Privacy Policy
1. Summary in 5 bullets
- We store the messages you send, the AI's replies, and your account profile in a database we control (Turso).
- Your prompts are processed by Anthropic to generate responses. Anthropic does not train on your inputs.
- We never sell your data. There are zero third-party tracking or advertising pixels on the Service.
- Payments are processed by Stripe; we never see your full card number.
- You can export or delete your data at any time by emailing [CONTACT_EMAIL].
2. What we collect
Account data
- Username, email, hashed password (bcrypt; we never store or log the plaintext).
- Optional: name and avatar from Google sign-in (only if you use that flow).
- Account status, model assignment, credit balance, application note (if any).
- Timestamps: account created, last low-credit email sent.
Conversation data
- Full text of every message you send and every reply the AI generates.
- Attachments you upload (kept as base64 inside the message record).
- Per-message token counts, cost, and which model was used.
Payment data
- A record that a payment occurred (Stripe session ID, plan, amount, tokens granted, timestamp).
- We do NOT store card numbers, CVCs, or full bank details. Stripe handles those; see Stripe's Privacy Policy.
Operational data
- IP address and User-Agent on each request, retained in security logs (see retention).
- Rate-limit counters (transient, auto-pruned).
- Security events (failed logins, suspicious requests). Used to detect abuse; not used for analytics.
What we do NOT collect
- Web analytics. There are zero analytics scripts on the Service. We do not run Google Analytics, Mixpanel, Plausible, PostHog, or anything similar.
- Advertising identifiers. No retargeting cookies. No social-media pixels.
- Browser fingerprints, cross-site identifiers, or third-party tracking of any kind.
3. Why we collect it
| Data | Purpose | Legal basis (EU/UK) |
|---|---|---|
| Account & auth data | To create and maintain your account | Contract |
| Conversation history | To deliver the chat experience and let you revisit prior threads | Contract |
| Payment records | To process purchases and provide refunds | Contract |
| Security logs (IP, UA) | To detect abuse and protect the Service | Legitimate interest |
| Low-credit emails | To warn you before you run out of credits | Contract |
| Audit trail (admin actions) | To investigate security incidents | Legitimate interest |
4. Sub-processors
We rely on the following sub-processors to deliver the Service. Each is bound by appropriate data-processing terms.
| Vendor | Purpose | Data accessed | Region |
|---|---|---|---|
| Anthropic | LLM inference (Claude) | Your prompts + attachments, transient at inference time | US |
| Turso (libSQL) | Database hosting | All account + conversation + payment records | [TURSO_REGION] |
| Vercel | Application hosting & CDN | HTTP traffic, request logs | Global edge |
| Stripe | Payment processing | Card details (we never see them), billing email | US / EU |
| Resend | Transactional email | Email address, message contents | US |
| Google (Sign in with Google OAuth) | Authentication (optional) | Verified email, name, avatar (only if you use Google sign-in) | US |
Anthropic training opt-out. We use Anthropic's commercial API. Anthropic's commercial terms state that they do not train on customer inputs. See Anthropic's current commercial terms and usage policy for the up-to-date position.
5. Data retention
- Account & conversation data: retained as long as your account is active. Deleted within 30 days of account closure.
- Payment records: retained for 7 years for tax and accounting purposes (or your jurisdiction's equivalent).
- Security logs (IP, UA): retained for 90 days, then aggregated and the raw IP discarded.
- Backups: Turso may retain encrypted backups for up to 30 days after deletion in the live database.
6. Your rights
Depending on where you live, you may have rights under GDPR (EU/UK), CCPA/CPRA (California), or similar laws. Specifically:
- Access: request a copy of your data. We provide a JSON export within 30 days of request.
- Correction: request that we fix inaccurate data.
- Deletion: request that we delete your account and associated data. We honor this within 30 days, subject to legal retention obligations.
- Portability: receive your data in a machine-readable format (JSON).
- Objection: object to processing based on legitimate interest (e.g., security logs).
- Withdraw consent: where processing is based on consent, you may withdraw at any time.
- Complaint: lodge a complaint with your local data-protection authority (e.g., your national DPA in the EU, or the ICO in the UK).
To exercise any right, email [CONTACT_EMAIL]. We respond within 30 days.
California residents: we do not "sell" or "share" personal information as those terms are defined under CCPA/CPRA. We do not engage in cross-context behavioral advertising.
7. Security
- Passwords are hashed with bcrypt; we never store or log them in plaintext.
- All traffic is encrypted with TLS (HTTPS); HSTS is enforced.
- Database connections use authenticated tokens; database is not publicly reachable.
- We maintain an internal security audit (see audits/ in our repository), reviewed and updated periodically.
- If we suffer a personal-data breach, we will notify affected users without undue delay and notify the relevant supervisory authority within 72 hours where applicable law (e.g., GDPR Art. 33) requires it.
8. Cookies & storage
We do not use cookies in the traditional sense. Authentication uses sessionStorage (a JWT scoped to your browser tab); it is deleted when you close the tab. We do not set any tracking cookies, analytics cookies, or advertising cookies.
Stripe Checkout (the payment page) may set cookies on its own domain during the purchase flow; see Stripe's cookie policy.
9. International transfers
Our sub-processors are based in the United States and (depending on configuration) the EU. If you are in the EU/UK/EEA, your data may be transferred outside your jurisdiction. We rely on Standard Contractual Clauses (SCCs) and, where a sub-processor participates in a recognised adequacy mechanism (such as the EU-US Data Privacy Framework), on that mechanism for these transfers.
10. California residents (CPRA addendum)
This section provides the disclosures required under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, "CPRA"). It supplements the general policy above and applies only to California residents.
Categories of personal information collected (last 12 months)
Cal. Civ. Code § 1798.140 categories that we collect:
- Identifiers: username, email, IP address. Sources: directly from you, or from Google if you use Google sign-in. Purpose: account creation, authentication, security. Recipients: our sub-processors (see list). Retention: while account active + 30 days post-deletion.
- Customer records (Cal. Civ. Code § 1798.80(e)): password hash (bcrypt, never plaintext), payment receipt records. Sources: directly from you, Stripe for payments. Purpose: authentication, billing. Retention: payment records 7 years for tax; passwords until deletion.
- Commercial information: credit pack purchase history. Sources: Stripe. Purpose: service delivery, accounting. Retention: 7 years.
- Internet activity: chat content, attachments, model selections, request metadata. Sources: directly from you. Purpose: deliver chat functionality, return your prior conversations. Retention: while account active + 30 days post-deletion.
- Geolocation (coarse): country-level, inferred from IP for fraud detection. Sources: derived from IP. Purpose: security, sanctions compliance. Retention: 90 days.
- Inferences: credit usage patterns for low-balance alerts only. Sources: derived from your activity. Purpose: service operation. Retention: aggregated only.
Sensitive personal information
We do not knowingly collect "sensitive personal information" under CPRA § 1798.140(ae): no SSNs, no driver's license numbers, no precise geolocation, no racial/ethnic origin, no religious beliefs, no union membership, no genetic data, no biometric identifiers, no health data, no sexual orientation, and no contents of private communications other than the chat messages you choose to send to the Service. We instruct you NOT to submit such data; if you do, you do so at your own risk.
Sale or sharing
We do NOT sell or share personal information as those terms are defined under CPRA (no cross-context behavioral advertising, no sale of personal information for monetary or other valuable consideration). The "Do Not Sell or Share My Personal Information" link is not applicable to us because we do neither.
Your CPRA rights
California residents have the right to:
- Know what personal information we collect, use, disclose.
- Delete personal information we hold about you.
- Correct inaccurate personal information.
- Limit use and disclosure of sensitive personal information (we do not collect such information; nonetheless this right exists).
- Opt out of sale or sharing (we do neither).
- Portability: receive your information in machine-readable form.
- Non-discrimination: exercising your rights will not result in denial of service, different pricing, or different service quality.
To exercise these rights, email [CONTACT_EMAIL]. You may use an authorized agent; we may verify your identity before fulfilling the request (typically by replying to your registered email).
Financial incentives
We offer no financial incentives in exchange for personal information.
Shine the Light (Cal. Civ. Code § 1798.83)
California residents may request information about the disclosure of personal information to third parties for direct-marketing purposes. We do not share for direct-marketing purposes, so no such information exists. Email [CONTACT_EMAIL] to receive a confirmation of this.
11. Other US state privacy laws
Residents of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (DPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive consumer-privacy laws have rights similar to the CPRA rights above. We extend the rights of access, correction, deletion, portability, and opt-out of profiling/targeted advertising/sale (we engage in none of these) to all such residents on the same procedure described above.
Appeals: if we decline a request, you may appeal by replying to our denial with the subject line "APPEAL". We will respond within 60 days. You may also file a complaint with your state's Attorney General.
12. Quebec (Law 25)
If you are a Quebec resident, our Confidentiality Officer is reachable at privacy@[DOMAIN]. We do not engage in automated decision-making with legal effects on you. Your rights of access, rectification, deletion, and portability apply on the same procedure above.
13. Brazil (LGPD)
Data Controller for Brazilian residents: [LEGAL_ENTITY_NAME]. Legal bases for processing under LGPD Art. 7: contract performance (account creation, service delivery), legitimate interest (security logging), legal obligation (tax records). Complaints may be filed with the Brazilian Data Protection Authority (ANPD) at gov.br/anpd.
14. Do Not Track
Some browsers send a "Do Not Track" signal. We do not track users in the first place, so DNT signals are honored automatically; there is nothing to opt out of. The Global Privacy Control (GPC) signal is honored equivalently.
15. Changes
We update this Privacy Policy as our practices evolve. Material changes will be announced by email to active users at least 14 days before they take effect, and posted on this page. The "Effective" date at the top is always current.
Placeholders shown like [THIS] must be filled in by the operator before publication. This document is a starting template; it is not legal advice. Have a privacy professional review before relying on it, especially if you handle EU, UK, California, or sector-regulated (HIPAA, GLBA, FERPA, etc.) data.