Privacy Policy
GDPR & CCPA Compliant
1. Data Controller Information
The AI Consensus is the data controller responsible for your personal data.
| Company Name | The AI Consensus™ |
|---|---|
| Contact Email | privacy@theaiconsensus.com |
| Support Email | support@theaiconsensus.com |
| Location | United States |
2. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
| Legal Basis | Purpose |
|---|---|
| Contractual Necessity | To provide the AI consensus service you subscribed to |
| Consent | For optional marketing communications (if enabled) |
| Legitimate Interests | Service improvement, fraud prevention, security |
| Legal Obligation | Tax records, legal compliance, data breach notification |
3. Information We Collect
3.1 Account Information
- Email address (required)
- Username (via Replit authentication)
- Password (hashed, never stored in plain text)
- Subscription tier and payment status
- Account creation date
3.2 Payment Information
Payment Security: Payment processing is handled by Stripe (PCI DSS Level 1 certified). We do NOT store full card numbers or CVV codes. We only receive: last 4 digits, card brand, and expiration date.
3.3 Usage Data
- Questions/prompts submitted to AI models
- Models selected for consensus
- Discussion mode chosen (Standard/Precision/Council)
- Timestamps of interactions
- Discussion history (retention varies by tier)
- Outcome tracking responses (Enterprise tier only)
3.4 Technical Data
- IP address (for security and geographic compliance)
- Browser type and version
- Operating system
- Device identifiers (for session management)
- Pages visited and time spent
- Error logs and crash reports
4. How We Use Your Information
4.1 Primary Purposes
- Provide and deliver the AI consensus service
- Process subscriptions and manage billing
- Maintain and improve platform performance
- Send transactional emails (receipts, usage alerts, password resets)
- Provide customer support
- Enforce terms of service and prevent abuse
4.2 Secondary Purposes (Legitimate Interest)
- Analyze aggregated usage patterns for product improvement
- Benchmark AI model performance
- Generate anonymous statistics for research
- Detect and prevent fraud and security threats
- Comply with legal obligations
We Do NOT:
- Sell personal data to third parties
- Use your questions for training third-party AI models
- Share identifiable data for marketing purposes
- Process data for purposes incompatible with original collection
6. International Data Transfers
For EU/EEA Users: Your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the EU Commission to ensure adequate protection.
6.1 Safeguards We Use
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Regular security audits
- Limited personnel access
- Vendor security assessments
6.2 For UK Users
Data is transferred under the UK International Data Transfer Agreement (IDTA). UK adequacy decisions are honored where applicable.
7. Data Retention Periods
| Data Type | Retention Period |
|---|---|
| Account Data | While account is active + 30 days after closure |
| Free Tier Discussions | Not retained (deleted at session end) |
| Professional Tier Discussions | 90 days, then automatic deletion |
| Enterprise Tier Discussions | Permanent unless deletion requested |
| Backup Data | 90 days (encrypted), then permanently deleted |
| Legal/Tax Records | 7 years (financial regulations) |
| Anonymized Data | Retained indefinitely for research |
8. Your Rights (GDPR Chapter III)
All Users Have the Right To:
| Right | Description | GDPR Article |
|---|---|---|
| Access | Request a copy of personal data we hold | Article 15 |
| Rectification | Correct inaccurate data | Article 16 |
| Erasure | "Right to be forgotten" - delete your data | Article 17 |
| Restriction | Limit how we process your data | Article 18 |
| Portability | Receive data in machine-readable format | Article 20 |
| Object | Object to processing based on legitimate interests | Article 21 |
| Withdraw Consent | For consent-based processing | Article 7 |
How to Exercise Your Rights
- Email: privacy@theaiconsensus.com
- Subject line: "Data Rights Request - [Type]"
- Include: Account email, specific request, verification details
- We respond within 30 days (GDPR requirement)
Data Portability Format
- JSON for structured data
- CSV for tabular data
- PDF for discussion transcripts
- Delivered via secure download link
EU/EEA Users: You may lodge complaints with your national Data Protection Authority. See EDPB Member List
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to Know: What personal information is collected (§1798.100)
- Right to Know if Sold/Shared: Whether personal information is sold or shared (§1798.115)
- Right to Opt-Out: Of sale of personal information (we don't sell, but you can opt-out)
- Right to Deletion: Request deletion of personal information (§1798.105)
- Right to Correct: Inaccurate information (§1798.106)
- Right to Limit Use: Of sensitive personal information (§1798.121)
- Right to Non-Discrimination: For exercising your rights (§1798.125)
Categories of Personal Information Collected
- Identifiers (email, IP address)
- Commercial information (subscription, payment history)
- Internet activity (usage data, browsing)
- Inferences (preferences derived from usage)
We Do NOT:
- Sell personal information
- Share for cross-context behavioral advertising
- Process sensitive personal information beyond necessary use
CCPA Request Process
- Email: privacy@theaiconsensus.com
- Response time: 45 days (may extend 45 more with notice)
11. Data Security Measures
11.1 Technical Safeguards
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- bcrypt password hashing (12+ rounds)
- Regular security patches and updates
- Automated vulnerability scanning
- Firewall and intrusion detection
11.2 Organizational Safeguards
- Principle of least privilege (minimal access)
- Confidentiality agreements with staff and vendors
- Regular security training
- Incident response plan
11.3 Breach Notification
EU Users: In the event of a data breach, we will notify you and the relevant supervisory authority within 72 hours of discovery as required by GDPR Article 33.
12. Children's Privacy
- Our service is not intended for users under 18 years of age
- We do not knowingly collect data from minors
- If we discover a minor's data, we will delete it immediately
- Parents/guardians: Contact privacy@theaiconsensus.com if concerned
- EU users under 16 require parental consent
13. Changes to This Policy
- Material changes: 30-day email notice + banner notification
- Version history available upon request
- Last updated date displayed prominently
- Continued use after notice constitutes acceptance (except where re-consent is required)
- Major changes to data processing require explicit re-consent
14. Contact Information
General Privacy Questions
- Email: privacy@theaiconsensus.com
- Response time: 5 business days
Data Rights Requests
- Email: privacy@theaiconsensus.com
- Subject: "Data Rights Request"
- Response: 30 days (GDPR/CCPA requirement)
EU Online Dispute Resolution
EU users may use the Online Dispute Resolution platform: ec.europa.eu/consumers/odr
The AI Consensus
United States