Privacy Policy

Effective date: April 11, 2026

1. Introduction

We collect the bare minimum data required to provide this service and keep the platform secure. We do not use your data for marketing, advertising, profiling, or any purpose beyond delivering the functionality you have chosen to use. This policy explains what we collect, why, and how you stay in control.

2. Data Controller

The data controller responsible for your personal data is a one man startup; Ai Epoque AS, registered in Norway.

3. What We Collect

The only personal data we require to use the platform is your email address, provided at the time of authentication. It serves as your account identifier. We do not collect your name, location, phone number, or any other personal details as part of normal platform use. If you choose to make a payment, additional data is collected by our payment provider — see Section 3.5.

Everything else on the platform — your favourites, notes, and messages — is content you create voluntarily. This content exists only to deliver the features you use, and all of it is visible to you directly on the platform. There is no hidden data about you.

For security and abuse prevention, we maintain limited technical records tied to your email address, such as message rate-limit counters and usage timestamps. These exist solely to enforce fair-use limits and detect misuse. When an account is deleted, we also retain a minimal audit log — your email address, the number of deletion requests, and associated timestamps — to prevent repeated abuse. This audit log is the only data we hold that is not visible to you on the platform, and the only data that survives account deletion.

3.5 Payments

The core platform is free to use. Optional premium features can be unlocked through one-time purchases. If you choose to make a purchase, the transaction is processed by Stripe via a hosted payment page. You enter your payment details directly on Stripe's page; we never see or store your full card number or security code.

Through our Stripe account, we receive and retain: your name, email address, billing address, the last four digits of your card number, the payment amount, and the date of the transaction.

We process this data on the basis of contract performance (to fulfill the transaction you initiated) and legal obligation (the Norwegian Bookkeeping Act requires retention of financial transaction records for five years). Payment records are therefore retained for this statutory period and cannot be deleted on request before it expires, including upon account deletion.

Stripe acts as both a data processor on our behalf and an independent data controller for its own fraud prevention and regulatory compliance. Stripe's privacy policy is available at stripe.com/privacy.

4. How and Why We Process Your Data

Your email address is processed to identify your account, deliver the service, and enforce platform security. Your voluntarily created content is processed exclusively to provide you with the features you use. A daily message rate limit (maximum three per day) is applied automatically as a security measure.

We process your data on the basis of legitimate interest and contract performance — that is, to provide the service you signed up for and to maintain a secure platform. The retention of the deletion audit log is based on our legitimate interest in preventing abuse.

5. Data Storage and Security

All data is stored in an encrypted database and transmitted exclusively over TLS/HTTPS. We do not store passwords; authentication is handled entirely by a dedicated identity provider (Auth0). Access to the database is restricted so that only authorised operations can be performed on your data. The only cookie used on this platform is a session cookie set by Auth0 to keep you logged in. It is strictly functional and required for authentication — we do not use any tracking, advertising, or analytics cookies.

6. Third-Party Services

We rely on a small number of third-party providers to operate the platform: Auth0 (Okta) for authentication, Neon for database hosting, Vercel for application hosting and basic performance analytics, Upstash for internal system caching, and Google Fonts for typeface delivery. These providers receive only the data strictly necessary to perform their technical function — for example, Auth0 receives your email address for authentication, and Vercel receives your IP address and page-view data for hosting and performance monitoring.

These services process data in a technical capacity on our behalf. We have not authorised any of them to use your data as personal data for their own purposes, and none of them have been granted permission to resell, repurpose, or share it. No advertising trackers, social media pixels, or external analytics platforms are integrated into this platform.

7. Your Data, Your Control

All data we hold about you is visible to you directly on the platform — with the sole exception of the security audit log described in Section 3. You do not need to submit a data access request to see your data; simply use the platform.

You can delete individual favourites at any time through the platform interface. These deletions are immediate and permanent — no history or backup is kept. Messages and conversations cannot be deleted individually, as they serve as a shared record between you and the site administrators and may be useful for you to reference or revisit. However, all messages and conversations are permanently deleted when you delete your account.

Account deletion removes all of your data from our systems: favourites, messages, conversations, and rate-limiting records are permanently and irreversibly erased, and your identity is removed from our authentication provider. The only data that survives is the minimal deletion audit log described in Section 3, and any payment records retained under legal obligation as described in Section 3.5.

Under the GDPR and applicable data protection laws, you have the right to access, rectify, erase, restrict, port, or object to the processing of your personal data. Your account can be deleted via settings. To exercise any of your GDPR rights, use the messaging feature on the platform with the "GDPR data" topic.

8. Changes to This Policy

We may update this privacy policy from time to time. The latest version will always be available on this page.