the U.S., your information will be transferred to, stored, and processed in the United States, where privacy laws may differ from those in your jurisdiction.
13Changes to this policy
We may update this policy as the Services evolve. If we make material changes, we will update the date at the top of this page and, where appropriate, notify you in the product or by email. Continued use of the Services after changes take effect means you accept the updated policy.
14Contact us
Iceberg AI, Inc.
A Delaware corporation
Registered office: 131 Continental Dr, Suite 305, Newark, DE 19713, USA
contact@tryiceberg.ai