Profundum AI, Inc. ("Company," "we," "us," or "our") operates Depth (the "Service") at www.profundumai.com. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we retain it, and your rights regarding that data.
This Privacy Policy applies when you use our Service directly as a consumer. If you access AI features powered by our Service through a third-party application, that third party is the data controller and you should review their privacy policy.
1. Data We Collect
1.1 Information You Provide
- Email address — Collected at login/signup for authentication via one-time-password code.
- Chat messages — Everything you type in conversations is stored to provide session continuity and cross-session context.
- Uploaded files — Text content from files you upload (up to 100,000 characters per file) is stored and used within the session context.
1.2 Information Generated by the AI
- Depth profile — A structured profile of your conversational patterns, growth areas, blind spots, and key insights. This is generated by the AI after each session and persists across sessions.
- Profile summary — A free-text summary of who you are as a thinker, generated and updated by the AI.
- Session summaries — AI-generated summaries of each conversation session.
- Artifacts — Insights, connections, reframes, actions, and deliverables created by the AI during conversations.
1.3 Information Collected Automatically
- Usage metrics — Number of exchanges, token counts, and associated costs per session for billing and rate limiting.
- Web analytics — Standard anonymized page view and performance data via Vercel Analytics (no personally identifiable information).
- Cookies — Authentication session cookies managed by Supabase for keeping you logged in. See Section 6 (Cookies) and Part IV (Cookie Policy) for details.
- Log and troubleshooting information — We may collect information about how the Service is performing, including error logs, the time errors occurred, and the state of the application when errors occurred.
1.4 Payment Information
Payment card details are processed and stored exclusively by Stripe. We never see, store, or have access to your full card number. We store only your Stripe customer ID and subscription tier for account management.
1.5 Information We Do NOT Collect
- We do not collect your name, phone number, or physical address (unless you voluntarily provide them in conversation).
- We do not use advertising cookies, tracking pixels, or cross-site tracking of any kind.
- We do not collect biometric data.
- We do not collect data from third-party sources for the purpose of building your profile.
2. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Service delivery | Chat messages, uploaded files, profile data, session summaries, artifacts | Performance of contract |
| Personalization | Profile data, session summaries, artifacts | Performance of contract |
| Billing | Email, Stripe customer ID, usage metrics | Performance of contract |
| Authentication | Email, authentication cookies | Performance of contract |
| Service improvement | Anonymized usage metrics | Legitimate interest |
| Communication | Email | Performance of contract; legitimate interest |
| Security & fraud prevention | Account data, usage metrics, log data | Legitimate interest; legal obligation |
| Legal compliance | As required | Legal obligation |
We do not use your individual conversations for training AI models, marketing, or any purpose beyond providing and improving the Service.
3. Who We Share Your Data With
We share your data only with third-party service providers necessary to operate the Service:
| Provider | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|
| Anthropic | Chat messages, profile data, session context, uploaded file content | AI response generation | Link |
| Supabase | All user data (database host) | Database and authentication | Link |
| Stripe | Email, Supabase user ID | Payment processing (processor); fraud prevention and compliance (controller) | Link |
| Vercel | Anonymized page view data | Hosting and analytics | Link |
Anthropic's data policy: Anthropic does not use data submitted via their commercial API to train AI models. Customer Content is treated as confidential under Anthropic's Commercial Terms of Service. Data is processed transiently. Anthropic's Data Processing Addendum (DPA) is incorporated into their Commercial Terms.
We do not sell your personal data. We do not share your data with advertisers. We do not use your conversations for marketing. We do not disclose your personal data to any party not listed above, except as required by law or legal process.
Disclosure in Other Circumstances
We may disclose personal data:
- Legal requirements: In response to lawful requests by public authorities, including to meet law enforcement or national security requirements, or as required by law, regulation, or legal process.
- Protection of rights: To protect the rights, property, or safety of Profundum AI, our users, or the public.
- Corporate transactions: In connection with a merger, acquisition, bankruptcy, or other transfer of business assets. In such event, your personal data would remain subject to the terms of this Privacy Policy.
- With your consent: When you explicitly direct us to disclose information.
4. AI Profiling Disclosure
Depth uses automated processing to build a profile of your conversational patterns and thinking. This constitutes "profiling" under certain privacy laws (including GDPR Article 22 and CCPA). We want to be fully transparent about what this means:
- The AI analyzes your conversations to identify patterns, blind spots, growth areas, and recurring themes.
- This profile is used solely to personalize your experience within Depth — it is not used for advertising, credit decisions, employment decisions, or any purpose outside the Service.
- The AI uses your profile to shape how it facilitates future conversations, including what it challenges and what connections it surfaces.
- No automated decision-making with legal effects: We do not engage in decision-making based solely on automated processing or profiling that produces legal effects or similarly significant effects on you.
- Sensitive nature of profile data: Your AI-generated profile may contain inferences about your thinking patterns, beliefs, values, emotional tendencies, and personal challenges. We treat all profile data as sensitive personal information and apply the same level of protection regardless of jurisdiction. Under GDPR, certain inferences drawn from your conversations (particularly those relating to health, philosophical beliefs, or political opinions) may constitute "special category data" under Article 9. We process such data based on your explicit consent given when you accept these Terms and use the Service.
- No human review of individual conversations: No human at Profundum AI reviews your individual conversations or profile unless you specifically request support that requires it, or we are compelled by law.
- No model training on your data: We do not use your individual conversations, profile data, or uploaded files to train any AI models. Your data is sent to Anthropic's API for real-time processing only — Anthropic does not train on API data.
- You have the right to request access to, correction of, or deletion of your profile at any time.
- You have the right to opt out of profiling. Note that opting out will significantly impact the Service's ability to provide personalized facilitation.
5. Data Retention
- Active accounts: Your data is retained for as long as your account is active.
- Inactive accounts: Accounts inactive for over one year with no paid subscription may be terminated after notice. Associated data will be deleted within 30 days of termination.
- Deleted accounts: Upon account deletion request, we will delete your personal data within 30 days. Some data may be retained in encrypted backups for up to 90 days before automatic purge.
- Usage records: Anonymized usage and billing records may be retained for legal and accounting purposes as required by law.
6. Cookies
We use the following categories of cookies:
Essential Cookies (Required)
- Authentication cookies — Managed by Supabase to maintain your login session. These are strictly necessary for the Service to function and cannot be disabled.
Non-Essential Cookies (Optional)
- Analytics cookies — Used by Vercel Analytics to collect anonymized page view and performance data. These do not track you across sites and do not collect personally identifiable information.
We do not use advertising cookies, tracking pixels, or cross-site tracking of any kind. See Part IV (Cookie Policy) for full details.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your account and associated personal data.
- Export / Data portability: Request an export of your data in a portable format.
- Restriction: Request that we restrict processing of your personal data in certain circumstances.
- Objection: Object to processing of your personal data, including profiling, on grounds of legitimate interest.
- Opt-out of profiling: Request that we stop building or using your AI-generated profile. Note that this will significantly impact the Service's ability to provide personalized facilitation.
- Withdrawal of consent: Where our processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Non-discrimination: We will not discriminate against you for exercising any of these rights.
To exercise any of these rights, contact us. We will respond within 30 days (or the time period required by applicable law).
8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know: What personal information we collect, use, and disclose.
- Right to delete: Request deletion of your personal information.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt-out of sale/sharing: We do not sell or share your personal data for cross-context behavioral advertising.
- Right to limit use of sensitive personal information: We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Service.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
Categories of personal information collected: Identifiers (email address), internet or electronic network activity (usage metrics, log data), and inferences drawn from the above (AI-generated profile data).
Categories of personal information sold: None. We do not sell personal information.
Categories of personal information disclosed for a business purpose: See Section 3 (Who We Share Your Data With) above.
To exercise your California privacy rights, contact us.
9. Virginia, Colorado, Connecticut, Utah, and Other U.S. State Privacy Rights
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or another U.S. state with comprehensive consumer privacy legislation, you may have rights similar to those described in Section 8, including the rights to access, delete, correct, and opt out of certain processing. To exercise these rights, contact us.
10. International Users and Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.
By using the Service, you consent to this transfer. If you are located in the European Economic Area (EEA), the United Kingdom, Switzerland, or another jurisdiction with data protection laws, please be aware that U.S. data protection laws may differ from those in your jurisdiction.
Where information is transferred outside the EEA or UK, we ensure it benefits from an adequate level of data protection by relying on:
- Standard contractual clauses: Approved by the European Commission under Article 46 GDPR (and their UK/Swiss equivalents).
- Adequacy decisions: Where available.
GDPR Data Controller: Profundum AI, Inc. is the data controller for personal data collected through the Service.
For EEA/UK users: You have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
11. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected data from a child under 18, we will delete that information promptly. If you become aware that a child under 18 has provided personal data to us, please contact us.
12. Security
We implement reasonable technical and organizational measures to protect your data, including:
- Row Level Security (RLS) on all database tables, ensuring users can only access their own data.
- Encrypted data transmission via HTTPS/TLS.
- Secure authentication via one-time-password codes (no passwords stored).
- No storage of payment card data — handled entirely by Stripe (PCI-DSS Level 1 compliant).
However, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
Data Breach Notification
If we become aware of a security breach affecting your personal data, we will:
- Notify affected users via email without unreasonable delay, and in any event within the timeframes required by applicable law (72 hours for GDPR, 60 days for most U.S. state laws, or sooner where required).
- Notify relevant authorities as required by applicable law, including supervisory authorities under GDPR where applicable.
- Provide details of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
We maintain an incident response plan to ensure timely and effective response to security incidents.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the email address on your account at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy reflects the most recent revision. Continued use of the Service after the updated Privacy Policy takes effect constitutes acceptance.
14. Contact
For privacy-related questions or requests, contact us at:
Profundum AI, Inc.
A Delaware Corporation