Privacy Policy
Nico AI LLC · 1981 Brevard Rd, Arden, NC 28704 · harry.demere@gmail.com
1. Introduction and Scope
This Privacy Policy describes how Nico AI LLC ("Nico AI", "we", "us", "our") handles data in connection with our products and services, including the Nico AI Chatbot and ExpensePath Expense Management platform (collectively, the "Services"). This policy applies to PEO administrators who manage the Services and to employees who use them.
Nico AI LLC provides AI-powered tools that integrate with the PrismHR platform. Our products help employees look up HR information, submit and manage expenses, search company documents, and manage hiring (applicant tracking).
Data Roles:
- Data Processor: Nico AI LLC processes data solely to deliver the Services on behalf of the PEO.
- Data Controller: The PEO (your employer's administrative partner) determines how employee data is used.
2. Data Collection and Storage Practices
A. Employee HR Data (Not Stored)
The following data is accessed via PrismHR's API to answer queries and process transactions but is never saved in our systems:
- Pay rates, pay stubs, and tax withholdings
- Benefit plans and enrollment details
- PTO balances and accrual information
- Employment status, hire date, and manager information
- Dependent information
B. Authentication and Usage Data
- Identity Verification: We use secure tokens (Employee ID, Client ID, PEO ID, Display Name) to scope sessions. These tokens are not stored in our database.
- Usage Statistics: We store basic counts (messages sent, AI token usage, transactions processed, and timestamps) for billing and monitoring. We do NOT store the content of messages or chatbot responses.
C. Expense Data (ExpensePath)
- Expense reports, line items, and receipt images are stored encrypted for the duration of the service agreement.
- Accounting integration credentials are encrypted using AES-256-GCM.
D. Company Documents
PEO administrators may upload company documents (handbooks, policies) for searchability. These documents are stored encrypted in our database.
E. Applicant Data and SMS Messaging (Nico ATS)
Nico ATS is an applicant tracking system used by PEOs and their client employers to manage hiring. When a job seeker submits an application through an employer's branded career site, we collect the information they provide on the application form, which may include name, email address, phone number, resume, work history, and responses to employer-defined screening questions. This data is stored encrypted and is accessible only to the specific employer the applicant applied to and the PEO supporting that employer.
Phone numbers and SMS messaging: If an applicant provides a phone number and affirmatively checks the SMS consent checkbox on the application form, the employer's recruiters and hiring managers may send the applicant SMS messages relating to their application — including application confirmations, interview scheduling, interview reminders, status updates, and direct recruiter replies. Phone numbers, the consent timestamp, and IP address are recorded with the application.
We do not sell, rent, share, or otherwise disclose phone numbers or SMS opt-in information to any third party for marketing purposes. Phone numbers are used solely to deliver the SMS messaging program described above. SMS data (phone numbers, opt-in status) is not shared with affiliates, advertisers, or any third party for their own marketing.
Opt-out: Applicants may opt out at any time by replying STOP to any message. Replying HELP returns support information. Standard message and data rates may apply. Message frequency varies based on the stage of the application and the activity of the hiring employer.
Retention: Phone numbers and SMS opt-in records are retained for the duration of the application lifecycle plus the retention period required by the employer or applicable law.
3. Excluded Data
Nico AI does NOT access or store:
- Full Social Security Numbers (only the last 4 digits are ever surfaced)
- Bank account information or medical records
- Conversation history or message content
4. Third-Party Sub-Processors
| Service | Purpose | Data Retention |
|---|---|---|
| PrismHR | Source of HR data | Retains data (Controller) |
| Anthropic (Claude) | AI response generation | No retention for API data |
| Vercel | Application hosting | No data retention |
| Supabase | Encrypted database & storage | Stores encrypted data |
| OpenAI | Document search processing | No retention on API tier |
| Stripe | Billing & payments | Per Stripe retention policy |
| Intuit (QuickBooks Online) | Accounting & expense export | Per Intuit retention policy |
| Twilio | SMS message delivery to applicants (Nico ATS) | Per Twilio retention policy |
| Checkr | Background checks for applicants (Nico ATS) | Per Checkr retention policy |
5. Security and Retention
- Encryption: All data is encrypted in transit via HTTPS/TLS and at rest via AES-256.
- Access Control: Users are restricted to their own identity; our systems have read-only access to PrismHR and cannot modify source data.
- Retention: HR data and conversation messages are discarded immediately after each request. If the Service is terminated, all associated data is deleted within 30 days.
For questions about this Privacy Policy, contact harry.demere@gmail.com.