Privacy Policy

AlethicOS (“Company,” “we,” “us,” “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the AlethicOS platform, including all related websites, applications, and services (collectively, the “Service”).

This Privacy Policy complies with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Turkish Personal Data Protection Law (KVKK, Law No. 6698), and other applicable data protection regulations. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy should be read together with our Terms of Service.

1. Data Controller

The data controller responsible for your personal data is:

For GDPR purposes, AlethicOS acts as the data controller. For KVKK purposes, AlethicOS is the “veri sorumlusu” (data controller). For CCPA purposes, AlethicOS is a “business” that collects personal information.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Email address, hashed password (via Supabase Auth), display name (if provided);
• Cognitive Profile Data: Answers provided during the onboarding questionnaire, including decision-making style, stress patterns, values, and priorities;
• Decision and Reflection Data: Decisions you enter, AI conversation transcripts during reflection sessions, resolutions, tags, importance ratings, and decision outcomes;
• Subscription and Payment Data: Subscription plan selection, billing history. Full payment card details are collected and processed directly by Stripe and are never stored on our servers;
• Communications: Any messages, feedback, or support requests you send to us.

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, session duration, click patterns, and interaction timestamps;
• Device Information: Browser type, operating system, screen resolution, device type (mobile/desktop);
• Network Information: IP address (anonymized after processing), approximate geographic location (country/region level only);
• Authentication Tokens: Secure session tokens for maintaining authenticated access;
• Error and Performance Data: Application error logs and performance metrics for debugging and improvement.

2.3 Information We Do NOT Collect

• We do not collect biometric data, social media profiles, contacts, location history, or financial account details;
• We do not use third-party advertising trackers or analytics platforms that share data with advertisers;
• We do not purchase data from data brokers.

3. Legal Bases for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

• Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Service you requested, including account creation, AI reflection sessions, decision tracking, and subscription management;
• Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including improving the Service, preventing fraud, ensuring security, and analyzing aggregate usage patterns. We always balance these interests against your rights;
• Consent (Art. 6(1)(a)): Where we rely on your consent (e.g., optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing;
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, or legal proceedings.

4. How We Use Your Information

We use your personal data for the following purposes:

• Service Delivery: To provide, operate, and maintain the AlethicOS platform and all its features;
• AI Processing: To send your reflection session input to OpenAI's API for generating Socratic responses (see Section 5 for details);
• Personalization: To customize your experience based on your cognitive profile and usage patterns;
• Analytics and Insights: To generate your personal decision analytics, burnout indicators, and cognitive pattern reports;
• Account Management: To manage registration, authentication, and subscription billing;
• Transactional Communications: To send essential emails (email verification, password resets, billing receipts, critical service notifications);
• Service Improvement: To analyze aggregate, anonymized usage patterns to improve features and user experience;
• Security: To detect, prevent, and address fraud, abuse, security incidents, and technical issues;
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

5. AI Data Processing

When you use the reflection session feature, the following occurs:

• Your session input (decision text and conversation messages) is sent to OpenAI's API via encrypted HTTPS connection;
• OpenAI processes the data to generate a response and returns it to us;
• Per OpenAI's API data usage policy, data submitted via their API is not used to train their models;
• OpenAI may retain API data for up to 30 days for abuse monitoring, after which it is deleted;
• We send only the minimum data necessary for generating a response (your session context) — we do not send your email, account ID, or other identifying information to OpenAI;
• Your conversation history is stored in our database (Supabase) and is accessible only to you through your authenticated account.

For more details, see OpenAI's API Data Usage Policy.

6. Data Sharing and Third-Party Processors

We share your data only with the following categories of service providers (data processors), each under strict contractual obligations:

We may also disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

7. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States (for OpenAI, Stripe, and Vercel processing). These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): EU-approved contractual clauses that provide adequate data protection guarantees;
• Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection;
• Data Processing Agreements: Binding agreements with all sub-processors that include data protection obligations;
• Technical Safeguards: Encryption in transit (TLS 1.2+) and at rest for all data transfers.

For KVKK compliance, cross-border data transfers are carried out in accordance with Article 9 of the KVKK, ensuring explicit consent or adequate safeguards are in place.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy. Specific retention periods:

• Active Account Data: Retained for the duration of your account activity;
• Decision and Session Data: Retained until you delete individual items or your entire account;
• Account Deletion: Upon account deletion, your personal data is permanently removed within 30 days from our primary systems. Encrypted backup copies may persist for up to 90 days before being overwritten;
• Billing Records: Retained for 7 years after the end of the billing relationship, as required by tax and accounting regulations;
• Server Logs: Automatically deleted after 90 days;
• Legal Hold: Data may be retained beyond standard periods if required by law, legal proceedings, or regulatory investigations.

9. Data Security

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256);
• Row Level Security (RLS): Supabase RLS policies ensure users can only access their own data at the database level;
• Authentication Security: Secure password hashing (bcrypt), email verification, and rate limiting on authentication endpoints;
• Access Control: Principle of least privilege for all system access;
• Input Sanitization: XSS protection and input validation on all user-facing endpoints;
• Security Headers: Content Security Policy (CSP), HSTS, X-Frame-Options, and other protective HTTP headers;
• Regular Updates: Timely patching and updating of dependencies and infrastructure.

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly addressing any security incidents.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33; (b) notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34; (c) document all breaches, including the facts, effects, and remedial actions taken. For KVKK compliance, we will notify the Turkish Personal Data Protection Board (KVKK Kurulu) as soon as possible upon discovery of a breach.

11. Cookies and Tracking Technologies

We use only strictly necessary cookies for the functioning of the Service:

• Authentication Cookies: To maintain your logged-in session securely;
• Security Cookies: CSRF tokens and rate-limiting identifiers to protect against attacks;
• Preference Cookies: To remember your UI preferences (e.g., theme selection).

We do NOT use:

• Third-party advertising or tracking cookies;
• Social media tracking pixels;
• Cross-site tracking technologies;
• Fingerprinting techniques;
• Any analytics cookies that share data with third-party advertisers.

Because we only use strictly necessary cookies, consent is not required under GDPR Article 5(3) of the ePrivacy Directive. You can manage cookies through your browser settings, but disabling essential cookies may prevent the Service from functioning properly.

12. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

12.1 Rights Under GDPR (EU/EEA Residents)

• Right of Access (Art. 15): Request a copy of the personal data we hold about you;
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data;
• Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”);
• Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances;
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON);
• Right to Object (Art. 21): Object to processing based on legitimate interests;
• Right Not to Be Subject to Automated Decision-Making (Art. 22): AlethicOS does not make automated decisions with legal or similarly significant effects. AI-generated content is informational only and does not produce binding decisions;
• Right to Withdraw Consent: Where processing is based on consent, withdraw at any time.

12.2 Rights Under CCPA (California Residents)

• Right to Know: Request disclosure of personal information collected, used, and disclosed;
• Right to Delete: Request deletion of personal information;
• Right to Opt-Out of Sale: We do NOT sell your personal information. No opt-out is necessary;
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

CCPA Disclosure: In the preceding 12 months, we have collected the categories of personal information described in Section 2. We have not sold personal information to third parties. We have disclosed personal information to our service providers as described in Section 6.

12.3 Rights Under KVKK (Turkish Residents)

• Learn whether your personal data is processed;
• Request information about processing activities;
• Learn the purpose of processing and whether data is used in accordance with its purpose;
• Know the third parties to whom personal data is transferred;
• Request correction of incomplete or inaccurate data;
• Request deletion or destruction of personal data under conditions stated in Article 7 of the KVKK;
• Object to negative results arising from analysis of processed data exclusively through automated systems;
• Request compensation for damages arising from unlawful processing.

12.4 How to Exercise Your Rights

To exercise any of these rights, contact us at hello@alethicos.com. We will respond to your request within 30 days (or as required by applicable law). We may require verification of your identity before processing your request. Some features of the Service (e.g., data export) are available directly through your account settings.

13. Children's Privacy

The Service is not intended for individuals under the age of 18 (or the age of majority in the user's jurisdiction). We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete such data from our systems. If you believe a child under 18 has provided us with personal data, please contact us at hello@alethicos.com.

14. Do Not Track Signals

Our Service does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) signals. However, as described in Section 11, we do not use any third-party tracking technologies, so your browsing activity on our Service is not shared with external advertisers or trackers regardless of your DNT setting.

15. Automated Decision-Making and Profiling

The Service uses AI and algorithmic processing to provide features such as:

• Socratic question generation during reflection sessions;
• Cognitive bias detection in decision patterns;
• Burnout risk indicators;
• Decision DNA cognitive profiling.

Important: None of these features constitute automated decision-making that produces legal effects or similarly significant effects on you within the meaning of GDPR Article 22. All AI-generated outputs are informational and advisory only. You are always free to disregard any AI-generated suggestion, and no action is taken automatically based on AI outputs.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by: (a) posting the updated Privacy Policy on the Service with a revised “Last Updated” date; (b) sending an email notification to the address associated with your account at least 30 days before significant changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.

17. Complaint Rights

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority:

• EU/EEA: Your local Data Protection Authority (DPA). A list of DPAs is available at the European Data Protection Board;
• Turkey: Kişisel Verileri Koruma Kurumu (KVKK) — www.kvkk.gov.tr;
• California: California Attorney General — oag.ca.gov/privacy.

We encourage you to contact us first at hello@alethicos.com so we can try to resolve your concern directly.