Privacy Policy

1. What we collect

Queries and prompts. When you submit a question or prompt, the text is sent to one or more AI model providers (see Section 3) and a short preview (up to 120 characters) is stored in our usage logs so we can monitor service health and cost.

Uploaded files. If you attach a file (PDF, image, or text), its content is sent to an AI model for extraction and is not stored on our servers beyond the duration of the request.

Account information. If you sign in via GitHub OAuth (powered by Supabase), we receive and store your GitHub user ID, email address, and display name as provided by GitHub.

Feedback. If you submit feedback through the app, the message text and sentiment (thumbs up / down) are emailed to us and retained in our inbox.

Usage metadata. For rate limiting and abuse prevention, we store a per-IP or per-user request count in Redis. This resets every 24 hours. We do not build long-term behavioural profiles from this data.

Browser storage. We use localStorage on your device to save conversation history, thread names, prompt counts, and UI preferences. This data never leaves your browser unless you explicitly share it.

2. How we use your data

• To fulfil your queries by forwarding prompts to AI model providers and returning responses.
• To enforce fair-use rate limits and prevent abuse.
• To monitor service health, debug errors, and estimate infrastructure costs.
• To respond to feedback you send us.
• To authenticate you when you sign in.

We do not sell your data, use it for advertising, or train our own AI models with it.

3. Third-party AI providers

Your prompts and any attached file content are forwarded to the following providers to generate responses. Each provider has its own privacy policy and data-handling practices:

4. Infrastructure providers

• Supabase — user authentication and database. supabase.com/privacy
• Upstash Redis — ephemeral rate-limit counters (no prompt content stored). upstash.com/trust/privacy.pdf
• Vercel — application hosting. vercel.com/legal/privacy-policy

5. Data retention

• Usage logs — we retain a rolling window of the most recent 1,000 log entries in Redis. Older entries are automatically deleted.
• Rate-limit counters — deleted automatically after 24 hours (general) or 1 hour (file uploads).
• Account data — retained for as long as your account exists. You can request deletion at any time.
• Conversation history — stored in your browser's localStorage only. We have no copy of it.
• Feedback messages — retained in our email inbox until manually deleted.

6. Cookies and local storage

We do not use tracking cookies or advertising cookies. Supabase sets a session cookie (sb-*) for authentication when you sign in. We use localStorage to persist conversation threads, settings, and prompt counts entirely within your browser.

7. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and associated data.
• Object to or restrict certain processing.
• Data portability (receive your data in a machine-readable format).

To exercise any of these rights, email us at councilaiclb@gmail.com. We will respond within 30 days. Note that conversation history stored in your browser is yours to delete directly — clear your browser's localStorage at any time.

8. Children

OpClave is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. Continued use of OpClave after a change constitutes acceptance of the updated policy.

10. Contact

Questions about this policy? Reach us at councilaiclb@gmail.com.