Security

Erphele runs on Convex, which stores your database records and files with encryption at rest and serves every request over TLS. Authentication is handled by Clerk using your existing Google, Apple, or Microsoft account — Erphele never sees or stores your password.

Every piece of data — tasks, chats, notes, memories, files, integration tokens — is tied to your account and access-checked on every read and write. There is no shared workspace and no path for one user to reach another's data.

To answer you and take actions, relevant context is sent to our AI provider for that single request. We operate under zero-data-retention (ZDR) terms: providers do not retain your prompts or outputs and do not use them to train models. We never train AI on your content, and we never sell your data. Semantic recall uses embeddings (numeric representations) computed only to power search across your own content.

If you connect a service (Gmail, Google Calendar, Drive, Notion, Slack, GitHub, or a custom MCP server), Erphele stores the access token server-side and uses it only for the actions you ask for. Tokens are never exposed to the client or to other users, and you can disconnect — which removes them — at any time.

You can see everything Erphele remembers about you (memories, people, daily briefs, notes, files) and delete any of it in a tap. In Settings → Privacy & data you can export everything as a single file, or permanently delete your account and all associated data and stored files.

We rely on a small set of trusted providers, each handling data only to perform its function: Clerk (authentication), Convex (database, file storage, hosting), OpenRouter / OpenAI (AI inference and embeddings, under ZDR), Polar (billing, merchant of record), Expo (mobile push), and Open-Meteo (weather). We'll keep this list current as Erphele grows.

Erphele is a personal assistant, not a certified system of record — so it isn't a replacement for the regulated tools your workplace requires (an EHR, a case-management system, and so on). But that's a statement about purpose, not protection: the security and privacy described here apply to every account equally, whatever you choose to keep in Erphele.

We hold ourselves to the practices on this page today, and we're investing in formal assurances as we grow — including SOC 2 and the controls our larger and more regulated users ask for. If your organization needs specific documentation, get in touch.

Found a vulnerability? We want to hear from you. Email security@erphele.com and we'll work with you to fix it quickly. Please give us a reasonable chance to respond before any public disclosure.