aiBlue Core™ Privacy Policy - Comprehensive Summary

Version: 1.0 Early Access
Effective Date: November 29, 2025
Last Updated: November 29, 2025
Status: Early Access / Experimental Release

---

Table of Contents

1. Critical Privacy Disclosure
2. Executive Summary
3. Who We Are and Contact Information
4. Scope of This Privacy Policy
5. Information We Collect
6. How We Collect Information
7. Why We Collect More Data During Early Access
8. How We Use Your Information
9. Legal Bases for Processing (GDPR)
10. How We Share Your Information
11. Third-Party AI Model Providers
12. Data Retention and Deletion
13. Data Security Measures and Limitations
14. Your Privacy Rights
15. International Data Transfers
16. Cookies and Tracking Technologies
17. Children's Privacy
18. State-Specific Privacy Rights (United States)
19. Enterprise and Institutional Privacy
20. Regulatory Compliance Status
21. Changes to This Privacy Policy
22. Transition to Market-Ready Privacy Policy

---

1. Critical Privacy Disclosure

⚠️ READ THIS SECTION CAREFULLY BEFORE PROVIDING ANY DATA

aiBlue Core™ is in an early-access, experimental testing phase. Our privacy practices are:

• EVOLVING AND INCOMPLETE – We are actively developing and refining our data handling approaches
• MORE PERMISSIVE – We collect more data and have broader uses than mature, market-ready products
• LESS PROTECTIVE – Some privacy safeguards are still being implemented and tested
• SUBJECT TO CHANGE – Practices will change frequently and substantially before general release
• EXPERIMENTAL – We are learning what data is necessary and how best to protect it

What This Means for You

By participating in early access, you accept:

✓ More extensive data collection for testing, debugging, and development purposes
✓ Broader data sharing with third-party AI providers and development partners
✓ Longer data retention to support thorough analysis and improvement
✓ Limited privacy controls compared to commercial products
✓ Evolving security measures that are still being tested and hardened
✓ Experimental practices that may not yet fully comply with all privacy regulations
✓ Substantial changes to privacy policies before market release

Your Explicit Consent

BY USING aiBlue CORE™, YOU EXPLICITLY CONSENT TO:

• Collection and use of your data as described in this experimental privacy policy
• Processing of your inputs by third-party AI model providers
• Extended data retention periods for development purposes
• Evolving privacy practices that will change before general availability
• Limited privacy rights during the testing phase
• Risks associated with early-stage privacy implementations

IF YOU ARE NOT COMFORTABLE WITH EXPERIMENTAL PRIVACY PRACTICES, DO NOT USE THIS SERVICE.

---

2. Executive Summary

This Privacy Policy explains how aiBlue collects, uses, shares, protects, and retains your information during the early access phase of aiBlue Core™. This is NOT our final privacy policy—it reflects current experimental practices that will evolve substantially before market release.

Key Points:

More Data Collection: We collect extensive usage, technical, and interaction data to support product development.

Third-Party AI Processing: Your inputs are processed by external AI providers (OpenAI, Anthropic, Google, etc.).

Development Uses: Data may be used directly for testing, debugging, and improving our cognitive infrastructure.

Extended Retention: Data is retained longer than it will be at market release.

Limited Rights: Some privacy rights are not fully implemented during early access.

Security in Development: Security measures are being tested and hardened.

Will Change: All practices will be formalized and tightened before general availability.

We are committed to protecting your privacy, but you must understand that early-stage systems inherently have more risk and less mature protections than commercial products.

---

3. Who We Are and Contact Information

3.1 Data Controller

aiBlue (the "Company," "we," "us," or "our") is the data controller responsible for your personal information collected through aiBlue Core™.

Primary Contact:

• Email: contact@aiblue.dev
• Website: core.aiblue.dev

3.2 Data Protection Officer

For GDPR and privacy-related matters:

Data Protection Officer (DPO)

• Email: dpo@aiblue.dev

The DPO oversees privacy compliance, responds to data subject requests, and serves as liaison with data protection authorities.

3.3 Privacy Team

For privacy questions, concerns, or requests:

Privacy Team

• Email: privacy@aiblue.dev
• Response Time: 3-7 business days (goal during early access, not guaranteed)

3.4 EU Representative

If aiBlue does not have an establishment in the European Union but offers services to EU residents, we will appoint an EU representative as required by GDPR Article 27.

---

4. Scope of This Privacy Policy

4.1 What This Policy Covers

This Privacy Policy applies to all personal information collected through:

• aiBlue Core™ web application (accessed via browser at core.aiblue.dev)
• Mobile applications (iOS and Android, if available during early access)
• Desktop applications (Windows, macOS, Linux, if available)
• Application Programming Interface (API) for developers
• Enterprise and institutional deployments
• aiBlue website and related marketing sites
• Communications with aiBlue (email, support tickets, feedback forms)

4.2 What This Policy Does Not Cover

This policy does NOT cover:

• Third-party websites or services linked from aiBlue Core™
• Third-party AI model providers (see Section 11)
• Your own use of outputs generated by the Service
• Employment or contractor data (covered by separate notices)

4.3 Geographic Scope

We serve users globally and comply with privacy laws including:

European Economic Area (EEA), UK, Switzerland:

• General Data Protection Regulation (GDPR)

United States:

• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)
• Other emerging state privacy laws

Other Jurisdictions:

• Brazil: Lei Geral de Proteção de Dados (LGPD)
• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
• Australia: Privacy Act 1988
• Other jurisdictions as applicable

Note: Full compliance with all regulations is in development. See Section 20 for current compliance status.

---

5. Information We Collect

5.1 Overview of Data Collection

During early access, we collect MORE data than we will at market release. This is necessary for identifying bugs, understanding feature usage, evaluating system performance, optimizing cognitive processing, testing security measures, and informing product development decisions.

Categories of Data We Collect:

1. Account and Identity Information
2. User Inputs and Content
3. AI-Generated Outputs
4. Usage and Interaction Data
5. Technical and Device Information
6. Location Data
7. Communication and Feedback Data
8. Payment and Billing Information
9. Diagnostic and Error Data
10. Cookies and Tracking Data

5.2 Account and Identity Information

What we collect:

• Full legal name (or preferred name)
• Email address (primary and alternates)
• Username
• Password (encrypted with bcrypt—we cannot access plaintext)
• Profile photo or avatar
• Organization name and role
• Country or region
• Language preference
• Account type (free, paid, enterprise, educational)
• Account creation date and status
• Authentication method

When collected:

• During account registration
• When you update your profile
• When you link third-party authentication services

Why collected:

• To create and maintain your account
• To authenticate you securely
• To communicate with you
• To provide appropriate features based on account type
• To comply with legal requirements

5.3 User Inputs and Content

⚠️ CRITICAL: Everything you submit to aiBlue Core™ is collected and retained.

What we collect:

• Text prompts and queries (every message you send)
• Uploaded files (documents, images, data files—full content)
• File metadata (filename, size, type, upload timestamp)
• Conversation context (full conversation history within sessions)
• Instructions and constraints you provide
• Multi-turn interaction sequences
• Edits and refinements to prompts or outputs
• Saved or bookmarked content
• Shared or exported content

When collected:

• In real-time as you interact with the Service
• When you upload files or paste content
• When you use any feature that accepts input

Why collected:

• To process your requests through our cognitive infrastructure
• To generate appropriate AI responses
• To maintain conversation context and coherence
• To analyze usage patterns and improve the system
• To debug issues and identify failure modes
• To test cognitive processing quality

Sensitive Content Warning

If you include sensitive information in your inputs (health data, financial details, trade secrets, personal secrets, confidential business information), this information will be:

• Collected and stored by aiBlue
• Processed by third-party AI providers (see Section 11)
• Subject to the retention and security measures described in this policy
• Potentially visible to aiBlue personnel for debugging and development

We strongly recommend:

• Avoid including highly sensitive information unless absolutely necessary
• Use pseudonyms or de-identified data when possible
• Understand the risks before submitting confidential information
• For highly sensitive use cases, contact enterprise@aiblue.dev

5.4 AI-Generated Outputs

What we collect:

• Complete AI-generated responses
• Intermediate reasoning steps (internal cognitive processing, if logged)
• Alternative outputs (if you regenerate responses)
• Output ratings and feedback (thumbs up/down, quality ratings)
• Edits you make to outputs
• Outputs you save or export
• Metadata (timestamp, model used, processing time, tokens consumed)

When collected:

• Immediately upon generation
• When you interact with outputs
• When you export or share outputs

Why collected:

• To evaluate output quality and cognitive stability
• To identify patterns of success and failure
• To improve reasoning structures and frameworks
• To test multi-distance reasoning capabilities
• To support debugging and error analysis
• To measure consistency and constraint adherence

Ownership Note: You own the outputs generated in response to your inputs. However, by using the Service, you grant us broad rights to analyze, learn from, and use aggregated patterns from outputs for development purposes.

5.5 Usage and Interaction Data (Extensive)

Session-Level Data:

• Login and logout times
• Session duration and frequency
• Time zone and active hours
• Number of sessions per day/week

Feature-Level Data:

• Every feature you access or use
• Time spent in each feature
• Buttons clicked and actions taken
• Settings and preferences changed
• Workflows and interaction sequences
• Feature adoption and abandonment patterns

Interaction Patterns:

• Typing speed and patterns (for UX optimization)
• Pause durations between inputs
• Scroll behavior and reading patterns
• Mouse movements and clicks (heatmap data)
• Navigation paths through the application
• Search queries within the application
• Error recovery behaviors

Performance Metrics:

• Page load times
• API response times
• Time to first output
• Processing duration for requests
• Network latency and bandwidth usage
• Client-side rendering performance

Engagement Metrics:

• Daily/weekly/monthly active usage
• Feature utilization rates
• Return visit patterns
• Content creation vs. consumption ratio
• Sharing and collaboration behaviors

When collected: Continuously during your use of the Service

Why collected:

• To understand how users interact with features
• To identify usability issues and friction points
• To optimize user experience and interface design
• To detect and diagnose bugs
• To measure feature effectiveness
• To inform product roadmap decisions

Early Access Note: This level of usage tracking is MORE detailed than mature products typically implement. We need granular insights during development but will reduce collection at market release.

5.6 Technical and Device Information

Device Information:

• Device type (desktop, laptop, tablet, smartphone)
• Device manufacturer and model
• Operating system and version
• Screen resolution and display specifications
• CPU architecture
• Available memory (RAM)
• Browser type and version
• Browser plugins and extensions (that affect functionality)

Network Information:

• Complete IP address (not truncated or anonymized during early access)
• Internet Service Provider (ISP)
• Connection type (WiFi, cellular, ethernet)
• Connection quality metrics (bandwidth, latency, packet loss)
• Geographic location derived from IP (country, region, city—approximate)

Application Information:

• Application version and build number
• Client identifier (unique to your installation)
• Crash reports and error logs (with full stack traces)
• Memory usage and performance statistics
• Local storage usage
• Cache size and hit rates

When collected:

• During initial connection and authentication
• Continuously while using the Service
• Upon errors, crashes, or performance issues

Why collected:

• To ensure compatibility and optimize performance
• To diagnose technical issues and bugs
• To detect and prevent fraud and abuse
• To support security monitoring
• To optimize content delivery and rendering
• To test across diverse environments

Privacy Note: Complete IP addresses are collected during early access for detailed diagnostics. At market release, we plan to truncate or hash IP addresses for privacy protection.

5.7 Location Data

What we collect:

• Country (derived from IP address)
• Region/State (derived from IP address)
• City (approximate, derived from IP address)
• Time zone (from device or IP)
• Language and locale settings

What we DO NOT collect:

• Precise GPS coordinates
• Real-time location tracking
• Location history or movement patterns
• Background location data

When collected:

• Upon connection to the Service
• When you change locations
• For localization and compliance purposes

Why collected:

• To comply with jurisdiction-specific privacy laws
• To provide localized experiences (language, time zone)
• To detect unusual access patterns (security)
• To understand geographic distribution of users
• To determine applicable data protection requirements

5.8 Communication and Feedback Data

Support Communications:

• All support tickets and email exchanges
• Live chat transcripts (if available)
• Phone call recordings (if applicable—with notification)
• Attached files, screenshots, or diagnostic data you provide

Feedback and Surveys:

• Bug reports and feature requests
• Survey responses and ratings
• User research participation (interviews, usability tests)
• In-app feedback (thumbs up/down, text comments)
• Net Promoter Score (NPS) responses

Community Interactions:

• Forum posts and comments (if community features exist)
• Public discussions about the Service
• Testimonials or reviews

When collected:

• When you contact support or provide feedback
• When you participate in surveys or research
• When you engage with community features

Why collected:

• To provide customer support and resolve issues
• To gather product feedback and improvement ideas
• To understand user satisfaction and pain points
• To identify bugs and feature gaps
• To measure the success of experimental features

5.9 Payment and Billing Information

For paid early access tiers:

What we collect directly:

• Billing name and address
• Email for receipts and invoices
• Purchase history and transaction records
• Subscription status and plan details
• Payment method type (Visa, PayPal, etc.—not full details)
• Currency and pricing tier

What we DO NOT collect:

• Full credit card numbers (only last 4 digits from payment processor)
• CVV codes
• Complete banking information

Payment Processing:

All payment processing is handled by third-party payment processors:

• Stripe (stripe.com/privacy)
• PayPal (paypal.com/privacy)

These processors collect and store sensitive payment data according to PCI-DSS standards. We receive only transaction confirmations, payment status, and tokenized payment method references.

When collected:

• When you sign up for paid tiers
• When subscriptions renew
• When you update billing information

Why collected:

• To process payments and subscriptions
• To issue invoices and receipts
• To handle refunds and billing disputes
• To detect and prevent payment fraud

5.10 Diagnostic and Error Data

Error Reports:

• Complete error messages and codes
• Full stack traces (showing code execution path)
• Application state at time of error
• User actions leading to the error
• Browser console logs
• Network request/response details

Crash Reports:

• System state at crash (memory, CPU, processes)
• Crash dump files (if applicable)
• Sequence of events before crash
• Device and OS configuration

Performance Diagnostics:

• Slow query logs
• API latency measurements
• Client-side performance metrics
• Memory leaks or resource exhaustion data

Debug Logs:

• Application-level logs (info, warning, error severity)
• Third-party integration logs
• Authentication and authorization events
• Database query logs (anonymized queries)

When collected:

• Automatically upon errors or crashes
• During performance degradation
• When you submit bug reports
• Continuously for security monitoring

Why collected:

• To identify and fix bugs quickly
• To improve system stability and reliability
• To optimize performance
• To understand failure modes
• To prevent future issues

Privacy Consideration: Error logs may inadvertently capture fragments of your inputs or outputs. We make efforts to sanitize logs, but during early access, some personal data may be present in diagnostic data.

5.11 Cookies and Tracking Data

Summary:

• Essential cookies: Authentication, security, session management
• Functional cookies: Preferences, settings, feature toggles
• Analytics cookies: Usage tracking, behavior analysis
• No advertising cookies: We do not use cookies for behavioral advertising

See Section 16 for comprehensive details on cookies.

---

6. How We Collect Information

6.1 Information You Provide Directly

Voluntary submission through:

• Account registration forms
• Profile settings and preferences
• Inputs to the AI system (prompts, files, content)
• Support requests and feedback forms
• Survey responses
• Payment and billing details

6.2 Automatic Collection

Passive collection through technology:

• Application instrumentation: JavaScript and SDK code embedded in our applications
• Server logs: Web server and API server access logs
• Database logs: Query logs and performance metrics
• Security monitoring: Intrusion detection and access logs
• Error tracking services: Sentry, Bugsnag, or similar tools
• Analytics platforms: Google Analytics, Mixpanel, Amplitude, or custom analytics

6.3 Third-Party Sources

Information received from:

• Single Sign-On (SSO) providers: Google, Microsoft, GitHub (basic profile data)
• Payment processors: Transaction confirmations and status
• Enterprise administrators: User lists, roles, and organization data (for organizational accounts)
• Public sources: Information you make publicly available

6.4 Inferred Information

Derived through analysis:

• Usage patterns and preferences (based on behavior)
• Skill level and sophistication (based on query complexity)
• Topics of interest (based on content)
• Geographic location (from IP address)
• Device characteristics (from technical data)

---

7. Why We Collect More Data During Early Access

7.1 Development and Testing Imperative

Early access is fundamentally a collaborative product development process, not a commercial transaction. This requires extensive data collection to:

Identify Bugs and Issues:

• Detect unexpected behaviors and errors
• Understand conditions that cause failures
• Reproduce bugs in development environments
• Track bug resolution and verify fixes

Evaluate Feature Effectiveness:

• Measure whether features achieve intended goals
• Understand how users actually use features (vs. how we expect)
• Identify features that confuse or frustrate users
• Determine which features to prioritize or deprecate

Optimize Performance:

• Identify performance bottlenecks
• Test under various load conditions
• Optimize database queries and API endpoints
• Improve response times and resource efficiency

Improve Cognitive Processing:

• Evaluate the quality of structured reasoning
• Test multi-distance reasoning capabilities
• Assess constraint adherence and alignment
• Refine adaptive cognitive framing
• Measure cognitive integrity and stability

Test Security Measures:

• Detect vulnerabilities and attack vectors
• Monitor for suspicious activities
• Test authentication and authorization systems
• Evaluate encryption and data protection

Inform Product Strategy:

• Understand which use cases are most valuable
• Identify gaps in capabilities
• Prioritize roadmap based on real-world needs
• Make evidence-based product decisions

7.2 Comparison to Market-Ready Products

Early Access Data Collection:

• Individual inputs and outputs analyzed directly
• Detailed usage patterns logged
• Extensive diagnostic and debug data
• Longer retention periods (180 days vs. 30 days for inputs/outputs)
• Broader sharing with development team
• More permissive use for improvement

Market-Ready Data Collection:

• Primarily aggregated and anonymized analysis
• Minimal logging (only what's necessary)
• Standard diagnostic data only
• Shorter retention periods (30 days for inputs/outputs)
• Strict access controls and minimal sharing
• Explicit consent for improvement uses

This difference is why you must be comfortable with experimental privacy practices to participate.

7.3 Your Role as a Tester

By participating, you are helping us:

• Discover and fix bugs before general release
• Refine features based on real-world usage
• Validate that cognitive infrastructure works across diverse use cases
• Build a better, more reliable product for everyone

In exchange, you accept:

• More invasive data collection
• Risks associated with early-stage systems
• Limited privacy controls
• Experimental practices that will evolve

This is a mutually beneficial partnership, not a standard customer relationship.

---

8. How We Use Your Information

8.1 Primary Uses

8.1.1 Providing the Service

Core functionality:

• Process inputs through our cognitive orchestration layer
• Generate outputs by coordinating with underlying AI models
• Maintain context and conversation coherence
• Authenticate users and authorize access to features
• Store preferences and customizations
• Enable all Service capabilities (file upload, export, sharing, etc.)

8.1.2 Product Development and Improvement

Experimental development:

• Analyze usage patterns to understand how features are used in practice
• Test cognitive structures and evaluate reasoning quality
• A/B testing to compare different implementations
• Feature development based on observed needs
• Performance optimization and bottleneck identification
• Bug identification through usage analysis
• User experience research on workflows and pain points

Critical Privacy Point:

Unlike mature products that only analyze aggregated data, we may:

• Review your specific inputs and outputs directly
• Examine individual conversation flows
• Use your exact queries to test improvements
• Share specific examples internally with the development team (with identifiers removed when possible)

This direct analysis is essential for early-stage development but will be restricted at market release.

8.1.3 AI Model and Cognitive Layer Improvement

System enhancement:

• Cognitive orchestration refinement
• Multi-distance reasoning optimization
• Constraint adherence improvement
• Alignment enhancement
• Integration testing with different underlying AI models
• Prompt engineering refinement
• Quality assurance and output validation

Third-Party Model Training:

Your data may also be used by third-party AI providers (OpenAI, Anthropic, Google) to improve their models, subject to their policies and terms. See Section 11 for critical details.

8.1.4 Security and Fraud Prevention

Protection measures:

• Threat detection and monitoring for unauthorized access
• Fraud prevention for accounts and payments
• Spam filtering and abuse detection
• Security monitoring for suspicious activities
• Incident response and investigation
• Vulnerability assessment
• Access control enforcement

8.1.5 Communication

User engagement:

• Transactional emails: Account confirmations, password resets, security alerts
• Billing communications: Invoices, payment confirmations, subscription notices
• Service updates: Important changes to features, terms, or availability
• Early access program updates: Development progress, new feature announcements
• Support responses: Replies to your questions and issues
• Feedback requests: Surveys, user research invitations, feature testing
• Marketing communications: Newsletters, product updates (with opt-out available)

8.1.6 Legal Compliance and Protection

Legal obligations:

• Comply with laws and regulations
• Respond to legal process (court orders, subpoenas, government requests)
• Enforce Terms of Service and Acceptable Use Policy
• Protect rights and defend against legal claims
• Prevent harm and respond to emergencies
• Record keeping as required by law

8.1.7 Business Operations and Analytics

Internal use:

• Business analytics (user acquisition, retention, engagement)
• Financial analysis and revenue tracking
• Strategic planning and product roadmap
• Research and innovation
• Quality assurance and systematic testing
• Documentation (help guides, FAQs, training materials)

8.1.8 Aggregated and Anonymized Uses

Once data is aggregated and anonymized (cannot be traced back to individuals):

• Publish industry research and whitepapers
• Share statistics with partners and investors
• Benchmark performance against standards
• Contribute to academic research
• Support public discussions about AI development

8.2 Purposes We Do NOT Use Data For

We do NOT:

• Sell your personal information to third parties (and never will)
• Use data for behavioral advertising or ad targeting
• Share identified data with advertisers or marketing companies
• Train competing AI products or services
• Provide data to data brokers
• Use data for purposes incompatible with your expectations

---

9. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data based on the following legal grounds under GDPR:

9.1 Contract Performance (Art. 6(1)(b))

Processing necessary to provide the Service you've requested:

• Creating and maintaining your account
• Processing your inputs and generating outputs
• Providing cognitive orchestration services
• Authenticating and authorizing access
• Enabling Service features
• Processing payments (for paid tiers)

9.2 Consent (Art. 6(1)(a))

Where you have given explicit, informed, and freely-given consent:

• Marketing communications
• Optional analytics and tracking
• Participation in user research or surveys
• Sharing testimonials or case studies
• Use of non-essential cookies
• Experimental features or testing programs

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

9.3 Legitimate Interests (Art. 6(1)(f))

Processing necessary for our legitimate business interests (balanced against your rights):

Product Development:

• Analyzing usage patterns to improve the Service
• Testing new features and capabilities
• Optimizing performance and reliability
• Debugging and error correction

Security and Fraud Prevention:

• Detecting and preventing unauthorized access
• Monitoring for abusive behavior
• Protecting against security threats
• Preventing fraud and financial crimes

Business Operations:

• Understanding business performance
• Strategic planning and decision-making
• Financial analysis and reporting
• Quality assurance and testing

Legal Protection:

• Establishing, exercising, or defending legal claims
• Protecting intellectual property
• Enforcing terms and policies

We have conducted legitimate interests assessments (LIAs) to ensure processing is necessary, proportionate, and not overridden by your fundamental rights.

9.4 Legal Obligation (Art. 6(1)(c))

Processing necessary to comply with legal requirements:

• Responding to court orders and subpoenas
• Meeting tax and financial reporting obligations
• Complying with data protection regulations
• Fulfilling regulatory requirements
• Reporting suspected crimes

9.5 Vital Interests (Art. 6(1)(d))

Processing necessary to protect life or physical safety:

• Responding to emergency situations
• Preventing imminent harm
• Supporting law enforcement in life-threatening situations

(This basis is used rarely and only in genuine emergencies.)

9.6 Special Categories of Personal Data

We do not intentionally collect special categories (sensitive) data under GDPR Article 9:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for identification
• Health data
• Sex life or sexual orientation

However, if you voluntarily include such information in your inputs, we process it based on Article 9(2)(a) (explicit consent) or Article 9(2)(e) (data manifestly made public by you).

We strongly recommend avoiding including sensitive data in your inputs.

---

10. How We Share Your Information

10.1 We Do Not Sell Personal Data

Absolute commitment:

aiBlue does NOT and will NEVER:

• Sell your personal information for monetary consideration
• Rent or lease your data to third parties
• Trade your information for valuable consideration
• Provide data to data brokers or marketing aggregators
• Monetize your personal data beyond providing the Service

This commitment applies regardless of jurisdiction and exceeds requirements of laws like CCPA and GDPR.

10.2 Third-Party AI Model Providers

Most significant data sharing:

Your inputs are sent to third-party AI providers to generate responses. This is essential to how the Service works. See Section 11 for comprehensive details.

10.3 Service Providers and Subprocessors

We share data with carefully vetted third-party service providers who assist in operating the Service:

10.3.1 Cloud Infrastructure and Hosting

Providers:

• Amazon Web Services (AWS)
• Google Cloud Platform (GCP)
• Microsoft Azure
• Other cloud providers as used

What they receive:

• All data stored in our systems (account data, inputs, outputs, usage logs)
• Technical data necessary for infrastructure operation

Purpose:

• Data storage and database management
• Application hosting and computing resources
• Content delivery and caching
• Backup and disaster recovery

Protections:

• Data Processing Agreements (DPAs) in place
• Encryption at rest and in transit
• Access controls and authentication
• Compliance certifications (SOC 2, ISO 27001)
• GDPR-compliant Standard Contractual Clauses (SCCs) where applicable

10.3.2 Payment Processing

Providers:

• Stripe (stripe.com/privacy)
• PayPal (paypal.com/privacy)

What they receive:

• Billing name and address
• Email for receipts
• Payment method information (card numbers, bank account details)
• Transaction amounts and currency

Purpose:

• Process subscription payments
• Handle refunds and chargebacks
• Detect payment fraud
• Comply with PCI-DSS standards

Protections:

• PCI-DSS Level 1 certified
• Encrypted payment data
• Tokenization of sensitive information
• Separate data processing agreements

We do NOT receive or store:

• Full credit card numbers (only last 4 digits)
• CVV codes
• Complete banking information

10.3.3 Analytics and Monitoring Services

Providers (examples—specific providers may change):

• Google Analytics
• Mixpanel
• Amplitude
• Segment
• Sentry (error tracking)
• LogRocket (session replay)

What they receive:

• Usage and interaction data (anonymized where possible)
• Technical and device information
• Performance metrics
• Error and crash data
• Session recordings (with sensitive data masked)

Purpose:

• Understand user behavior and engagement
• Track feature adoption and usage
• Monitor performance and stability
• Identify bugs and errors
• Support A/B testing and experimentation

Protections:

• Data Processing Agreements
• Anonymization of personal identifiers where possible
• IP address truncation or hashing (planned for market release)
• Cookie consent mechanisms
• Right to opt out of non-essential analytics

Privacy Note: During early access, analytics collection is more extensive than it will be at market release.

10.3.4 Customer Support and Communication

Providers:

• Zendesk, Intercom, or similar (help desk platforms)
• SendGrid, Mailchimp, or similar (email services)
• Twilio (SMS, if applicable)
• Slack (internal communication about support issues)

What they receive:

• Support tickets and conversations
• Account information (name, email)
• Issue descriptions and attachments you provide
• Email communications

Purpose:

• Provide customer support
• Send transactional and marketing emails
• Manage support ticket workflow
• Internal collaboration on support issues

10.3.5 Security and Fraud Prevention

Providers:

• CloudFlare (DDoS protection, WAF)
• Security monitoring services
• Fraud detection services

What they receive:

• IP addresses and network data
• Access patterns and request logs
• Security event data
• Potentially suspicious account information

Purpose:

• Protect against DDoS attacks
• Detect and prevent fraud
• Monitor for security threats
• Block malicious traffic

10.3.6 Development and Testing Partners

During early access, we may share data with:

• External developers or contractors assisting with feature development
• UX researchers conducting usability studies
• Security consultants performing penetration testing
• Academic researchers studying AI cognition (with anonymization)
• Technical advisors and consultants

What they may receive:

• Anonymized or pseudonymized usage data
• Aggregated statistics and patterns
• Specific examples of inputs/outputs (with identifiers removed)
• Technical logs and diagnostic data

Purpose:

• Support product development
• Conduct research and testing
• Evaluate security and performance
• Provide expert guidance

Protections:

• Non-Disclosure Agreements (NDAs)
• Confidentiality obligations
• Access limited to necessary data only
• Pseudonymization and anonymization where possible
• Purpose-specific and time-limited access

This sharing is broader during early access than it will be at market release, reflecting the collaborative development nature of this phase.

10.4 Legal and Regulatory Disclosure

We may disclose information when required or permitted by law:

10.4.1 Legal Process and Government Requests

• Court orders, subpoenas, and search warrants
• Government investigations and inquiries
• National security requests (with transparency where legally permitted)
• Regulatory examinations and audits

Our approach:

• We carefully review all requests for legal validity
• We challenge overly broad or inappropriate requests
• We notify affected users when legally permitted