Privacy Policy

Ideios collects only what is needed to operate the Service: your email and a hashed password, your subscription tier and usage counters, the notes and source materials you choose to upload, the drafts and final outputs we produce for you, and a small amount of operational metadata. We do not sell your data and do not use your content to train any model.

Account information. Email address, hashed password, email verification status, account creation timestamp, and Stripe customer / subscription identifiers if you subscribe to a paid plan.

Service data. Topics, interview transcripts, library notes, uploaded files (pasted text or PDFs), embeddings derived from them, voice profiles derived from your writing samples, generated drafts and critiques, and your final outputs.

Operational data. Tier, monthly usage counters, IP address and timestamp at signup (used for rate-limiting), session tokens (rolling 30-day expiry), password-reset tokens (single-use, 1-hour expiry), and basic error logs. We do not run third-party analytics or advertising trackers.

We use your information to (a) operate the Service — authenticating you, storing your work, generating drafts on your behalf; (b) bill you and process refunds; (c) send transactional email (verification, password reset, billing receipts); (d) detect and prevent abuse; and (e) comply with applicable law.

To operate the Service, we send relevant data to the following providers, each governed by their own privacy terms:

• Anthropic — language-model inference (Opus, Sonnet, Haiku). Receives the text of your interviews, briefs, drafts, and any library chunks selected for retrieval.
• OpenAI — text embeddings only (no chat completions). Receives the text of library chunks to embed for retrieval.
• Tavily — web search. Receives a search query derived from your topic; does not receive your full interview or draft.
• Stripe — payments. Receives your email and billing details when you subscribe; we receive a customer ID and event webhooks. Stripe operates under Managed Payments and handles tax / VAT compliance.
• Resend — transactional email (verification, password reset). Receives your email address and the email body.
• Supabase — Postgres database hosting. Stores all of the above. Access is via service-role key only; the public anon key is revoked at the table level.
• Vercel — application hosting. Processes inbound HTTP traffic and runs server-side code.

We do not share your data with advertising networks. We do not use your User Content to train any model — neither ours nor any provider's.

We retain your data for as long as your account is open. If you delete your account, your account row, library, voice profile, sessions, essay history, and password-reset tokens are removed within thirty (30) days. Operational logs retained by our infrastructure providers may persist for up to ninety (90) days under their standard retention.

You can:

• access the data we hold about you by signing in and viewing your library, essay history, and account page;
• request a copy of your data in a machine-readable format by emailing us;
• delete individual library items, essays, or your entire account at any time;
• cancel your subscription at any time through the customer portal.

If you are a resident of the European Economic Area, the United Kingdom, or California, you may have additional rights under GDPR or the CCPA, including the right to object to processing and the right to lodge a complaint with a regulator. Contact us to exercise any of these rights.

Passwords are stored as bcrypt hashes; password-reset and email-verification tokens are stored as SHA-256 hashes. Data is encrypted in transit (TLS) and at rest (provider-level disk encryption). Database access is restricted to a service-role key that bypasses public privileges; the public anon key is revoked at the table level so a leaked client key cannot be used to read or modify user data. We rate-limit signups by IP, normalize email aliases, and invalidate sessions after thirty (30) days of inactivity.

No system is perfectly secure. If you become aware of a security issue, please contact us.

Ideios is not directed to children under thirteen (13), and we do not knowingly collect personal information from children under thirteen. If you believe a child under thirteen has created an account, please contact us and we will delete the account.

Ideios is operated from the United States. If you access the Service from outside the United States, you understand that your data will be transferred to and processed in the United States and other countries where our providers operate.

We may update this Policy from time to time. If we make a material change we will give notice through the Service or by email. The “Effective” date at the top of this page shows when the current version took effect.

Questions about this Policy or your data may be sent to hello@ideios.app.