Privacy Policy

Last updated: March 1, 2026

VER·DICT (“we,” “us,” or “our”) operates verdict.org. This Privacy Policy explains how we collect, use, share, and protect your information when you use our AI-powered religious and philosophical research platform.

1. Information We Collect

1.1 Information You Provide

• Account data: Email address, username, and password (stored as a secure hash) when you create an account
• Profile information: Display name and any additional profile details you choose to provide
• Chat messages: Questions and conversations you submit to the AI research assistant
• Workspace content: Documents, notes, and drafts you create in the research workspace
• Feedback: Message votes (thumbs up/down) and other feedback you provide
• Payment information: When paid plans are available, payment details will be processed by Stripe. We do not store full credit card numbers

1.2 Information Collected Automatically

• Usage analytics: Page views and feature usage via Vercel Analytics (privacy-friendly—does not collect IP addresses or use cookies)
• Performance data: Page load times via Vercel Speed Insights (anonymized, no PII)
• Google Analytics: When you consent to analytics cookies, we use Google Analytics 4 to understand how users interact with the service. This includes pages visited, session duration, and general location (country/city level). With Google Signals enabled, if you are signed into a Google account and have consented to ads personalization in your Google settings, Google may associate your visit data with your Google account information (such as search history and YouTube history) for the purpose of ads personalization and cross-device reporting. We do not send your VER·DICT user ID, email, or any personal data to Google Analytics. You can opt out via the Google Analytics Opt-out Browser Add-on or by declining analytics cookies in our consent banner. You can also manage Google's use of your data at My Activity
• Token usage: AI query counts and token consumption for rate limiting and abuse prevention
• Session metadata: Timestamps, model selection, and inquiry level for your chat sessions

1.3 Information from Third-Party Login

If you sign in with Google or GitHub OAuth, we receive your name, email address, and profile picture from those services. We use this only to create and manage your VER·DICT account.

2. How We Use Your Information

• Provide the service: Process your AI research queries, store your chat history and workspace documents, and manage your account
• AI processing: Send your chat messages to AI providers (OpenAI, Anthropic, Google) to generate responses. We add system context and relevant text excerpts from our corpus to improve response quality
• Rate limiting: Track query counts to enforce fair usage limits and prevent abuse
• Service improvement: Analyze anonymized usage patterns to improve the platform
• Communication: Send you account-related notifications (password resets, security alerts, material policy changes)
• Legal compliance: Fulfill our legal obligations and enforce our Terms of Service

We do not use your conversations to train or fine-tune any AI models.

3. AI Data Processing

When you use VER·DICT's AI features, your chat messages are sent to third-party AI providers for processing. Here is how each provider handles your data:

We recommend that you do not submit personally identifiable information, confidential data, or sensitive personal information in your chat queries.

4. Data Sharing and Sub-Processors

We share your data only with the service providers necessary to operate VER·DICT:

We do not sell your personal information. We do not share your personal data with advertisers for behavioral targeting. Our revenue comes from subscriptions and contextual advertising (Google AdSense). Contextual ads are served based on page content, not your personal data, unless you have explicitly consented to ads personalization via our cookie preferences banner.

5. Data Retention

• Chat sessions and workspace documents: Retained until you delete them or delete your account
• Account data: Retained for the life of your account, deleted within 30 days of account deletion
• Payment records: Retained as required by tax and financial regulations (typically 7 years)
• Audit logs: Retained for up to 1 year for security and abuse prevention
• Analytics data: Google Analytics retains data for up to 14 months; Vercel Analytics data is anonymized and aggregated (no PII retained)
• AI provider logs: See Section 3 for provider-specific retention periods

6. Your Rights

6.1 All Users

Regardless of your location, you have the right to:

• Access your data (export chat sessions as Markdown or JSON)
• Delete your chat sessions and workspace documents at any time
• Delete your account and all associated data
• Update or correct your account information

6.2 European Economic Area and United Kingdom (GDPR / UK GDPR)

If you are in the EU/EEA or the United Kingdom, you additionally have the right to:

• Data portability: Receive your data in a structured, machine-readable format
• Restrict processing: Request that we limit how we use your data
• Object to processing: Object to data processing based on legitimate interests
• Withdraw consent: Withdraw consent at any time where processing is based on consent
• Lodge a complaint: File a complaint with your local data protection authority (in the UK, the Information Commissioner's Office)

Our legal bases for processing are: performance of a contract (providing the service), legitimate interests (security, analytics, service improvement), and consent (where applicable).

6.3 California Residents (CCPA/CPRA)

If you are a California resident, you additionally have the right to:

• Know what categories of personal information are collected, the purposes for collection, and the categories of third parties with whom it is shared
• Request deletion of your personal information
• Correct inaccurate personal information
• Opt out of the sale or sharing of personal information
• Limit the use of sensitive personal information
• Non-discrimination for exercising your privacy rights

Do Not Sell or Share My Personal Information: We do not sell your personal information. When Google Analytics or AdSense is active with your consent, certain data may be shared with Google for analytics and advertising purposes as described in this policy. You can opt out at any time by declining advertising cookies via our consent banner. We honor Global Privacy Control (GPC) signals from your browser.

6.4 Virginia, Colorado, Connecticut, and Other US States

If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or another US state with comprehensive privacy legislation, you may have similar rights including:

• Access and obtain a copy of your personal data
• Request deletion of your personal data
• Correct inaccuracies in your personal data
• Opt out of targeted advertising, the sale of personal data, and profiling
• Right to appeal a denial of your privacy request

We do not process sensitive data (as defined under these laws) without your consent. We do not sell personal data or use it for profiling in furtherance of decisions that produce legal or similarly significant effects.

6.5 Canada (PIPEDA)

If you are in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides you with rights including:

• Access to your personal information held by us
• Correction of inaccurate or incomplete personal information
• Withdrawal of consent for data processing (subject to legal or contractual restrictions)
• Filing a complaint with the Office of the Privacy Commissioner of Canada

We collect and process your personal information only for purposes a reasonable person would consider appropriate, and we obtain meaningful consent for collection, use, and disclosure.

To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by applicable law.

7. Cookies and Tracking

VER·DICT uses minimal cookies and tracking:

• Authentication cookies: Essential cookies set by Supabase Auth to maintain your login session. These are strictly necessary for the service to function
• Google Analytics cookies: When enabled, Google Analytics sets cookies (e.g., _ga, _ga_*) to distinguish users and sessions. These are analytics cookies, not used for advertising
• Vercel Analytics: Does not use cookies and does not collect IP addresses. Fully privacy-compliant
• Vercel Speed Insights: Does not use cookies or collect PII

We do not use social media tracking pixels or behavioral advertising trackers. If Google AdSense is enabled for contextual ads, it operates under Google's own Privacy Policy.

7.1 Google Advertising Features

We use Google Signals within Google Analytics, which may enable cross-device reporting and ads personalization when you have consented to both analytics and advertising cookies. This feature is governed by the Google Advertising Features Policy. We do not use sensitive interest categories for advertising. We do not send user IDs or user-provided data (such as email addresses) to Google Analytics. You can control ads personalization in your Google Ad Settings and review or delete collected data at My Activity.

8. Data Security

We implement industry-standard security measures to protect your data:

• All data transmitted over HTTPS (TLS encryption in transit)
• Encryption at rest for database storage (Supabase/AWS)
• Passwords stored as secure hashes (never in plain text)
• Row-Level Security (RLS) on all database tables
• Rate limiting on all API endpoints
• Audit logging for sensitive operations

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a data breach affecting your personal information, we will notify affected users without undue delay and, where required under GDPR, report to the relevant supervisory authority within 72 hours of becoming aware of the breach.

9. International Data Transfers

VER·DICT's infrastructure is located in the United States (US East). If you access VER·DICT from outside the United States, your data will be transferred to and processed in the United States.

For users in the EU/EEA or the United Kingdom, transfers are conducted in compliance with GDPR and UK GDPR requirements, including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable. For users in Canada, transfers are conducted in accordance with PIPEDA. Our sub-processors (Supabase, Vercel, Stripe) maintain their own data processing agreements and transfer mechanisms.

10. Children's Privacy

VER·DICT is not intended for children under 16. We do not knowingly collect personal information from children under 16. In accordance with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If we become aware that a child under 16 (or under 13 for COPPA purposes) has created an account, we will promptly delete it and all associated data. If you believe a child under 16 is using VER·DICT, please contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the service. The “Last updated” date at the top of this page indicates when the policy was last revised.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:

• Privacy and data rights: [email protected]
• Legal and Terms of Service: [email protected]
• General inquiries: [email protected]