No human has access to your conversation content during normal operations.
📧
We collect minimal data:
Email and display name only.
🗑️
We don't store IP addresses.
Only used temporarily for rate limiting.
💳
We don't store payment data.
Processed by Stripe.
1. What Data We Collect
1.1. Data We COLLECT:
Data
Why
How Long
Email
Login (magic link / OTP)
Until account deletion
Display name
Personalization
Until account deletion
Conversations with Seth
Conversation continuity
Until account deletion
Journal entries
Journal feature
Until account deletion
Feedback (👍/👎)
Service improvement
Until account deletion
1.2. Data We DO NOT Collect:
✕Full name
✕Home address
✕Phone number
✕National ID numbers
✕Payment details (handled by Stripe)
✕IP addresses (only temporarily in memory)
2. Conversations with Seth
2.1. Who has access to conversations?
During normal operations: Only you.
✕Employees do NOT actively read them
✕Third parties do NOT have access
Note: The administrator technically has database access for resolving technical issues, legal obligations, and security incidents.
2.2. How are conversations stored?
Stored in Supabase database (EU region)
Transfer encrypted (HTTPS)
Supabase provides encryption at rest
2.3. Export and deletion
In Settings, you can export all your data or delete your account at any time.
What is retained after account deletion (GDPR compliance):
•SHA256 hash of your email — irreversible, prevents trial credit abuse on re-signup. Your email itself is deleted; only a one-way hash remains. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) for fraud prevention.
•Stripe customer record — retained by Stripe for tax and billing compliance (Art. 17(3)(b) exempts legal retention obligations). Personal fields (email, name) are obscured on deletion.
•Anonymized audit log entry — records that your account was deleted, using only a short hash prefix. No user ID or personal data.
2.4. Private Mode
Seth offers a Private Mode for conversations that require extra privacy. When Private Mode is enabled:
🚫Messages are NOT saved to any database — they exist only in your browser's memory.
🔌The AI backend (ElizaOS) is completely bypassed — your message goes directly to the AI model via OpenRouter ZDR (Zero Data Retention) endpoint.
🧠Seth can still read his own reflections (read-only) to maintain personality, but nothing from your private conversation is written back.
🗑️When you close the tab, switch to normal mode, or refresh the page — the conversation is gone forever. There is no recovery.
📊No analytics, no logs, no conversation history is created for private conversations.
In short: Private Mode = zero persistence. Your words exist only in the moment.
2.5. Voice Input (Speech-to-Text)
Seth offers optional voice input for typing messages by speaking. When you use voice input:
🎤Audio is processed by your browser's built-in speech recognition service (Google Speech Services on Chrome/Edge, Apple Siri on Safari).
🚫Seth does NOT record, store, or transmit any audio data. We only receive the transcribed text that you choose to send.
🔒Audio processing happens between your device and your browser provider — Seth never has access to the audio stream.
📋The transcribed text appears in the message input field. You can review, edit, or delete it before sending.
In short: Voice input is a browser feature. Seth only sees the final text you send — never your voice.
3. Third Party Sharing
Third Party
What Data
Why
Location
Supabase
Account, conversations, journal
Database and authentication
EU
Vercel
IP (temporarily)
Web hosting
EU/US
Railway
IP (temporarily)
Backend hosting
EU
Stripe
Payment data
Payment processing
EU/US
OpenRouter
Conversations (text generation)
AI response generation
US
Cloudflare Workers AI
Embedding inputs only (no storage)
Embedding fallback (when OpenRouter fails)
Global edge
Sentry
Error data, device info (see §5.1)
Error monitoring & stability
EU/US
Zero Data Retention (ZDR) & No AI Training
For AI, we exclusively use providers with equivalent ZDR guarantees:
✓Data is processed and IMMEDIATELY deleted by the AI provider
✓AI providers (OpenRouter ZDR, Cloudflare Workers AI) do NOT store your conversations or embeddings
✓Your conversations, journal entries, and inputs are NEVER used to train, fine-tune, or distill any AI model — not by us, not by any provider
✓Embeddings (vector representations of text used for memory recall) follow the same ZDR principle — DeepInfra (via OpenRouter ZDR) is primary, Cloudflare Workers AI is the fallback. Cloudflare's policy: customer content is not stored unless you explicitly opt into a storage service (we do not).
✓Seth's personal memory (reflections, journal access) is stored only in our own database and is used solely to personalize YOUR conversations — it is not a model update
We only use session cookies (Supabase Auth) required for login. We do not use analytics or marketing cookies.
5.1. Error Monitoring (Sentry)
We use Sentry (Functional Software, Inc.) for error monitoring and application stability. When an error occurs in the application, Sentry may automatically collect:
🌐IP address — anonymized after 30 days by Sentry. We do not use it for tracking.
🐛Error details — stack traces, page URL where the error occurred, error messages.
🎬Session replay data — anonymized recordings of user interactions (all text and inputs are masked by default) to help reproduce and fix bugs.
What Sentry does NOT collect:
✕Conversation content or messages
✕Personal data (email, name) — we configure Sentry with sendDefaultPii: false
✕Payment information
✕Journal entries
This data is used solely for improving application stability and user experience. Sentry is GDPR-compliant (SOC2, ISO 27001) and acts as a data processor under our instructions. Error events are retained according to Sentry's default plan retention (typically 90 days), after which they are automatically deleted; IP addresses are anonymized after 30 days as noted above.
For debugging, performance monitoring, and incident response, our backend (Railway) and frontend (Vercel) infrastructure write operational logs. These logs are designed to be PII-minimized by default:
🔢User identifiers (UUIDs) are truncated to an 8-character prefix (e.g. "75ace6c5…") — enough to correlate events within a single session burst, but not enough to reverse-link an account without database access.
🔐Conversation content, fact text, journal entries, learning insights, and message snippets are NEVER logged verbatim. When a log line would otherwise embed user content, we replace it with a length tag and SHA-256 hash prefix (e.g. "[len=78 hash=a3f8b2c1]") — collision-resistant for cross-line debugging, but cryptographically opaque to a log reader.
⏱️Railway backend logs are retained for 30 days and then automatically purged.
🛡️Database access (where the original content lives) is gated by Row Level Security policies — even with admin database credentials, queries are constrained to authorized rows.
What runtime logs do NOT contain:
✕Verbatim conversation messages, in any direction
✕Verbatim journal entries or fact claims
✕Email addresses, full names, or other directly identifying personal data
✕Payment information (handled exclusively by Stripe)
In short: runtime logs preserve enough technical signal to debug a bug ("which user, in which conversation, hit which code path"), without preserving enough content signal to reconstruct what was said. This is our implementation of GDPR Article 32 ("pseudonymization appropriate to the risk").
6. Security Logging (Audit Log)
To protect the security and integrity of the Service, we maintain an audit log of critical actions. This log records:
🗑️Account deletion requests — to confirm your data was properly removed.
📩Support ticket submissions — to track that your request was received.
🛡️Safety violations — when a message is blocked for violating usage policy. Only the violation type is logged (e.g. "harmful_request"), NEVER the message content.
What is stored:
•User ID (anonymized after account deletion)
•Action type (e.g. "account_deleted", "credits_purchased")
•Violation type for safety events (e.g. "harmful_request") — never message content
The audit log exists solely for security, fraud prevention, and GDPR compliance (proof of data deletion). It does not contain any conversational or personal content.
7. Age Restriction
This service is not intended for persons under 18 years of age.