We take data handling seriously because our product depends on it. Here's the full story.
What we collect: everything you upload (Drive files, Gmail messages, Photos, Dropbox files, WhatsApp / iMessage / Facebook exports, voice memos, journal entries, interview answers). Chat messages between you and your clone. Subscriber chat messages (if you're on the expert tier). Safety event audit rows. Billing metadata.
Where it lives: in encrypted S3-compatible object storage for raw files, in Postgres (Neon, EU region) for structured data, in KMS for wrapped signing keys. EU customers: data residency is EU-West-1. US customers: US-East-1.
Who sees it: only you. Your corpus is scoped to your clone; no cross-user queries. Our engineers access data only with your explicit support-ticket consent and every access is logged. We never sell your data. We never train a foundation model on it.
Art. 15 export (GDPR right of access): /api/v1/gdpr/export returns every row we hold about you in JSON. One-click download from the dashboard. Includes every clone, every ingest source, every corpus chunk, every chat message, every interview answer, every safety event.
Art. 17 erasure (right to be forgotten): /api/v1/clones/:id DELETE flips the clone to ARCHIVED + deleted_at=now. 30-day grace period during which you can reinstate. After 30 days a nightly job hard-deletes the row, all associated corpus chunks, all chat history, all safety events. The only surviving record is a hashed ledger entry for payout accounting (no personal data).
Art. 9 special-category data (religious / political / health): when interview questions surface these, we hold them under explicit consent at interview time. You can redact any answer at any time.
What we NEVER do: sell data, train foundation models on your corpus, respond to vague government requests (we require legal process), permit cross-user discovery.