Privacy Policy
Effective Date: September 24, 2025
Last Updated: October 6, 2025 (Phase 1A Intelligence System)
TL;DR: We process your prompts to detect threats. Blocked prompts are stored for 24 hours, then automatically anonymized. We use network intelligence to protect all customers (paid tiers can opt out). We never sell your data. For privacy concerns, use our contact form.
1. What We Collect
We collect only what's necessary to provide our service and protect the network:
- Account Info: Email address and password (hashed)
- API Usage: Request counts, response times, API keys
- Payment: Billing info via Stripe (we don't store card numbers)
- Prompts: Processed in memory only, not stored unless flagged as threats
- Blocked Prompts (Phase 1A): Prompt text + client IP stored for 24 hours, then automatically anonymized
- Client IP Addresses: Required for network defense, stored for 24 hours then deleted (hashes kept permanently)
- Session Data: Multi-turn validation history, stored for 2 hours then automatically deleted
- Attack Patterns: Cryptographic hashes stored permanently (no personally identifiable information)
2. How We Use Your Data
- Process your API requests
- Bill you for the service
- Send important account notifications
- Improve our threat detection
- Comply with legal requirements
3. Data Security
We use industry-standard security measures:
- TLS encryption for all API traffic
- Encrypted database storage
- Regular security updates
- Limited access controls
Note: As a startup, we use trusted third-party services (Supabase, Cloudflare, Stripe) that have their own security certifications.
4. Your Prompts & Threat Intelligence (Phase 1A)
Important: Here's what happens to prompts you send us:
Safe Prompts:
- Analyzed in real-time for threats
- Not stored (processed in memory only)
- Never used to train models
Blocked Prompts (Threat Intelligence Collection):
- First 24 hours: Full prompt text + client IP stored for analysis
- After 24 hours: Automatic anonymization - prompt text & IP deleted
- Permanent storage: Only cryptographic hashes (cannot identify users)
- Purpose: Network defense intelligence to protect all customers
- Free Tier: Contributes attack data automatically (required for service)
- Paid Tiers (Early Bird/Starter/Business): Can opt out via dashboard preferences
Legal Basis: Legitimate interest (network security) for Free tier, Consent for paid tiers. See our full documentation for technical details.
5. Third-Party Services
We use these services to operate:
- Stripe: Payment processing
- Supabase: Database and authentication
- Cloudflare: CDN and DDoS protection
- Vercel: API hosting
- Resend: Transactional emails
6. Your Rights (GDPR & CCPA)
You have the following rights:
- Right to Access: View all data we have about you via dashboard or API
- Right to Deletion: Delete all identifiable data (<24h old) immediately via API
- Right to Export: Download all your data in JSON format
- Right to Opt-Out (Paid Tiers Only): Disable threat intelligence collection
- Right to Rectification: Update your account information
- Right to Object: Object to processing (paid tiers can opt out)
How to Exercise Your Rights:
- Via Dashboard: Settings → Privacy → Delete Data / Export Data
- Via API: DELETE /api/v1/privacy/delete or GET /api/v1/privacy/export
- Via Email: Contact form
Note: Anonymized data (cryptographic hashes) cannot be deleted as it contains no personally identifiable information.
7. Data Retention (Phase 1A Updated)
| Data Type | Retention Period |
|---|---|
| Session Data | 2 hours (auto-deleted) |
| Prompt Text (blocked) | 24 hours (then anonymized) |
| Client IP Addresses | 24 hours (then anonymized) |
| API Logs | 30 days |
| Usage Metrics | 90 days |
| Account Data | While active + 90 days |
| Billing Records | 7 years (legal requirement) |
| Attack Pattern Hashes | Indefinite (no PII) |
Automatic Anonymization: Background jobs run hourly to delete personal data older than 24 hours. This is mandatory and cannot be disabled (GDPR/CCPA compliance).
8. Compliance
We aim to comply with major privacy regulations including GDPR and CCPA to the extent applicable. As a small startup, we may not have all enterprise-level compliance certifications, but we take privacy seriously and will work with you on any concerns.
9. Children's Privacy
Our service is not for users under 16. If we learn we've collected data from a child, we'll delete it immediately.
10. Changes to This Policy
We may update this policy as we grow. We'll notify you of significant changes via email or dashboard notification.
11. Contact Us
For any privacy questions or to exercise your rights, please use our contact form.
Company:
Reboot Media, Inc.
17595 Harvard Ave C-738
Irvine, CA 92614
United States
Transparency Note: We're a small startup doing our best to protect your privacy. If you have specific compliance requirements or concerns, please reach out through our contact form and we'll work with you.