AI Trace

Privacy Policy

Version 1.1.0 · Effective 2026-05-06

1. What We Collect

We collect:

  • Account info: email, display name, optional Google profile name and image.
  • Acceptance log: TOS / Privacy version, timestamp, IP, User-Agent.
  • Usage logs: API endpoints called, response time, status code, IP.
  • Watchlists, comparisons, briefing history, and notes — created by you.

2. How We Use It

We use this data to operate the Service: authenticate sessions, enforce rate limits, deliver notifications, and improve product reliability. We do not sell your data.

3. Sharing and Subprocessors

We share data with subprocessors necessary to operate the Service:

  • Supabase — authentication and database storage.
  • Vercel — hosting and serverless functions.
  • Upstash — Redis cache and rate-limit state.
  • Resend — transactional email delivery.
  • Google LLC — authentication (OAuth). When you sign in with Google, we receive your name, email address, and profile image from Google. Google’s privacy policy: https://policies.google.com/privacy.

We do not share your data with advertisers.

4. Retention

Account records are retained while your account is active. Acceptance logs are retained for the legally required minimum (typically 7 years) for auditability. Usage logs are retained for 90 days, then aggregated.

5. Your Rights

You have the right to:

  • Request a copy of the personal data we hold about you.
  • Request deletion of your account and associated data.
  • Request a copy of your consent and acceptance records.

To exercise any of these rights, email [email protected]. We will fulfill requests within 30 days.

6. Cookies

We use one cookie for session authentication (set by Supabase Auth) and one cookie for theme preference. We do not use third-party tracking or advertising cookies.

7. Security

We protect your data through:

  • Encryption in transit — TLS 1.3, enforced via HSTS with a two-year max-age.
  • Encryption at rest — AES-256 via our database provider.
  • Row-Level Security on all database tables, ensuring users can only access their own data.
  • Comprehensive audit logging of administrative actions.
  • Regular security assessments and dependency updates.
  • Session cookies secured with HttpOnly, Secure, and SameSite attributes.

8. Children's Privacy

AI Trace is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact [email protected] and we will delete the information.

9. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify the Massachusetts Attorney General’s Office and affected individuals in accordance with M.G.L. Chapter 93H, Section 3. We commit to providing notification within 72 hours of confirming a breach.

10. Do Not Sell or Share

We do not sell your personal data. We do not share your personal data for cross-context behavioral advertising. Because we do not engage in these practices, no opt-out mechanism is required at this time. If this changes, we will update this policy and provide an opt-out mechanism before any such sharing begins.

11. International Data Transfers

Your data is processed and stored in the United States. Our subprocessors (Supabase, Vercel, Upstash, Resend, Google) operate in the United States.

12. Changes

Material updates trigger a re-acceptance prompt on your next sign-in. The current version is shown above.

Questions? Email [email protected].
