Privacy Policy

Last updated: 2026-05-11

Placeholder copy — replace before public launch. A privacy lawyer should draft the final text. The substance below covers what the product actually does with data today.

1. What we collect

  • Account info: email address, password hash (we never store your password in plain text).
  • Content you upload: PDFs, DOCX, TXT files, URLs, and YouTube transcripts you add to your vaults.
  • Chat history: questions you ask and answers we return.
  • Usage metrics: aggregate query counts, ingestion job results, and per-day cost ledger.
  • Optional: IP address (rate-limit buckets for the anonymous demo; deleted after 90 days).

2. What we don't collect

  • We do not sell or share your data with third-party advertisers.
  • We do not train AI models on your vault contents. Content stays in your account.
  • We do not track you across other sites.

3. Third-party processors

We use these providers to deliver the service:

  • Supabase — Authentication, database, storage (EU/US region per your account).
  • Google Gemini — File Search retrieval and answer generation. Content is processed under Google's API data-use terms; not used for model training.
  • Cloudflare — DDoS protection and CAPTCHA (Turnstile) on signup.
  • Stripe — Payment processing for Pro subscriptions. We never see your card number.
  • Resend — Transactional email (verification, weekly digest).
  • PostHog — Product analytics (anonymized).

4. Data retention

  • Account data is retained while your account is active. Deleted accounts: data removed within 30 days.
  • Chat history: kept until you delete a session or your account.
  • Anonymized analytics may be retained beyond account deletion for service-improvement aggregates.

5. Your rights

You can export your data (vaults, sources, chat history) from the Settings page. You can delete your account at any time. EU/UK residents have additional rights under GDPR — to exercise them email [email protected].

6. Cookies

We use only essential cookies (authentication session, CSRF protection) unless you opt into analytics via the cookie banner. We never set third-party advertising cookies.

7. Children

The service is not directed at children under 16. We do not knowingly collect data from anyone under 16.

8. Changes

Material changes to this policy will be emailed to registered users at least 30 days in advance.

9. Contact

Privacy questions: [email protected].