Privacy Policy
Nico AI LLC · 1981 Brevard Rd, Arden, NC 28704 · harry.demere@gmail.com
1. Introduction and Scope
This Privacy Policy describes how Nico AI LLC ("Nico AI", "we", "us", "our") handles data in connection with our products and services, including the Nico AI Chatbot and ExpensePath Expense Management platform (collectively, the "Services"). This policy applies to PEO administrators who manage the Services and to employees who use them.
Nico AI LLC provides AI-powered tools that integrate with the PrismHR platform. Our products help employees look up HR information, submit and manage expenses, and search company documents.
Data Roles:
- Data Processor: Nico AI LLC processes data solely to deliver the Services on behalf of the PEO.
- Data Controller: The PEO (your employer's administrative partner) determines how employee data is used.
2. Data Collection and Storage Practices
A. Employee HR Data (Not Stored)
The following data is accessed via PrismHR's API to answer queries and process transactions but is never saved in our systems:
- Pay rates, pay stubs, and tax withholdings
- Benefit plans and enrollment details
- PTO balances and accrual information
- Employment status, hire date, and manager information
- Dependent information
B. Authentication and Usage Data
- Identity Verification: We use secure tokens (Employee ID, Client ID, PEO ID, Display Name) to scope sessions. These tokens are not stored in our database.
- Usage Statistics: We store basic counts (messages sent, AI token usage, transactions processed, and timestamps) for billing and monitoring. We do NOT store the content of messages or chatbot responses.
C. Expense Data (ExpensePath)
- Expense reports, line items, and receipt images are stored encrypted for the duration of the service agreement.
- Accounting integration credentials are encrypted using AES-256-GCM.
D. Company Documents
PEO administrators may upload company documents (handbooks, policies) for searchability. These documents are stored encrypted in our database.
3. Excluded Data
Nico AI does NOT access or store:
- Full Social Security Numbers (only the last 4 digits are ever surfaced)
- Bank account information or medical records
- Conversation history or message content
4. Third-Party Sub-Processors
| Service | Purpose | Data Retention |
|---|---|---|
| PrismHR | Source of HR data | Retains data (Controller) |
| Anthropic (Claude) | AI response generation | No retention for API data |
| Vercel | Application hosting | No data retention |
| Supabase | Encrypted database & storage | Stores encrypted data |
| OpenAI | Document search processing | No retention on API tier |
| Stripe | Billing & payments | Per Stripe retention policy |
| Intuit (QuickBooks Online) | Accounting & expense export | Per Intuit retention policy |
5. Security and Retention
- Encryption: All data is encrypted in transit via HTTPS/TLS and at rest via AES-256.
- Access Control: Users are restricted to their own identity; our systems have read-only access to PrismHR and cannot modify source data.
- Retention: HR data and conversation messages are discarded immediately after each request. If the Service is terminated, all associated data is deleted within 30 days.
For questions about this Privacy Policy, contact harry.demere@gmail.com.