Privacy Policy
SethApp.com
Data Controller: Evigilans, s.r.o.
Address: U Synagogy 480/1, Trnitá, 602 00 Brno, Czech Republic
IČO: 23743883
Registered in the Commercial Register kept by the Regional Court in Brno, file no. C 147317
Data Protection Contact: evigilans-data@tuta.com
Effective Date: July 13, 2026
TL;DR (Summary)
Your conversations are not public.
Normal conversations are stored so you can return to them on your computer or phone. The database is secured and encrypted; human access is strictly limited, and listed processors handle only what is needed to provide the service.
Account identity is minimal.
We require an email for login and an optional display name; chat, journal, preferences, and billing status are linked to your account ID.
IP use is limited.
Infrastructure may process IP addresses for rate limiting, abuse prevention, error monitoring, and security incident investigation — never advertising.
We do not store payment credentials.
Card and cryptocurrency payments are processed by Stripe or NOWPayments.
1. What Data We Collect
1.1. Data We COLLECT:
| Data | Why | How Long |
|---|---|---|
| Login (magic link / OTP) | Until account deletion | |
| Display name | Personalization | Until account deletion |
| Identity-provider profile metadata | Google sign-in, when you choose it | Until account deletion |
| Conversations with Seth | Conversation continuity | Until account deletion |
| Journal entries | Journal feature | Until account deletion |
| Feedback (👍/👎) | Service improvement | Until account deletion |
| Images you attach | Create a visual description for Seth | Raw image processed for the request; generated description may become part of conversation context |
| Voice audio in live voice mode | Speech-to-text through Deepgram EU | Only for the duration of processing |
| Legal acceptance evidence | Record the document version, locale, source, time, and non-identifying acceptance facts | Until account deletion; rows cascade with the account |
- Data
- Why
- Login (magic link / OTP)
- How Long
- Until account deletion
- Data
- Display name
- Why
- Personalization
- How Long
- Until account deletion
- Data
- Identity-provider profile metadata
- Why
- Google sign-in, when you choose it
- How Long
- Until account deletion
- Data
- Conversations with Seth
- Why
- Conversation continuity
- How Long
- Until account deletion
- Data
- Journal entries
- Why
- Journal feature
- How Long
- Until account deletion
- Data
- Feedback (👍/👎)
- Why
- Service improvement
- How Long
- Until account deletion
- Data
- Images you attach
- Why
- Create a visual description for Seth
- How Long
- Raw image processed for the request; generated description may become part of conversation context
- Data
- Voice audio in live voice mode
- Why
- Speech-to-text through Deepgram EU
- How Long
- Only for the duration of processing
- Data
- Legal acceptance evidence
- Why
- Record the document version, locale, source, time, and non-identifying acceptance facts
- How Long
- Until account deletion; rows cascade with the account
1.2. Data We DO NOT Collect:
2. Conversations with Seth
2.1. Who has access to conversations?
People with access during normal operations: you; an authorized administrator only when necessary.
- •Team members do not routinely browse individual conversations
- •Processors receive only the data needed for hosting, AI generation, voice, security, payments, or support as listed in §3
Note: The administrator technically has database access for resolving technical issues, legal obligations, and security incidents.
Sensitive information you choose to share
Conversations with Seth and your journal are free-text fields. You may voluntarily share sensitive details — for example about health, beliefs, sexuality, relationships, or emotions. We do not use this content to train or fine-tune an AI model. The separate Article 9 consent in Research settings applies only to optional research and does not supply a legal basis for core-service processing. The appropriate GDPR Article 9 condition for special-category data voluntarily entered into the core service still requires confirmation by Czech/EU counsel. Private Mode remains available when you do not want conversation content persisted.
Seth's internal reflections
As part of his personality, Seth keeps a short internal reflection on his day — how he handled conversations and what he wants to do differently. The reflection is about Seth, not about you: because it draws on conversations, it may include anonymous mentions of interactions (e.g. "I helped someone slow down today"), but it never contains names, identifiable stories, or sensitive details (health, relationships, family, etc.) — automated checks block such content before anything is saved, and a reflection that fails is discarded. Roughly every two days a new reflection replaces the previous one. This is not AI model training — your conversations are never used to train any model (see §3).
2.2. How are conversations stored?
- Stored in Supabase database (EU region)
- Transfer encrypted (HTTPS)
- Supabase provides encryption at rest
2.3. Export and deletion
In Settings, you can export an 11-file archive containing account data, conversations, journal, subscription and credit history, Life Paths, feedback, proactive messages, saved moments, preferences, user-scoped memory, and legal acceptance evidence. You may delete your account at any time. The export does not include Seth's own internal content because that is not your personal data.
What is retained after account deletion (GDPR compliance):
- •SHA256 hash of your email — irreversible, prevents trial credit abuse on re-signup. Your email itself is deleted; only a one-way hash remains. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) for fraud prevention.
- •Payment-provider records — Stripe or NOWPayments may retain transaction records for tax, accounting, anti-fraud, and billing compliance (Art. 17(3)(b) exempts legal retention obligations). Where supported, account-linked personal fields are removed or obscured on deletion.
- •Aggregate deletion audit entry — records only non-identifying deletion counts and operational outcomes. No user ID, hash-derived identifier, or personal data is retained for the legal-acceptance summary.
- •Legal acceptance rows — deleted automatically with the account. Only a non-identifying aggregate count may remain in the deletion audit; it does not retain the accepted text, user ID, evidence payload, IP address, user agent, or device data.
2.4. Private Mode
Seth offers a Private Mode for conversations that require extra privacy. When Private Mode is enabled:
- 🚫Messages are NOT saved to any database — they exist only in your browser's memory.
- 🔌The AI backend (ElizaOS) is completely bypassed — your message goes directly to the AI model via OpenRouter ZDR (Zero Data Retention) endpoint.
- 🧠Seth can still read his own reflections (read-only) to maintain personality, but nothing from your private conversation is written back.
- 🗑️When you close the tab, switch to normal mode, or refresh the page — the conversation is gone forever. There is no recovery.
- 📊No conversation content or history is persisted. Minimal operational metadata may still be logged (for example request timing, model, content length, errors, credit use, and security events), never the private message text.
In short: Private Mode = zero content persistence. There is no recoverable transcript or memory after you leave.
2.5. Voice Input (Speech-to-Text)
Seth offers two separate voice features:
- 🎤Dictation in the composer uses your browser's built-in speech recognition service (for example Google Speech Services in Chrome/Edge or Apple speech services in Safari). Seth receives only the text you choose to send.
- 🗣️Live voice conversation sends microphone audio directly from your browser to Deepgram's EU endpoint for real-time transcription. Model-improvement use is disabled; audio is retained only for processing.
- 🔊Seth's reply text is sent to ElevenLabs only when premium voice playback is requested.
- 🚫Evigilans does not record or persist raw microphone audio in its own databases.
In short: dictation is handled by your browser provider; live voice uses Deepgram EU. Seth stores conversation text according to the selected chat mode, not a reusable audio recording.
2.6. Voluntary Product Research (Opt-in)
Evigilans s.r.o. runs voluntary product research to improve Seth and share aggregated or de-identified findings about how AI companions support personal growth. Individual source text remains linked to your account before aggregation. No staff member reads your individual conversations; analysis and article drafts are produced by automated pipelines. Your chat content is never used to train or fine-tune any AI model.
- 🔒Default for every user, including beta accounts: OFF. Old profile flags alone are insufficient and no previous preference is grandfathered.
- ✅Participation requires two separate current consents in the same language: voluntary research consent and explicit Article 9 consent for research processing of free text that may contain special-category data.
- 📊If both consents are current: automated aggregate analysis only — statistics and pool-level de-identified patterns. No staff browsing of individual chats. Used to improve the live product; not training data.
- 📰We may publish research summaries from non-identifiable aggregated insights (blog articles, reports) — e.g. how Seth helps people reflect and grow. Never direct quotes, never individual stories, never identification of a user.
- 🚫Research and model training are completely separate. We never use your messages or Seth's replies to train any AI model — including our own. Any future Seth voice model is built from synthetic data we generate using open-source models.
- ✋You can withdraw both consents anytime in Settings. Exclusion is immediate and does not affect the core service. Previously produced non-identifying aggregate results cannot be linked back to you.
Legal basis for optional research: consent (GDPR Art. 6(1)(a)) plus separate explicit consent under Art. 9(2)(a) for research processing of free text that may contain special-category data. This does not determine the Article 9 basis for the core service; counsel review remains open. Details in Terms §5a.
In short: Research is off by default for everyone and starts only with two current consents — never model training and never individual chat browsing by staff.
3. Third Party Sharing
| Third Party | What Data | Why | Location |
|---|---|---|---|
| Supabase | Account, conversations, journal | Database and authentication | EU |
| Google OAuth | Email and identity-provider profile metadata | Optional Google sign-in | EU/US |
| Vercel | IP (temporarily) | Web hosting | EU/US |
| Railway | IP (temporarily) | Backend hosting | EU |
| Stripe | Payment data | Payment processing | EU/US |
| NOWPayments | Order ID, package and payment metadata | Optional cryptocurrency payments | EU/International |
| Resend | Email address and transactional/support email content | Account, export, deletion, research and support emails | US |
| Upstash Redis | Pseudonymous account/IP-derived rate-limit keys and counters | Rate limiting, abuse prevention and short-lived caching | EU/US |
| Cloudflare Turnstile | IP, browser and challenge data | Bot protection for login and public forms | Global |
| OpenRouter | Conversations (text generation) | AI response generation | US |
| Vercel AI Gateway | Conversations (text generation) | Backup AI route (only when OpenRouter is unavailable) | US |
| Cloudflare Workers AI | Embedding inputs only (no storage) | Embedding fallback (when OpenRouter fails) | Global edge |
| ElevenLabs | Seth's reply text (only when you tap play) | Voice playback (text-to-speech, paid plans & purchased credits) | US |
| Deepgram | Voice audio (only while you speak in live voice mode; processed in the EU, excluded from model improvement, retained only for processing) | Live speech recognition (paid plans & purchased credits) | EU (US company) |
| Sentry | Error data, device info (see §5.1) | Error monitoring & stability | EU/US |
- Third Party
- Supabase
- What Data
- Account, conversations, journal
- Why
- Database and authentication
- Location
- EU
- Third Party
- Google OAuth
- What Data
- Email and identity-provider profile metadata
- Why
- Optional Google sign-in
- Location
- EU/US
- Third Party
- Vercel
- What Data
- IP (temporarily)
- Why
- Web hosting
- Location
- EU/US
- Third Party
- Railway
- What Data
- IP (temporarily)
- Why
- Backend hosting
- Location
- EU
- Third Party
- Stripe
- What Data
- Payment data
- Why
- Payment processing
- Location
- EU/US
- Third Party
- NOWPayments
- What Data
- Order ID, package and payment metadata
- Why
- Optional cryptocurrency payments
- Location
- EU/International
- Third Party
- Resend
- What Data
- Email address and transactional/support email content
- Why
- Account, export, deletion, research and support emails
- Location
- US
- Third Party
- Upstash Redis
- What Data
- Pseudonymous account/IP-derived rate-limit keys and counters
- Why
- Rate limiting, abuse prevention and short-lived caching
- Location
- EU/US
- Third Party
- Cloudflare Turnstile
- What Data
- IP, browser and challenge data
- Why
- Bot protection for login and public forms
- Location
- Global
- Third Party
- OpenRouter
- What Data
- Conversations (text generation)
- Why
- AI response generation
- Location
- US
- Third Party
- Vercel AI Gateway
- What Data
- Conversations (text generation)
- Why
- Backup AI route (only when OpenRouter is unavailable)
- Location
- US
- Third Party
- Cloudflare Workers AI
- What Data
- Embedding inputs only (no storage)
- Why
- Embedding fallback (when OpenRouter fails)
- Location
- Global edge
- Third Party
- ElevenLabs
- What Data
- Seth's reply text (only when you tap play)
- Why
- Voice playback (text-to-speech, paid plans & purchased credits)
- Location
- US
- Third Party
- Deepgram
- What Data
- Voice audio (only while you speak in live voice mode; processed in the EU, excluded from model improvement, retained only for processing)
- Why
- Live speech recognition (paid plans & purchased credits)
- Location
- EU (US company)
- Third Party
- Sentry
- What Data
- Error data, device info (see §5.1)
- Why
- Error monitoring & stability
- Location
- EU/US
OpenRouter and Vercel AI Gateway are routing gateways, not the AI models themselves: your message is passed on to the upstream model provider that generates the reply (e.g. Anthropic, Google, DeepInfra). These upstream providers act as sub-processors for the duration of a single request. We only use models served through Zero Data Retention endpoints — providers that would log or retain prompts are excluded by our account-level ZDR configuration. See OpenRouter's provider policies for per-provider logging terms. OpenRouter privacy & logging documentation
3.1. International Data Transfers
Some processors are based in the United States or operate global infrastructure. Where personal data is transferred outside the EEA, Evigilans must maintain an applicable Chapter V safeguard, such as valid Standard Contractual Clauses and/or reliance on the EU-U.S. Data Privacy Framework for a currently certified recipient. The processor-by-processor DPA, SCC, DPF and transfer-assessment evidence register is under review and must not be treated as complete until verified.
In practice the persistent footprint outside the EU is minimal: your conversations and journal are stored only in the EU (Supabase), and AI providers process conversation content transiently under the Zero Data Retention guarantees described below — content is not retained after the reply is generated.
Zero Data Retention (ZDR) & No AI Training
For AI, we exclusively use providers with equivalent ZDR guarantees:
- ✓Conversation content is routed only through providers allowed by our account-level Zero Data Retention configuration
- ✓AI providers do not retain conversation content or embeddings after request processing under the applicable ZDR terms
- ✓Your conversations, journal entries, and inputs are NEVER used to train, fine-tune, or distill any AI model — not by us, not by any provider
- ✓Embeddings (vector representations of text used for memory recall) follow the same ZDR principle — DeepInfra (via OpenRouter ZDR) is primary, Cloudflare Workers AI is the fallback. Cloudflare's policy: customer content is not stored unless you explicitly opt into a storage service (we do not).
- ✓Seth's personal memory (reflections, journal access) is stored only in our own database and is used solely to personalize YOUR conversations — it is not a model update
- ✓Any future Seth voice model we build uses synthetic data generated by open-source models only — never your production conversations or Seth's replies
4. Your Rights (GDPR)
Access
Export your data
Rectification
Correct your data
Erasure
Delete your account and active user data, subject to lawful retention exceptions
Portability
Export data in JSON format
Objection
Object to processing
Complaint
With supervisory authority
To exercise your rights, contact us at: evigilans-data@tuta.com
5. Cookies & Error Monitoring
We only use session cookies (Supabase Auth) required for login. We do not use analytics or marketing cookies.
5.1. Error Monitoring (Sentry)
We use Sentry (Functional Software, Inc.) for error monitoring and application stability. When an error occurs in the application, Sentry may automatically collect:
- 🖥️Technical information — browser type, operating system, device type, screen size.
- 🌐IP address — handled according to the configured processor settings and used only for security/error context, not advertising tracking.
- 🐛Error details — stack traces, page URL where the error occurred, error messages.
- 🎬Session replay data — anonymized recordings of user interactions (all text and inputs are masked by default) to help reproduce and fix bugs.
What Sentry does NOT collect:
- ✕Conversation content or messages
- ✕Personal data (email, name) — we configure Sentry with sendDefaultPii: false
- ✕Payment information
- ✕Journal entries
This data is used solely for application stability and incident response. Sentry publishes SOC 2 and ISO 27001 assurance materials and acts as a data processor under our instructions. Error-event and IP retention follow the currently configured Sentry plan and processor settings; the exact periods and supporting evidence are maintained in the internal retention and processor registers and remain under review.
For more information, see Sentry's Privacy Policy
5.2. Operational Runtime Logs
For debugging, performance monitoring, and incident response, our backend (Railway) and frontend (Vercel) infrastructure write operational logs. These logs are designed to be PII-minimized by default:
- 🔢User identifiers (UUIDs) are truncated to an 8-character prefix (e.g. "75ace6c5…") — enough to correlate events within a single session burst, but not enough to reverse-link an account without database access.
- 🔐Conversation content, fact text, journal entries, learning insights, and message snippets are NEVER logged verbatim. When a log line would otherwise embed user content, we replace it with a length tag and SHA-256 hash prefix (e.g. "[len=78 hash=a3f8b2c1]") — collision-resistant for cross-line debugging, but cryptographically opaque to a log reader.
- ⏱️Railway backend logs are retained for 30 days and then automatically purged.
- 🛡️Browser and authenticated application access is restricted by Row Level Security. Privileged operational credentials can bypass those policies and are limited to necessary server-side administration and incident response.
What runtime logs do NOT contain:
- ✕Verbatim conversation messages, in any direction
- ✕Verbatim journal entries or fact claims
- ✕Email addresses, full names, or other directly identifying personal data
- ✕Payment credentials (handled by Stripe or NOWPayments)
In short: runtime logs preserve enough technical signal to debug a bug ("which user, in which conversation, hit which code path"), without preserving enough content signal to reconstruct what was said. This is our implementation of GDPR Article 32 ("pseudonymization appropriate to the risk").
6. Security Logging (Audit Log)
To protect the security and integrity of the Service, we maintain an audit log of critical actions. This log records:
- 🗑️Account deletion requests — to confirm your data was properly removed.
- 💳Payment events — credit purchases, subscription changes, and cancellations (via Stripe or NOWPayments).
- 📩Support ticket submissions — to track that your request was received.
- 🛡️Safety violations — when a message is blocked for violating usage policy. Only the violation type is logged (e.g. "harmful_request"), NEVER the message content.
What is stored:
- •User ID (anonymized after account deletion)
- •Action type (e.g. "account_deleted", "credits_purchased")
- •Violation type for safety events (e.g. "harmful_request") — never message content
- •Timestamp
- •IP address (for security incident investigation only)
- •Technical metadata (e.g. Stripe event ID)
What is NOT stored:
- ✕Conversation content
- ✕Journal entries
- ✕Personal messages or private data
The audit log exists solely for security, fraud prevention, and GDPR compliance (proof of data deletion). It does not contain any conversational or personal content.
Checkout records the accepted Terms and Privacy versions and the separate immediate-performance request without IP address, user agent, or device data. A transactional purchase confirmation is intended to provide a durable-medium summary, but delivery depends on email infrastructure. The legal acceptance database rows—not email delivery—are the source of truth for acceptance evidence.
7. Age Restriction
This service is not intended for persons under 18 years of age.
8. Contact
Evigilans, s.r.o.
U Synagogy 480/1, Trnitá, 602 00 Brno, Czech Republic
IČO: 23743883
Registered in the Commercial Register kept by the Regional Court in Brno, file no. C 147317
Email: evigilans-data@tuta.com
Supervisory Authority: Office for Personal Data Protection (ÚOOÚ) (uoou.cz)
Last updated: July 13, 2026