hermit

Privacy Policy

Last updated: February 2026

Data Controller

SASU Istari โ€” SIRET 942 232 919 00012 Contact: jk@tirith.life

Data We Collect

  • Email address โ€” for authentication (magic link) and optional result notifications.
  • IP address โ€” for rate limiting. Deleted with the job after 24 hours.
  • Aggregated statistics โ€” conversation counts, word counts, activity charts. No message content.
  • Generated profiles โ€” AI-generated summaries of your conversation topics. Deleted after 24 hours.

Data We Do NOT Store

  • We do not store the content of your conversations in our database.
  • Your uploaded file is temporarily stored for processing (~10 minutes) and then permanently deleted.
  • No human ever accesses your conversation content.

Third-Party Processing

To generate your AI profiles, excerpts from your conversations are sent to the Anthropic API (Claude). Anthropic applies a zero-retention policy on API data โ€” your content is not stored or used for training.

Sub-processors

  • Vercel (US) โ€” hosting and edge functions
  • Supabase (US/EU) โ€” database and file storage
  • Anthropic (US) โ€” AI processing (zero-retention API)
  • Stripe (US) โ€” payment processing
  • Resend (US) โ€” transactional emails
  • Inngest (US) โ€” background job processing

Data Retention

  • Uploaded files: deleted ~10 minutes after processing completes.
  • Jobs and results: automatically deleted 24 hours after creation.
  • Rate limiting entries: purged after 24 hours.
  • Account data (email): retained while your account is active.

Your Rights (GDPR)

Under Articles 15-20 of the GDPR, you have the right to access, rectify, delete, and port your personal data. Since most data is automatically deleted within 24 hours, exercising these rights is rarely necessary. Contact jk@tirith.life for any request.

International Transfers

Your data may be processed in the United States by our sub-processors. These transfers are covered by Standard Contractual Clauses (SCCs) with each provider.

Legal Basis

Data processing is based on the performance of the service contract (Article 6(1)(b) GDPR) and your explicit consent for AI processing of conversation excerpts.