Privacy Policy
Effective date: April 9, 2026
1. Introduction & Scope
Consilium ("we", "our", "us", or the "Platform") is an AI deliberation platform operated by Saad Kadri as a sole proprietorship. This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you access or use the Consilium hosted service available at consilium.app (the "Service"), our APIs, our command-line interface, and any related websites or applications.
This policy applies to all users of the hosted Service worldwide.
This policy is designed to comply with the European Union General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Montana Consumer Data Privacy Act (MCDPA), India's Digital Personal Data Protection Act 2023 (DPDPA), China's Personal Information Protection Law (PIPL), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil's Lei Geral de Proteção de Dados (LGPD), and Australia's Privacy Act 1988.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. Where required by applicable law, we will obtain your explicit consent before processing your personal data.
2. Definitions
For the purposes of this Privacy Policy:
- "Personal Data" (also "Personal Information") means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person. This includes "personal data" as defined under GDPR, "personal information" under CCPA/CPRA, "digital personal data" under DPDPA, and equivalent terms under other applicable laws.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Controller" (also "Data Fiduciary" under DPDPA, "Business" under CCPA) means the natural or legal person that determines the purposes and means of the processing of Personal Data. For the hosted Service, the Controller is Saad Kadri operating as Consilium.
- "Processor" (also "Data Processor" under DPDPA, "Service Provider" under CCPA) means a natural or legal person that processes Personal Data on behalf of the Controller.
- "Data Subject" (also "Data Principal" under DPDPA, "Consumer" under CCPA) means the identified or identifiable natural person to whom the Personal Data relates.
- "Sensitive Personal Data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation, as well as any categories designated as sensitive under applicable law. We do not intentionally collect Sensitive Personal Data.
- "Third Party" means a natural or legal person, public authority, agency, or body other than the Data Subject, Controller, Processor, or persons under the direct authority of the Controller or Processor.
3. Information We Collect
3.1 Account Information
When you create an account through our authentication provider (Clerk), we collect:
- Email address (required for authentication)
- Name (optional, if provided through OAuth provider)
- Profile picture (optional, if provided through OAuth provider)
- OAuth provider identifiers (e.g., Google, GitHub account IDs)
3.2 API Keys
If you choose to store your AI provider API keys (OpenAI, Anthropic, Google AI, Groq, xAI) in our system, they are encrypted with AES-256-GCM before storage. Your API keys are:
- Encrypted at rest with industry-standard AES-256-GCM encryption
- Only decrypted in memory when needed to make API calls on your behalf
- Never logged, displayed in plain text, or shared with unauthorized third parties
- Transmitted only to the respective AI provider for which the key was issued
- Deletable at any time through your account settings
3.3 Debate Content
When you use the deliberation features of the Service, we store:
- Your debate topics, prompts, and configuration preferences
- AI agent responses generated during deliberation rounds
- Synthesized outputs, judgments, and consensus documents
- Deliberation mode selections and parameters
- Usage metrics including token counts, cost calculations, and timestamps
3.4 Payment Information
Payment processing is handled entirely by Stripe. We do not store your full credit card number, CVV, or bank account details. We retain only:
- Stripe customer ID
- Subscription status and plan type
- Last four digits of the payment method (for display purposes)
- Billing address (if provided)
- Transaction history and invoice records
3.5 Technical Information
We automatically collect:
- IP address (for security, rate limiting, and approximate geolocation)
- Browser type, version, and language preference
- Operating system and device type
- Referring URL and pages visited within the Service
- Authentication events and timestamps (for security audit logs)
- Error reports and performance data (via Sentry)
- Feature usage and interaction patterns (via PostHog analytics)
3.6 Cookies & Similar Technologies
We use cookies and similar tracking technologies as described in Section 6 of this policy.
4. Legal Bases for Processing
Under the GDPR, UK GDPR, and equivalent regulations, we process your Personal Data on the following legal bases:
- Performance of a Contract (Art. 6(1)(b) GDPR): Processing necessary to provide you with the Service, including account creation, authentication, debate processing, and subscription management.
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as for optional analytics tracking, marketing communications, or the storage of API keys. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Legitimate Interests (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. This includes security monitoring, fraud prevention, service improvement, and bug fixing. We conduct balancing tests for each legitimate interest claim.
- Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with a legal obligation to which we are subject, such as tax record retention or responding to lawful government requests.
For jurisdictions that do not use the legal bases framework (e.g., CCPA/CPRA), our collection and use of Personal Information is governed by the disclosures and rights described in the applicable sections of this policy.
5. How We Use Your Information
We use your Personal Data for the following purposes:
- Service Delivery: To provide, operate, and maintain the Consilium platform, including processing your debate requests through AI providers, managing your account, and delivering deliberation results.
- Authentication & Security: To verify your identity, secure your account, detect and prevent fraudulent or unauthorized activity, enforce rate limits, and maintain audit logs.
- Payment Processing: To process subscription payments, manage billing, issue invoices and receipts, and handle refunds or disputes through Stripe.
- Service Improvement: To analyze usage patterns, diagnose technical issues, fix bugs, optimize performance, and develop new features.
- Analytics: To understand how users interact with the Service, measure feature adoption, and improve user experience through aggregated and anonymized analytics.
- Error Monitoring: To collect and analyze error reports for debugging and reliability improvements through Sentry.
- Communications: To send you transactional emails (e.g., account verification, password resets, subscription confirmations) and, with your consent, product updates or marketing communications.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Abuse Prevention: To detect and prevent abuse of the Service, including automated attacks, scraping, and terms of service violations.
6. Cookie Policy
6.1 What Cookies We Use
We use the following categories of cookies and similar technologies:
- Strictly Necessary Cookies: Required for the Service to function. These include session cookies set by Clerk for authentication and CSRF protection tokens. These cannot be disabled without breaking the Service.
- Analytics Cookies: Set by PostHog to help us understand how users interact with the Service, including page views, feature usage, and session duration. These are optional, and you can opt out of them.
- Performance Cookies: Set by Sentry for error monitoring and performance tracking, including page load times and JavaScript errors.
- Payment Cookies: Set by Stripe for fraud prevention and payment processing functionality.
6.2 How to Manage Cookies
You can control cookies through the following methods:
- Browser settings: Most browsers allow you to block or delete cookies
- PostHog opt-out: You may opt out of PostHog analytics tracking through our cookie consent banner or by contacting us
- Do Not Track: See Section 14 regarding Do Not Track signals
Disabling strictly necessary cookies may prevent you from using the Service. In accordance with the ePrivacy Directive (Directive 2002/58/EC as amended), we obtain consent before setting non-essential cookies for users in the EU/EEA and UK.
7. Data Sharing & Third-Party Processors
We do not sell, rent, or trade your Personal Data. We do not share your Personal Data for cross-context behavioral advertising. We share data only with the following categories of recipients, each acting as a data processor or sub-processor under appropriate data processing agreements:
| Processor | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication & identity management | Email, name, profile picture, OAuth tokens, session data |
| Stripe | Payment processing & subscription management | Email, billing details, payment method, transaction data |
| Sentry | Error monitoring & performance tracking | IP address, browser info, error stack traces, user ID |
| PostHog | Product analytics | Anonymized usage events, session data, device info |
| OpenAI | AI model provider for deliberations | Debate prompts and content submitted by user |
| Anthropic | AI model provider for deliberations | Debate prompts and content submitted by user |
| Google AI | AI model provider for deliberations | Debate prompts and content submitted by user |
| Groq | AI model provider for deliberations | Debate prompts and content submitted by user |
| xAI | AI model provider for deliberations | Debate prompts and content submitted by user |
| Neon | PostgreSQL database hosting | All stored application data (encrypted at rest) |
| Upstash | Redis cache, queues, and session storage | Session tokens, queue job data, cached values |
| Vercel | Web application hosting & CDN | IP address, request logs, static asset delivery |
| Render | API & agent backend hosting | Application logs, request data |
AI Provider Data Handling: When your debate content is sent to AI providers (OpenAI, Anthropic, Google AI, Groq, xAI), it is transmitted using your API keys or our platform keys. Each AI provider's handling of that data is governed by their own privacy policies and terms of service. We do not control and are not responsible for how AI providers process, store, or use the content once it is transmitted to them. We encourage you to review each provider's privacy policy independently.
We may also disclose your Personal Data if required to do so by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Consilium, our users, or the public.
8. International Data Transfers
Our Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your Personal Data will be transferred to, stored, and processed in the United States and potentially other countries where our processors operate.
For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on:
- Standard Contractual Clauses (SCCs): We enter into the European Commission's Standard Contractual Clauses with our processors to ensure adequate safeguards for transferred data, as approved under Commission Implementing Decision (EU) 2021/914.
- UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or the UK Addendum to the EU SCCs as approved by the UK Information Commissioner's Office.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission or the UK Secretary of State recognizing certain countries as providing adequate data protection.
- Supplementary Measures: Where required by the Schrems II decision (Case C-311/18), we implement supplementary technical, organizational, and contractual measures to ensure the effectiveness of the transfer mechanism.
For transfers involving data from China under PIPL, we comply with applicable cross-border transfer requirements including security assessments where mandated. For transfers from Brazil under LGPD, we use equivalent contractual safeguards. For transfers from India under DPDPA, we comply with any restrictions on cross-border transfers to countries notified by the Indian government.
You may request a copy of the applicable transfer safeguards by contacting us at the address in Section 18.
9. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our specific retention periods are:
- Account Information: Retained for the duration of your account. Deleted within 30 days of account deletion request, except where retention is required by law.
- API Keys: Retained in encrypted form until you delete them or delete your account. Purged from all systems within 30 days of deletion.
- Debate Content: Retained for the duration of your account. You may delete individual debates at any time. All debate content is deleted within 30 days of account deletion.
- Payment Records: Retained for 7 years after the transaction date as required by tax and financial regulations.
- Security & Audit Logs: Retained for 12 months for security investigation purposes, then automatically purged.
- Analytics Data: PostHog analytics data is retained for 12 months, after which it is automatically deleted or anonymized.
- Error Reports: Sentry error data is retained for 90 days.
- Server Logs: Retained for 30 days, then automatically deleted.
When data is no longer required, it is securely deleted or irreversibly anonymized. Backup copies may persist for up to an additional 30 days before being purged from backup systems.
10. Your Rights by Jurisdiction
Depending on your location and applicable law, you may have the following rights regarding your Personal Data. To exercise any of these rights, please contact us using the information in Section 18.
10.1 European Economic Area, United Kingdom & Switzerland (GDPR / UK GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR and UK GDPR:
- Right of Access (Art. 15): Obtain confirmation of whether we process your data and request a copy of it
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal exceptions
- Right to Restriction (Art. 18): Request restriction of processing in certain circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling
- Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent
We will respond to your request within 30 days (extendable by an additional 60 days for complex requests). Requests are fulfilled free of charge unless manifestly unfounded or excessive.
10.2 California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act grants you the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of Personal Information we have collected, the purposes of collection, and the categories of third parties with whom it is shared
- Right to Delete: Request deletion of your Personal Information, subject to legal exceptions
- Right to Correct: Request correction of inaccurate Personal Information
- Right to Opt-Out of Sale/Sharing: We do not sell your Personal Information or share it for cross-context behavioral advertising. If this changes, we will provide an opt-out mechanism
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose Sensitive Personal Information for purposes beyond those permitted under CPRA
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
We will respond to verifiable consumer requests within 45 days (extendable by an additional 45 days). You may submit requests up to twice per 12-month period.
10.3 Other U.S. States (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA)
If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or Montana, applicable state privacy laws grant you rights that may include:
- Right to access your Personal Data
- Right to correct inaccuracies
- Right to delete your Personal Data
- Right to data portability
- Right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
Response timeframes and appeal procedures vary by state. If we deny your request, you may appeal by contacting us, and we will provide information about how to file a complaint with your state's attorney general if applicable.
10.4 India (DPDPA 2023)
If you are located in India, the Digital Personal Data Protection Act 2023 grants you the following rights as a Data Principal:
- Right to Access: Obtain a summary of your digital personal data being processed and the processing activities
- Right to Correction and Erasure: Request correction of inaccurate or misleading data, completion of incomplete data, or erasure of data no longer necessary for the purpose for which it was collected
- Right to Grievance Redressal: Lodge complaints with us regarding processing of your data, to which we will respond within the timeframe prescribed by applicable rules
- Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity
10.5 China (PIPL)
If you are located in the People's Republic of China, the Personal Information Protection Law grants you the following rights:
- Right to Know and Decide: Be informed about and decide on the processing of your personal information, and restrict or refuse processing (except as required by law)
- Right to Access and Copy: Access and obtain copies of your personal information
- Right to Correction and Supplementation: Request correction or supplementation of inaccurate or incomplete information
- Right to Deletion: Request deletion of your personal information in prescribed circumstances
- Right to Portability: Request transfer of your personal information to another handler under conditions specified by the Cyberspace Administration of China
- Right to Withdraw Consent: Withdraw consent at any time; withdrawal does not affect the lawfulness of processing conducted prior to withdrawal
- Right to Explanation: Request an explanation of the rules for processing your personal information
10.6 Canada (PIPEDA)
If you are located in Canada, PIPEDA grants you the following rights:
- Right to access your personal information held by us
- Right to challenge the accuracy and completeness of your personal information and have it amended
- Right to withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
- Right to complain to the Office of the Privacy Commissioner of Canada
10.7 Brazil (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados grants you the following rights:
- Confirmation of the existence of processing
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or elimination of unnecessary or excessive data
- Portability of data to another service or product provider
- Deletion of personal data processed with your consent
- Information about public and private entities with which your data has been shared
- Information about the possibility of denying consent and the consequences thereof
- Revocation of consent
10.8 Australia (Privacy Act 1988)
If you are located in Australia, the Privacy Act 1988 and the Australian Privacy Principles (APPs) grant you the following rights:
- Right to access your personal information held by us (APP 12)
- Right to request correction of your personal information (APP 13)
- Right to complain about a breach of the APPs, and to have that complaint handled within a reasonable timeframe
- Right to complain to the Office of the Australian Information Commissioner (OAIC)
11. Children's Privacy
The Service is not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect Personal Data from children under 16. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us immediately.
In compliance with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. In the EU/EEA, we comply with Article 8 of the GDPR regarding conditions applicable to a child's consent. In the UK, the applicable age is 13 under the UK GDPR. Under India's DPDPA, we do not process data of children (under 18) without verifiable parental consent.
If we discover that we have collected Personal Data from a child without appropriate consent, we will take steps to delete that data as quickly as possible.
12. Security Measures
We implement technical and organizational measures designed to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction:
- Encryption: All data is encrypted in transit using TLS 1.2 or higher. Sensitive data (including API keys) is encrypted at rest using AES-256-GCM. Database connections use encrypted channels.
- Access Controls: Access to production systems and databases is restricted to authorized personnel using role-based access controls and multi-factor authentication.
- Audit Logging: Security-relevant events including authentication attempts, data access, and administrative actions are logged and monitored.
- Infrastructure Security: The Service is hosted on platforms (Vercel, Render, Neon, Upstash) that maintain SOC 2 Type II certifications or equivalent security standards.
- Dependency Management: Automated security scanning of dependencies using GitHub CodeQL, pip-audit, Bandit, and Gitleaks for secret detection.
- Incident Response: We maintain an incident response procedure for identifying, containing, and remediating security incidents, including data breaches (see Section 16).
While we implement commercially reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
13. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, we currently do not alter our data collection and use practices in response to DNT signals. However, you can opt out of analytics tracking as described in Section 6 of this policy.
For California residents, we note that we do not engage in the "sale" or "sharing" (as those terms are defined under CCPA/CPRA) of your Personal Information, and we do not use or disclose Sensitive Personal Information for purposes that would require us to offer a right to limit under CPRA.
14. Automated Decision-Making
The core functionality of Consilium involves the use of third-party AI models to process your debate prompts and generate responses. This AI processing is integral to the Service and is initiated at your direction.
We do not use automated decision-making or profiling, as defined under Article 22 of the GDPR, that produces legal or similarly significant effects on you. Specifically:
- We do not use automated systems to make decisions about your access to the Service, pricing, or terms
- We do not use profiling to evaluate personal aspects such as performance, economic situation, health, preferences, interests, reliability, behavior, or location
- AI-generated deliberation outputs are informational and do not constitute decisions with legal or similarly significant effects
Rate limiting and abuse detection systems make automated decisions about request throttling based on usage patterns, but these do not produce legal or similarly significant effects.
15. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- GDPR/UK GDPR: Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33). Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (Article 34).
- CCPA/CPRA: Notify affected California residents in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach.
- DPDPA (India): Notify the Data Protection Board of India and affected Data Principals in the manner and timeframe prescribed by applicable rules.
- PIPL (China): Immediately adopt remedial measures and notify the relevant department performing personal information protection duties and affected individuals.
- PIPEDA (Canada): Report to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible when the breach creates a real risk of significant harm.
- LGPD (Brazil): Notify the Autoridade Nacional de Proteção de Dados (ANPD) and the data subject within a reasonable time period.
- Privacy Act 1988 (Australia): Notify the OAIC and affected individuals as soon as practicable after becoming aware of an eligible data breach under the Notifiable Data Breaches scheme.
Breach notifications will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
- For material changes, we will notify you by email (using the email address associated with your account) and/or by displaying a prominent notice within the Service at least 30 days before the changes take effect.
- For non-material changes, we will update the "Effective date" at the top of this policy.
- Where required by applicable law (e.g., GDPR), we will obtain your renewed consent for material changes that affect the legal basis for processing.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy, to the extent permitted by applicable law.
17. Data Protection Contact
Consilium is operated by Saad Kadri as a sole proprietorship. For all privacy-related inquiries, data subject access requests, complaints, or questions about this Privacy Policy, you may contact us at:
- Name: Saad Kadri
- Role: Data Protection Contact / Controller
- Email: saad@myconsilium.xyz
For GDPR purposes, Saad Kadri acts as the data controller. Given the current scale of operations, a formal Data Protection Officer (DPO) has not been appointed, as it is not required under Article 37 of the GDPR. This will be reassessed as the organization grows.
We will acknowledge receipt of your inquiry within 5 business days and endeavor to respond substantively within the timeframes required by applicable law.
18. Complaint Rights & Supervisory Authorities
If you are unsatisfied with our response to your privacy concern, you have the right to lodge a complaint with the appropriate supervisory authority in your jurisdiction:
- EU/EEA: Your local Data Protection Authority (DPA). A list of EEA DPAs is available at edpb.europa.eu.
- United Kingdom: Information Commissioner's Office (ICO) at ico.org.uk.
- California: California Attorney General at oag.ca.gov/privacy, or the California Privacy Protection Agency.
- Other U.S. States: Your state's Attorney General office.
- India: The Data Protection Board of India, once established and operational under the DPDPA 2023.
- China: The Cyberspace Administration of China or the relevant department performing personal information protection duties.
- Canada: The Office of the Privacy Commissioner of Canada at priv.gc.ca.
- Brazil: The Autoridade Nacional de Proteção de Dados (ANPD).
- Australia: The Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
19. User Responsibilities & Content
You are solely responsible for the content you submit to the Service for deliberation, including debate prompts, topics, and any information contained therein. You represent and warrant that:
- You have the right to submit any content you provide to the Service
- Your content does not contain Personal Data of third parties unless you have a lawful basis to process such data
- You will not submit Sensitive Personal Data, financial account credentials (other than AI provider API keys), or other information requiring special regulatory protections unless you understand and accept the risks
- You acknowledge that content submitted to the Service will be transmitted to third-party AI providers for processing
We are not liable for any harm arising from content you choose to submit to the Service or from the outputs generated by AI providers in response to your content.
20. Third-Party Liability Limitation
While we carefully select our processors and sub-processors, we are not responsible for:
- Data breaches occurring at third-party processors (Clerk, Stripe, Sentry, PostHog, Neon, Upstash, Vercel, Render, or AI providers) to the extent caused by their own failures
- Changes to third-party privacy policies or data handling practices
- AI provider training, retention, or processing of data beyond what is specified in their terms of service and API agreements
We maintain data processing agreements with our processors where required by applicable law, and we conduct reasonable due diligence on our sub-processors. However, our liability for third-party actions is limited to the extent permitted by applicable law.
21. Effective Date
This Privacy Policy is effective as of April 9, 2026, and supersedes all prior versions.